SAP SuccessFactors Two-Factor Authentication (TOTP) for password users' integration via SAP Cloud Platform Identity Authentication (IAS) with the Microsoft Authenticator app, with a technical step-by-step guide
In this blog post I share my experience of setting up SAP SuccessFactors Two-Factor Authentication (TOTP) for password users via SAP Cloud Platform Identity Authentication (IAS) with the Microsoft Authenticator app. The example below uses Microsoft Authenticator.
Two-Factor Authentication (TOTP) is a process in which a user who signs in with a password is prompted for an additional form of identification. The Microsoft Authenticator app displays time-based one-time passwords (TOTP) that help safeguard access to the data and applications of the target system while keeping password login for users. It acts as an extra layer of security that verifies a user's identity by requiring a second form of authentication. You can also use other authenticators, such as SAP Authenticator or Google Authenticator.
Users access SuccessFactors via the web application and enter their correct username and password. As a second step, they are asked to enter a passcode; once it is accepted, authentication to the application succeeds.
- User tries to access SuccessFactors via the web application.
- SuccessFactors checks whether the user is authenticated within the system and redirects the request to SAP IAS.
- SAP IAS requests the user to provide a user identifier in the login screen.
- On first login, the user needs to download and install the Microsoft Authenticator app.
Download and install the app
- Install the latest version of the Microsoft Authenticator app, based on your operating system:
- Google Android. On your Android device, go to Google Play to download and install the Microsoft Authenticator app.
- Apple iOS. On your Apple iOS device, go to the App Store to download and install the Microsoft Authenticator app.
Sign in with a QR code
- Add an account by scanning a QR Code
- Open the Microsoft Authenticator app, select the plus icon (on either iOS or Android), select Add account, then select Work or school account, followed by Scan a QR Code. If you don't have an account set up in the Authenticator app yet, you'll see a large blue button that says Add account.
- If the user already has a device registered to generate passcodes for two-factor authentication, they only have to enter the passcode from the mobile device and are logged on to the application.
Technical Step by Step Procedure:
- Log in to IAS with your administrator credentials.
- In the Administration Console of the Identity Authentication service, go to "Applications and Resources" -> "Applications" in the left menu.
- Choose your application from the list of applications on the left side.
- Navigate to the "Authentication and Access" tab.
- Choose "Risk-Based Authentication".
- Create a group for password users or external users.
- Add a rule for "Two-Factor Authentication", assign the "PWD_USERS" group and click "Save".
- Assign password users to the "PWD_USERS" group.
With this, SAP SuccessFactors Two-Factor Authentication (TOTP) for password users via SAP Cloud Platform Identity Authentication (IAS) with the Microsoft Authenticator app is complete. Implement it first in a non-production system and test it there before deploying it to the production system.
Hope this information is helpful!
Thank you for taking the time to read and leave your comments below!
The blog is very helpful.
I have a query. Suppose an individual (maybe an SF LMS SITE user) loses his phone or the phone crashes. What will the impact be, and what can be done to reset the 2FA app on the new device?
If an SF LMS SITE user loses his/her mobile or the mobile crashes, he can report it to the SAP IAS admin so that the SAP IAS admin can deactivate/activate the Two-Factor Authentication (TOTP).
Steps to Deactivate : (Mobile Lost)
Login IAS -> User Management -> Select the user -> Authentication -> Multi-Factor Authentication -> Two-Factor Authentication Status off & TOTP status off
Steps to Activate :
Login IAS -> User Management -> Select the user -> Authentication -> Multi-Factor Authentication -> Two-Factor Authentication Status on & TOTP status on
Many thanks for helping with the steps.
Can you please let us know how to add more people to get passcodes, as there are situations when the person who gets the passcode is not available?
How do you add a user to the IAS group "PWD_USERS"? Manually in the IAS admin console?
Did you know that running the IPS Resync job can remove users from an IAS group?