Hello Everyone,
Security is important aspect in any Enterprise conversational system when it is Hosted in Public social media like WhatsApp, Facebook etc, Because now a days everyone got smart phone. Welcome to my another blog where i am going discuss about security aspect of WhatsApp integration with SAP S/4HANA, as most of the people are interested to see how security can be taken care in this particular integration so thought to write another blog in it.
**N.B Don't forget to watch two minute Attached demo video at end of this Blog
Recap and purpose of Part II:
Who ever haven't seen my previous post regarding WhatsApp integration with SAP S/4HANA, I would suggest to go through once, Here is the link. In last post we have seen how WhatsApp Integration with S/4HANA helping employee like Brooke to get information about her purchase status in Bestrun organization. However though project was cool to see but it also make me think that anyone can act as a Brooke and get the information which is security violation because once WhatsApp number is leaked its pretty easy to add number in their WhatsApp and play around with it and act as a different employee. And i am damn sure no one would be happy about that.
So Why Security is important in Enterprise Chat bot?
Business transaction information's are very critical and it shouldn't be disclosed with outsider random people like tom, dick and harry. And everyone got WhatsApp now a days it is very easy to add the bot number and start asking question and gathering information about organization as well business transaction. So enterprise Chat bot never should entertain the outsider people or unverified employee.
So how we are going to make sure that, only real verified employees are allowed to chat?
Everyone is smart enough to guess what i am talking about because above picture is enough to explain. Yes now a days two factor authentication based protocols are becoming very famous, it would be really nice to see that before starting any communication with our SAP CAI based bot if it verify the employee by sending one time password to their registered mobile number in organization's HCM system. So if some one who is not a employee or outsider who try to initiate any conversion will be not entertained because they will never have entry in organization's employee master record so their mobile number is also not registered in organization's Employee Master record so they will not get one time password to go one step ahead.
Then how this One Time Password Integration is possible?
The answer is very simple Integration of SAP CAI and Twilio Authy Service which will help us to achieve this dream, The beauty of SAP CAI is If you design the brain and train your bot properly, you can achieve anything, Bot also can have emotion, they are also intelligent and smart as human are to filter out everything. At least that is what i have experienced as SAP CAI fan as of now.
What is Twilio Authy?
Well everyone is smart enough to do research on google, still i would tell you in very short and crisp way. Authy is the fastest way to add two-factor authentication or password less login to your app. It provides rest api to secure your users’ accounts with high-security checks during logins and step-up transactions to ensure you’re letting the right person in. Easy support for SMS, Voice, OTP, and Push Authentication channels.
Do we need to maintain Employee's Mobile number and Employee ID in Authy? If yes then How this whole process would work?
Yes, We have to maintain otherwise how it will send one time passord, Each organization have HCM / SF Employee Central system to maintain Employee master record. For this example i have used Successfactors Employee central. In this example process flow is pretty straight forward something like below.
Adam is a HR who works in US based company Bestrun and responsible for on-boarding employee and maintaining employee Master record. Brooke is a new employee who is going to be on-boarded so Adam checked all the documents and after that adam maintained all the record in HCM / SFEC system. Now in this case Cloud Platform Integration will extract the Employee ID, Phone Number, Name from HCM and will push the data into Twilio Authy Service. On successful creation it will return Unique Authy ID to SAP CPI and SAP CPI Clubb Employee Central ID and Authy ID together and push it to SAP HANA DB in SAP CP as Authy doesn't store Employee Central User ID.
Now most of the SAP CAI developers are started figuring out how SAP CAI will integrate this. Lets see how SAP CAI is going to be mingled in this.
Though above conversation flow gives good idea how its going to work, still let me discuss the verification process in short. when first time employee will send any message it will ask employee ID for verification once employee will send ID it will make a webhook call to node.js application which will first call Hana XS service to check is there any Authy ID is present or not against that particular employee ID, If it find valid authy ID it will call Authy OTP Api to send OTP to Employee's Mobile and ask for OTP number from employee, now if its valid employee then employee will be able to provide correct OTP and SAP CAI will make another API call to veify that OTP, on successful response it will send positive response otherwise it will reset bot memory and send negative response.
