How to Define Risk-Based Authentication Rules with SAP HANA Cloud Platform Identity Authentication (previously SAP Cloud Identity)
How do you control access to your cloud applications?
Do you take the cautious route and deny access from outside your corporate network, or the liberal one and allow access from anywhere?
Would you rather set different rules for different users, for different applications, and according to the network from which the users try to reach the protected applications?
If yes, then SAP HANA Cloud Platform Identity Authentication (Identity Authentication for short) gives you exactly that flexibility: authentication rules tailored to your business needs.
Let’s take a closer look at the available options and variants to configure Risk-Based Authentication.
With Risk-Based Authentication, you can set different rules for each application according to the following factors:
1. User group membership of the authenticating user:
i. Cloud user group, defined in the Identity Authentication service
ii. On-premise user group (e.g. LDAP user group, SAP NetWeaver AS UME group, or ABAP roles exposed as UME groups), if you use the Corporate User Store scenario (authentication against an on-premise user store: LDAP, SAP NW AS Java or SAP NW AS ABAP)
2. Network IP ranges from which the users log in to the applications
For the combination of these factors, you can define actions to be performed:
- Allow access
- Enforce Two-Factor Authentication
- Deny access
The rules are evaluated in priority order, and the first rule whose conditions are met decides. If none of the conditions of the defined rules is met, the default action is performed.
In this blog you can find the following examples of risk-based authentication rule sets:
- Enable Two-Factor Authentication for all the users of an application
- Deny access from outside corporate network for everybody, except a certain group of users that would be asked to authenticate with Two-Factor Authentication
- Allow access only for the users that exist in Microsoft Active Directory
- Deny Access to an application
- Apply stronger security for the administrators’ access to the Administration Console of the Identity Authentication service
1. Enable Two-Factor Authentication for all the users of an application
For an application that needs a higher level of protection, you can require all users to provide a One-Time Password (code) generated on a mobile device (SAP Authenticator, available on iOS, Android and Windows, or any authenticator app compatible with RFC 6238).
Prerequisites:
1. You have added your application and configured trust between your application (SAML SP) and Identity Authentication (SAML IdP). For SAP HCP apps, see here
2. You have an administrator account for the Identity Authentication service with the “Manage Applications” role enabled
Here are the steps you need to take:
1. Go to your application in the Administration Console of the Identity Authentication service: navigate to https://<your tenant ID>.accounts.ondemand.com/admin/ and log in with your administrator credentials
2. In the left menu, go to “Applications and Resources” -> “Applications”
3. Choose your application from the list of applications on the left side
4. Navigate to the “Authentication and Access” tab
5. Choose “Risk-Based Authentication”
6. Change Default Action from “Allow” to “Two-Factor Authentication” and click “Save”
The result for the end users:
All users are prompted to provide a One-Time Password when they log in to the application.
2. Deny access from outside corporate network for everybody, except a certain group of users that would be asked to authenticate with Two-Factor Authentication
Follow all the steps up to step 5 from the previous example; the prerequisites are also the same.
Define the following rules:
1st Rule: Allow access from within the IP range of your corporate network.
2nd Rule: Require Two-Factor Authentication for any user who is a member of the Cloud User Group “Manager”.
In addition, deny access to all other users by setting the Default Action to “Deny”.
The rules are executed in priority order until the conditions of a rule are met. If none of the conditions of the defined rules is met, the default action is performed. Note that order matters here: the network rule comes first, so a “Manager” inside the corporate network is simply allowed, while a “Manager” outside it is asked for a second factor.
When users who are not members of the Cloud User Group “Manager” try to access the application from outside the corporate network, they get the following message:
Find more info about Cloud User Groups:
3. Allow access only for on-premise users that exist in Microsoft Active Directory
Prerequisites:
1. You have configured authentication against the Corporate User Store (with Microsoft Active Directory); additionally, see this blog
2. You have added your application and configured trust between your application (SAML SP) and the Identity Authentication service (SAML IdP). For SAP HCP apps, see here
3. You have an administrator account for the Identity Authentication service with the “Manage Applications” role enabled
Follow all the steps up to step 5 from example 1.
Assign all the users to a Microsoft Active Directory group (e.g. called “MSAD Everybody”), define a rule that allows access for members of that group, and set the Default Action to “Deny”. Members of the group can then authenticate to your cloud application, and all other users are denied.
You can define other more complex rules for other Microsoft Active Directory Groups, for example:
- An administrator has access only from within the corporate network and must provide two means of authentication (Two-Factor Authentication).
- Partners outside of their corporate network must also authenticate with Two-Factor Authentication.
- All users of this application must belong to the on-premise Microsoft Active Directory user group “MSAD Everybody”.
- For all other users, access is denied.
If you have configured the Corporate User Store scenario of the Identity Authentication service to authenticate against an SAP NetWeaver AS Java server, you can define the same type of rules for the other kinds of on-premise user groups that option supports: UME groups, user groups of the connected LDAP directories, or ABAP roles exposed as UME groups. See the documentation about UME groups.
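To make the priority-ordered evaluation of examples 2 and 3 concrete, here is an added simulation (not part of the original post and not SAP code) of how a rule set resolves to Allow, Two-Factor Authentication or Deny. The corporate IP range and the Active Directory group names other than “MSAD Everybody” are constructed placeholders.

```python
import ipaddress
from dataclasses import dataclass

# Actions offered by Risk-Based Authentication
ALLOW, TWO_FACTOR, DENY = "Allow", "Two-Factor Authentication", "Deny"


@dataclass(frozen=True)
class Rule:
    """One rule: an action plus optional group and IP-range conditions."""
    action: str
    groups: frozenset = frozenset()   # empty means "any user"
    networks: tuple = ()              # empty means "any network"

    def matches(self, user_groups, ip):
        if self.groups and not (self.groups & user_groups):
            return False
        if self.networks and not any(ip in net for net in self.networks):
            return False
        return True


def evaluate(rules, default_action, user_groups, client_ip):
    """Walk the rules in priority order: the first rule whose conditions
    are met decides; if no rule matches, the default action applies."""
    ip = ipaddress.ip_address(client_ip)
    groups = frozenset(user_groups)
    for rule in rules:
        if rule.matches(groups, ip):
            return rule.action
    return default_action


# Constructed corporate IP range (placeholder, not a real value)
CORP_NET = (ipaddress.ip_network("10.0.0.0/8"),)

# Example 2: allow from the corporate network, 2FA for "Manager", deny others
EXAMPLE2_RULES = [
    Rule(ALLOW, networks=CORP_NET),
    Rule(TWO_FACTOR, groups=frozenset({"Manager"})),
]

# Example 3 (hypothetical AD group names): administrators get 2FA inside the
# corporate network and are denied outside it, partners always get 2FA,
# members of "MSAD Everybody" are allowed, the default action denies the rest.
# The explicit Deny for administrators must precede the Allow for everybody,
# otherwise an administrator who is also in "MSAD Everybody" slips through.
EXAMPLE3_RULES = [
    Rule(TWO_FACTOR, groups=frozenset({"MSAD Administrators"}), networks=CORP_NET),
    Rule(DENY, groups=frozenset({"MSAD Administrators"})),
    Rule(TWO_FACTOR, groups=frozenset({"MSAD Partners"})),
    Rule(ALLOW, groups=frozenset({"MSAD Everybody"})),
]
```

Call `evaluate(EXAMPLE2_RULES, DENY, {"Manager"}, "203.0.113.5")` to see a manager outside the corporate network land on Two-Factor Authentication.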
4. Deny access to an application
Follow all the steps up to step 5 from example 1; the prerequisites are also the same.
Before your application goes live, you can deny access to everybody by setting the Default Action to “Deny”.
Once you are ready to go live, simply change the Default Action to “Allow”.
5. Apply stronger security for the administrators’ access to the Administration Console of the Identity Authentication service
5.1. Define Risk-Based Authentication rules for the Administration Console
The Administration Console is listed as a System Application, and you can define your own rules for it, e.g. allow administrators access only from inside your corporate network, or require administrators to always authenticate with a second factor.
5.2. Define a Custom Password Policy and assign it to the Administration Console
1. Go to “Password Policies” from the left menu and choose “Add Custom Policy”
2. Create your own Password Policy, according to your security needs
3. Assign it to the Administration Console
In a nutshell, you have the freedom to configure authentication to your applications flexibly, based on your security requirements and corporate needs. You can also enforce stronger password policies for your applications.
Enjoy your journey with Risk-Based Authentication!
Did not follow step-by-step. But nice blog about risk-based authentication. Thanks
How do I configure my on-premise web application, developed in the Java language, and provide my on-premise users with single sign-on and OTP on the HANA Cloud Platform?
Is it mandatory that my web application be deployed on the HCP?
If you run applications on NW AS Java, you can configure trust with SAP Cloud Identity and then the authentication would happen against the SAP Cloud Identity SAML IDP, and you will benefit from the SSO and OTP capabilities.
My on-premise web application is hosted on GoDaddy, and it runs on an Apache Tomcat server.
Is it mandatory that my application run on SAP NW AS Java, an SAP server, only?
Thanks for the reply. I have a client whose website is developed in the PHP language.
How do I enable SAML 2.0 trust on the website, and how do I integrate it with SAP Cloud Identity? Can you please help me with this, with some prototype?
Very nice blog. For TOTP generation, has SMS/email based OTP creation been added to the Cloud Identity features, or does it support only app based OTP generation?
All of the examples in this blog apply to Applications. How can I apply risk-based authentication to services like WEBIDE? I have a requirement to restrict WEBIDE access to specific IP addresses.