Technical Articles
Activate TOTP Two-Factor Authentication for platform users on SAP Business Technology Platform (formerly known as Cloud Platform) at Alibaba Cloud
SAP Business Technology Platform (BTP) is formerly known as Cloud Platform (CP).
Purpose
The main purpose of this post is to let BTP platform users know how to enable TFA to make accounts more secure.
Platform users are usually developers, administrators or operators who deploy, administer, and troubleshoot applications and services on SAP BTP. They’re the users that you give certain permissions for instance at global account or subaccount level.
Difference between Platform Users and Business Users: https://help.sap.com/viewer/65de2977205c403bbc107264b8eccf4b/Cloud/en-US/cc1c676b43904066abb2a4838cbd0c37.html
Background
Identity Providers for Platform Users
For platform users, BTP provides default identity provider, but if you want to have subaccount members from your own user base, you can use your own tenant of SAP Cloud Identity Services – Identity Authentication.
Thus, in order to manage platform users, we can have:
- Default Identity Provider
- Customized Identity Provider
In this post, we focus on the Default Identity Provider on BTP@Alibaba Cloud.
Default Identity Provider on BTP@Alibaba Cloud
In the majority of cases, the default platform identity provider and application identity provider of SAP Cloud Platform is SAP ID service, which is owned by SAP.
For BTP@Alibaba Cloud, the default identity provider is another tenant of SAP Identity Authentication Service (IAS) dedicated to BTP@Alibaba Cloud, which is owned by CDC.
In case readers got any confusion that why BTP@Alibaba Cloud needs a separate IAS tenant, furthermore, why we should let it be owned by a third-party company. The reason behind this is complex. In a nutshell, the main purpose is to meet compliance in China. Any data center in China should be operated by a wholly china-owned company. In this case, SAP chose CDC as its partner to join this program.
The specific difference in default identity provider is listed as below:
| IaaS Provider | Region & Region Name | Default Identity Provider | |
|---|---|---|---|
| Alibaba Cloud | cn40 China (Shanghai) | cn40.platform.sapcloud.cn | https://awmtxn6rh.accounts.ondemand.com (an IAS tenant owned by CDC) |
| Others | Others’ | Others’ | https://accounts.sap.com/ (a special IAS tenant owned by SAP IT) |
For more information on accounts at all IaaS Providers or Regions, please visit this page: https://help.sap.com/viewer/65de2977205c403bbc107264b8eccf4b/Cloud/en-US/350356d1dc314d3199dca15bd2ab9b0e.html
Activate TOTP Two-Factor Authentication on BTP@Alibaba Cloud
To log on to platform and applications that require time-based one-time password (TOTP) as two-factor authentication, first you have to activate a mobile device that will generate TOTP passcodes.
SAP Authenticator runs on both iOS and Android mobile operating systems.
Step 1: Download App
Download the SAP Authenticator App from Playstore/Appstore to your smartphone.
You can also use other third-party authenticators such as Google Authenticator or Microsoft Authenticator. For more information about how to install and configure authenticators other than SAP Authenticator see their documentation.
Step 2: Init App
Open the app and click on Start Setup. You will be prompted to setup initial password. This password will be used while opening the app every time. Add Password and click on Tick button at top right corner.
Step 3: Add an Account
Tap the Add Account button or tap Add icon from menu. In next screen, check on Scan QR Code button.
Step 4: Get QR Code
Activate button under the Two-Factor Authentication section.
The profile page of a IAS tenant is:
https://<idp-tenant>/ui/protected/profilemanagement
For BTP@Alibaba Cloud, please visit:
https://awmtxn6rh.accounts.ondemand.com/ui/protected/profilemanagement
Step 5: Set the Account
- Use the scanner on your mobile device (Step 3) to scan the QR Code (Step 4).
- Tap
Doneon your mobile device. - Enter the passcode generated by the SAP Authenticator app into the
Passcodefield provided on the IAS profile page as below. - Press Activate.
The setup of SAP Authenticator and adding accounts is a one-time activity, Once you have added the IDP to the authenticator, you can use the passcode generated for all authentications where a passcode for the respective IDP is required.
Activate TOTP Two-Factor Authentication on BTP@Alibaba Cloud without Mobile Device
Windows also provide a PC version for you to add TFA. It can be used by people without mobile devices or those who do not want to install “work stuff” on their personal phones.
On a Windows laptop, you can download and install SAP Authenticator the Windows version from Microsoft Store:
https://www.microsoft.com/en-us/p/sap-authenticator/9nblggh4s7q7#activetab=pivot:overviewtab
Result
Now you can log on to applications that require passcode as additional security for authentication.
How to log on to Cockpit
Without TFA passcode.
How to log on to SaaS services
Enter your TFA passcode according to the service guide
How to log on to CF CLI
Replace your password with password+passcode (pending directly without any character between them)
How to configure Cloud Connector to your org
Customized Identity Provider
With Customized Identity Provider, customers can have more flexibility to manage platform users, for example, customers can force platform users to enable TFA. Otherwise, with Default Identity Provider, customers can only “ask” the individual platform user to change his/her TFA setting on Default Identity Provider, which may be not sufficient for some customers.
BTP enterprise accounts can be either
BTP@Alibaba Cloud is Feature Set B (
Feature Set A
Customers with accounts of Feature Set A can configure Customized Identity Provider by referring to:
Bringing Your Corporate Identity Provider for Platform Users [Feature Set A]
Feature Set B
Temporarily, for platform users, Feature Set B can only use the Default identity Provider. Of course, Feature Set B can configure Customized Identity Provider to manage business users (in case you made any confusion).
Reference
Activate a Device for TOTP Two-Factor Authentication (Help Portal): https://help.sap.com/viewer/6d6d63354d1242d185ab4830fc04feb1/Cloud/en-US/ab8a3237cd424a0c97b921100d263b8a.html