Step-by-step guide to integrate IBM Security Verify as custom identity provider for MFA in SAP BTP
Using IBM Security Verify as identity provider augments SAP Business Technology Platform (BTP) security with additional capabilities such as adaptive access, through integration with the fraud prevention solution IBM Trusteer, and user lifecycle management across hybrid landscapes. You can also read the article on the capabilities of IBM Security Verify for increasing the security of SAP BTP apps, published on the internet.
In this blog, we will explain how to use IBM Security Verify with SAP BTP and how to configure multi-factor authentication (MFA), requiring users to provide two forms of identification, bolstering protection against unauthorised access.
This is a step-by-step guide on how to set up IBM Security Verify as an identity provider for SAP BTP through a trust configuration using SAML 2.0, and then how to authenticate to SAP BTP with IBM Security Verify by configuring multi-factor authentication options including:
• “Security Key / Touch ID” with the IBM Security Verify mobile app or Apple iWatch
• “QR Code”: scanning the provided QR code with the IBM Security Verify mobile app
• IBMid with w3id as an option for regular user ID and password authentication
What you need:
• SAP BTP account
• IBM Security Verify
• Apple iPhone or Android smartphone with IBM Security Verify App
• Apple iWatch, synced with your iPhone (optional)
Configurations and Settings in IBM Security Verify and SAP BTP
Step 1: Log in to IBM Security Verify as an administrator.
After login, you will see the home screen:
Step 2: In the left panel, click “Applications” under “Applications”. On the right side of the screen, click the “Add application” button.
Step 3: Enter the necessary details under the “General” section as shown below:
Step 4: Before we go further, log in to your SAP BTP account (create an SAP free trial account if you don’t have one); you will be taken to the SAP BTP cockpit. Navigate to “Trust Configuration”, which is under “Security”:
Now click the “SAML Metadata” button, which downloads the subaccount’s SAML metadata file.
Step 5: Go back to IBM Security Verify, click the “Sign-on” section and select the “Use metadata” checkbox. This allows us to upload the metadata file we downloaded from SAP BTP above.
Step 6: Now select “Access Policy” under the “Security” section in the left panel to create a new access policy, and click “Add Policy” as shown below:
Select “Federated sign-on policy” while creating a new policy:
Click on “Add rule” to define the rules within the policy:
You will then see the policy details:
Step 7: Now select the policy “MFA for app Test” created in the previous step for the application, under the “Applications” section of “Applications”, as shown below:
Step 8: Navigate to “Authentication factors” under “Authentication” and set the details of the different authentication factors:
Step 9: Return to the SAP BTP cockpit and navigate to “Trust Configuration” under the “Security” section. Here, click the “New Trust Configuration” button as shown below:
Step 10: Next, upload the “Metadata” file obtained from IBM Security Verify and fill in the details as shown in the screenshots below:
You can get the above “Metadata” file from IBM Security Verify: go to “Sign-on” and, on the right side of the screen, download the file from the given URL, then upload it in SAP BTP as highlighted below:
We now have a custom identity provider called “IBM Verify”, created using the steps outlined above.
We have completed the configurations in IBM Security Verify and SAP BTP. Let’s test it now.
Testing: Multi-Factor Authentication (MFA) in SAP BTP
First, download and install the IBM Verify application on your mobile from the App Store (iPhone) or Play Store (Android). Refer to the IBM Verify help or contact your local admin to set up the application on your mobile.
Log in to SAP BTP and choose the subaccount you want to use. In the “Services” section, select “Instance and services” as shown below:
Click on the application you want to access. Here, I want to access “SAP Business Application Studio”.
You will be taken to a new page with multiple options. Select the custom identity provider you created. In our case, we select “httpsibmlabs.verify.ibm.comsamlspssa”.
You are now on another page; click “Sign in with IBMid” for further validation.
Approve the login using one of the following options:
Option 1: Approve by using “Security Key / Touch ID”.
Approval through Mobile application
Or approval through Apple iWatch
Option 2: Approval using “QR Code” scanning.
Open the “IBM Verify” mobile application on your phone, tap the scan button in the top right corner of the screen and scan the displayed QR code, as shown below:
Option 3: Approval through “w3id Credentials”
Once approved you can access the respective application.
IBM Security Verify helps organisations add an extra layer of protection, with approval through your mobile application as simple as shown above.
Because SAP BTP allows an identity provider other than the default one to be added, IBM Security Verify can be used, bringing all its capabilities to strengthen the security of SAP BTP applications, including additional options for multi-factor authentication. Please leave your views and opinions in the comments box below, and please follow me for more such content in the future.
If you have any questions about SAP BTP, please refer to the SAP Community; for questions about IBM Security Verify, refer to the IBM Security Verify Community.
Jainam Salot, Technology Engineer, IBM India Software Labs.
Tushar Trivedi, SAP Solution Architect, IBM India Software Labs.