README.md

Exercise 1 - Enable Multi-Factor Authentication for applications

In this exercise, we show how to enable Multi-Factor Authentication (MFA) using Time-based One-Time Passwords (TOTP) for application users. In general, we recommend configuring risk-based authentication methods such as MFA both for application users and for platform users. Platform users are those with access to the SAP BTP Cockpit and the SAP Cloud Identity Services administration console; an attacker who takes over such an account controls the security configuration itself, which makes these accounts the more valuable target. However, in the trial version it is not possible to set up a custom trust configuration for your BTP account at global account level, which would be required to configure your own MFA setup for platform users. For that reason, this exercise focuses on enabling MFA for application users. The configuration in the SAP Cloud Identity Services administration console is the same, only applied to a different application. You will test MFA with SAP Build Apps as an example of a BTP-based application with risk-based authentication configured.

💡 What is Multi-Factor Authentication (MFA)?

Multi-Factor Authentication can be described as “an authentication mechanism that requires more than one distinct authentication factor for successful authentication”. The factors are distinct categories of evidence: something the user knows (a password or PIN), something the user has (a phone running an authenticator app, a hardware token) and something the user is (a biometric). Two credentials from the same category, for example a password plus a security question, do not count as MFA. Many earlier systems use a single factor, typically a username and password, so anyone who obtains the password can log in. MFA adds another layer of security: a phished or leaked password alone is no longer sufficient, which reduces the risk of unauthorized access.

💡 What is a Time-based One-Time Password (TOTP)?

A Time-based One-Time Password (TOTP) is a numeric code generated with a standardized algorithm (RFC 6238, built on the HMAC-based one-time password of RFC 4226) that takes the current time and a secret key shared between the user's device and the identity provider as input. It is user friendly and works offline in a generator application of the user's choice, usually on a mobile device, because the code is derived locally from the shared key and the device clock. By default a TOTP is a six-digit number that changes every 30 seconds; the server accepts a code only within a short window around the current time step, so a captured code is of little use to an attacker once that window has passed.
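The algorithm described above, as an added example that is not part of the original exercise and not SAP Cloud Identity Services' own code: a from-scratch RFC 6238 implementation in Python using the RFC's published test key, a server-side verify function showing the clock-drift window and the replay check a practitioner should expect an identity provider to apply, and the otpauth URI format that an enrolment QR code such as the one in Exercise 1.3 typically encodes. The function names, the example account and issuer, and the key (the RFC 6238 test key, not a real secret) are assumptions of this example.

```python
import base64
import hashlib
import hmac
import struct
import time
from urllib.parse import quote


def hotp(secret: bytes, counter: int, digits: int = 6, algorithm=hashlib.sha1) -> str:
    """RFC 4226 HOTP: HMAC the 8-byte big-endian counter, dynamically truncate, reduce mod 10^digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), algorithm).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6, algorithm=hashlib.sha1) -> str:
    """RFC 6238 TOTP: HOTP with the counter set to the number of `step`-second intervals since the epoch."""
    return hotp(secret, unix_time // step, digits, algorithm)


def verify_totp(secret: bytes, candidate: str, unix_time: int, last_used_step: int,
                step: int = 30, digits: int = 6, window: int = 1) -> tuple[bool, int]:
    """Server-side check of a submitted code.

    Accepts the code for the current time step or up to `window` steps on either side
    (tolerating clock drift between phone and server), compares in constant time, and
    refuses any step <= last_used_step so a code that was already accepted cannot be
    replayed inside the window. Returns (accepted, step_to_store); the caller persists
    the returned step per user as the new last_used_step.
    """
    if len(candidate) != digits or not candidate.isdigit():
        return False, last_used_step
    current = unix_time // step
    for offset in range(-window, window + 1):
        candidate_step = current + offset
        if candidate_step <= last_used_step:
            continue
        if hmac.compare_digest(hotp(secret, candidate_step, digits), candidate):
            return True, candidate_step
    return False, last_used_step


def provisioning_uri(secret: bytes, account: str, issuer: str) -> str:
    """The otpauth:// URI an enrolment QR code encodes: the base32 shared secret plus the parameters the app must use."""
    b32 = base64.b32encode(secret).decode().rstrip("=")
    return (f"otpauth://totp/{quote(issuer)}:{quote(account)}"
            f"?secret={b32}&issuer={quote(issuer)}&algorithm=SHA1&digits=6&period=30")


if __name__ == "__main__":
    key = b"12345678901234567890"  # RFC 6238 Appendix B test key (constructed input, not a real secret)
    print(totp(key, 59))                                # 287082, the RFC test vector at T=1
    print(provisioning_uri(key, "alice@example.com", "ExampleIdP"))  # hypothetical account and issuer
    print(totp(key, int(time.time())))                  # what an authenticator app shows right now
```

The enrolment step is the only moment the shared secret leaves the identity provider, which is why the QR code or key must not be captured; in a real deployment the key is generated randomly per user (for example with os.urandom), never the RFC value used here.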

Relevant Security Recommendations

Exercise 1.1 - Setup SAP Build Apps and enter the application with your trial identity provider user

  1. Open the SAP BTP Cockpit and navigate to your global account. You should have bookmarked the URL in the Getting started exercise.

  2. Navigate to Boosters.

  3. Enter SAP Build Apps in the search field. Click on Get started with SAP Build Apps.

  4. An overview page provides details on the booster. Click on Start.

  5. A wizard opens. On the first page, the prerequisites are checked. Click on Next.

  6. Select the second option, Select subaccount, and click on Next.

  7. You can leave the default values in place. Click on Next.

  8. Enter your email address for Administrators and Developers. Then click on Next.

  9. Review your entries and click on Finish.

  10. Success! The booster has created the SAP Build Apps setup. Click on the link to navigate to the subaccount.

  11. Go to Instances and Subscriptions in your subaccount and click on the icon to open SAP Build Apps.

  12. A logon page opens. Two identity providers are offered: the Default Identity Provider (SAP ID Service) and your Trial Account Identity Provider (SAP Cloud Identity Services). Select your Trial Account Identity Provider to log on.

  13. A pop-up asks for Email and Password. Enter the email address and password of your SAP Cloud Identity Services user.

  14. The authorizations should already be in place, because your user was assigned to the required role collections when the booster ran. You will see the entry page of SAP Build Apps.

  15. Sign out from SAP Build Apps and close the browser window.


Exercise 1.2 - Configure Multi-Factor Authentication to access SAP Build Apps

In Exercise 1.1 we enabled SAP Build Apps, and the configured users can now authenticate with the custom identity provider when they access the application. However, we want to restrict access to the application to users who present a second authentication factor.

  1. Log out of SAP Build Apps and close the browser window if you have not already done so.

  2. Open the SAP Cloud Identity Services administration console, either from your bookmark or from the BTP Cockpit (navigate to Instances and Subscriptions and click on the icon next to SAP Cloud Identity Services).

  3. In the pop-up window, sign in to the SAP Cloud Identity Services administration console with your email address and password.

  4. In the SAP Cloud Identity Services administration console, navigate to Applications & Resources --> Applications.

  5. On the left side you see bundled and system applications. Under Bundled Applications you find the application SAP BTP subaccount trial. Click on it to see the configuration of this application.

💡 XSUAA is the OAuth authorization server of the SAP BTP Cloud Foundry environment, based on the Cloud Foundry UAA (User Account and Authentication server), together with the service broker that provisions it. It offers authentication and authorization services for microservice-style applications and is used by almost all applications running on SAP BTP in the Cloud Foundry environment. The application SAP BTP subaccount trial in SAP Cloud Identity Services represents the trust between your subaccount's XSUAA and this identity provider. When we configure two-factor authentication for this application, every application in this subaccount that authenticates through XSUAA with this identity provider will require a second factor.

  6. In the configuration screen of the SAP BTP subaccount trial application, navigate to Authentication and Access.

  7. You now see the line where Risk-Based Authentication can be configured. Click on the small arrow on the right.

  8. In the Risk-Based Authentication frame you can create Authentication Rules, and you can see the Default Authentication Rule, which is Allow. The default rule applies whenever no specific rule matches.

  9. Change the Default Authentication Rule to Default Action = Two-Factor Authentication and Two-Factor Method = TOTP. Do not forget to save the new configuration with the Save button at the top right of the page. From now on, access to applications in your SAP BTP subaccount that use XSUAA for authentication requires a Time-based One-Time Password (TOTP) as second factor. Note that this rule only covers logons through your SAP Cloud Identity Services tenant; a user who selects the Default Identity Provider (SAP ID Service) on the logon page is not subject to it.

Once the configuration is complete, the system prompts the user for the second factor selected in the rule, here the TOTP passcode, after the initial username and password have been verified.

Exercise 1.3 - Enable MFA for your user

  1. Navigate to your user's profile page in SAP Cloud Identity Services. In the trial environment you reach it by appending ui/protected/profilemanagement to your tenant URL:

https://"trialtenant-ID".trial-accounts.ondemand.com/ui/protected/profilemanagement

Your user profile shows the authentication methods set up for you. Here you can add or remove authentication methods.

  2. Open the Multi-Factor Authentication section. Click on Activate TOTP Two-Factor Authentication.

  3. Scan the QR code using the authenticator app (such as Google Authenticator or Microsoft Authenticator) on your device or enter the key manually. The QR code and the key are the secret shared between your device and the identity provider: anyone who captures them can generate valid passcodes, so do not photograph, share or store them elsewhere. Once you have scanned or entered the key, enter the passcode generated by the authenticator app below and click Activate.

  4. Your device is now configured for TOTP two-factor authentication.

  5. Log out of the identity provider.

  6. Navigate to SAP BTP Cockpit --> Instances and Subscriptions --> SAP Build Apps --> Go to Application.

  7. Select your SAP Cloud Identity Services tenant to log on.

  8. A pop-up asks for Email and Password. Enter the email address and password of your SAP Cloud Identity Services user.

  9. The next pop-up asks for a passcode. Open the authenticator app on your mobile device, enter the time-based passcode it currently shows for this application and continue.

  10. Success! SAP Build Apps opens.


Summary

In this exercise you learned how to set up SAP Build Apps and how to enable Multi-Factor Authentication (MFA) using a Time-based One-Time Password (TOTP). You will find the detailed documentation on how to set up Multi-Factor Authentication in SAP Cloud Identity Services in the SAP Help Portal.

Continue to - Exercise 2 - Security Recommendations regarding user access and authentication