Donka Dimitrova

Risk-Based Authentication for Your Critical Business Processes

For many years, companies have been required to allow access to critical business data from outside their corporate network. For example, employees go on business trips or work remotely, or partner consultants need to gain access because of a new project. In addition to this security challenge, a new and more complicated scenario has been in high demand for the last several years: mobile access. Easy and flexible, it allows users to connect and work from anywhere and on any device. All these challenges require a revision of corporate security policies as well as new security tools for effective mitigation of the newly defined risks.

With the latest support package (SP04) for SAP Single Sign-On, released on Nov. 03, 2014, SAP offers a solution that will help companies to mitigate such risks by implementing Risk-Based Authentication, improving security for all critical business processes.

Risk-based authentication helps companies centrally capture and evaluate the circumstances of an authentication, based on custom-defined access policies. As a result, you can allow or forbid access or, if necessary, enforce a two-factor authentication mechanism based on a One-Time Password (OTP).

Sample scenario:

Security policy of Company “A”: Access to HR systems, when requested from outside the corporate network and/or outside normal working hours, is considered a very high risk.

Such a risk can be easily mitigated by implementing risk-based authentication: when the user tries to access the systems from outside the corporate network and/or when the time is between 6:00 PM and 9:00 AM in the user's time zone, two-factor authentication is enforced.

How Risk-Based Authentication Works

The solution is based on custom-defined access policies. Many companies develop a set of access policies, based on their corporate security standards. The access policies are implemented in a configuration UI or in the SAP NetWeaver Administrator by writing the logic in JavaScript. The access policy logic is based on a set of contextual information (for example: time, origin, authentication method, device, and others) and the risk, defined by the company with regard to the values of this contextual information.

Access policies can be implemented for two authentication methods:

  • For authentication with the Time-Based One-Time Password Login Module (TOTPLoginModule): here the login module processes the specified access policy script and decides which of two types of authentication to use, single-factor or two-factor.
  • For authentication through an Identity Provider (IdP): here the access policies are specified for IdP extensions, and policies can be set for a specific trusted service provider or for all trusted service providers.

When a user tries to log in to a resource where risk-based authentication has been implemented, the authentication request is sent to the Access Policies Engine, running on SAP NetWeaver AS Java.

The Access Policies Engine performs the following steps:

  1. Collects the context information
  2. Applies a rule to strengthen authentication – here the access policy script is executed based on the context information. Based on the result, the access is allowed or denied, or two-factor authentication is enforced.
  3. Persists the context – this step is performed only when the access is allowed. The relevant information (context, authentication procedure, risk level, etc.) is stored in the authentication token and the token is sent to the client.
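The policy of Company "A" from the sample scenario, written as a stand-alone JavaScript rule. This is an added example, not SAP's sample script and not the SAP access policy API: `evaluateAccess`, `CORPORATE_NETS`, the context fields and the network ranges are hypothetical, and treating exactly 9:00 AM as inside working hours is an assumption.

```javascript
// Added illustration; NOT the SAP access policy scripting API.
// evaluateAccess, CORPORATE_NETS and the ctx fields are hypothetical names.
const CORPORATE_NETS = ["10.0.0.0/8", "192.168.10.0/24"]; // constructed sample ranges

// Convert dotted IPv4 to an unsigned 32-bit integer; null if malformed.
function ipv4ToInt(ip) {
  const parts = String(ip).split(".");
  if (parts.length !== 4) return null;
  let n = 0;
  for (const p of parts) {
    if (!/^\d{1,3}$/.test(p) || Number(p) > 255) return null;
    n = n * 256 + Number(p);
  }
  return n;
}

// True if ip lies in the CIDR block; malformed input never matches (fail closed).
function inCidr(ip, cidr) {
  const [base, bitsStr] = cidr.split("/");
  const ipInt = ipv4ToInt(ip), baseInt = ipv4ToInt(base);
  if (ipInt === null || baseInt === null) return false;
  const size = 2 ** (32 - Number(bitsStr)); // number of addresses in the block
  return Math.floor(ipInt / size) === Math.floor(baseInt / size);
}

// Minutes since midnight in the user's own time zone (IANA name).
function localMinutes(date, timeZone) {
  const parts = new Intl.DateTimeFormat("en-GB", {
    timeZone, hour: "2-digit", minute: "2-digit", hourCycle: "h23",
  }).formatToParts(date);
  const get = (t) => Number(parts.find((p) => p.type === t).value);
  return get("hour") * 60 + get("minute");
}

// Outside the corporate network and/or 18:00-09:00 local time => two-factor.
function evaluateAccess(ctx) {
  const internal = CORPORATE_NETS.some((c) => inCidr(ctx.clientIp, c));
  const m = localMinutes(ctx.time, ctx.timeZone);
  const offHours = m >= 18 * 60 || m < 9 * 60; // window wraps past midnight
  const reasons = [];
  if (!internal) reasons.push("external-network");
  if (offHours) reasons.push("off-hours");
  return { decision: reasons.length ? "TWO_FACTOR" : "SINGLE_FACTOR", reasons };
}
```

The same instant can fall inside working hours for one user and outside for another, which is why the rule converts the request time to the user's time zone before comparing it with the window.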

How to Implement Risk-Based Authentication:

Risk-Based Authentication requires installation of the SSO AUTHENTICATION LIBRARY 2.0 and configuration that depends on the authentication method.

If you choose to implement authentication with Time-Based One-Time Password Login Module (TOTPLoginModule), you need to:

  1. Create an access policy and define its script
  2. Configure the TOTPLoginModule to use this access policy

    For more details, see Access Policies Implementation Guide. Here you will find an example access policy script.

    You can find example scripts also in the SAP Note 2225027 – Policy Scripts for Risk-Based Authentication

If you choose to implement authentication through an Identity Provider (IdP) you have two options:

  • to configure access policies for an external adapter by implementing authentication and assertion policies
  • to configure access policies for an attribute provider by implementing a script for policy-based assertion attributes

Implementation steps include:

  1. Set the IdP extension, choosing one of the extension types: External Adapter or Attribute Provider
  2. Implement an access policy for the extension type selected in the previous step.

     For more details, see Configuring Access Policies for Identity Provider Extensions

Risk-Based Authentication with SAP Single Sign-On:

  • Centrally evaluate and mitigate the risk of allowing access to the IT landscape, based on context
  • Dynamic authorization restriction on service and transaction level using pre-defined rules
  • Risk-based enforcement of two-factor authentication
  • Available also for authentication through the Identity Provider

The new SAP solution that helps companies to offer access from anywhere and on any device by controlling and mitigating risk successfully!

See also: Stronger security for your business data at risk (sample access policies included)

      Former Member

      Hi Donka,

      I was just browsing for risk-based authentication to SAP and I came across this post. I have a requirement here for our SAP application. Can we integrate risk-based authentication (Adaptive Authentication) with the 3rd party/external software from RSA to our SAP application?

      Thanks in Advance..



      Dimitar Mihaylov

      Hi Akesh,

      Technically you can integrate any external system. During the authentication process different events are sent to the policy script and it can call an external system to decide if access has to be denied or multi-factor authentication is required, or the user will be authenticated but with limited access permissions. You can contact me and Donka via email to discuss your scenario in detail and how it can be implemented.

      Best regards,

      Dimitar Mihaylov

      P.S. Our emails are <firstname>.<lastname><AT>

      Former Member

      Hi Dimitar,

      Thanks for the reply.

      Please check the mail for the details on this.



      Shubham Jain

      Dear Donka,

      It seems that the risk-based authentication is for the Java stack only; whatever links I find for configuration take me to the Java portal. Is there a way we can enforce two-factor authentication for the ABAP stack, like for people accessing confidential data on BW systems using EPM, BPC or normally through SAP GUI?


      Shubham Jain

      Dheeraj Tripathi

      Dear Donka,

      I am looking forward to multi-factor authentication and risk-based authentication for SAP ABAP applications. Need urgently. Please can you help or suggest if any products are already available? I read about SAP SSO and SAP Mobile Authenticator but I think they are for AS Java applications or mobile applications. Please suggest if I can discuss with someone in this area. Thanks in advance!!

      Martina Kirschenmann

      Hi Dheeraj,

      Based on access policies you can make a dynamic decision on whether you accept or deny access, or alternatively enforce two-factor authentication. Risk-based authentication is possible with the Identity Provider and Secure Login Server of SAP Single Sign-On on SAP NetWeaver AS Java, and uses SAML 2.0 or X.509 digital certificates.