
Setting up SMS based Multi-factor Authentication in SAP Cloud Platform Identity Authentication

SAP Cloud Platform Identity Authentication service (IAS) supports two-factor authentication, commonly referred to as multi-factor authentication (MFA). The default mechanism uses the SAP Authenticator app, which needs to be installed on each of the user’s devices and generates the PIN. I have covered setting up IAS and MFA in previous blog posts.

In this blog post, I am going to walk through the steps required to set up MFA that uses SMS to send the PIN. This feature requires SAP Authentication 365, which is a separate subscription service. It leverages a few other SAP Live Link services, like SMS 365 and Email 365, to send one-time PINs (OTPs) to devices. This is a modular solution and you can configure it according to your requirements. If you already have your own SMS/mail server set up, SAP Authentication 365 can hook into it.

Follow this blog post to learn more about how to set up SAP Authentication 365. It’s quite simple and easy to configure.

To configure SMS-based MFA, navigate to the Tenant settings within the IAS Admin console and select “SAP Authentication 365 configuration”.

Populate the SAP Authentication 365 account details along with the Client ID and secret which you would have obtained when creating an API Key within SAP Authentication 365.

Configure the application created for your SAP Cloud Platform subaccount. Under the “Authentication and Access” tab, locate the “Risk-based Authentication” setting.

The default value is “Allow”. Change it to “SMS Two-Factor Authentication” as shown below.

Save your changes and you are now ready to test the MFA flow. Navigate to the Application/Fiori Launchpad in the SAP Cloud Platform subaccount and it will challenge you with the initial authentication with IAS.

After initial authentication, the user will be directed to a screen to provide the SMS PIN as shown below.

       

After providing the SMS code and successfully validating it, the user will be directed to the Fiori Launchpad/application.

Here is a video which I have recorded to show how this works.

If you would like to set up SMS-based MFA independently of the Identity Provider, you can refer to the blog post “Configuring SAP Authentication 365 for SMS based Multi-factor Authentication”.

4 Comments
  • Hi Murali,

    I note that IAS also supports TOTP based MFA. Is there also an additional subscription required for this setup or is it “standard”?

    Especially thinking of the case of securing some admin/super user access for SuccessFactors users.

     

    Thanks!

    Chris

  • Hi Murali

    Thanks for your blog. Very helpful and condensed information.

    Is it possible to configure the frequency with which a passcode has to be entered? When I switch it on, the user has to enter a passcode for every login.

    I know from e.g. Google that they asked me from time to time to enter an additional PIN, which they send to my mobile, just to ensure that I’m still the one who has been authenticated to my mobile device.

    I’m looking for a 2-factor-authentication solution which is not so strict that I have to enter a passcode for every login. Can this be achieved somehow?

     

    Thanks

    Peter