How to protect your AS JAVA application with Two-Factor-Authentication (2FA) based on Time-Based One-Time Passwords (TOTP)

Goal: You want to improve the security of an application running on an AS Java server using a simple 2FA solution.

Prerequisite: You have a license for the SAP Single Sign-On product.

In this blog you will find the simple steps for configuring 2FA based on TOTP for an AS JAVA application using the SAP Single Sign-On product.

Time-Based One-Time Passwords (TOTP) are passcodes generated by an algorithm that computes a one-time password from a shared secret key and the current time (see RFC 6238). The SAP Single Sign-On product offers a two-factor authentication solution based on TOTP. Such authentication is considered more secure because TOTP passcodes are time-based (valid for only 30 seconds), can be used for only one logon attempt, and rely on two means of identification: something the user possesses and something the user knows. The user possesses a mobile device on which the passcode generator is installed, and knows the password that unlocks the device. This makes TOTP a perfect security solution for protecting a system or an application with a strong authentication mechanism. SAP offers a passcode generator mobile application called “SAP Authenticator” (available at the moment for iOS, Android and Windows devices) that generates 6-digit or 8-digit passcodes.

Note: The SAP Single Sign-On product also offers 2FA solutions alternative to TOTP, such as a One-Time Password (OTP) sent via SMS or e-mail, or integration with a RADIUS server (RSA and others), but in this blog I will provide the configuration details only for 2FA based on TOTP.

How to use the 2FA based on TOTP for protecting an application running on AS JAVA:

We assume that the authentication stack of your application is currently configured to use the default login module, BasicPasswordLoginModule, so users have to provide their User ID and password in order to be authenticated.

In my configuration example I will use a sample Java application that simply displays the user name of the logged-on user and also provides information about the authentication method used.

Open the NWA using this link https://<host>/nwa and the credentials of an administrative user.

Navigate to Configuration > Authentication and Single Sign-On > Authentication tab > Components.

Find the Policy Configuration that you want to use and look at its authentication stack. In my example the screenshot is from the Policy Configuration of my simple custom Java application.


Initial state of the configuration:

[Screenshot: 01_InitialConfLogModules.png]

The user experience before configuring 2FA based on TOTP is the following:

The user is requested to provide his/her user name and password:

[Screenshot: 02_857422.png]

When the credentials are correct, the user is successfully authenticated. Based on the logic of my simple application, the user name is displayed together with the authentication method “Password”:

[Screenshot: 03_857393.png]

Now let’s do the configuration for implementing 2FA based on TOTP:

Click “Edit” for the Policy Configuration that you want to configure, change the login module of the authentication stack for this Policy Configuration from BasicPasswordLoginModule to TOTPLoginModule, keep the flag “SUFFICIENT” and click “Save”.

[Screenshot: 04_Configuration_Pass&TOTP.png]

In our example we want to keep the first-stage login with user name and password and add a second-stage login where the user is prompted for a passcode (TOTP). This is why we keep the OTP settings of the system at their default values (the setting “First Factor Login Module” keeps its default value, BasicPasswordLoginModule). Here you can see a screenshot of the default configuration in the OTP Administrative UI. To open the OTP Administrative UI use this link https://<host>/otpadmin and the credentials of your administrative user:

[Screenshot: DefaultOTP.png]

Now it is time to test the configuration “Password + OTP”:

First the user will be prompted for his/her User ID and password:

[Screenshot: 02_857422.png]

As a second-stage login, the user has to provide a TOTP passcode, but because no mobile device is configured for his/her account yet, the user is informed that he/she needs to activate a mobile device:

[Screenshot: 00_RegRequired.png]

In order to test the configuration to the end, you need to set up your mobile device for TOTP:

Prerequisite: You have the SAP Authenticator mobile application installed on your mobile device.

  1. Open the self-service for Mobile Device Setup via this link: https://<host>/otp and log in with the test account.
  2. Click the link “Set Up Account on Device”.

