Introduction

In this blog post I share my experience of setting up SAP SuccessFactors Two-Factor Authentication (TOTP) for password users through SAP Cloud Platform Identity Authentication (IAS) with the Microsoft Authenticator app. The example below uses Microsoft Authenticator.

Two-Factor Authentication (TOTP) is a process in which a user who signs in with a password is prompted for an additional form of identification. The Microsoft Authenticator application displays time-based one-time passwords (TOTP), which help safeguard access to the data and applications of the target system while keeping password login for users. It acts as an extra layer of security that verifies a user’s identity by requiring a second form of authentication. You can also use other authenticators such as SAP or Google Authenticator.


 

Users access SuccessFactors via the web application and enter the correct username and password. As a second step, they are asked to enter a passcode, after which authentication to the application succeeds.

First Step:

  • User tries to access SuccessFactors via the web application.

  • SuccessFactors checks if user is authenticated within the system and redirects the request to SAP IAS.

  • SAP IAS requests the user to provide a user identifier in the login screen.



Second Step:

  • A first-time user needs to download and install the Microsoft Authenticator app.


Download and install the app

Sign in with a QR code

  • Add an account by scanning a QR Code

  • Open the Microsoft Authenticator app, select the plus icon on either iOS or Android devices, select Add account, then select Work or school account, followed by Scan a QR Code. If you don't have an account set up in the Authenticator app, you'll see a large blue button that says Add account.





  • If the user already has a device registered to generate passcodes for two-factor authentication, she or he just has to enter the passcode from the mobile device to log on to the application.


Successful authentication to the application.


 

Technical Step by Step Procedure:

  1. Log in to IAS with your administrator credentials.

  2. In the Administration Console of the Identity Authentication service, go to “Applications and Resources” -> “Applications” in the left menu.

  3. Choose your application from the list of applications on the left side.

  4. Navigate to the “Authentication and Access” tab.

  5. Choose “Risk-Based Authentication”.





  • Create a group for password users or External users.


Example: PWD_USERS




  • Add a rule for “Two-Factor Authentication”, assign the "PWD_USERS" group, and click “Save”.




  6. Assign password users to the "PWD_USERS" group.


Conclusion

The SAP SuccessFactors Two-Factor Authentication (TOTP) setup for password users through SAP Cloud Platform Identity Authentication (IAS) with the Microsoft Authenticator app is now complete. Implement it in a non-production system first and test it before deploying it to the production system.

Hope this information is helpful!

Thank you for taking the time to read and leave your comments below!
10 Comments
Pavan9
Participant
0 Kudos
Nice Blog..!!
divyanshishah
Participant
Hi Krishna,

The blog is very helpful.

I have a query. Suppose an individual (maybe an SF LMS SITE user) loses his phone or the phone crashes: what will the impact be, and what can be done to reset the 2FA app on the new device?

Regards,

Divyanshi
0 Kudos
Hi Divyanshi,

If an SF LMS SITE user loses his/her mobile or the mobile crashes, he can report it to the SAP IAS admin so that the SAP IAS admin can deactivate/activate the Two-Factor Authentication (TOTP).

Steps to Deactivate (Mobile Lost):

Login IAS -> User Management -> Select the user -> Authentication -> Multi-Factor Authentication -> Two-Factor Authentication Status off & TOTP status off

Steps to Activate:

Login IAS -> User Management -> Select the user -> Authentication -> Multi-Factor Authentication -> Two-Factor Authentication Status on & TOTP status on
divyanshishah
Participant
0 Kudos
Hi Krishna,

Many thanks for helping with the steps.
nishaag
Explorer
0 Kudos
Hi,

Can you please let us know how to add more people to get passcodes as there are situations when the person who gets the pass code is not available.
dyasser
Explorer
0 Kudos
Hi,

How do you add user to the IAS group “PWD_USERS”? Manually in IAS admin console?

Did you know that running IPS Resync job can remove users from IAS group?

 
BenTingAU2153
Discoverer
0 Kudos
You do this through User Management. Note you can import users as well.
BenTingAU2153
Discoverer
0 Kudos

There is some missing configuration, as this alone does not work. Appears to be some SuccessFactors Provisioning settings that need to be completed?

 

The prerequisite is explained here: https://userapps.support.sap.com/sap/support/knowledge/E/2791410

 

Also, the steps subsequently: https://userapps.support.sap.com/sap/support/knowledge/E/2791410

sstan
Explorer
0 Kudos
Hi Krishna,

For the first time user, if the email link to setup the password & TOTP is expired, how to retrigger new email link to the user?

Thank you.
Alex_Martin
Explorer
0 Kudos

Hi,

Thank you for all this information. Is the two-factor option only possible with the Microsoft Authenticator app? Are there other options possible outside of using this?

Thank you!

Best Regards,

Alex
