Strong Two-Factor Authentication with One-Time Password Solution
One of the new features of SAP Single Sign-On 2.0 SP3 is support for two-factor authentication with SAP Authenticator, a one-time password generator. In this blog, I will show you how to use a second authentication factor for high-security scenarios.
Do you want to make it hard for an attacker to impersonate you and compromise your user account?
Imagine a solution that provides a one-time password generated on your mobile device. Imagine this password is valid for 30 seconds and can only be used once. Now combine it with another authentication factor, like your corporate password.
It seems hard to steal two passwords at once, doesn’t it? Even if an attacker steals your mobile device, he still needs your corporate password to authenticate, and vice versa.
With SAP Single Sign-On 2.0 SP3 you can have a solution to some of the most serious threats companies face today – identity thefts and data breaches. It provides two-factor authentication with one-time passwords as an additional layer of security on top of passwords (two-step verification). Of course, using one secure password is good but using it with two-factor authentication is even better.
Besides security concerns, the solution addresses some usability and cost-saving issues. Just read on.
The main goal of two-factor authentication is to prevent an attacker from accessing your account due to a compromised password.
In fact, without using the SAP Single Sign-On solution, companies face security problems because their users need to maintain and remember a large number of passwords, which results in insecure credentials.
With the already existing capabilities of SAP Single Sign-On, companies are safe. Their users need to authenticate with only one password to gain access to multiple systems.
By introducing two factors to the authentication process – a password (something the user knows) and a one-time password generated on a mobile device (something the user has), the SAP Single Sign-On 2.0 SP3 solution makes companies even safer. It adds an additional layer of security for scenarios that require a very high level of protection.
One-time passwords (OTP), referred to as passcodes, are 6-digit codes generated by the SAP Authenticator mobile application (the first version is available in the Apple App Store for iOS devices). They are short-lived and cannot be reused across websites.
SAP Authenticator mobile application for iPhone
On the security side, SAP Authenticator also provides secure storage for the secret keys used to generate the passcodes. You can additionally protect the mobile application with a password in case your mobile device is lost or stolen.
You can use the solution to log on to SAP systems via Secure Login Client, via SAML (using SAP NetWeaver Application Server (AS) Java as an Identity Provider) as well as to log on to web applications running on SAP NetWeaver AS Java.
Basically, what you need to benefit from the solution is an administrator to configure an SAP NetWeaver AS Java system to require two-factor authentication, and a user to install and activate the SAP Authenticator on a mobile device.
- The administrator needs to configure the system to require two-factor authentication by using two login modules to authenticate the user: the TOTPLoginModule and the BasicPasswordLoginModule. For more information, see: One-Time Password Authentication Administrator’s Guide
- The user (employee) needs to install the SAP Authenticator on a mobile device and activate it by completing the User Activation of SAP Authenticator wizard. It is a two-step process that requires the user to download the SAP Authenticator from the Apple App Store or scan a QR code, then set it up and verify it. Currently the application runs on iOS mobile devices only. For more information, see: Using SAP Authenticator on Your Mobile Device: User Guide
- Once ready, the user can log on with a password and a passcode to any SAP system or application that requires OTP authentication and that the user can access with the activated account.
Third Party Solutions
By providing two-step verification with one-time passwords generated by the SAP Authenticator mobile application, we offer an all-SAP solution that can reduce total cost of ownership for customers that would otherwise use a third-party product.
In addition, the SAP solution is interoperable: the server provides QR codes that can be scanned by third-party mobile applications (such as Google Authenticator), and SAP Authenticator can in turn generate passcodes for non-SAP sites (such as Dropbox or Gmail).
Just try it, to make sure it is easy to use and hard to abuse.
Enable Two-Factor Authentication with SAP Cloud Identity Service
Is it also possible to use other OTP apps than the SAP Authenticator, like "HDE OTP Generator"?
Yes, it is possible to use other OTP apps like HDE OTP Generator or others which implement the RFC 6238 specs, because our implementation is based on this RFC.
An advantage of SAP Authenticator over HDE OTP Generator is that HDE is only PIN protected while SAP Authenticator is password protected.
Thanks, very good. This also allows using this solution on other mobile operating systems.
Would the registration application be able to display the QR image with a unique link? There could be users who don't have mobile or tablet devices (or don't want to use their personal ones for business use); for that type of user a Windows-based client (that supports RFC 6238) could generate the code, as long as it can access the QR code via a link.
You are right, this is an opportunity for people without mobile devices. We have this in mind and could add it to the product capabilities in one of the next versions. This kind of feedback is what we are looking for.
