
In today’s digital landscape, security is more essential than ever. As organisations increasingly move to the cloud, protecting sensitive data while ensuring user accessibility becomes a paramount concern. One effective way to enhance security on SAP Sales and Service version 2 is through Risk-Based Authentication (RBA). In this blog, we will explore how to define RBA rules using the SAP IAS, ensuring a balance between usability and security in SAP Sales and Service version 2.
In this blog, we will explore two crucial sections that can significantly enhance your system's security and user experience.
Section A: Implementing Single Sign-On (SSO)
Single Sign-On (SSO) is a powerful tool that allows users to access multiple applications with a single set of credentials. In this section, we will guide you through the steps to implement SSO for SAP Sales and Service Version 2 using SAP Identity Authentication Service (IAS).
Steps Involved
A. Download the System Metadata (V2 system)
B. Configure System Metadata in Your Identity Provider (IAS)
C. Create a Trusted Identity Provider and Upload IAS Metadata to V2 system
Step A. Download the System Metadata (V2 system)
Click Download Metadata. The tenant metadata XML file will be downloaded to your local drive.
Step B. Configure System Metadata in Your Identity Provider (IAS)
Under Trust > Single Sign-On, configure the following settings:
Step C. Create a Trusted Identity Provider and Upload IAS Metadata to CNS System
Navigate to your tenant to create a trusted IdP and choose a default IdP.
5. Under the Upload IdP Metadata quick view, enter an Alias, and upload the configured metadata XML file (downloaded from your IdP) by either dropping or browsing to upload from the system.
6. Click Save to save your configuration.
7. Activate your configuration by enabling the Set Active switch. To make it a default option, turn on the Set Default switch.
You've now configured Single Sign-On for your system.
Section B: Restricting Access to CNS System Based on IP Address
In this section, we will discuss how to restrict users' access to the CNS system based on their IP address. This is a crucial step in ensuring that only authorised users can access your system from specific locations.
To achieve this functionality, we need to complete two steps. Below is a visual representation of the implementation process.
Step 1) Use the IAS system as an IP controller.
With Risk-Based Authentication, you can set different rules for each application based on the following key factors:
Based on these factors, you can define actions such as:
The rules are executed by priority, and if none of the defined conditions are met, a default action is performed.
Configuring Risk-Based Authentication
In this section, we will explore two examples of risk-based authentication rule sets:
Example 1. Enable Two-Factor Authentication for All Users
For applications needing higher protection, you can prompt all users to provide a One-Time Password (OTP) generated on a mobile device (SAP Authenticator or any app compatible with RFC 6238). Here are the steps:
Prerequisites:
Steps:
3. Choose your application from the list on the left side.
4. Navigate to the "Authentication and Access" tab.
5. Choose "Risk-Based Authentication".
6. Change Default Action from "Allow" to "Two-Factor Authentication" and click "Save."
Result: All users will be prompted to provide a One-Time Password when logging into the application.
Example 2. Deny Access from Outside Corporate Network.
Follow steps up to step 5 from the previous example. Define the following rules:
Find more info about Cloud User Groups:
How to create a new user Group
How to Add User Groups
Set the Default Action to "Deny". Rules are executed by order of priority, and if none are met, the default action is performed.
Result: Users not in the group "CNS" trying to access the application from outside the corporate network receive a denial message.
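As an added illustration (not part of the original post and not SAP's own code), the following Python model evaluates a rule set the way the post describes: rules are checked in priority order, the first match wins, and the default action applies when nothing matches. The Example 2 rule set and the 192.0.2.0/24 "corporate network" range are assumptions chosen to reproduce the result stated above; the real IP ranges and rule conditions come from your IAS tenant.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

ALLOW, DENY, TFA = "Allow", "Deny", "Two-Factor Authentication"


@dataclass
class Rule:
    """One RBA rule: every condition that is set must hold for the rule to match."""
    action: str
    ip_range: Optional[str] = None   # CIDR of the allowed client network, if any
    group: Optional[str] = None      # required cloud user group, if any

    def matches(self, client_ip: str, groups: set) -> bool:
        if self.ip_range is not None:
            if ipaddress.ip_address(client_ip) not in ipaddress.ip_network(self.ip_range):
                return False
        if self.group is not None and self.group not in groups:
            return False
        return True


def evaluate(rules, default_action, client_ip, groups):
    """Return (action, index of the matching rule); index is None when the default fires.

    Returning the index is what you want when troubleshooting: it tells you which
    rule (or the default) produced the decision for a given client IP and user."""
    for index, rule in enumerate(rules):
        if rule.matches(client_ip, groups):
            return rule.action, index
    return default_action, None


# Example 1 from the post: no rules at all, default action changed to Two-Factor Authentication.
EXAMPLE1_RULES, EXAMPLE1_DEFAULT = [], TFA

# Example 2 (assumed rule set): allow anyone on the corporate network, allow "CNS" group
# members from anywhere, deny everything else. 192.0.2.0/24 is a documentation prefix
# standing in for the corporate egress range.
EXAMPLE2_RULES = [
    Rule(action=ALLOW, ip_range="192.0.2.0/24"),
    Rule(action=ALLOW, group="CNS"),
]
EXAMPLE2_DEFAULT = DENY

if __name__ == "__main__":
    # Constructed sample logins: (client IP, user's groups)
    for ip, groups in [("192.0.2.10", set()), ("203.0.113.5", {"CNS"}), ("203.0.113.5", {"Sales"})]:
        print(ip, sorted(groups), "->", evaluate(EXAMPLE2_RULES, EXAMPLE2_DEFAULT, ip, groups))
```

Note that a proxy or load balancer in front of IAS changes the client IP the rule sees, which is exactly why the troubleshooting logs should be checked before widening a range.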
Step 2) Block access to the V2 system via user ID/password.
Troubleshooting:
If an end user reports a problem accessing the application, verify whether the IP address from which they connect to the IAS application is covered by your restriction rules. You can check this under Monitoring and Reporting > Troubleshooting Logs.