New Feature Review – Password Management features in SAP Cloud Platform Identity Authentication

A number of new features were introduced recently relating to the SAP Cloud Platform Identity Authentication Service (or SCPIA) – specifically in the area of User Management. Will get the Admin out of the way: I will use the acronym SCPIA to identify the SAP Cloud Platform Identity Authentication service throughout this blog.

The new features include:

• Unlocking of User’s Passwords.
• Sending of Reset Password emails.
• Resetting the counter of Email Sending.
• Setting of Initial passwords for Users

The new functions meet some of the business requirements I have come across in various projects in recent times and will provide more control over user authentication for the SCPIA service Tenant administrators. I will go through the new features in more detail in this blog.

All of the below functions were part of the improvements delivered on the 7^th August 2017.

Figure:1 SCPIA August release new features

All of the options appear within the Users & Authorisations section – specifically under User Management -> Authentication.

Figure:2 User Management – Authentication / Password Details option

Let’s proceed through the new features now.

Unlocking User Passwords

This is the first option within the Password Details section which allows the unlocking of users for when they log into an application incorrectly – a number of times.  This is a nice new feature and it was unclear in the past how a user could reset their password if in fact they had tried to log in too many times with an incorrect password so I am sure this feature will be well received.

Firstly, a password will be locked based on the setting in the Password Policy assigned to the application – specifically the allowed number of Failed login attempts. Once a user goes beyond this number the Password will be locked. As you can see in the below Password policy the user would have to provide an incorrect password 5 times for the user to be locked.

Figure:3 Password Policy settings

I will now go on to lock my password but first I will show you what my userid looks like before this is carried out. You can see below that it is not locked.

Figure:4 Password Status screen – BEFORE

After 3 failed attempts I go back to check the Password Status and you can see below that this is recorded correctly. It is keeping track of how many failed login attempts I have had.

Figure:5 Password Status screen – After 3 failed login attempts

I try to log on (incorrectly) another 2 times and then come back to check that my userid has in fact been Locked. You should see from the below screen that the status on the right hand side has changed from Unlocked to Locked and the Unlock icon is now active.

Figure:6 Password Status screen – After 5 failed login attempts

Not only is the status correct but it also tells the Tenant Administrator when it was locked with the date and time as highlighted above. The [Unlock] button is now enabled and can be selected to Unlock the user id. A notification email would have also been sent to the user’s email address, alerting them to the fact that their login has failed with a link to reset their password.

Figure:7 Password reset email 

I will now click on the Unlock button to unlock the userid.

A message toast will appear on the screen stating that the Userid has been unlocked.

 

Awesome. This completes the new feature showcase of Unlocking a userid.

Send E-Mail to Reset Password

This feature allows the Tenant administrator to send an email to the user with information on how they can reset their password. This is the second option included in the Password Details section.

NOTE: Tenant administrator can send to the user only three reset password e-mails per 24 hours.

Figure:8 Password Reset Send Email option

What I found when testing this was that an error occurred due to the fact that I had already reset my password on the same day. When this occurs the following error message is displayed.

Figure:9 Password Reset Send email option error screen

Normally this would not be the case and an email with suitable instructions to reset passwords would be sent similar to that covered in Figure 7 above.

This completes the new feature showcase of Sending an email for Password reset.

 

Resetting the Email Send Counter

The Tenant Administrator can send 3 email password reset emails each 24 hours. If a new email is required to be sent and the full 3 have been used up the Tenant Administrator can reset the email counter – which allows the sending of another email to the user.

NOTE: The reset function can be used even when 1 email has been sent. The reset function would then set it back to 0.

When the previous option is utilized – that is – an email has been sent to the user with password reset information the third feature will be activated as you can see in the below screenshot.

 

Figure:10 Email Counter reset option

To reset this counter simply select the [Reset Counter] icon.

Figure:11 Reset Counter success screen

A message toast will appear stating that the counter for the user has been reset.

I can also now see that the emails sent number has been set back to 0.

Figure:12 Password Details main screen

Awesome! I love it when new features actually work as designed. Cool!

This completes the new feature showcase of Resetting the email send counter.

 

Set Initial Password

This feature allows the Tenant Administrator to set an initial password for a user. This is the last option included in the Password Details section.

NOTE: This can only be carried out for a user that has already activated their account.

When the user logs in with the new password (provided to them by the Tenant Administrator!) they will be prompted to reset it.

To set an Initial Password, choose the [Set Initial] icon as highlighted below.

Figure:13 Set Initial Password option 

When this is selected a new pop-up window will be displayed. I really like the features included in this pop-up basically directing the tenant administrator to enter a Password that meets the password requirements of the Password Policy. Cool! It was a little tricky trying to get rid of this popup especially when trying to re-enter the password but it is removed a couple of seconds later.

As I enter a new Initial password the pop-up will show the criteria that still needs to be met. I will show the different screenshots as I progress to enter the Initial password.

Figure:14 Initial Password entry assistance – transitions as user types

Re-enter the password again in the Re-enter Password field and then click [Save].

Figure:15 Re-Enter Password screen

If successful the following message toast will appear.

Figure:16 Message toast for Initial Password setting

NOTE: This step can fail if the password that is set as the Initial Password has been used before so you need to make sure this is unique! The message that did come up was slightly technical so hopefully in future revisions a nicer more user friendly message is provided to the user.

This completes the new feature showcase of setting an initial password.

I will go on to offer some new feature requests.

Additional Features

While the covered features are great there is still some additional features I would like implemented over the coming months, I will cover them briefly below.

• Emails to Administrators

I would like to see emails being sent to Administrators when major activities take place for the SCPIA Service. For instance, when a user Self-Registers an email should be sent to the Tenant Administrators alerting them to a new user sign up. This is currently not in place. An email should be sent to the Tenant Administrators alerting them to Locked passwords also. This would allow them to be proactive rather than reactive. Even better would be the ability to generate an email to some kind of helpdesk system. This could be achieved by the detailing of a specific support email address (rather than to the Tenant Administrators email address).

• Reporting Additions – New Users Report and Locked Users Report

At the moment there is only a single report offered detailing the monthly logon requests which is nice information to know but does not really assist Tenant Administrators in managing users more effectively. Two reports I would like added include:

• New User report. This would summarise the users that have self-registered and would also allow Month to be selected.
• Locked User Report. This would summarise the users that are currently locked. I realise this is available in the download however a report would be a better user experience.

For more information on these features please check out the following link.

https://help.sap.com/viewer/6d6d63354d1242d185ab4830fc04feb1/Cloud/en-US/de21efe39e1442618388784891497067.html

Look out for my next blog about the new email templates that have been delivered as a new feature in September.

Thanks for reading! Feel free to leave a comment or Like below.