Symptom
The command "cf login --origin <IdP name>" is used to log in to Cloud Foundry. On the IAS side, within the relevant application, Risk-Based Authentication (RBA) is configured to restrict access, with the default action set to "Deny." Consequently, when the command "cf login --origin <IdP name>" is executed, access is denied, resulting in a 401 error. The logs indicate this denial with the message "Denied by RBA rules," as observed below:
"<time stamp>","<incoming IP address>",anonymous,INFO,"ID","state=""failed"", action=""login"", objectType=""user"", objectId=""P00xxxx"", cause=""rbaRulesCheckFailure"", message=""Denied by RBA rules"", category=""audit.authentication"", credentialType=""{UID_PW=authenticated}"", originalCallerIp=""xxx.xxx.xxx.xxx"", workflow=""openIdConnect"", serviceProvider=""btp-platform"" "
To allow access, the incoming IP address shown above must be added to the rule list of Risk-Based Authentication. Because the incoming IP address changes, a list of the possible IP addresses is required.
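As an added example (not part of the SAP article), the following Python script tallies the incoming IP addresses behind "Denied by RBA rules" entries, so the addresses actually being rejected can be reviewed before any RBA rule is changed. It assumes the audit log is available as CSV in the column layout of the entry above; the function name, sample lines and IP addresses are constructed for illustration.

```python
import csv
import io
import ipaddress
import re
from collections import Counter

# Constructed sample lines in the column layout of the entry shown above:
# timestamp, incoming IP, user, level, id, details. IPs are documentation ranges.
SAMPLE_LOG = '''\
"2024-05-02T08:15:01Z","203.0.113.10",anonymous,INFO,"ID","state=""failed"", action=""login"", cause=""rbaRulesCheckFailure"", message=""Denied by RBA rules"", credentialType=""{UID_PW=authenticated}"", serviceProvider=""btp-platform"" "
"2024-05-02T08:20:44Z","198.51.100.7",anonymous,INFO,"ID","state=""failed"", action=""login"", cause=""rbaRulesCheckFailure"", message=""Denied by RBA rules"", serviceProvider=""btp-platform"" "
"2024-05-02T08:21:09Z","192.0.2.5",anonymous,INFO,"ID","state=""ok"", action=""login"", serviceProvider=""btp-platform"" "
"2024-05-02T09:02:13Z","203.0.113.10",anonymous,INFO,"ID","state=""failed"", action=""login"", cause=""rbaRulesCheckFailure"", message=""Denied by RBA rules"", serviceProvider=""btp-platform"" "
"2024-05-02T09:30:00Z","192.0.2.99",anonymous,INFO,"ID","state=""failed"", action=""login"", cause=""rbaRulesCheckFailure"", message=""Denied by RBA rules"", serviceProvider=""other-app"" "
"<time stamp>","<incoming IP address>",anonymous,INFO,"ID","state=""failed"", cause=""rbaRulesCheckFailure"", serviceProvider=""btp-platform"" "
'''

# key="value" pairs as they appear in the details column after CSV unescaping
KV = re.compile(r'(\w+)="([^"]*)"')


def denied_source_ips(log_text, service_provider="btp-platform"):
    """Count RBA denials per incoming IP for one serviceProvider."""
    hits = Counter()
    for row in csv.reader(io.StringIO(log_text)):
        if len(row) < 6:
            continue  # blank or truncated line
        fields = dict(KV.findall(row[5]))
        if fields.get("cause") != "rbaRulesCheckFailure":
            continue  # not an RBA denial
        if fields.get("serviceProvider") != service_provider:
            continue  # denial belongs to a different application
        try:
            ip = ipaddress.ip_address(row[1].strip())
        except ValueError:
            continue  # masked or placeholder address, nothing to report
        hits[str(ip)] += 1
    return hits


if __name__ == "__main__":
    for ip, count in denied_source_ips(SAMPLE_LOG).most_common():
        print(f"{ip}\t{count} denial(s)")
```

The output is a review list only: each address should be confirmed as a legitimate origin of `cf login` traffic before it is added to an RBA rule.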
Environment
- SAP Cloud Identity Services
- BTP
Keywords
cf login, cf login --origin, RBA Rule Configuration, IP Address Whitelisting, Credential Type UID_PW, KBA, BC-IAM-IDS, Identity Authentication Service, BC-CP-CF-SEC-IAM, UAA, Authentication, Authorization, Trust Mgmnt, How To
About this page
This is a preview of an SAP Knowledge Base Article. The full version is available on SAP for Me (login required).