Lets Redesign the architecture
If you have notice correctly then you could see green dash border around SAP CAI which is verifying the real employee, lets look at how this secure architecture looks like.
Now people may started thinking is there any special training required in SAP CAI Bot to work seamlessly this verification process?
Lets answer this different way, if i ask you to verify a employee what you would do you would go to HCM system and search with that employee record, for that you need to know how to access this HCM system, where to search and all. Similarly bot also need to know how to get the employee Id and One time password from conversation and pass it into webhook call.
Same thing we have to do for OTP also, once we will maintain this entity and intent then our bot will be able to recognize and store it in memory, which can be used in webhook call. E.G In Authy you have configured six digit OTP then entity should be looking like 134575,842292,123098..... and Intent should be looking like 144133is my otp, my otp is 245763 ...
Enough of information and architecture, lets get into main business which is implementation of it, so like previous lets break this into smaller pieces so it would be easier to understand.
1. Setting up Authy Application / OTP service in Twilio
2. Exploring the Authy API
Look at the nice documentation for Authy API. Here mainly we need three API
a) Authy User Creation API
b) Request One Time Password API
c) Verifying One Time Password API
3. Re-Designing the skills of Sarah (Bot)
We have two additional skills here to add this verification. a) Verify Employee b) otp. Verify employee would be triggered incase emp and otp both memories are absent and any intent get captured from user conversation. OTP skill will be triggered from Verify employee incase employee id get matched with supplied employee id from user.
Let look how the OTP skill look like
Action of OTP Skill
Lets Look at how i have designed other skill triggered
4. Writting Node.js Application and integrate with SAP CAI in Webhook
As you might have noticed two extra function i have added a) Verifying Employee b) Verifying OTP
Github for Verifying Employee Function
Github for Verifying One time Password function
5. Twilio function
Here I have attached my demo video, i hope everyone would like this.
I hope everyone enjoyed this blog, please don't forget to like, comment and share.
Regards,
Sudip
Security is important aspect in any Enterprise conversational system when it is Hosted in Public social media like WhatsApp, Facebook etc, Because now a days everyone got smart phone. Welcome to my another blog where i am going discuss about security aspect of WhatsApp integration with SAP S/4HANA, as most of the people are interested to see how security can be taken care in this particular integration so thought to write another blog in it.
**N.B Don't forget to watch two minute Attached demo video at end of this Blog
Recap and purpose of Part II:
Who ever haven't seen my previous post regarding WhatsApp integration with SAP S/4HANA, I would suggest to go through once, Here is the link. In last post we have seen how WhatsApp Integration with S/4HANA helping employee like Brooke to get information about her purchase status in Bestrun organization. However though project was cool to see but it also make me think that anyone can act as a Brooke and get the information which is security violation because once WhatsApp number is leaked its pretty easy to add number in their WhatsApp and play around with it and act as a different employee. And i am damn sure no one would be happy about that.
So Why Security is important in Enterprise Chat bot?
Business transaction information's are very critical and it shouldn't be disclosed with outsider random people like tom, dick and harry. And everyone got WhatsApp now a days it is very easy to add the bot number and start asking question and gathering information about organization as well business transaction. So enterprise Chat bot never should entertain the outsider people or unverified employee.
So how we are going to make sure that, only real verified employees are allowed to chat?
Everyone is smart enough to guess what i am talking about because above picture is enough to explain. Yes now a days two factor authentication based protocols are becoming very famous, it would be really nice to see that before starting any communication with our SAP CAI based bot if it verify the employee by sending one time password to their registered mobile number in organization's HCM system. So if some one who is not a employee or outsider who try to initiate any conversion will be not entertained because they will never have entry in organization's employee master record so their mobile number is also not registered in organization's Employee Master record so they will not get one time password to go one step ahead.
Then how this One Time Password Integration is possible?
The answer is very simple Integration of SAP CAI and Twilio Authy Service which will help us to achieve this dream, The beauty of SAP CAI is If you design the brain and train your bot properly, you can achieve anything, Bot also can have emotion, they are also intelligent and smart as human are to filter out everything. At least that is what i have experienced as SAP CAI fan as of now.
What is Twilio Authy?