[Screenshot: 01_ClickLink.png]

  3. A QR code will be displayed. In the SAP Authenticator mobile application click “Add new account”, scan the QR code and click “Done” on the mobile app. The mobile application will start generating TOTP passcodes immediately, but before you start using them you have to finish the setup by clicking “Finish” in the self-service procedure on the PC:

[Screenshot: 0002_QRcode.png]

Now we can finally test the configuration:

You have to start the authentication again with the User ID and password:

[Screenshot: 0003_StartAgain.png]

At the second-stage login you will be prompted to provide a passcode generated for your test user by the SAP Authenticator on your mobile device. Type the current passcode and click “Log On”:

[Screenshot: OTPsledConfiguracia.png]

When you provide a valid passcode you will be authenticated successfully and you will see that the authentication method is “Password + OTP”:

[Screenshot: 12_2FAResult.png]

Note: In order for your login form to display “Passcode” for the second stage of the authentication, you have to make sure that you are using the proper “Alias of Application for Customizing Login Pages (ume.logon.application.ui_resources_alias)” with the value /otp_logon_ui_resources (this alias comes with the implementation of the SSO AUTHENTICATION LIBRARY 2.0). You have to configure it here:

Navigate to Authentication and Single Sign-On > Authentication tab > Properties. See:

[Screenshot: Alias.png]

One more scenario: “SPNEGO + OTP”

If you are already using a single sign-on technology in your company, for example Kerberos/SPNEGO, it is also possible to implement 2FA based on TOTP easily. You can simply combine the login module that you are using at the moment with OTP, for example “SPNEGO + OTP” or “X.509 + OTP”.

I will provide the details for the “SPNEGO + OTP” configuration, and you will be able to do the configuration for other login modules following the same approach.

Note: As usual, when you want to use SPNEGO as the first authentication attempt, your AS JAVA system needs to be configured for SPNEGO already (see the screenshot with the example):

[Screenshot: 14_SPNEGO_OTP.jpg]

If you are currently using the SPNegoLoginModule in the authentication stack of your application, like here:

[Screenshot: 15_SPNEGOInitial.png]

You have to do two things:

1) Simply replace the SPNegoLoginModule with TOTPLoginModule in the authentication stack of your application (this is similar to the configuration we did for the “Password + OTP” scenario):

[Screenshot: 16_SPN_OTP_Conf.png]

2) Go to the OTP Administrative UI and change the default setting of “First Factor Login Module” to SPNegoLoginModule, and don’t forget to save. See the screenshot with the configuration below:

[Screenshot: 17_OTPUI_SPN.png]

Now your application will be using “SPNEGO + OTP” authentication.

Test of the new configuration:

If we test access to the application with an account already authenticated to the Microsoft domain, the first authentication stage will be SPNEGO and the user will see only the second authentication stage, where he/she will be prompted to provide a TOTP:

[Screenshot: RemSSO.png]

When a correct TOTP is provided, the user will be successfully authenticated and his/her authentication method will be “SPNEGO + OTP”:

[Screenshot: RemSSORez.png]

An alternative scenario: “SPNEGO or PASSWORD + OTP”

This scenario is important when you have to protect an application that is also used on kiosk/shared PCs. In such cases you have one group of users who have a Kerberos token, for whom SPNEGO works, but you also have to manage secure access for another group of users who use shared PCs, where single sign-on is not an option. To protect such an application you can simply configure both login modules in the OTP settings, separated by a comma. Simply type BasicPasswordLoginModule after SPNegoLoginModule, like this: “SPNegoLoginModule,BasicPasswordLoginModule”.

With this simple configuration you will be able to offer “SPNEGO + OTP” authentication for the first group of users (who are logged into the Microsoft domain) and “Password + OTP” authentication for the other group of users (who use the application via a kiosk/shared PC).

Note: Make sure that SPNegoLoginModule is configured in the first place; otherwise every user will be prompted directly for “Password + OTP” and SPNEGO will not work even for users who have a Kerberos token available.

See the screenshot of the configuration:

[Screenshot: 20_SPN_BAS.png]

More details about 2FA based on TOTP and all the settings available for configuration can be found in our documentation here:

http://help.sap.com/download/sapsso/one_time_pwd_authentic_impl_guide_en.pdf

17 Comments

    1. Donka Dimitrova Post author

      Hello Venkatesh,

      As I mentioned at the beginning of my blog, the prerequisite is to have a license for the SAP Single Sign-On product. The TOTPLoginModule comes with SSO AUTHENTICATION LIBRARY 2.0, which is part of the product. You can install the library on AS Java 7.30 or higher.

      Regards,

      Donka Dimitrova

  1. Mohamed Mehdi AIDOUDI

    Hi Donka,

    Thank you for this blog; it is very helpful to start playing with TOTP.

    I have one question regarding the authentication step:

    I am using the TOTP module (in a SAML2 context) with AS Java 7.42, and I am facing an issue when users are required to reset the password. I have the first screen for login/password. After that I have the passcode screen, and when I am in the change password screen I get an error that says I need to give a passcode again. So it triggers a login failure in the authentication traces.

    Is password reset supported by this login module, or should we not use it in this case? We are using basic form login to reset the password (without TOTP) for the moment.


    Thank you and regards,

    Mehdi.

