Setting up SMS based Multi-factor Authentication in SAP Cloud Platform Identity Authentication
UPDATE – 15-May-2021: SAP Identity Authentication is a service which is now being bundled with many SAP Cloud Solutions and also offered with SAP BTP. This service is free for usage for Logon to SAP branded cloud applications as well as Platform apps. Please refer to the SAP Business Technology Platform Service Description Guide for more info. This blog specifically focuses on how to setup SMS capabilities within Identity Authentication service leveraging SAP Authentication 365. Note that SAP Authentication 365 has been acquired by Sinch. Hence, if there are customers looking to enable SMS based MFA within Identity Authentication service, they would need a subscription to Sinch Authentication 365 (provided by Sinch).
SAP Cloud Platform Identity Authentication service (IAS) supports Two-Factor Authentication, commonly referred to as Multi-factor Authentication (MFA). The default mechanism leverages the SAP Authenticator app, which needs to be installed on each user's device and generates the PIN. I have covered setting up IAS and MFA in these earlier blog posts:
- Setting up Authentication for Cloud Portal using Cloud Identity
- Integrating Identity Authentication service & Azure Active Directory in SAP Cloud Platform
In this blog post, I am going to walk through the steps required to set up MFA that sends the PIN by SMS. This feature requires the use of SAP Authentication 365, which is a separate subscription service. It leverages a few other SAP Live Link services, like SMS 365 and Email 365, to send One-Time PINs (OTPs) to devices. This is a modular solution and you can configure it according to your requirements. If you already have your own SMS/mail server set up, SAP Authentication 365 can hook into it.
Follow this blog post to learn how to set up SAP Authentication 365. It's quite simple and easy to configure.
To configure an SMS based MFA, navigate to the Tenant settings within the IAS Admin console and select “SAP Authentication 365 configuration”.
Populate the SAP Authentication 365 account details along with the Client ID and secret which you would have obtained when creating an API Key within SAP Authentication 365.
Configure the application created for your SAP Cloud Platform subaccount. Under the “Authentication and Access” tab, locate the “Risk-based Authentication”.
The default value is “Allow”. Change it to “SMS Two-Factor Authentication” as shown below.
Save your changes and you are now ready to test the MFA flow. Navigate to the Application/Fiori Launchpad in the SAP Cloud Platform subaccount and it will challenge you with the initial authentication with IAS.
After initial authentication, the user will be directed to a screen to provide the SMS PIN as shown below.
After providing the SMS code and successfully validating it, the user will be directed to the Fiori Launchpad/application.
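What the SMS step above amounts to on the verifying side is a short-lived, single-use PIN with a bounded number of guesses. The following is an added illustration of that mechanism, not code from Identity Authentication, SAP Authentication 365 or this post; the PIN length, the 5-minute validity window, the 3-attempt limit and the sample phone number are assumptions chosen for the example, and IAS and Authentication 365 apply their own values.

```python
"""Minimal server-side model of an SMS one-time PIN challenge (illustrative only)."""
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import List, Optional, Tuple

OTP_DIGITS = 6          # assumed PIN length
OTP_TTL_SECONDS = 300   # assumed validity window (5 minutes)
MAX_ATTEMPTS = 3        # assumed wrong-guess limit before the PIN is invalidated


@dataclass
class OtpChallenge:
    phone_number: str
    salt: bytes
    code_hash: bytes
    issued_at: float
    attempts: int = 0
    consumed: bool = False


def _hash_code(code: str, salt: bytes) -> bytes:
    # Keyed hash so the stored value is not the PIN itself. With only
    # 10**OTP_DIGITS possible PINs this is no defence against offline
    # guessing; the attempt limit and short TTL are what actually matter.
    return hmac.new(salt, code.encode("ascii"), hashlib.sha256).digest()


def issue_challenge(phone_number: str, now: Optional[float] = None) -> Tuple[OtpChallenge, str]:
    """Create a new PIN for phone_number.

    Returns the stored challenge plus the plaintext PIN, which the caller hands
    to the SMS gateway and must not persist anywhere else.
    """
    now = time.time() if now is None else now
    code = f"{secrets.randbelow(10 ** OTP_DIGITS):0{OTP_DIGITS}d}"
    salt = secrets.token_bytes(16)
    challenge = OtpChallenge(phone_number, salt, _hash_code(code, salt), now)
    return challenge, code


def verify_code(challenge: OtpChallenge, submitted: str, now: Optional[float] = None) -> str:
    """Check a user-submitted PIN against the challenge.

    Returns one of: "ok", "consumed", "expired", "locked", "invalid".
    Every outcome other than "ok" must be treated as a failed second factor.
    """
    now = time.time() if now is None else now
    if challenge.consumed:
        return "consumed"
    if now - challenge.issued_at > OTP_TTL_SECONDS:
        return "expired"
    if challenge.attempts >= MAX_ATTEMPTS:
        return "locked"
    challenge.attempts += 1
    if hmac.compare_digest(_hash_code(submitted.strip(), challenge.salt), challenge.code_hash):
        challenge.consumed = True
        return "ok"
    return "invalid"


def demo() -> List[str]:
    """Walk through the main outcomes with a fixed clock; returns the result list."""
    t0 = 1_700_000_000.0
    phone = "+10000000000"  # constructed sample number
    ch, pin = issue_challenge(phone, now=t0)
    wrong = "000000" if pin != "000000" else "111111"
    results = [
        verify_code(ch, wrong, now=t0 + 1),   # wrong guess
        verify_code(ch, pin, now=t0 + 2),     # correct, within TTL
        verify_code(ch, pin, now=t0 + 3),     # replay of an already-used PIN
    ]
    ch2, pin2 = issue_challenge(phone, now=t0)
    results.append(verify_code(ch2, pin2, now=t0 + OTP_TTL_SECONDS + 1))  # too late
    ch3, pin3 = issue_challenge(phone, now=t0)
    for _ in range(MAX_ATTEMPTS):
        verify_code(ch3, "wrong", now=t0 + 1)
    results.append(verify_code(ch3, pin3, now=t0 + 2))  # locked even with the right PIN
    return results


if __name__ == "__main__":
    print(demo())  # ['invalid', 'ok', 'consumed', 'expired', 'locked']
```

The design point is that the three non-"ok" guards (expiry, consumption and the attempt counter) are what keep a 6-digit code safe against guessing and replay; the hash is only there so a leaked session store does not hand out live PINs.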
Here is a video which I have recorded to show how this works.
If you would like to set up an SMS based MFA independently of the Identity Provider, you can refer to this blog post: “Configuring SAP Authentication 365 for SMS based Multi-factor Authentication”.
I note that IAS also supports TOTP based MFA. Is there also an additional subscription required for this setup or is it "standard"?
Especially thinking of the case of securing some admin/super user access for SuccessFactors users.
TOTP is built-in functionality and it doesn't require additional subscription.
Thanks for your response Valentin. I missed this one.
Hi Chris Paine
For the out-of-the-box support of TOTP, all that is required is the SAP Authenticator mobile app, which generates the OTP code.
Thanks for your blog. Very helpful and condensed information.
Is it possible to configure the frequency at which a passcode has to be entered? When I switch it on, the user has to enter a passcode for every login.
I know from e.g. Google that they ask me from time to time to enter an additional PIN, which they send to my mobile, just to ensure that I'm still the one who authenticated on my mobile device.
I'm looking for a 2-factor-authentication solution which is not so strict that I have to enter a passcode for every login. Can this be achieved somehow?
"This service is free for usage for Logon to SAP branded cloud applications as well as Platform apps"
Does that mean we are now allowed to use IAS with all of our SAP Cloud Products (SAP Marketing Cloud, SAP Sales Cloud, ...) without additional license?
In the past we received IAS together with SAP Marketing Cloud and the statement from SAP was that the usage with SAP Sales Cloud would need additional license.
I believe IAS is allowed to be used for free with those SAP Cloud solutions. However, it's best to check with your SAP Account Executive as I am unable to provide advice on licensing topics. Thanks.
Okay, then I will check with our SAP AE. Thanks for your reply anyway 🙂
Do you know how the MFA will work with SF application on mobiles? Will the mobile app get MFA prompted after initial setup?
Hi Abhilash Sikenpore
Thanks. Please refer to this SAP Note 2776016 - How to set up Two Factor Authentication between IAS and BizX SuccessFactors - BizX Platform
Did you manage to get any clarification or feedback on your questions?
I have exactly the same question as posted by Liji Mathew.