CRM and CX Blogs by SAP
Stay up-to-date on the latest developments and product news about intelligent customer experience and CRM technologies through blog posts from SAP experts.
cancel
Showing results for 
Search instead for 
Did you mean: 
SunkariPraveen
Product and Topic Expert
Product and Topic Expert
587

 

In today’s digital landscape, security is more essential than ever. As organisations increasingly move to the cloud, protecting sensitive data while ensuring user accessibility becomes a paramount concern. One effective way to enhance security on SAP Sales and Service version 2 is through Risk-Based Authentication (RBA). In this blog, we will explore how to define RBA rules using the SAP IAS, ensuring a balance between usability and security in SAP Sales and Service version 2.

In this blog, we will explore two crucial sections that can significantly enhance your system's security and user experience.

Section A: Implementing SSO for SAP Sales and Service Version 2 with SAP IAS

Single Sign-On (SSO) is a powerful tool that allows users to access multiple applications with a single set of credentials. In this section, we will guide you through the steps to implement SSO for SAP Sales and Service Version 2 using SAP Identity Authentication Service (IAS).

PrerequisitesTo configure SSO with SAP Sales and Service version 2, you need the following systems:

  • SAP IAS 
  • SAP Sales and Service version 2

Steps Involved 

A. Download the System Metadata (V2 system)
B. Configure System Metadata in Your Identity Provider (IAS)
C. Create a Trusted Identity Provider and Upload IAS Metadata to V2 system

Step A. Download the System Metadata (SAP Sales and Service version 2 )

    • Log in to the system as an administrator.
    • Navigate to the user profile on the top-right corner and access the Settings page.
    • Go to All Settings->Users and Control->IdP Configuration page. 

SunkariPraveen_0-1734618580210.png

    • Click Download Metadata. The tenant metadata XML file will be downloaded to your local drive.

SunkariPraveen_1-1736763548381.png

Step B. Configure System Metadata in Your Identity Provider (IAS)

    • Log on to the SAP Cloud Identity Services -> Identity Authentication (IAS) as an administrator.
    • Navigate to Applications & Resources -> Applications, and click Add to create a new application for V2 system.

SunkariPraveen_2-1736763548387.png

    • In the Add Application pop-up window, enter a name, and click Save. A new application page will open.    

SunkariPraveen_3-1736763548396.png

Under Trust > Single Sign-On, configure the following settings:

    • Click  Type , and select SAML 2.0
    • Click  SAML 2.0 Configuration , and upload the downloaded tenant metadata XML from your local drive.   

SunkariPraveen_4-1736763548402.png

 

    • Click Subject Name Identifier, and configure the attribute that the application uses to identify the users.
    • Navigate to  Tenant Settings , and click   SAML 2.0 Configuration   to open a new screen.
    • Click  Download Metadata File   to download the IdP metadata file.

SunkariPraveen_5-1736763548407.png

Step C. Create a Trusted Identity Provider and Upload IAS Metadata to CNS System

Navigate to your tenant to create a trusted IdP and choose a default IdP.

  1. Log in to your V2 system as an administrator.
  2. Navigate to the user profile on the top-right corner and access the  Settings  page.
  3. Go to All Settings  Users and Control  Configure IDP.
  4. Click the add (+) icon under the Trusted Identity Provider section.

.SunkariPraveen_6-1736763548409.png     

5. Under the  Upload IdP Metadata  quick view, enter an  Alias, and upload the configured metadata XML file (downloaded from your IdP) by either dropping or browsing to upload from the system.

6. Click Save to save your configuration. 

7. Activate your configuration by enabling the Set Active switch. To make it a default option, turn on the Set Default switch.

You've now configured Single Sign-On for your system.

Section B: Restricting Access to CNS System Based on IP Address

In this section, we will discuss how to restrict users' access to the CNS system based on their IP address. This is a crucial step in ensuring that only authorised users can access your system from specific locations.

To achieve this functionality, we need to complete two steps. Below is a visual representation of the implementation process.

SunkariPraveen_7-1736763548423.png

Step 1) Use the IAS system as an IP controller.

With Risk-Based Authentication , you can set different rules for each application based on below key factors:

  • User group membership:Cloud user group or On-premise user group
  • Network IP ranges from which users log into applications

Based on these factors, you can define actions such as:

  • Allow access
  • Enforce Two-Factor Authentication
  • Deny access

The rules are executed by priority, and if none of the defined conditions are met, a default action is performed.

Configuring Risk-Based Authentication

In this section, we will explore two examples of risk-based authentication rule sets:

Example 1. Enable Two-Factor Authentication for All Users

For applications needing higher protection, you can prompt all users to provide a One-Time Password (OTP) generated on a mobile device (SAP Authenticator or any app compatible with RFC 6238). Here are the steps:

Prerequisites:

  • Added your application and configured Trust between your application (SP) and Identity Authentication (SAML IDP). 
  • Administrator account for Identity Authentication service with “Manage Applications” Role enabled.

Steps:

  1. Go to your application in the Administration Console of Identity Authentication service. Navigate to https://.accounts.ondemand.com/admin/ and log in with your administrator credentials.
  2. In the left menu, go to "Applications and Resources" -> "Applications".

SunkariPraveen_8-1736763548433.png

     3. Choose your application from the list on the left side.

     4. Navigate to the "Authentication and Access" tab.

     5. Choose "Risk-Based Authentication".

SunkariPraveen_9-1736763548445.png 

    6. Change Default Action from "Allow" to "Two-Factor Authentication" and click "Save."

SunkariPraveen_10-1736763548457.png

Result: All users will be prompted to provide a One-Time Password when logging into the application.

Example 2. Deny Access from Outside Corporate Network.

Follow steps up to step 5 from the previous example. Define the following rules:

  • Allow access from within the IP range of your corporate network.

SunkariPraveen_11-1736763548462.png

  • Require Two-Factor Authentication for any user who is a member of the Cloud User Group "CNS".

Find more info about Cloud User Groups:

How to create a new user Group
How to Add User Groups

Set the Default Action to "Deny". Rules are executed by order of priority, and if none are met, the default action is performed.

SunkariPraveen_0-1736765455529.png

Result: Users not in the group "CNS" trying to access the application from outside the corporate network receive a denial message.

SunkariPraveen_12-1736763548466.png

Step 2) Block the access to the V2 system using UserID/password. 

  • Block access to the application for users accessing the V2 system using their User ID and password by assigning the security policy.
  • You can assign a security policy by navigating to Settings > Users and Control > Users. Assign the security policy S_BUSINESS_USER_WITHOUT_PASSWORD to ensure that the application cannot be accessed using User ID and password-based authentication.

SunkariPraveen_1-1736765541333.png

 

Troubleshooting:

If any end user is accessing the application, please verify whether the IP address connecting to the IAS application is included in your restriction rules. You can check this under  Monitoring and Reporting > Troubleshooting Logs.

 

SunkariPraveen_13-1736763548476.png

 

 

 

 

3 Comments
Harisha1
Advisor
Advisor

Hello @SunkariPraveen,

Thank you very much for this detailed blog and this will be very helpful to configure IP based access to SAP Sales and Service Version 2.

Best Regards,
Harish

 

Mahaboob1
Advisor
Advisor

Hello Praveen ,

Thanks for the detail blog , it is very useful.. 

Thank you 

Basha SM 

JG_LEE
Explorer

Thank you for the details and good informations on setting up the SSO and IP based connection restriction! @SunkariPraveen 

Please let me know about useful informations about Sales Cloud Version 2 like this!!

You are a TRUE HERO!

Sincerely,

JG_LEE