Simple Configuration Example for Implementing Two-Factor Authentication (2FA)
How to protect your AS Java application with Two-Factor Authentication (2FA) based on Time-Based One-Time Passwords (TOTP)
Goal: You want to improve the security of an application running on an AS Java server using a simple 2FA solution.
Prerequisite: You have a license for the SAP Single Sign-On product.
In this blog you will find the simple steps for configuring 2FA based on TOTP for an AS Java application using the SAP Single Sign-On product.
Time-Based One-Time Passwords (TOTP) are passcodes computed from a shared secret key and the current time (see RFC 6238): the secret is provisioned once to the user's passcode generator and to the server, and both sides derive the same short code from it for the current 30-second time step. The SAP Single Sign-On product offers a two-factor authentication solution based on TOTP. Such authentication is stronger than a password alone because a passcode is valid for only one time step (30 seconds; servers typically tolerate a clock skew of one or two steps), the server accepts a given passcode for a single logon attempt, and the logon combines two means of identification: something the user knows (the password checked by the first-factor login module) and something the user possesses (the mobile device that holds the TOTP secret and runs the passcode generator). Note that the PIN or biometric that unlocks the phone only protects the secret stored on the device; it is not a factor that the AS Java server verifies. SAP offers a passcode generator mobile application called “SAP Authenticator” (available at the moment for iOS, Android and Windows devices) that generates 6-digit or 8-digit passcodes.
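To make the mechanism concrete, here is an added example in Python (my code, not part of the original blog and not the implementation of SAP's TOTPLoginModule): an RFC 6238 generator with the 30-second step described above, and a verifier that tolerates one step of clock skew and refuses a passcode that has already been accepted. The user name, the window size and the replay rule are this example's own choices; the secret is the RFC 6238 test-vector key, so the output can be checked against the published vectors (time 59 with 8 digits gives 94287082).

```python
"""Added example (not code from the original blog or from the SAP Single Sign-On
product): an RFC 6238 TOTP generator plus the server-side checks the text
describes: a 30-second time step, a small clock-skew window and one-time use
of an accepted passcode."""
import hashlib
import hmac
import struct

TIME_STEP = 30  # seconds per TOTP time step (RFC 6238 default, as used in the text)


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, dynamic
    truncation to a 31-bit integer, then the last `digits` decimal digits."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    binary = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: int, digits: int = 6, step: int = TIME_STEP) -> str:
    """RFC 6238 TOTP: HOTP with the counter T = floor(unix_time / step)."""
    return hotp(secret, unix_time // step, digits)


class TotpVerifier:
    """Server side of the second login stage.

    Accepts the passcode of the current time step or of `window` neighbouring
    steps (tolerating clock skew between phone and server), and remembers the
    highest step already used per user, so a passcode that was seen once (for
    example shoulder-surfed) cannot be replayed while it is still inside the
    window. The window size and the replay rule are this example's choices,
    not documented settings of SAP's TOTPLoginModule.
    """

    def __init__(self, digits: int = 6, window: int = 1, step: int = TIME_STEP):
        self.digits = digits
        self.window = window
        self.step = step
        self._last_step = {}  # user id -> highest accepted time-step counter

    def verify(self, user: str, secret: bytes, passcode: str, unix_time: int) -> bool:
        # Reject anything that is not exactly `digits` ASCII digits before comparing.
        if not (len(passcode) == self.digits and passcode.isascii() and passcode.isdigit()):
            return False
        now = unix_time // self.step
        for counter in range(max(0, now - self.window), now + self.window + 1):
            if hmac.compare_digest(hotp(secret, counter, self.digits), passcode):
                if counter <= self._last_step.get(user, -1):
                    return False  # this step was already consumed: replay
                self._last_step[user] = counter
                return True
        return False


if __name__ == "__main__":
    import time
    # Constructed demo secret (the RFC 6238 test key); a real secret is
    # provisioned to the phone via the QR code during device setup.
    demo_secret = b"12345678901234567890"
    print("current 6-digit passcode:", totp(demo_secret, int(time.time())))
```

The replay rule (a time step is consumed at most once per user, and only in increasing order) is what makes "one logon attempt per passcode" true on the server side; it is state that a login module has to keep between requests, in addition to the shared secret.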
Note: The SAP Single Sign-On product also offers 2FA alternatives to TOTP, such as a One-Time Password (OTP) sent via SMS or e-mail, or integration with a RADIUS server (for example RSA), but in this blog I will provide the configuration details only for 2FA based on TOTP.
How to use 2FA based on TOTP to protect an application running on AS Java:
We assume that the authentication stack of your application is currently configured with the default login module, BasicPasswordLoginModule, so users have to provide their user ID and password in order to be authenticated.
In my configuration example I will use a sample Java application that simply displays the user name of the logged-on user and also shows which authentication method was used.
Open the NWA using this link https://<host>/nwa and the credentials of an administrative user.
Navigate to Configuration > Authentication and Single Sign-On > Authentication tab > Components
Find the Policy Configuration that you want to use and look at its authentication stack. In my example the screenshot shows the Policy Configuration of my simple custom Java application.
Initial state of the configuration:
The user experience before configuring 2FA based on TOTP is the following:
The user is requested to provide his/her user ID and password:
When the credentials are correct, the user is successfully authenticated. Based on the logic of my simple application, the user name is displayed together with the authentication method “Password”:
Now let’s do the configuration for implementing 2FA based on TOTP:
Click “Edit” for the Policy Configuration that you want to configure and change the login module in its authentication stack from BasicPasswordLoginModule to TOTPLoginModule, keep the flag “SUFFICIENT” and click “Save”.
In our example we want to keep the first-stage login with user ID and password and add a second stage in which the user is prompted for a passcode (TOTP). This is why we keep the OTP settings of the system at their default values (the setting “First Factor Login Module” keeps its default value “BasicPasswordLoginModule”). Here you can see a screenshot of the default configuration in the OTP Administrative UI. To open the OTP Administrative UI use this link https://<host>/otpadmin and the credentials of your administrative user:
Now it is time to test the configuration “Password + OTP”:
First the user is prompted for his/her user ID and password:
In the second login stage the user has to provide a TOTP passcode, but because no mobile device is configured for the account yet, the user is informed that he/she needs to activate a mobile device:
In order to test the configuration to the end, you need to set up your mobile device for TOTP:
Prerequisite: You have the SAP Authenticator mobile application installed on your mobile device.
1. Open the self-service for Mobile Device Setup via this link: https://<host>/otp and log in with the test account.
2. Click the link “Set Up Account on Device”.
3. A QR code is displayed. In the SAP Authenticator mobile application tap “Add new account”, scan the QR code and tap “Done” on the mobile app. The QR code carries the shared TOTP secret, so treat it like a credential: do not leave it on screen longer than needed and do not keep screenshots of it. The mobile application starts generating TOTP passcodes immediately, but before you start using them you have to finish the setup by clicking “Finish” in the self-service procedure on the PC:
Now we can finally test the configuration:
You have to start the authentication again with the user ID and password:
In the second login stage you are prompted for a passcode generated for your test user by the SAP Authenticator on your mobile device. Type the current passcode and click “Log On”:
When you provide a valid passcode you are authenticated successfully and you see that the authentication method is “Password + OTP”:
Note: In order to make your login form display “Passcode” for the second stage of the authentication, make sure that you are using the proper “Alias of Application for Customizing Login Pages (ume.logon.application.ui_resources_alias)” with the value /otp_logon_ui_resources (this alias comes with the implementation of SSO AUTHENTICATION LIBRARY 2.0). You configure it here:
Navigate to Authentication and Single Sign-On > Authentication tab > Properties. See:
One more scenario: “SPNEGO + OTP”:
If you already use a single sign-on technology in your company, for example Kerberos/SPNEGO, you can also easily implement 2FA based on TOTP. You simply combine the login module that you use at the moment with OTP, for example “SPNEGO + OTP” or “X.509 + OTP”.
I will provide the details for the “SPNEGO + OTP” configuration; you can do the configuration for other login modules following the same approach.
Note: As usual, when you want to use SPNEGO as the first authentication attempt, your AS Java system needs to be configured for SPNEGO already (see the screenshot with the example):
If you currently use the SPNegoLoginModule in the authentication stack of your application, like here:
You have to do two things:
1) Simply replace the SPNegoLoginModule with TOTPLoginModule in the authentication stack of your application (this is similar to the configuration we did for the “Password + OTP” scenario):
2) Go to the OTP Administrative UI, change the default setting of “First Factor Login Module” to SPNegoLoginModule and don't forget to save. See the screenshot with the configuration below:
Now your application uses “SPNEGO + OTP” authentication.
Test of the new configuration:
If we access the application with an account that is already authenticated to the Microsoft domain, the first authentication stage is SPNEGO and the user sees only the second authentication stage, where he/she is prompted to provide a TOTP passcode:
When a correct TOTP passcode is provided, the user is successfully authenticated and the authentication method is “SPNEGO + OTP”:
An alternative scenario: “SPNEGO or Password + OTP”:
This scenario is important when you have to protect an application that is also used on kiosk/shared PCs. In such cases you have one group of users who have a Kerberos token, for whom SPNEGO works, but you also have to manage secure access for another group of users who use shared PCs, where single sign-on is not an option. To protect such an application you can simply configure both login modules in the OTP settings, separated by a comma: type BasicPasswordLoginModule after SPNegoLoginModule, like this: “SPNegoLoginModule,BasicPasswordLoginModule”.
With this simple configuration you offer “SPNEGO + OTP” authentication to the first group of users (who are logged on to the Microsoft domain) and “Password + OTP” authentication to the other group of users (who use the application from a kiosk/shared PC).
Note: Make sure that SPNegoLoginModule is configured in the first place; otherwise every user is prompted directly for “Password + OTP” and SPNEGO is not used even for users who have a Kerberos token available.
See the screenshot of the configuration:
You can find more details about 2FA based on TOTP and all available settings in our documentation here:
Thanks for the useful blog. Kindly let me know from which AS Java version this TOTP login module is available.
As I mentioned at the beginning of my blog, the prerequisite is to have a license for the SAP Single Sign-On product. The TOTPLoginModule comes with SSO AUTHENTICATION LIBRARY 2.0, which is part of the product. You can install the library on AS Java 7.30 or higher.
Thanks for your quick response and clarification.
Thank you for this blog it is very helpful to start playing with TOTP.
I have one question regarding the authentication step:
I am using the TOTP module (in a SAML2 context) with AS Java 7.42, and I am facing an issue when users are required to reset the password. I have the first screen for login/password. After that I have the passcode screen, and when I am in the change password screen I get an error that says I need to give a passcode again. So it triggers a login failure in the authentication traces.
Is the password reset supported by this login module, or should we not use it in this case? We are using basic form login to reset the password (without TOTP) for the moment.
Thank you and regards,
The flow is correct: a password change is triggered when the authentication has completed, meaning a valid passcode was provided at the second step. However, the password change at that stage should work as expected and no additional passcode is required. Could you please make sure that you use the latest version of the SSOAUTHLIB component (SP6 patch level 2), and that you have configured the OTP logon application (alias /otp_logon_ui_resources)? If this is the case then I would recommend opening a ticket in component BC-IAM-SSO-OTP. Please attach to the ticket the traces collected as described here: Collecting Traces with the Security Troubleshooting Wizard - One-Time Password Authentication - SAP Library.
After some troubleshooting, I found that the TOTP module was called twice (thank you for the link) but we stayed on the same page (asking for: old password, new password, repeat password). It was a mistake in the SAML2 configuration. We were calling two authentication contexts with the same login module (TOTPLoginModule).
Thank you for your help,
Excellent blog! We have a requirement right now for using Fiori Launchpad from mobile devices. Is it possible to authenticate Fiori Launchpad only from Active Directory and without using SAP Authenticator? Or is this the only way to use SAP Fiori apps on iOS and Android devices? We have a licence to use SAP SSO.
If you want to use the SAP Fiori Client (native mobile application) you can choose between single sign-on based on X.509 client certificates or our Mobile SSO solution available with the SAP Single Sign-On product.
If you choose the X.509 certificates you have to use a solution like SAP Mobile Platform Server. See the details and prerequisites here:
If you choose our Mobile SSO solution you have to use the SAP Authenticator and the implementation is described here in this step-by-step guide:
Mobile Single Sign-On for SAP Fiori - Step-by-Step Guide
Thanks a lot for the quick response.
We use SAP Afaria MDM on cloud. Is it enough? Or should it be SAP Mobile Platform itself?
Does X.509 certificate mean authentication using certificates, never with any user ID and password?
Yes, it will also be possible to do this with Afaria. See the details here:
User Authentication and Single Sign-On - SAP Fiori Client - SAP Library
Thanks a lot Donka for your valuable information. Now, we can conceptualize our project for SSO.
Thanks a lot Donka.
With the help of your blog I was able to configure the Two Factor Authentication.
The blog had all the required info to configure 2FA. I do appreciate all your help and support for the community.
Is there a way to configure 2FA only for /irj/portal and exclude /nwa etc others.
We have requirement to implement 2FA, can you please let me know if any of these are feasible?
1) Implement 2FA with OTP for AS ABAP (instead of AS JAVA) because our requirement is to have SSO configured for Fiori Launch pad which resides in SAP Netweaver Gateway ABAP system.
2) Can we use Azure instead of SAP SSO product and configure 2FA ? If yes, what Authenticator app and OTP modules can we use?
Thanks in advance
Yes, you can implement 2FA with OTP for AS ABAP when you use the SAP Single Sign-On product. This scenario requires the Secure Login Server (SLS) implementation, because the authentication flow goes with the 2FA (OTP) to the SLS, which on its side issues the X.509 client certificate required by the AS ABAP.
When you want to implement 2FA based on OTP for the AS ABAP, you have to make sure that the authentication service enabled for 2FA with OTP is able to issue a token that can be used for authentication by the AS ABAP server (for example an X.509 client certificate).
When the user interface is web based (like SAP Fiori, for example), you can also use SAML as an authentication technology, but when your company is still using SAP GUI for Windows, you have to implement SSO via SNC, and this is possible only with Kerberos tokens and X.509 client certificates.
Implementing 2FA with OTP for AS ABAP using the SAP Single Sign-On product is simple and easy and you can also combine it with the risk-based authentication wherever necessary. You can find more details on this topic in my blog https://blogs.sap.com/2015/05/22/stronger-security-for-your-business-data-at-risk/
How can we check the version and SP level of the SAP Single Sign-On component?
Go to NetWeaver Administrator, System Information, Components Info and search for SSOAUTHLIB; see the attached picture. The second number group of the version is the SSO version used.
I want to achieve the configuration shown in the screen below, wherein my SAP portal is authenticated through my AD credentials but I can also log in to my ECC and BW systems. Let me know what steps need to be done.
Thank you for the blog! Any chance you could provide the code for the simple app you are using for testing? To display Username, User principal, and User principal class.
Very nice blog to start with.
I would like to know if there is any configuration where, while using 2FA, the user can choose whether the OTP is required over SMS or e-mail and then get the OTP accordingly.
Or is there any option to enable both SMS and e-mail for the user to receive the OTP?
This is not something that the user can choose at runtime. You can, however, check in a script whether a user has OTP configured, has a phone that can receive SMS, or otherwise use e-mail for sending the passcode. Please see the following document: https://help.sap.com/viewer/a2ee572048674dd4bef257616560cc94/3.0/en-US/3cd788a749ec427cafea6aa40d596843.html#07e9854351fa479b99301c738e572eb5.html
Thanks for the helpful blog.
Is it possible to activate OTP for individual users via group or role assignment in case we don't want to activate OTP for all users?
Is there any way the 2FA can be used for SAP GUI login?
Yes, with the SAP Single Sign-On product you can implement two-factor authentication with SAP GUI. Two-factor authentication works with X.509 client certificates that are issued by the Secure Login Server. To get the certificate, the end user needs to perform two-factor authentication as defined in the Secure Login Server profile for the given ABAP system or list of ABAP systems.
You can find the documentation here:
Thanks a lot Martina
Thanks for your wonderful Blog, It helped me a lot in configuration.
Could you please clarify: once the TOTP module is configured, the system always prompts for a passcode as a second screen. In this case, what about new users? How can they register their device without a passcode when they are registering for the first time?
Please refer to the documentation here:
One-Time Password Authentication Implementation Guide