Thank you for your response. I have a few follow-on questions:
1. If this feature were to be included in one of the next releases, do you have any high level ETA when that would happen?
2. Is there any available API for NW SSO with the current SP3 that would allow us to develop a custom application that would provide this QR image functionality via a link? Or would this delivered SAP WD token registration application have entry points/user exits for customer modifications?
First of all, sorry for the delay. For the moment I cannot share with you concrete plans for the delivery of the feature. We will work to provide it soon.
The answer to your second question is again negative. We did not provide any API or user exits which can be used to retrieve the QR code image with SP3.
If you like, we can have a call and discuss in more detail what exactly your scenario is and which of the possible solutions would be better for you.
I will schedule the call if you confirm your interest in that.
That is a very good solution. Thanks a ton for sharing.
Is it possible to get it on other platforms as well, viz. Android, BlackBerry?
Thanks a lot for your interest.
At the moment it is not possible. The SAP Authenticator is released only for iOS. We are working on an Android version and it will also be delivered. For other platforms we still need to make a plan.
The functionality is compatible with the standard, so for the moment you could use any other application running on your needed platform which covers the TOTP specification as defined in RFC 4226.
Is this feature also available for SuccessFactors, or is it just for NW?
Reem Amr Khairy
Not directly. However, you can configure SAML 2.0 based authentication to SuccessFactors. The SAP IDP (NW AS Java) can then be configured to enforce two-factor authentication. An example SAML 2.0 configuration between SuccessFactors and NW AS Java can be found here: Single Sign-On between SAP Portal and SuccessFactors. The only additional step is to enable two-factor authentication for the IDP and disable U/P authentication at SuccessFactors. Let me know if you need further details.
We have a requirement to enable 2FA on NetWeaver Portal 7.4 where the passcode is to be sent via SMS for second-factor authentication.
We have read through many SCN forums and help documentation, but the steps to enable the 2nd factor for login on /irj/portal are not available.
We created a new template as OTP with TOTPLoginModule and changed the policy configurations default, BasicAuthentication and ticket to use template OTP, but after that we are not even able to log in to /irj/portal and /nwa.
It will be of great help if there are steps to enable 2FA on /irj/portal.
P.S.: We have also performed the steps as per the one_time_pwd_authentic_impl_guide_en guide, but 2FA is still not getting enabled on /irj/portal.
For 2FA with SMS using a third-party gateway you would need to implement a policy script. Some examples are available in the following note: Note 2225027.
If you have trouble configuring 2FA for the Portal, I would recommend opening a support ticket. You may post the number here and I will notify the colleagues to check it as quickly as possible.
Thanks for quick response.
We have raised SAP OSS#260897/2016 to have sap support look into this issue as well.
As mentioned in my previous post, the 2nd factor is not even getting triggered when we log in to /irj/portal using userID/password, and we are able to log in just using userID/password.
We have already read through note #2225027 and created a sample policy file to trigger the SMS using a third-party SMS gateway, but since the 2nd factor is not triggering we are not able to test the scripts.
I had a quick look at the ticket. Some comments/recommendations:
1. The error message on the logon page indicates a syntax error in the policy script. In order to find out the issue collect traces using the procedure described here: Collecting Traces with the Security Troubleshooting Wizard - One-Time Password Authentication - SAP Library. If you cannot find the error then attach the traces to the ticket.
2. Please remove all login module options of TOTPLoginModule. They are not necessary. Instead use the /otpadmin to configure the policy, to enable it and to set the login module for first-factor authentication.
3. Before enabling 2FA for the whole system, i.e. setting the "OTP" template as the default one, perform tests with a dedicated web application. For this purpose you can use the "ticketissuer" application. Find it in /nwa -> Authentication & SSO, assign the "OTP" template to it and try to authenticate to http(s)://host:port/ticketissuer.
Thanks Dimitar for your inputs.
We have made some progress in this regard and are sending the updated logs and policy script file to SAP support for further analysis. It now seems that the policy is picked up and no syntax error is reported (in traces) after first-factor authentication, but the passcode does not seem to get generated.
As far as I could see there are no syntax errors and the script looks OK. My recommendation would be to first try to send a regular email in order to check that the whole flow is working. Afterwards you can switch to SMS (via email). Additional remarks:
- You can trace the generated passcode using logger.traceWarning("Passcode: " + passcode); in method onFirstStageLogin(). Thus even if you do not receive email or SMS you can see the passcode in the traces and complete the authentication.
- In order to get on the second screen "Passcode" instead of "Password" you have to switch to the OTP specific logon application - see Configuring an OTP-Related Logon Application - One-Time Password Authentication - SAP Library
After the above suggestion, I am able to log in to the ticketissuer app by tracing the passcode in the trace. Also, the second screen is now showing "Passcode" instead of "Password".
