Author: Badri krishna NMS

SAP SuccessFactors Two-Factor Authentication (TOTP) for Password Users via SAP Cloud Platform Identity Authentication (IAS) with the Microsoft Authenticator App: Technical Step-by-Step Guide

Introduction

In this blog post I share my experience of setting up Two-Factor Authentication (TOTP) for SAP SuccessFactors password users via SAP Cloud Platform Identity Authentication (IAS) with the Microsoft Authenticator app. The example below uses Microsoft Authenticator.

Two-Factor Authentication (TOTP) is a process in which a user who signs in with a password is prompted for an additional form of identification. The Microsoft Authenticator application displays time-based one-time passwords (TOTP), which help to safeguard access to the data and applications of the target system while keeping password login for users. It acts as an extra layer of security that verifies a user’s identity by requiring a second form of authentication. You can also use other authenticators such as SAP or Google Authenticator.

 

Users access SuccessFactors via the web application and enter the correct username and password. As a second step, they are asked to enter a passcode, after which authentication to the application succeeds.

First Step:

  • User tries to access SuccessFactors via the web application.
  • SuccessFactors checks whether the user is authenticated within the system and redirects the request to SAP IAS.
  • SAP IAS requests the user to provide a user identifier in the login screen.

Second Step:

  • A first-time login user needs to download and install the Microsoft Authenticator app.

Download and install the app

Sign in with a QR code

  • Add an account by scanning a QR Code
  • Open the Microsoft Authenticator app, select the plus icon on either iOS or Android devices, select Add account, then select Work or school account, followed by Scan a QR Code. If you don’t have an account set up in the Authenticator app, you’ll see a large blue button that says Add account.

  • If the user has a device already registered to generate passcodes for the two-factor authentication, she or he just has to enter the passcode from the mobile device, and will log on to the application.

Successful authentication to the application.

 

Technical Step by Step Procedure:

  1. Log in to IAS with your administrator credentials.
  2. Once you are in the Administration Console of the Identity Authentication service, go to “Applications and Resources” -> “Applications” in the left menu.
  3. Choose your application from the list of applications on the left side.
  4. Navigate to the “Authentication and Access” tab.
  5. Choose “Risk-Based Authentication”

  • Create a group for password users or External users.

Example: PWD_USERS

  • Add a rule for “Two-Factor Authentication”, assign the “PWD_USERS” group, and click “Save”.

  6. Assign password users to the “PWD_USERS” group.

Conclusion

The integration of SAP SuccessFactors Two-Factor Authentication (TOTP) for password users via SAP Cloud Platform Identity Authentication (IAS) with the Microsoft Authenticator app is now complete. It should first be implemented in a non-production system and tested before it is deployed to the production system.

Hope this information is helpful!

Thank you for taking the time to read and leave your comments below!


      9 Comments
      Pavan Srivasta

      Nice Blog..!!

      Divyanshi Shah

      Hi Krishna,

      The blog is very helpful.

      I have a query. Suppose an individual (maybe an SF LMS SITE user) loses his phone or the phone crashes, what will the impact be and what can be done to reset the 2FA app on the new device?

      Regards,

      Divyanshi

      Badri krishna NMS
      Blog Post Author

      Hi Divyanshi,

      If an SF LMS SITE user loses his/her mobile or the mobile crashes, he can report it to the SAP IAS admin so that the SAP IAS admin can deactivate/activate the Two-Factor Authentication (TOTP).

      Steps to Deactivate : (Mobile Lost)

      Login IAS -> User Management -> Select the user -> Authentication -> Multi-Factor Authentication -> Two - Factor Authentication Status off & TOTP status off

      Steps to Activate :

      Login IAS -> User Management -> Select the user -> Authentication -> Multi-Factor Authentication -> Two - Factor Authentication Status on & TOTP status on

      Divyanshi Shah

      Hi Krishna,

      Many thanks for helping with the steps.

      Nishag Ponnambeth

      Hi,

      Can you please let us know how to add more people to get passcodes as there are situations when the person who gets the pass code is not available.

      Dmitry Yasser

      Hi,

      How do you add user to the IAS group “PWD_USERS”? Manually in IAS admin console?

      Did you know that running IPS Resync job can remove users from IAS group?

       

      Ben Ting

      You do this through User Management. Note you can import users as well.

      Ben Ting

      There is some missing configuration, as this alone does not work. Appears to be some SuccessFactors Provisioning settings that need to be completed?

       

      The prerequisite is explained here: https://userapps.support.sap.com/sap/support/knowledge/E/2791410

       

      Also, the steps subsequently: https://userapps.support.sap.com/sap/support/knowledge/E/2791410

      Su San Tan

      Hi Krishna,

      For the first time user, if the email link to setup the password & TOTP is expired, how to retrigger new email link to the user?

      Thank you.