SAP SuccessFactors Two-Factor Authentication (TOTP) for password users via SAP Cloud Platform Identity Authentication (IAS) with the Microsoft Authenticator App: a technical step-by-step guide
Introduction
In this blog post I share my experience of setting up SAP SuccessFactors Two-Factor Authentication (TOTP) for password users via SAP Cloud Platform Identity Authentication (IAS) with the Microsoft Authenticator app. In the example below I have selected the Microsoft Authenticator.
Two-Factor Authentication (TOTP) is a process in which a user who signs in with a password is prompted for an additional form of identification. The Microsoft Authenticator app displays time-based one-time passwords (TOTP) that safeguard access to the data and applications of the target system while keeping password-based login for the users. It acts as an extra layer of security that verifies a user’s identity by requiring a second form of authentication. You can also use other authenticators, such as the SAP or Google Authenticator.
Users access SuccessFactors via the web application and must enter the correct username and password. As a second step they are asked to enter a passcode, after which authentication to the application succeeds.
First Step:
- User tries to access SuccessFactors via the web application.
- SuccessFactors checks whether the user is already authenticated within the system and redirects the request to SAP IAS.
- SAP IAS requests the user to provide a user identifier in the login screen.
Second Step:
- A first-time user needs to download and install the Microsoft Authenticator app.
Download and install the app
- Install the latest version of the Microsoft Authenticator app, based on your operating system:
- Google Android. On your Android device, go to Google Play to download and install the Microsoft Authenticator app.
- Apple iOS. On your Apple iOS device, go to the App Store to download and install the Microsoft Authenticator app.
Sign in with a QR code
- Add an account by scanning a QR Code
- Open the Microsoft Authenticator app, select the plus icon (on either iOS or Android), select Add account, then select Work or school account, followed by Scan a QR Code. If you don’t have an account set up in the Authenticator app yet, you’ll see a large blue button that says Add account.
- If the user has a device already registered to generate passcodes for the two-factor authentication, she or he just has to enter the passcode from the mobile device, and will log on to the application.
Technical Step by Step Procedure:
- Log in to IAS with your administrator credentials.
- Once you enter the Administration Console of Identity Authentication service, in the left menu, go to “Applications and Resources” -> “Applications”
- Choose your application from the list of applications on the left side.
- Navigate to the “Authentication and Access” tab.
- Choose “Risk-Based Authentication”
- Create a group for password users or External users.
Example: PWD_USERS
- Add a rule for “Two-Factor Authentication”, assign the “PWD_USERS” group and click “Save”.
- Assign the password users to the “PWD_USERS” group.
Conclusion
With this, SAP SuccessFactors Two-Factor Authentication (TOTP) for password users via SAP Cloud Platform Identity Authentication (IAS) with the Microsoft Authenticator app is complete. Implement it first in a non-production system and test it there before deploying it to the production system.
Hope this information is helpful !
Thank you for taking the time to read and leave your comments below!
Nice Blog..!!
Hi Krishna,
The blog is very helpful.
I have a query. Suppose an individual (maybe an SF LMS SITE user) loses his phone or the phone crashes; what will the impact be, and what can be done to reset the 2FA app on the new device?
Regards,
Divyanshi
Hi Divyanshi,
If an SF LMS SITE user loses his/her mobile or the mobile crashes, he can report it to the SAP IAS admin so that the SAP IAS admin can deactivate/activate the Two-Factor Authentication (TOTP).
Steps to Deactivate : (Mobile Lost)
Login IAS -> User Management -> Select the user -> Authentication -> Multi-Factor Authentication -> Two-Factor Authentication Status off & TOTP status off
Steps to Activate :
Login IAS -> User Management -> Select the user -> Authentication -> Multi-Factor Authentication -> Two-Factor Authentication Status on & TOTP status on
Hi Krishna,
Many thanks for helping with the steps.
Hi,
Can you please let us know how to add more people to get passcodes, as there are situations when the person who gets the passcode is not available.
Hi,
How do you add user to the IAS group “PWD_USERS”? Manually in IAS admin console?
Did you know that running IPS Resync job can remove users from IAS group?
You do this through User Management. Note you can import users as well.
There is some missing configuration, as this alone does not work. Appears to be some SuccessFactors Provisioning settings that need to be completed?
The prerequisite is explained here: https://userapps.support.sap.com/sap/support/knowledge/E/2791410
Also, the steps subsequently: https://userapps.support.sap.com/sap/support/knowledge/E/2791410
Hi Krishna,
For the first time user, if the email link to setup the password & TOTP is expired, how to retrigger new email link to the user?
Thank you.