Technical Articles
One time Password Based security in WhatsApp Integration with SAP S/4HANA
Hello Everyone,
Security is important aspect in any Enterprise conversational system when it is Hosted in Public social media like WhatsApp, Facebook etc, Because now a days everyone got smart phone. Welcome to my another blog where i am going discuss about security aspect of WhatsApp integration with SAP S/4HANA, as most of the people are interested to see how security can be taken care in this particular integration so thought to write another blog in it.
**N.B Don’t forget to watch two minute Attached demo video at end of this Blog
Recap and purpose of Part II:
Who ever haven’t seen my previous post regarding WhatsApp integration with SAP S/4HANA, I would suggest to go through once, Here is the link. In last post we have seen how WhatsApp Integration with S/4HANA helping employee like Brooke to get information about her purchase status in Bestrun organization. However though project was cool to see but it also make me think that anyone can act as a Brooke and get the information which is security violation because once WhatsApp number is leaked its pretty easy to add number in their WhatsApp and play around with it and act as a different employee. And i am damn sure no one would be happy about that.
So Why Security is important in Enterprise Chat bot?
Business transaction information’s are very critical and it shouldn’t be disclosed with outsider random people like tom, dick and harry. And everyone got WhatsApp now a days it is very easy to add the bot number and start asking question and gathering information about organization as well business transaction. So enterprise Chat bot never should entertain the outsider people or unverified employee.
So how we are going to make sure that, only real verified employees are allowed to chat?
Everyone is smart enough to guess what i am talking about because above picture is enough to explain. Yes now a days two factor authentication based protocols are becoming very famous, it would be really nice to see that before starting any communication with our SAP CAI based bot if it verify the employee by sending one time password to their registered mobile number in organization’s HCM system. So if some one who is not a employee or outsider who try to initiate any conversion will be not entertained because they will never have entry in organization’s employee master record so their mobile number is also not registered in organization’s Employee Master record so they will not get one time password to go one step ahead.
Then how this One Time Password Integration is possible?
The answer is very simple Integration of SAP CAI and Twilio Authy Service which will help us to achieve this dream, The beauty of SAP CAI is If you design the brain and train your bot properly, you can achieve anything, Bot also can have emotion, they are also intelligent and smart as human are to filter out everything. At least that is what i have experienced as SAP CAI fan as of now.
What is Twilio Authy?
Well everyone is smart enough to do research on google, still i would tell you in very short and crisp way. Authy is the fastest way to add two-factor authentication or password less login to your app. It provides rest api to secure your users’ accounts with high-security checks during logins and step-up transactions to ensure you’re letting the right person in. Easy support for SMS, Voice, OTP, and Push Authentication channels.
Do we need to maintain Employee’s Mobile number and Employee ID in Authy? If yes then How this whole process would work?
Yes, We have to maintain otherwise how it will send one time passord, Each organization have HCM / SF Employee Central system to maintain Employee master record. For this example i have used Successfactors Employee central. In this example process flow is pretty straight forward something like below.
Adam is a HR who works in US based company Bestrun and responsible for on-boarding employee and maintaining employee Master record. Brooke is a new employee who is going to be on-boarded so Adam checked all the documents and after that adam maintained all the record in HCM / SFEC system. Now in this case Cloud Platform Integration will extract the Employee ID, Phone Number, Name from HCM and will push the data into Twilio Authy Service. On successful creation it will return Unique Authy ID to SAP CPI and SAP CPI Clubb Employee Central ID and Authy ID together and push it to SAP HANA DB in SAP CP as Authy doesn’t store Employee Central User ID.
Now most of the SAP CAI developers are started figuring out how SAP CAI will integrate this. Lets see how SAP CAI is going to be mingled in this.
Though above conversation flow gives good idea how its going to work, still let me discuss the verification process in short. when first time employee will send any message it will ask employee ID for verification once employee will send ID it will make a webhook call to node.js application which will first call Hana XS service to check is there any Authy ID is present or not against that particular employee ID, If it find valid authy ID it will call Authy OTP Api to send OTP to Employee’s Mobile and ask for OTP number from employee, now if its valid employee then employee will be able to provide correct OTP and SAP CAI will make another API call to veify that OTP, on successful response it will send positive response otherwise it will reset bot memory and send negative response.
Lets Redesign the architecture
If you have notice correctly then you could see green dash border around SAP CAI which is verifying the real employee, lets look at how this secure architecture looks like.
Now people may started thinking is there any special training required in SAP CAI Bot to work seamlessly this verification process?
Lets answer this different way, if i ask you to verify a employee what you would do you would go to HCM system and search with that employee record, for that you need to know how to access this HCM system, where to search and all. Similarly bot also need to know how to get the employee Id and One time password from conversation and pass it into webhook call.
