This blog is part of a series which is related to setting up Cloud Identity to authenticate Cloud Portal in different scenarios.

Setting up Authentication for Cloud Portal using Cloud Identity

Part 1 – Setting up SCI as IdP for a vendor facing Cloud Portal

Part 2 – Using Social Identity Providers to access Cloud Portal

Part 3 – Setup Self-registration form

Part 4 – Manage Cloud Portal Catalogs and roles

Part 5 – Mapping of groups between SCI and Cloud Portal

Part 6 – Setup 2FA for Cloud Portal access


In the previous blogs, we looked at some of the steps involved in enabling different types of authentication between Cloud Identity and Cloud Portal, and at the mapping of groups between Cloud Identity and Cloud Portal. When exposing a Portal to external vendors, there are requirements to highly secure the data being made available to the vendors. In particular, when certain roles within the vendor organization deal with the approval of certain processes, there is a need for two levels of authentication. Cloud Identity supports two-factor authentication, and it’s very easy to enable.

What is Two-Factor Authentication (2FA)

In simple terms, it refers to a user providing two means of identification from separate categories of credentials. In this case, it is going to be the user login/password followed by an access token which is only accessible to the user. The access token is generated by a mobile app (SAP Authenticator) which the user installs on their device.

I am going to describe this process in this blog to show how easy it is to set up a different authentication rule based on user groups. In our previous example, we dealt with the Employee and Manager roles. I am going to set a rule which enforces two-factor authentication for managers when they try to access the Cloud Portal.

Configure application in Cloud Identity

Navigate to Cloud Identity as an Admin and select the HCP account which is registered as an Application. From the “Authentication and Access” tab, select Risk-based Authentication as shown below.

                     

Click on the “Add Rule” button.

                   

Select “Two-Factor Authentication” as the action and select the Manager SCI group. We need this rule to be applicable only to Managers. Save your changes.

                   

                 

Activate 2FA from the User Profile

Log on to the SCI Profile page as a Manager by navigating to https://<your tenant>.accounts.ondemand.com/

                   

Scroll down to the Two-Factor Authentication section and click on the “Activate” button.

                   

You will be presented with the below screen. To proceed further, you will need to install an App on your mobile device.

                   

Configure SAP Authenticator Mobile App

Download the SAP Authenticator Mobile App from the Apple/Android store. Provide a password to protect your App and click on the + icon to add a new account. Turn on the switch to scan a QR code and point your camera at the QR code which was generated in the above step.

                   

Once the QR code is scanned, your account details will appear within the App. Make a note of the passcode which gets generated for this account and navigate to the Profile page in SCI, which has a prompt for the passcode.

  

                   

Provide the six-digit passcode as shown below and click on the “Activate” button.

                   

2FA has been successfully set up for this user, who is a manager.
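What the QR scan and the six-digit passcode amount to on the server side, as an added example that is not SAP's code or part of the original post. It assumes the passcode is a standard RFC 6238 time-based one-time password (HMAC-SHA1, 30-second step); the secret, the function names, the drift window and the replay check are constructed for illustration.

```python
import base64
import hashlib
import hmac
import struct

# Assumption: RFC 6238 TOTP with HMAC-SHA1, 30 s step, 6 digits. The actual
# parameters used by SCI / SAP Authenticator are not stated in this post.
STEP = 30
DIGITS = 6
# Constructed demo secret (the RFC 6238 test key), base32 as carried in a QR code.
DEMO_SECRET_B32 = base64.b32encode(b"12345678901234567890").decode()


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC the 8-byte counter, then dynamically truncate."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, now: float) -> str:
    """Passcode the authenticator app displays at Unix time `now`."""
    return hotp(secret, int(now // STEP))


def verify(secret: bytes, submitted: str, now: float,
           last_used_step: int = -1, window: int = 1):
    """Server-side check; returns the matched time step, or None.

    Tolerates +/- `window` steps of clock drift between phone and server and
    rejects any step at or before `last_used_step`, so a passcode that was
    already accepted cannot be replayed within its validity period.
    """
    current = int(now // STEP)
    matched = None
    for step in range(current - window, current + window + 1):
        # compare_digest keeps the comparison constant-time
        ok = hmac.compare_digest(hotp(secret, step), submitted)
        if ok and step > last_used_step:
            matched = step
    return matched


if __name__ == "__main__":
    key = base64.b32decode(DEMO_SECRET_B32)
    code = totp(key, 59)                       # what the app would show
    step = verify(key, code, 59)               # activation / login check
    print(code, step, verify(key, code, 59, last_used_step=step))
```

The caller stores the returned step per user and passes it back as `last_used_step` on the next login attempt.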

                   

Test the Cloud Portal

In the above step, we configured a user to be able to use 2FA. Log in to the Cloud Portal as the same user. In this case, the user has the Manager role, so SCI forces 2FA for this user.

You will be challenged with a login screen from SCI. Provide the usual login credentials for this user.

                   

The system will prompt for a passcode as part of the Two-Factor authentication process. Use the SAP Authenticator App to generate the passcode and key it in the below screen.

                   

On successful authentication, you should be able to see the Cloud Portal with the Manager roles for this user.

                   

This concludes the series of blogs which I have put together to show how to use SCI to authenticate HCP services. Hope you found it informative.
