Murali Shanmugham

Setting up SMS based Multi-factor Authentication in SAP Cloud Platform Identity Authentication

UPDATE – 15-May-2021: SAP Identity Authentication is a service that is now bundled with many SAP Cloud Solutions and is also offered with SAP BTP. This service is free for usage for Logon to SAP branded cloud applications as well as Platform apps. Please refer to the SAP Business Technology Platform Service Description Guide for more information. This blog post focuses specifically on how to set up SMS capabilities within the Identity Authentication service using SAP Authentication 365. Note that SAP Authentication 365 has been acquired by Sinch. Customers who want to enable SMS-based MFA within the Identity Authentication service therefore need a subscription to Sinch Authentication 365 (provided by Sinch).

SAP Cloud Platform Identity Authentication service (IAS) supports two-factor authentication, commonly referred to as multi-factor authentication (MFA). The default mechanism uses the SAP Authenticator app, which needs to be installed on each of the user’s devices. The SAP Authenticator app generates the PIN. I have covered setting up IAS and MFA in previous blog posts.

In this blog post, I am going to walk through the steps required to set up MFA that uses SMS to send the PIN. This feature requires SAP Authentication 365, which is a separate subscription service. It leverages a few other SAP Live Link services, such as SMS 365 and Email 365, to send One-Time PINs (OTPs) to devices. This is a modular solution and you can configure it according to your requirements. If you already have your own SMS/mail server set up, SAP Authentication 365 can hook into it.

Follow this blog post to learn more about how to set up SAP Authentication 365. It's quite simple and easy to configure.

To configure SMS-based MFA, navigate to the Tenant settings in the IAS Admin console and select “SAP Authentication 365 configuration”.

Populate the SAP Authentication 365 account details along with the Client ID and secret which you would have obtained when creating an API Key within SAP Authentication 365.

Configure the application created for your SAP Cloud Platform subaccount. Under the “Authentication and Access” tab, locate “Risk-based Authentication”.

The default value is “Allow”. Change it to “SMS Two-Factor Authentication” as shown below.

Save your changes and you are now ready to test the MFA flow. Navigate to the Application/Fiori Launchpad in the SAP Cloud Platform subaccount and it will challenge you with the initial authentication with IAS.

After initial authentication, the user is directed to a screen to provide the SMS PIN, as shown below.

After providing the SMS code and successfully validating it, the user will be directed to the Fiori Launchpad/application.

Here is a video which I have recorded to show how this works.

If you would like to set up SMS-based MFA independently of the Identity Provider, you can refer to the blog post “Configuring SAP Authentication 365 for SMS based Multi-factor Authentication”.


      12 Comments
      Chris Paine

      Hi Murali,

      I note that IAS also supports TOTP based MFA. Is there also an additional subscription required for this setup or is it "standard"?

      Especially thinking of the case of securing some admin/super user access for SuccessFactors users.

       

      Thanks!

      Chris

      Valentin Ivanov

      Hi Chris,

       

      TOTP is built-in functionality and it doesn't require additional subscription.

       

      Best regards,

      Valentin

      Murali Shanmugham
      Blog Post Author

      Thanks for your response Valentin. I missed this one.

      Hi Chris Paine 

      For the out-of-the-box support of TOTP, all that is required is the mobile app, which needs to generate the OTP code using the SAP Authenticator mobile app.

      https://help.sap.com/viewer/6d6d63354d1242d185ab4830fc04feb1/Cloud/en-US/0d41cd49f6504f3eaf29b58d616b040f.html

      Peter Roth

      Hi Murali

      Thanks for your blog. Very helpful and condensed information.

      Is it possible to configure the frequency with which a passcode has to be entered? When I switch it on, the user has to enter a passcode for every login.

      I know from e.g. Google that they ask me from time to time to enter an additional PIN, which they send to my mobile, just to ensure that I'm still the one who has been authenticated on my mobile device.

      I'm looking for a 2-factor-authentication solution which is not so strict that I have to enter a passcode for every login. Can this be achieved somehow?

       

      Thanks

      Peter

      Tobias Schneider

      Hi Murali,

      "This service is free for usage for Logon to SAP branded cloud applications as well as Platform apps"

      Does that mean we are now allowed to use IAS with all of our SAP Cloud Products (SAP Marketing Cloud, SAP Sales Cloud, ...) without additional license?

      In the past we received IAS together with SAP Marketing Cloud and the statement from SAP was that the usage with SAP Sales Cloud would need additional license.

      Kind Regards

      Tobias

      Murali Shanmugham
      Blog Post Author

      Hi Tobias,

      I believe IAS is allowed to be used for free with those SAP Cloud solutions. However, it's best to check with your SAP Account Executive, as I am unable to provide advice on licensing topics. Thanks.

      Tobias Schneider

      Hi Murali,

      Okay, then I will check with our SAP AE. Thanks for your reply anyway 🙂

      Abhilash Sikenpore

      Hi Murali,

       

      Great blog.

      Do you know how the MFA will work with the SF application on mobiles? Will the mobile app get prompted for MFA after initial setup?

       

      Thank you,

      Abhi

      Murali Shanmugham
      Blog Post Author

      Hi Abhilash Sikenpore

      Thanks. Please refer to this SAP Note 2776016 - How to set up Two Factor Authentication between IAS and BizX SuccessFactors - BizX Platform

      Liji Mathew
      Hi Murali,
      
      Nice blog. Can this SAP Authentication 365 (cloud solution) be used for MFA for SAPGUI login for on-prem systems?
      Any pointers on how to configure this for on-prem SAPGUI and NWBC client?
      
      Thank you,
      Liji Mathew

      François RUFFINONI

      Hello,

      Did you manage to get any clarification or feedback on your questions?

      Praveen Sinha

      Hi Murali,

       

      I have exactly the same question as posted by Liji Mathew.

      Can this SAP Authentication 365 (cloud solution) be used for MFA for SAPGUI login for on-prem systems?
      
      We have SSO enabled with SNC Kerberos for SAP ABAP and BSPs. However we need to add 2FA using SAP Authenticator 
      or any SAP recommended authenticator app like MS Authenticator or Google Authenticator or DUO?
      Does it need a SAP NW Java Stack as mandt?
      
      
      Regards
      Praveen / Asadul