Skip to Content
Author's profile photo Former Member

Enable Two-Factor Authentication with SAP HANA Cloud Platform Identity Authentication(previously SAP Cloud Identity)

Do you have cloud applications for your employees or partners that you want to protect in a more secure and reliable way?


With SAP HANA Cloud Platform Identity Authentication(shortly Identity Authentication), you can now decide which applications you want to protect better.

If you configure an application to have two-factor authentication, once the user of this application provides valid username and password, additional one-time password will be required as a second authentication factor.


What is one-time password (aka OTP or passcode)?


It is a 6-digits passcode (for example: 899866) that expires in 30 seconds. For the generation of the passcodes, the users need to install SAP Authenticator on their mobile device. It is a free mobile app available on iOSAndroid and Windows.


Let’s take a closer look at the steps you need to enable two-factor authentication for your application.


1. You have added your application and configured Trust between your application(SP) and the Identity Authentication(SAML IDP). For SAP HCP apps – see here

2. You have an Administrator account for Identity Authentication service with “Manage Applications” Role enabled


1. Navigate to https://<your tenant ID> and login with your administrator’s credentials.

2. Once you enter the  Administration Console of Identity Authentication service, in the left menu, go to “Applications and Resources” -> “Applications”

3. Choose your application from the list of applications on the left side

4. Navigate to the „Authentication and Access“ tab

5. Choose “Risk-Based Authentication”

6. Change Default Action from “Allow” to “Two-Factor Authentication” and click “Save”



What are the steps for the end users?

The users of a sample application “ABC” need to enter correct username and password. As a second step, they are asked to enter a passcode, and then the authentication to the application is successful.


First Step:

08 Feb 16 14-31-05.png

Second Step:

If the user has a device already registered to generate passcodes for the two-factor authentication, she or he just has to enter the passcode from the mobile device, and will log on to the application.


Successful authentication to the application:

16 Feb 16 15-54-17.png

Note: If the user submits 5 incorrect passcodes, the passcode is locked for 60 minutes. A tenant administrator has an option to unlock manually the user passcode in the Administration Console, as explained here.

If the users decide to use the feature “Remember me”, the passcode will still be required, only the first step when the users enter their credentials will be skipped.

How to activate a device that will generate passcodes?

The user needs to proceed as follows:

  1. Open the User Profile page in a web browser, the User Profile page address is the tenant URL: https://<your tenant>
  2. Login and press “Activate” under Two-Factor Authentication.

    28 Mar 16 10-28-05.png

  3. Open SAP Authenticator app on a mobile device. Open the Add Account screen in SAP Authenticator and do one of the following on your mobile device:
  4. Scan the QR Code  and once ready, tap Add Account on your mobile device
  5. Enter the passcode in the User Profile page and press Activate.


The two-factor authentication is now activated. The user is able to login with a second factor to all applications from this Identity Authentication tenant that require an OTP.
For the generation of the passcodes, SAP Authenticator uses a Time-based One Time Password (TOTP) Algorithm defined as an open standard RFC 6238.

Alternatively, you can use another application for the generation of the passcodes that is based on the same algorithm (e.g.  the Google Authenticator app).

Ensuring a higher level of security for your applications is a matter of a few steps to enable two-factor authentication. It is really that easy and it is really worth it.

If you are looking for more flexibility in controlling the user access to your applications, you can acquaint with this blog and learn how to define Risk-Based Authentication Rules.

Assigned Tags

      You must be Logged on to comment or reply to a post.
      Author's profile photo Harald Mueller
      Harald Mueller

      Is this available to HCP applications?

      Author's profile photo Former Member
      Former Member
      Blog Post Author

      Hi Harald,

      Yes, by default HCP Applications are SAML Enabled and a default trust configuration is set between HCP and SAP Cloud Identity. So if you have a protected resource(page) of an HCP Application and enable the Two-Factor Authentication for this application in SAP Cloud Identity Admin Console, as shown above in Step 2, then the users for this protected resource would be required to enter an OTP.

      Best regards,


      Author's profile photo Mohan Kumar
      Mohan Kumar


      Can we use 2 factor authentication, if the IDP is other than SAP Cloud Identity?



      Author's profile photo SANDEEP TDS


      In the second point of you pre-requisites you have stated the following:

      You have an Administrator account for Identity Authentication service with “Manage Applications” Role enabled

      I wish to know If this can be done on a trial account?

      Thank You.

      Warm Regards
      Sandeep T D S