Configuring SAP Authentication 365 for SMS based Multi-factor Authentication

UPDATE – 15-June-2021: SAP Identity Authentication is a service which is now being bundled with many SAP Cloud Solutions and also offered with SAP BTP. This service is free for usage for Logon to SAP branded cloud applications as well as Platform apps. Please refer to the SAP Business Technology Platform Service Description Guide for more info. This blog specifically focuses on how to setup SMS capabilities within Identity Authentication service leveraging SAP Authentication 365. Note that SAP Authentication 365 has been acquired by Sinch. Hence, if there are customers looking to enable SMS based MFA within Identity Authentication service, they would need a subscription to Sinch Authentication 365 (provided by Sinch).

I recently came across a requirement to enable Multi-factor authentication (MFA) only when accessing specific apps or actions performed within these apps. One of the common approaches towards enabling MFA for SAP Cloud Platform apps is to leverage Identity Authentication service’s risk-based authentication capabilities. The challenge with this approach is that it performs MFA right at the beginning of the access to any apps on SAP Cloud Platform.  I have already posted a blog on how this works – “Setting up SMS based Multi-factor Authentication in SAP Cloud Platform Identity Authentication”

Since the requirements are different here, we had to directly leverage the capabilities of SAP Authentication 365 for MFA.  In this blog, I will walk through the steps as to what is required in setting up such as scenario.

The first step is to obtain subscription to SAP Authentication 365. It’s another service on SAP Cloud Platform which leverages few other cloud based services (behind the scene) like Email 365 and SMS 365 to send SMS/Emails as delivery channel. The whole solution is modular and you can easily integrate SAP Authentication 365 with your existing SMS/Mail servers if you wish to.

Here is a sample architecture to help you visualize.

I have assumed the customer is running Fiori apps on SAP Cloud Platform as well as WebDynpro/Fiori apps on-premise SAP ECC system and would like to protect some of the sensitive apps spread across their landscape. Infact, this solution can also work to protect non-SAP applications too. The only effort required is to develop plugin which can be used within on-premise and cloud apps and ofcourse configuring SAP Authentication 365.

Below is an E2E flow of how this would work.

1. End user navigates to the respective protected application within their Launchpad.
2. When they try to access the protected application, they get a popup requesting to provide the One-Time Pin(OTP).
3. The application simultaneously uses a REST API to the SAP Authentication 365 service requesting to generate a token for the user who is accessing the application. Note that the application needs be able to find the phone number/email of the user who is accessing the application. If these details are available in another system, the developer would need to configure the application to fetch them and make it available for the REST API.
4. SAP Authentication 365 generates an OTP
5. SAP Authentication 365 relies of SMS 365 or your own SMS server to send the SMS to the end user.
6. The end user makes a note of the OTP from the obtained SMS and provides it in the popup of the protected application and hits the “Authenticate” button.
7. The application now triggers another REST API call to SAP Authentication 365 to validate the OTP.
8. SAP Authentication validates the OTP and send a response back to the calling application
9. Depending on the response – Success/Failure, the calling application decides whether to allow access to the user.

As you can see, this is based on REST APIs. Hence, you can build a reusable plugin and drop it into each of the apps which you plan to protect with MFA.

Let’s look at the steps required to configure SAP Authentication 365. Once you obtain access to SAP Authentication 365, you can login to the Admin console which will give you access to set of applications to configure the service.

In the “Accounts” application, an entry is created with details relating to the Default message and Delivery channels which are going to be used for this account.

In the “Validation” app, you can test the setup of the newly created account. Just provide your phone number, message and the token specification. Click on “Generate” to trigger the creation of a SMS PIN. This SMS will be sent to your phone.

You can make a note of this SMS Pin and verify it by putting it in the “Token Received” field and clicking on “Validate”

SAP Authentication comes with REST APIs to interact with it programmatically. These APIs are published in api.sap.com and you can test them with any REST client.

In order to interact with these APIs, you will need a Client ID and Client Secret. This can be obtained by creating an entry in the “Manage API Keys” application.

There are also apps in the admin console to view the traffic as well as Analytics on the usage. You can view the number of tokens which are generated with SAP Authentication 365 as well as those which have been verified.

Once the configuration is complete, you can embed the REST API calls to SAP Authentication 365 within your existing apps. I haven’t created a reusable module, but instead just put some lines of code to invoke the APIs. The below application in SAP WebIDE is meant to mimic a payslip application.

I have configured a destination in SAP Cloud Platform cockpit to access the REST APIs of SAP Authentication 365

I have published my sample project in my Github repository incase you want to have a look at how I used the APIs to send and validate SMS OTPs.

Here is a video which I have recorded to show how this works.

I would encourage you to also browse through the SAP Help documentation on Live Link 365. It has lots of information for developers to understand how to call the APIs and refer to some of the existing How-to-guides.