Well everyone is smart enough to do research on google, still i would tell you in very short and crisp way. Authy is the fastest way to add two-factor authentication or password less login to your app. It provides rest api to secure your users’ accounts with high-security checks during logins and step-up transactions to ensure you’re letting the right person in. Easy support for SMS, Voice, OTP, and Push Authentication channels.
Do we need to maintain Employee's Mobile number and Employee ID in Authy? If yes then How this whole process would work?
Yes, We have to maintain otherwise how it will send one time passord, Each organization have HCM / SF Employee Central system to maintain Employee master record. For this example i have used Successfactors Employee central. In this example process flow is pretty straight forward something like below.
Adam is a HR who works in US based company Bestrun and responsible for on-boarding employee and maintaining employee Master record. Brooke is a new employee who is going to be on-boarded so Adam checked all the documents and after that adam maintained all the record in HCM / SFEC system. Now in this case Cloud Platform Integration will extract the Employee ID, Phone Number, Name from HCM and will push the data into Twilio Authy Service. On successful creation it will return Unique Authy ID to SAP CPI and SAP CPI Clubb Employee Central ID and Authy ID together and push it to SAP HANA DB in SAP CP as Authy doesn't store Employee Central User ID.
Now most of the SAP CAI developers are started figuring out how SAP CAI will integrate this. Lets see how SAP CAI is going to be mingled in this.
Though above conversation flow gives good idea how its going to work, still let me discuss the verification process in short. when first time employee will send any message it will ask employee ID for verification once employee will send ID it will make a webhook call to node.js application which will first call Hana XS service to check is there any Authy ID is present or not against that particular employee ID, If it find valid authy ID it will call Authy OTP Api to send OTP to Employee's Mobile and ask for OTP number from employee, now if its valid employee then employee will be able to provide correct OTP and SAP CAI will make another API call to veify that OTP, on successful response it will send positive response otherwise it will reset bot memory and send negative response.
Lets Redesign the architecture
If you have notice correctly then you could see green dash border around SAP CAI which is verifying the real employee, lets look at how this secure architecture looks like.
Now people may started thinking is there any special training required in SAP CAI Bot to work seamlessly this verification process?Lets answer this different way, if i ask you to verify a employee what you would do you would go to HCM system and search with that employee record, for that you need to know how to access this HCM system, where to search and all. Similarly bot also need to know how to get the employee Id and One time password from conversation and pass it into webhook call.
Same thing we have to do for OTP also, once we will maintain this entity and intent then our bot will be able to recognize and store it in memory, which can be used in webhook call. E.G In Authy you have configured six digit OTP then entity should be looking like 134575,842292,123098..... and Intent should be looking like 144133is my otp, my otp is 245763 ...
Enough of information and architecture, lets get into main business which is implementation of it, so like previous lets break this into smaller pieces so it would be easier to understand.
1. Setting up Authy Application / OTP service in Twilio
2. Exploring the Authy API
Look at the nice documentation for Authy API. Here mainly we need three API
a) Authy User Creation API
b) Request One Time Password API
c) Verifying One Time Password API
3. Re-Designing the skills of Sarah (Bot)
We have two additional skills here to add this verification. a) Verify Employee b) otp. Verify employee would be triggered incase emp and otp both memories are absent and any intent get captured from user conversation. OTP skill will be triggered from Verify employee incase employee id get matched with supplied employee id from user.
Let look how the OTP skill look like
Action of OTP Skill
Lets Look at how i have designed other skill triggered
4. Writting Node.js Application and integrate with SAP CAI in Webhook
As you might have noticed two extra function i have added a) Verifying Employee b) Verifying OTP
Github for Verifying Employee Function
Github for Verifying One time Password function
5. Twilio function
exports.handler = function(context, event, callback) {
console.log('invoked with', event)
global.twiml = new Twilio.twiml.MessagingResponse();
var sapcai = require('sapcai')
let build = new sapcai.build('<CAI APi KEY>', 'en')
build.dialog({ type: 'text', content: event.Body}, { conversationId: event.From })
.then(function(res) {
'debugger';
dta = res.messages[0].content;
twiml.message(dta);
callback(null, twiml);
})
};Here I have attached my demo video, i hope everyone would like this.
I hope everyone enjoyed this blog, please don't forget to like, comment and share.
Regards,
Sudip
- SAP Managed Tags:
19 Comments
