Yogananda Muthaiah

SAP Commissions – Enable TOTP(2MFA) from IAS

TOTP, or Time-based One-time Passwords, is a way to generate short-lived authentication tokens commonly used for two-factor authentication (2FA). The algorithm for TOTP is defined in RFC 6238, which means that the open standard can be implemented in a compatible way in multiple applications.

How does TOTP work?

Inputs to the TOTP algorithm are a shared secret key and the current system time. Those are put through a one-way function (an HMAC) whose output is truncated into a short, readable token. Because both inputs are available offline, the whole method works offline. This is a great option for users who may have unstable cellular connections for receiving SMS 2FA, or for users who want a more secure channel than SMS 2FA.

What is Multi-Factor Authentication (MFA)?

When a system needs to authenticate that you are who you say you are, it can use a variety of factors, or pieces of information, to verify your identity. Many systems just use one factor, like a single password.

Why Use MFA?

The strength of multi-factor authentication is that it adds an extra layer of security on top of passwords. More generally, MFA protects you when one of your factors is compromised.

How to implement TOTP 2FA in your application

Follow the steps below to configure TOTP in your IAS tenant. This activity is performed by an Administrator.

Add the rule below to Risk-Based Authentication.

With the configuration completed, let's install the mobile app (Android or iOS) for TOTP.

I would recommend installing the SAP Authenticator app on your mobile device for 2FA.
There are also plenty of other TOTP apps that customers can choose for themselves.

Once it is installed, try to log in to your SAP Commissions tenant. The first time, you will be redirected to the 2FA (Two-Factor Authentication) page.

We recommend scanning a QR code, but you can also enter the key manually. This is how the account and the authenticator app sync the secret key.

Use the scanner on your mobile device to scan the QR Code.

  1. Tap Done on your mobile device.
  2. Enter the passcode generated by the SAP Authenticator app into the Passcode field provided on the IAS profile page as below.
  3. Press Activate.

Let's try to log in again (you will see your own login page with Single Sign-On enabled).

Here's a look at how the IAS application prompts a user to enter the passcode.

Open the SAP Authenticator app (or whichever authenticator app you configured in the step above) and enter the time-based passcode currently shown in the app.

Now I am successfully logged in to the SAP Commissions home page through Single Sign-On (SSO) with 2FA.

As shown below, an Admin can see the security logs for users, including the authentication mechanism used.

Reference

Activate a Device for TOTP Two-Factor Authentication (Help Portal): https://help.sap.com/viewer/6d6d63354d1242d185ab4830fc04feb1/Cloud/en-US/ab8a3237cd424a0c97b921100d263b8a.html

Thanks for reading it till the end. 🙏


Hope you find that helpful! Let me know your thoughts on this in the comments section.

      3 Comments
      Ashok Kumar

      Hello Yogananda,

      Thank you for detailed blog on TOTP web authentication.

      We have an existing SSO login followed by MFA (Microsoft) authentication in our company for SF or non-SF applications, and now we are configuring SAP IAS for the SF instance. So do we need to configure Risk-Based Authentication again?

      Any inputs on this scenario are highly appreciated.

      Yogananda Muthaiah
      Blog Post Author

      Hi Ashok Kumar,

      It's not required, since it's already taken care of by your Identity Provider.

      If you still want to enable it on top of that, yes, you can, but it would be more difficult for users to sign in and more complicated for authentication, though it would be tighter security.


      Ashok Kumar

      Thank you, Yogananda.