Enable Two-Factor Authentication with SAP HANA Cloud Platform Identity Authentication(previously SAP Cloud Identity)

Do you have cloud applications for your employees or partners that you want to protect in a more secure and reliable way?

With SAP HANA Cloud Platform Identity Authentication(shortly Identity Authentication), you can now decide which applications you want to protect better.

If you configure an application to have two-factor authentication, once the user of this application provides valid username and password, additional one-time password will be required as a second authentication factor.

What is one-time password (aka OTP or passcode)?

It is a 6-digits passcode (for example: 899866) that expires in 30 seconds. For the generation of the passcodes, the users need to install SAP Authenticator on their mobile device. It is a free mobile app available on iOS, Android and Windows.

Let’s take a closer look at the steps you need to enable two-factor authentication for your application.

Prerequisites:

1. You have added your application and configured Trust between your application(SP) and the Identity Authentication(SAML IDP). For SAP HCP apps – see here

2. You have an Administrator account for Identity Authentication service with “Manage Applications” Role enabled

Steps:

1. Navigate to https://<your tenant ID>.accounts.ondemand.com/admin/ and login with your administrator’s credentials.

2. Once you enter the  Administration Console of Identity Authentication service, in the left menu, go to “Applications and Resources” -> “Applications”

3. Choose your application from the list of applications on the left side

4. Navigate to the „Authentication and Access“ tab

5. Choose “Risk-Based Authentication”

6. Change Default Action from “Allow” to “Two-Factor Authentication” and click “Save”

What are the steps for the end users?

The users of a sample application “ABC” need to enter correct username and password. As a second step, they are asked to enter a passcode, and then the authentication to the application is successful.

First Step:

Second Step:

If the user has a device already registered to generate passcodes for the two-factor authentication, she or he just has to enter the passcode from the mobile device, and will log on to the application.

Successful authentication to the application:

Note: If the user submits 5 incorrect passcodes, the passcode is locked for 60 minutes. A tenant administrator has an option to unlock manually the user passcode in the Administration Console, as explained here.

If the users decide to use the feature “Remember me”, the passcode will still be required, only the first step when the users enter their credentials will be skipped.

How to activate a device that will generate passcodes?

The user needs to proceed as follows:

1. Open the User Profile page in a web browser, the User Profile page address is the tenant URL: https://<your tenant>.accounts.ondemand.com/.
2. Login and press “Activate” under Two-Factor Authentication.

   

3. Open SAP Authenticator app on a mobile device. Open the Add Account screen in SAP Authenticator and do one of the following on your mobile device:
4. Scan the QR Code  and once ready, tap Add Account on your mobile device
5. Enter the passcode in the User Profile page and press Activate.

The two-factor authentication is now activated. The user is able to login with a second factor to all applications from this Identity Authentication tenant that require an OTP.
For the generation of the passcodes, SAP Authenticator uses a Time-based One Time Password (TOTP) Algorithm defined as an open standard RFC 6238.

Alternatively, you can use another application for the generation of the passcodes that is based on the same algorithm (e.g.  the Google Authenticator app).

Ensuring a higher level of security for your applications is a matter of a few steps to enable two-factor authentication. It is really that easy and it is really worth it.

If you are looking for more flexibility in controlling the user access to your applications, you can acquaint with this blog and learn how to define Risk-Based Authentication Rules.