Setting up SMS based Multi-factor Authentication in SAP Cloud Platform Identity Authentication
UPDATE – 15-May-2021: SAP Identity Authentication is a service that is now bundled with many SAP cloud solutions and is also offered with SAP BTP. The service is free to use for logon to SAP-branded cloud applications as well as platform apps; refer to the SAP Business Technology Platform Service Description Guide for details. This blog post focuses specifically on how to set up SMS capabilities within the Identity Authentication service using SAP Authentication 365. Note that SAP Authentication 365 has since been acquired by Sinch, so customers who want to enable SMS-based MFA in the Identity Authentication service now need a subscription to Sinch Authentication 365 (provided by Sinch).
SAP Cloud Platform Identity Authentication service (IAS) supports two-factor authentication, commonly referred to as multi-factor authentication (MFA). The default mechanism uses the SAP Authenticator app, which must be installed on each user's device; the app generates the one-time PIN that the user enters as the second factor. I have covered setting up IAS and MFA in the previous blog posts:
- Setting up Authentication for Cloud Portal using Cloud Identity
- Integrating Identity Authentication service & Azure Active Directory in SAP Cloud Platform
In this blog post, I walk through the steps required to set up MFA that delivers the PIN by SMS. This feature requires SAP Authentication 365, which is a separate subscription service. It uses a few other SAP Live Link services, such as SMS 365 and Email 365, to send one-time PINs (OTPs) to users' devices. The solution is modular and can be configured to your requirements: if you already have your own SMS or mail server, SAP Authentication 365 can hook into it. Keep in mind that an OTP delivered over SMS is generally considered a weaker second factor than an authenticator app, because it is exposed to SIM-swap and message-interception attacks, so treat it as a convenience option rather than the strongest one available.
Follow this blog post to learn how to set up SAP Authentication 365. It is quite simple and quick to configure.
To configure SMS-based MFA, open the tenant settings in the IAS Admin console and select "SAP Authentication 365 configuration".
Enter your SAP Authentication 365 account details along with the Client ID and client secret that you obtained when creating an API key in SAP Authentication 365. Treat the client secret like any other credential: it grants the IAS tenant the right to send messages through your Authentication 365 account, so do not reuse it elsewhere and rotate it if it is ever exposed.
Next, configure the application that was created for your SAP Cloud Platform subaccount. Under the "Authentication and Access" tab, locate "Risk-based Authentication".
The default action is "Allow", which means users are let in after a single factor. Change it to "SMS Two-Factor Authentication" as shown below.
Save your changes; you are now ready to test the MFA flow. Navigate to the application or Fiori Launchpad in the SAP Cloud Platform subaccount and you will be redirected to IAS for the initial (first-factor) authentication.
After the initial authentication succeeds, the user is taken to a screen asking for the SMS PIN, as shown below. For the PIN to be delivered, the user must have a mobile phone number maintained in their IAS user profile; a user without one cannot complete the challenge.
Once the SMS code has been entered and validated, the user is redirected to the Fiori Launchpad or application.
Here is a video I recorded to show how this works.
If you would like to set up SMS-based MFA independently of the identity provider, refer to the blog post "Configuring SAP Authentication 365 for SMS based Multi-factor Authentication".