This blog is part of a series which is related to setting up Cloud Identity to authenticate Cloud Portal in different scenarios.
Setting up Authentication for Cloud Portal using Cloud Identity
In the previous blogs, we looked at some of the steps involved in enabling different types of authentication between Cloud Identity and Cloud Portal, and at the mapping of groups between Cloud Identity and Cloud Portal. When exposing a Portal to external vendors, there are requirements to tightly secure the data being made available to the vendors. In particular, when certain roles within the vendor organization deal with approval of certain processes, there is a need to have two levels of authentication. Cloud Identity supports Two-Factor authentication and it’s very easy to enable it.
What is Two-Factor Authentication (2FA)
In simple terms, it refers to a user providing two means of identification from separate categories of credentials. In this case, it is going to be the user login/password followed by an access token which is only accessible to the user. The access token is generated by a Mobile App (SAP Authenticator) which the user installs on their device.
I am going to describe this process in this blog to show how easy it is to set up a different authentication rule based on the user groups. In our previous example, we dealt with the Employee and Manager roles. I am going to set a rule which enforces two-factor authentication for managers when they try to access the Cloud Portal.
Configure application in Cloud Identity
Navigate to Cloud Identity as an Admin and select the HCP account which is registered as an Application. From the “Authentication and Access” tab, select Risk-based Authentication as shown below.
Click on the “Add Rule” button.
Select “Two-Factor Authentication” as action and select the Manager SCI group. We need this rule to be only applicable for Managers. Save your changes.
Activate 2FA from the User Profile
Log on to the SCI Profile page as a Manager by navigating to https://<your tenant>.accounts.ondemand.com/
Scroll down to the Two-Factor Authentication section and click on the “Activate” button.
You will be presented with the below screen. To proceed further, you will need to install an App on your mobile device.
Configure SAP Authenticator Mobile App
Download the SAP Authenticator Mobile App from the Apple/Android store. Provide a password to protect your App and click on the + icon to add a new account. Turn on the switch to scan a QR code and point your camera at the QR code which was generated in the above step.
Once the QR code is scanned, your account details will appear within the App. Make a note of the passcode which gets generated for this account and navigate to the Profile page in SCI, which has a prompt for the passcode.
Provide the six-digit passcode as shown below and click on the “Activate” button.
2FA has been successfully set up for this user who is a manager.
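How a six-digit passcode of this kind is derived from the secret in the QR code and checked at login, as an added example that is not from the original blog or SAP's code. It assumes the app produces standard RFC 6238 time-based passcodes (HMAC-SHA1, 30-second step); the secret is the RFC 6238 test key and the function names are hypothetical.

```python
import base64
import hashlib
import hmac
import struct

# Constructed sample: the RFC 6238 test key ("12345678901234567890") in Base32.
SECRET = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def _code(key: bytes, counter: int, digits: int = 6) -> str:
    """HOTP (RFC 4226) value for one counter, zero-padded to `digits`."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def totp(secret_b32: str, unix_time: int, step: int = 30) -> str:
    """Passcode the authenticator app would display at `unix_time`."""
    return _code(base64.b32decode(secret_b32), unix_time // step)


def verify(secret_b32, candidate, unix_time, last_counter=-1, window=1, step=30):
    """Server-side check. Returns the matched time-step counter, or None.

    window      : steps of clock drift tolerated either side of "now"
    last_counter: highest counter already accepted for this user; anything
                  at or below it is refused so a passcode cannot be replayed
    """
    key = base64.b32decode(secret_b32)
    now = unix_time // step
    matched = None
    for counter in range(max(0, now - window), now + window + 1):
        if counter <= last_counter:
            continue
        # Constant-time comparison; no early exit on a match.
        if hmac.compare_digest(_code(key, counter).encode(), str(candidate).encode()):
            matched = counter
    return matched


if __name__ == "__main__":
    t = 1111111111
    print("app shows:", totp(SECRET, t))
    step_used = verify(SECRET, totp(SECRET, t), t)
    print("accepted at counter:", step_used)
    print("replay:", verify(SECRET, totp(SECRET, t), t, last_counter=step_used))
```

The caller stores the returned counter per user and passes it back as `last_counter` on the next login, which is what makes an observed passcode useless a second time.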
Test the Cloud Portal
In the above step, we have configured a user to be able to use 2FA. Log in to the Cloud Portal as the same user. In this case, this user has the Manager role. Hence, SCI would force 2FA for this user.
You will be challenged with a login screen from SCI. Provide the usual login credentials for this user.
The system will prompt for a passcode as part of the Two-Factor authentication process. Use the SAP Authenticator App to generate the passcode and key it in the below screen.
On successful authentication, you should be able to see the Cloud Portal with the Manager roles for this user.
This concludes the series of blogs which I have put on showing how to use SCI to authenticate HCP services. Hope you found it informative.