    1. Dimitar Mihaylov

      Hello,

      The flow is correct – a password change is triggered when the authentication has completed, meaning a valid passcode was provided at the second step. However, the password change at that stage should work as expected and no additional passcode is required. Could you please make sure that you use the latest version of the SSOAUTHLIB component (SP6 patch level 2), and that you have configured the OTP logon application (alias /otp_logon_ui_resources)? If this is the case, then I would recommend opening a ticket in component BC-IAM-SSO-OTP. Please attach to the ticket the traces collected as described here: Collecting Traces with the Security Troubleshooting Wizard – One-Time Password Authentication – SAP Library.

      Best regards,

      Dimitar Mihaylov

      1. Mohamed Mehdi AIDOUDI

        Hi Dimitar,

        Problem fixed.

        After some troubleshooting I found that the TOTP module was called twice (thank you for the link) but we stayed on the same page (asking for: old password, new password, repeat password). It was a mistake in the SAML2 configuration. We were calling two authentication contexts with the same login module (TOTPLoginModule).

        Thank you for your help,

        Regards,

        Mehdi.

  2. ABU SANDEEP BASIS

    Dear Donka,

    Excellent blog..!!! We have a requirement right now for using the Fiori Launchpad from mobile devices. Is it possible to authenticate to the Fiori Launchpad only from Active Directory, without using SAP Authenticator? Or is this the only way to use SAP Fiori apps on iOS and Android devices? We have a licence to use SAP SSO.

    Regards,

    Abu Sandeep

    1. Donka Dimitrova Post author

      Dear Abu,

      If you want to use the SAP Fiori Client (native mobile application) you can choose between single sign-on based on X.509 client certificates or our Mobile SSO solution available with the SAP Single Sign-On product.

      If you choose X.509 certificates you have to use a solution like SAP Mobile Platform Server. See the details and prerequisites here:

      http://help.sap.com/saphelp_smp306sdk/helpdata/en/b2/99923cc0b94400acab320c812cc026/content.htm

      If you choose our Mobile SSO solution you have to use the SAP Authenticator; the implementation is described in this step-by-step guide:

      Mobile Single Sign-On for SAP Fiori – Step-by-Step Guide

      Regards,

      Donka Dimitrova

      1. ABU SANDEEP BASIS

        Dear Donka,

        Thanks a lot for the quick response.

        We use SAP Afaria MDM on cloud. Is it enough? Or should it be SAP Mobile Platform itself?

        X.509 certificates mean authentication using certificates, never with any user ID and password?

        Regards,

        Abu Sandeep.

  3. Yugandhar Reddy

    Thanks a lot Donka.

    With the help of your blog I was able to configure the Two Factor Authentication.

    The blog had all the required info to configure 2FA. I do appreciate all your help and support for the community.

  4. Deepesh K

    Hello Donka,

    We have a requirement to implement 2FA; can you please let me know if any of these are feasible?

    1) Implement 2FA with OTP for AS ABAP (instead of AS JAVA), because our requirement is to have SSO configured for the Fiori Launchpad, which resides in the SAP NetWeaver Gateway ABAP system.

    2) Can we use Azure instead of the SAP SSO product and configure 2FA? If yes, what authenticator app and OTP modules can we use?

    Thanks in advance

    1. Donka Dimitrova Post author

      Hello Deepesh,

      Yes, you can implement 2FA with OTP for AS ABAP when you use the SAP Single Sign-On product. This scenario requires the Secure Login Server (SLS) implementation, because the authentication flow goes with 2FA (OTP) to the SLS, which on its side will issue the X.509 client certificate required by the AS ABAP.
      When you want to implement 2FA based on OTP for the AS ABAP, you have to make sure that the authentication service that will be enabled for 2FA with OTP is able to issue a token that can be used for authentication by the AS ABAP server (for example an X.509 client certificate).
      When the user interface is web based (like for example SAP Fiori), you can also use SAML as an authentication technology, but when your company is still using SAP GUI for Windows, you have to implement SSO via SNC, and this is possible only with Kerberos tokens and X.509 client certificates.
      Implementing 2FA with OTP for AS ABAP using the SAP Single Sign-On product is simple and easy, and you can also combine it with risk-based authentication wherever necessary. You can find more details on this topic in my blog https://blogs.sap.com/2015/05/22/stronger-security-for-your-business-data-at-risk/

      Regards,
      Donka Dimitrova

  5. Aleksandar Aleksandrov

    Hi,

    Go to NetWeaver Administrator, System Information, Components Info and search for SSOAUTHLIB – see the attached picture. The second number group of the version is the SSO version used.
