Setting up Authentication for Cloud Portal using Cloud Identity – VI
This blog is part of a series on setting up Cloud Identity to authenticate Cloud Portal in different scenarios.
In the previous blogs, we had a look at some of the steps involved in enabling different types of authentication between Cloud Identity and Cloud Portal, as well as the mapping of groups between Cloud Identity and Cloud Portal. When exposing a Portal to external vendors, there are requirements to strongly protect the data being made available to the vendors. In particular, when certain roles within the vendor organization deal with approval of certain processes, there is a need for two levels of authentication. Cloud Identity supports two-factor authentication and it is very easy to enable.
What is Two-Factor Authentication (2FA)
In simple terms, it refers to a user providing two means of identification from separate categories of credentials. In this case, it is going to be the user login/password followed by an access token which is only accessible to the user. The access token is generated by a mobile app (SAP Authenticator) which the user installs on their device.
I am going to describe this process in this blog to show how easy it is to set up a different authentication rule based on user groups. In our previous example, we dealt with the Employee and Manager roles. I am going to set a rule which enforces two-factor authentication for managers when they try to access the Cloud Portal.
Configure application in Cloud Identity
Navigate to Cloud Identity as an Admin and select the HCP account which is registered as an Application. From the “Authentication and Access” tab, select Risk-based Authentication as shown below.
Click on the “Add Rule” button.
Select “Two-Factor Authentication” as the action and select the Manager SCI group, so that this rule applies only to Managers. Save your changes.
Activate 2FA from the User Profile
Log on to the SCI Profile page as a Manager by navigating to https://<your tenant>.accounts.ondemand.com/
Scroll down to the Two-Factor Authentication section and click on the “Activate” button.
Configure SAP Authenticator Mobile App
Download the SAP Authenticator Mobile App from the Apple or Android app store. Provide a password to protect the app and click on the + icon to add a new account. Turn on the switch to scan a QR code and point your camera at the QR code generated in the previous step.
Once the QR code is scanned, your account details will appear within the app. Make a note of the passcode which gets generated for this account and navigate to the Profile page in SCI, which prompts for the passcode.
Provide the six-digit passcode as shown below and click on the “Activate” button.
2FA has now been successfully set up for this user, who is a manager.
Test the Cloud Portal
In the above step, we configured a user to be able to use 2FA. Log in to the Cloud Portal as the same user. In this case, this user has the Manager role, hence SCI will enforce 2FA for this user.
You will be challenged with a login screen from SCI. Provide the usual login credentials for this user.
The system will then prompt for a passcode as part of the two-factor authentication process. Use the SAP Authenticator app to generate the passcode and key it into the screen below.
On successful authentication, you should be able to see the Cloud Portal with the Manager roles for this user.
This concludes the series of blogs I have put together showing how to use SCI to authenticate HCP services. I hope you found it informative.
Hi Murali,
Great blog, very descriptive!!
Just one question: rather than using the SAP Authenticator application, is it possible to send the OTP to a mobile phone or via email?
Regards
Radhika
Thanks. I don't think this feature is supported yet.
Dear Murali,
Thank you for the blog.
I have some questions / issues about the identity provider and the portal services. If you have the answers for them, it would be great!
1) In the Identity Authentication Administration Console, for my custom application (subaccount), I've added the user attribute Application Custom Attribute 1 as a SAML Assertion Attribute. Under user management I can't find where I can fill in a value for this attribute for a specific user... Do you have any idea?
2) When I access my site deployed on my Cloud Portal, it doesn't challenge me with a login screen; it goes directly to the FLP, logged in as a "Guest". Do you know why?
3) In my SCP subaccount I have my Local Service Provider set to Custom and Principal Propagation "Enabled". I've defined the Assertion-based Groups under the Application Identity Provider for the mapping of groups to roles. I tried leaving accounts.sap.com as the Platform Identity Provider, and also putting my custom Identity Authentication tenant in this role, but in both cases the services are not reachable, no matter whether I connect with my SAP user or my custom IDP user. For example, when I try to go to the Portal Admin page I get this error: "HTTP Status 500 - An internal application error occurred. Request: 0xxxxxxxx9 {my_subaccount_id}:flpnwc". Any idea about what I'm doing wrong?
Thank you in advance for your time and thanks again for the great work you provided.
Best regards,
Marco Silva
Hi Marco,
It's best to post these questions in the relevant forum for experts to respond to them.
Thanks,
Hi Murali,
I have a question. We are implementing this for the SAP CPIS (Cloud Platform Integration Suite) service.
BR
Shobhit
Hi Shobhit,
Please post a question in the forum. CPI Suite does not include the Identity Authentication Service (IAS). You should be able to configure 2FA for developers/admins accessing CPI Suite; you will require IAS for this.
Hi Murali Shanmugham,
What do we do when we delete the account in SAP Authenticator by mistake? I mean, how do we set it up again? I cannot find steps for that in the passcode screen. One of my teammates had this problem. It would be helpful if you can answer this.
Thanks
Vinay
Hi Vinay,
Was your teammate able to fix this? I am facing the same issue and am unable to log in to the portal now.
I tried to deactivate MFA from https://<tenant>.accounts.ondemand.com/ui/protected/profilemanagement and it's asking for a passcode.