
Setting up Authentication for Cloud Portal using Cloud Identity – VI

This blog is part of a series which is related to setting up Cloud Identity to authenticate Cloud Portal in different scenarios.

Setting up Authentication for Cloud Portal using Cloud Identity

Part 1 – Setting up SCI as IdP for a vendor facing Cloud Portal

Part 2 – Using Social Identity Providers to access Cloud Portal

Part 3 – Setup Self-registration form

Part 4 – Manage Cloud Portal Catalogs and roles

Part 5 – Mapping of groups between SCI and Cloud Portal

Part 6 – Setup 2FA for Cloud Portal access

In the previous blogs, we looked at some of the steps involved in enabling different types of authentication between Cloud Identity and Cloud Portal, and at the mapping of groups between Cloud Identity and Cloud Portal. When a Portal is exposed to external vendors, the data made available to them must be well protected. In particular, where certain roles within the vendor organization approve processes, a second level of authentication is needed. Cloud Identity supports two-factor authentication, and it is easy to enable.

What is Two-Factor Authentication (2FA)

In simple terms, it refers to a user providing two means of identification from separate categories of credentials. In this case, it is the user's login/password followed by a one-time passcode which only that user can produce. The passcode is generated by a mobile app (SAP Authenticator) which the user installs on their device; the app is enrolled once by scanning a QR code and from then on produces a fresh six-digit code for each login.
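As an added example (not code from the original post, and not SAP's implementation), the following Python shows what happens underneath the enrolment and passcode steps described above, plus the verifier-side checks a practitioner wants: a clock-drift window and rejection of an already-used passcode. It assumes SAP Authenticator behaves as a standard TOTP app per RFC 6238 (HMAC-SHA1, 30-second step, six digits) and that the QR code encodes an otpauth:// URI; the account name and issuer are constructed for illustration.

```python
"""TOTP enrolment and verification with the Python standard library only.

Added example, not code from the original post. It assumes (the post does not
say so) that SAP Authenticator is a standard TOTP app (RFC 6238): the QR code
encodes an otpauth:// URI carrying a Base32 secret, and codes are six digits
derived from HMAC-SHA1 over a 30-second time step.
"""
import base64
import hashlib
import hmac
import secrets
import struct
import time
from urllib.parse import quote

STEP_SECONDS = 30
DIGITS = 6


def new_secret(nbytes: int = 20) -> str:
    """Random shared secret, Base32-encoded as authenticator apps expect."""
    return base64.b32encode(secrets.token_bytes(nbytes)).decode("ascii")


def provisioning_uri(secret: str, account: str, issuer: str) -> str:
    """The otpauth:// URI that the enrolment QR code encodes (assumed format)."""
    label = quote(f"{issuer}:{account}")
    return (f"otpauth://totp/{label}?secret={secret}&issuer={quote(issuer)}"
            f"&algorithm=SHA1&digits={DIGITS}&period={STEP_SECONDS}")


def hotp(secret: str, counter: int) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamic truncation."""
    key = base64.b32decode(secret, casefold=True)
    digest = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    binary = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % 10 ** DIGITS).zfill(DIGITS)


def time_step(at=None) -> int:
    """Current 30-second time step (or the step for a given Unix time)."""
    return int((time.time() if at is None else at) // STEP_SECONDS)


def totp(secret: str, at=None) -> str:
    """What the app displays: HOTP with the current time step as the counter."""
    return hotp(secret, time_step(at))


class TotpVerifier:
    """Server-side check: tolerate one step of clock drift either way, and never
    accept a time step that has already been consumed. This blocks replay of a
    code captured (shoulder-surfed, phished) and re-sent within the same window."""

    def __init__(self, secret: str, window: int = 1):
        self.secret = secret
        self.window = window
        self.last_step = -1  # highest time step already accepted for this user

    def verify(self, code: str, at=None) -> bool:
        now = time_step(at)
        for step in range(now - self.window, now + self.window + 1):
            if step <= self.last_step:
                continue  # this step (or an older one) was already used: reject replay
            if hmac.compare_digest(hotp(self.secret, step), code):
                self.last_step = step
                return True
        return False


if __name__ == "__main__":
    secret = new_secret()
    print(provisioning_uri(secret, "manager@example.com", "SCI"))  # constructed labels
    code = totp(secret)
    verifier = TotpVerifier(secret)
    print(code, verifier.verify(code), verifier.verify(code))  # second call is a replay
```

Two design points: the verifier compares with `hmac.compare_digest` rather than `==`, so response time does not leak how many digits matched, and it records the last accepted time step so the same passcode cannot be presented twice even while it is still inside the drift window.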

I am going to describe this process in this blog to show how easy it is to set up a different authentication rule based on user groups. In our previous example, we dealt with the Employee and Manager roles. I am going to set a rule which enforces two-factor authentication for managers when they access the Cloud Portal.

Configure application in Cloud Identity

Navigate to Cloud Identity as an Admin and select the HCP account which is registered as an Application. From the “Authentication and Access” tab, select Risk-based Authentication.


Click on the “Add Rule” button.


Select “Two-Factor Authentication” as the action and select the Manager SCI group, so that the rule applies only to Managers. Save your changes.



Activate 2FA from the User Profile

Log on to the SCI Profile page as a Manager by navigating to https://<your tenant>


Scroll down to the Two-Factor Authentication section and click on the “Activate” button.


Configure SAP Authenticator Mobile App

Download the SAP Authenticator mobile app from the Apple App Store or Google Play. Provide a password to protect the app and tap the + icon to add a new account. Turn on the “Scan a QR code” switch and point your camera at the QR code generated in the step above.


Once the QR code is scanned, the account details appear within the app. Make a note of the passcode generated for this account and navigate to the Profile page in SCI, which prompts for the passcode.



Provide the six-digit passcode and click on the “Activate” button.


2FA has now been set up for this user, who is a Manager.


Test the Cloud Portal

In the step above, we configured a user to use 2FA. Log in to the Cloud Portal as the same user. This user has the Manager role, so SCI will enforce 2FA.

You will be challenged with a login screen from SCI. Provide the usual login credentials for this user.


The system then prompts for a passcode as part of the two-factor authentication process. Use the SAP Authenticator app to generate the passcode and enter it on that screen.


On successful authentication, you should see the Cloud Portal with the Manager roles for this user.


This concludes the series of blogs showing how to use SCI to authenticate HCP services. I hope you found it informative.

      Former Member

      Hi Murali,

      Great Blog,very descriptive!!

      Just one question: rather than using the SAP Authenticator application, is it possible to send the OTP to a mobile or via email?




      Murali Shanmugham (Blog Post Author)

      Thanks. I don't think this feature is supported yet.

      Marco SILVA

      Dear Murali,


      Thank you for the blog.


      I have some questions / issues about the identity provider and the portal services. If you have the answers for them, it would be great!

      1) In Identity Authentication Administration Console, for my custom application (subaccount), I've added as SAML Assertion Attributes user attribute Application Custom Attribute 1. Under user management I can't find where I can fill a value for this attribute for a specific user... Have you an idea?

      2) When I access my site deployed on my Cloud Portal it doesn't challenge me with a login screen; it goes directly to the FLP logged in as a "Guest". Do you know why?

      3) In my SCP subaccount I've my Local Service Provider as Custom and Principal Propagation "Enabled". I've defined the Assertion-based Groups under the Application Identity Provider for the groups of roles mapping. I tried to let as Platform Identity Provider, also to put my custom Identity Authentication Tenant on this role, but in both cases the services are not reachable no matter I connect with my SAP user or my custom IDP user. For example when I try to go to the Portal Admin page I get this error: "HTTP Status 500 - An internal application error occurred. Request: 0xxxxxxxx9 {my_subaccount_id}:flpnwc". Any idea about what I'm doing wrong?


      Thank you in advance for your time and thanks again for the great work you provided.


      Best regards,

      Marco Silva

      Murali Shanmugham (Blog Post Author)

      Hi Marco,

      It's best to post these questions in the relevant forum for experts to respond to them.


      shobhit taggar

      Hi Murali,


      I have a question. We are implementing the SAP CPIS (Cloud Platform Integration Suite) service.


      1. As per my understanding, the SAP Identity Provisioning service is included in the above integration service subscription?
      2. Can we enable this 2FA for the CPIS service?
      3. The client has a requirement to enable 2FA login to the CPIS tenant. We will be enabling only the SAP Authenticator (PIN-based) 2FA. Do we require any other subscription, other than the CPIS service, to enable this 2FA login?



      Murali Shanmugham (Blog Post Author)

      Hi Shobhit,

      Please post a question in the forum. CPI Suite does not include Identity Authentication Service (IAS). You should be able to configure 2FA for developers/admins accessing CPI Suite. You will require IAS for this.

      vinay malempati

      Hi Murali Shanmugham,

      What do we do when we delete the account in SAP Authenticator by mistake? I mean, how do we set it up again? I cannot find steps for that in the passcode screen. One of my teammates had this problem. It would be helpful if you could answer this.