Meanwhile we are trying to check why the email is not getting triggered, or whether there are any other issues at the gateway server. Would it be possible to guide us on the main issue, i.e. how to enable 2nd-factor authentication on /irj/portal?
Also please note that we have configured the back-end ECC application in Portal as iViews and configured SSO between Portal and ECC, so while we want 2nd-factor authentication on /irj/portal, we still want to maintain the SSO between Portal and ECC.
I would recommend tracing the mail server and the recipient email in order to see if the values are the expected ones. It could be that the format of the mobile number and the corresponding email address are not in the format expected by the mail server, e.g. having a leading "+" sign, etc. By the way, have you tried the scenario using a regular mail server and a regular mail address, not the mobile number one?
Regarding the configuration of /irj/portal - follow the standard procedure, TOTPLoginModule is just another login module. Using it should not affect the SSO between Portal and ECC.
Portal Authentication Infrastructure - Configuring the Portal for Initial Use - SAP Library
Regarding point 1, yes, we have tried to send only an email using a regular email address, but there seems to be some issue at the gateway server, as that is also not getting received. We are checking on the same.
Regarding point 2, we are not able to enable TOTPLoginModule on /irj/portal even after assigning the OTP template (which is working as expected for the /ticketissuer app) to the uidpwdlogon login. Not sure if we are missing any point here, but we have also tried changing the default login context (ume.login.context) to OTP, which changes the login behavior of /nwa to 2FA, but /irj/portal still does not have the 2nd factor enabled.
Appreciate any pointers or guidance to enable the 2FA on /irj/portal.
Thanks for your support and direction.
We are able to configure the 2FA on /irj/portal and receiving the passcode via email as well.
For other community members, the information below might be useful to enable 2FA on /irj/portal:
Add the TOTPLoginModule to the 'ticket' policy configuration with the value REQUISITE and change the BasicPasswordLoginModule to SUFFICIENT, along with the others.
Thanks praveen gupta and Dimitar Mihaylov for sharing the info. Your info has helped me to apply OTP for entire /irj/portal
Hi Dimitar Mihaylov,
For implementing these policy scripts, do we need to have the login users maintained on the ABAP stack too?
I mean, we currently have the login users of the portal only on the Java stack.
We are trying to do SSO with OTP; for activation I am not getting the field for entering the passcode and verifying. Can anyone please guide on the same?
See this blog: Simple Configuration Example for Implementing Two-Factor Authentication (2FA) - SAP Blogs
Thanks for the reply.
I followed the mentioned blogs; for setting up TOTP for the mobile device I tried to open the link as mentioned, https://<host>/otp, but the URL is redirecting us to the irj/portal link.
Can you please help on the same?
This problem could appear if you have a reverse proxy in front of your SAP NetWeaver system which is rewriting the URLs, so that the .../otp/... URL is redirected to .../irj/...
Do I need to check the redirect at the SAML config level, or in some other place?
Can you please guide me on that where I've to configure/change the redirect URL.
See the details about the: Parameterization of the SAP Web Dispatcher - SAP Web Dispatcher - SAP Library
If you are not the one responsible for these settings in the company, you have to get in contact with the person responsible, discuss the settings for the redirects with him, and make these settings together so that they fit all your scenarios accordingly.
Great blog Ivelina Kiryakova
By following your blog and Donka Dimitrova I was able to configure 2FA.
Thanks for sharing the valuable info. I do appreciate all the support that you have been doing for the community.
Can you please let me know if any of these are feasible?
1) Implement 2FA with OTP for AS ABAP, because our requirement is to have SSO configured for the Fiori Launchpad, which resides in the SAP Gateway ABAP system.
2) Can we use Azure instead of SAP SSO product and configure 2FA? If yes, what Authenticator app and OTP modules can we use?
Thanks in advance.
Up to now ABAP does not support TOTP natively, because there was no demand for such a feature.
If you require it by now, you can consider using SAP Secure Login Server (a Java-based server component offering many more features).
If you want to file a feature request for native TOTP support in ABAP, you can use https://influence.sap.com to seek other supporters.
Thanks for sharing these details. If we are planning to implement SAP OTP, do we need to have one Java stack available in our landscape?
Can we use a centralized Java stack to configure OTP for multiple SAP applications (different Fiori systems)? Are there any prerequisites (other than SAP applications) we need to have in place to aid this configuration?
Thanks and best regards,
Is it possible to use SSO 2FA with SAP Logon (SAP GUI)?
If yes, do you have any tips for that?