Same thing we have to do for OTP also, once we will maintain this entity and intent then our bot will be able to recognize and store it in memory, which can be used in webhook call. E.G In Authy you have configured six digit OTP then entity should be looking like 134575,842292,123098….. and Intent should be looking like 144133is my otp, my otp is 245763 …
Enough of information and architecture, lets get into main business which is implementation of it, so like previous lets break this into smaller pieces so it would be easier to understand.
1. Setting up Authy Application / OTP service in Twilio
2. Exploring the Authy API
Look at the nice documentation for Authy API. Here mainly we need three API
a) Authy User Creation API
b) Request One Time Password API
c) Verifying One Time Password API
3. Re-Designing the skills of Sarah (Bot)
We have two additional skills here to add this verification. a) Verify Employee b) otp. Verify employee would be triggered incase emp and otp both memories are absent and any intent get captured from user conversation. OTP skill will be triggered from Verify employee incase employee id get matched with supplied employee id from user.
Let look how the OTP skill look like
Action of OTP Skill
Lets Look at how i have designed other skill triggered
4. Writting Node.js Application and integrate with SAP CAI in Webhook
As you might have noticed two extra function i have added a) Verifying Employee b) Verifying OTP
Github for Verifying Employee Function
Github for Verifying One time Password function
5. Twilio function
exports.handler = function(context, event, callback) {
console.log('invoked with', event)
global.twiml = new Twilio.twiml.MessagingResponse();
var sapcai = require('sapcai')
let build = new sapcai.build('<CAI APi KEY>', 'en')
build.dialog({ type: 'text', content: event.Body}, { conversationId: event.From })
.then(function(res) {
'debugger';
dta = res.messages[0].content;
twiml.message(dta);
callback(null, twiml);
})
};
Here I have attached my demo video, i hope everyone would like this.
I hope everyone enjoyed this blog, please don’t forget to like, comment and share.
Regards,
Sudip
wow.. This is amazing..Thanks 🙂
Thanks. good to know
interesting.. !!
usually the customers will ask about security.. since facebook , google etc make money on data will they use customers data to mine... could you please shed some light on this..
This was really amazing....a pioneering exploration of today's SAP digital reality... It gives pointers to start thinking from. Thanks for the efforts in sharing this and the demo...I would like to try this...
I just read that Twilio messaging channel is planned for deprecation:
https://help.sap.com/viewer/9825cb46d5ff49ee88b8c37f0f651a87/1906/en-US
Is there any other alternative messaging channel that can be used for this OTP scenario?
It is really interesting blog though! Thanks for sharing.
Hello,
No where i have used standard twilio channel for this integration, Please go through the blog properly once, even i know standard twilio channel is deprecated. It is totally custom made integration. In order to understand this you have to first host your bot using standard connector then only you will understand the channel concept. Here you can see i haven't used any standard channel available in SAP CAI, rather i have used SAP CAI SDK to connect SAP CAI from Twilio. This SDK is based on Node.js and it is for multi purpose, using SDK you can connect from any app or platform. Dont worry it is not deprecated list.
Regards,
Sudip
Hi Sudip,
This is an awesome tutorial, but Im having problem when my CAI Bot try to send more than one response message.
do you know if the channel only work for one send message and one response message at time?
thanks.
Which channel you are trying to integrate? Can you explain what you are trying to do?
I have the same problem has @Jorge Florez
The integration via Twilio with SAP CAI only reply the first message.
For me and my colleague it is working perfectly fine, but after some message your trial periods will be expired then it wont allow. But before that everything would work properly. But in your case you didnt use even that means there is some problem you made in either configuration or in twilio function. We even tested last week it was working fine. Today also i ll test and let you know.
Perhaps is because you don´t use the sandbox enviroment?
After looking for some info I found this:
There are still some limitations concerning Twilio Sandbox:
No if you want other to communicate with your chat bot through twilio whatsapp channel they also have to join using the same code. I am also using sandbox. Definately limitation would be there as it is meant to testing purpose.
Ok, pls try it out and let us know if you have the same problem or if you could get more than 1 reply message. In the videos in your blog the bot always reply one message.
In my case it works fine only if the bot reply 1 message at a time, if the bot needs to output 2 different messages it only shows the first one, can you confirm us if this also happens to you.
Ohhk you meant two mobile number same time you are trying is it?
I dont know if you have used code for earlier blog or this blog. in earlier blog i need to change the twilio function code. The session id i made constant that could give some issue. Please use below code and let me know. Conversion ID or session ID plays a role please use your mobile number as conversion ID (conversationId: event.From)
Please have a look at the comment of previous blog.
Hi Sudip,
How to add multiple conversational id in upgraded account? If we want to add more than 1 whatsapp users.
I have given fixes in the previous blog comment, please have a look.
Hii Sudip Ghosh
I have the same problem has @Jorge Florez and @Rodrigo Ariel Giner de la Vega
The integration via Twilio with SAP Conversational AI only reply the first message.
Can you help me please.
Thanks in advance.
The workaround that I found was to parse each message with 2 carriage return "/n". In the function that you create in twilio.
So even thought it replies only one message now at least it can be more readable.
Regards