on 2023 Sep 20 12:53 PM
Hi,
From our security team I have a requirement that a group if users login to SAP SuccessFactors using 2FA once per day. Once they have logged in with 2FA they need to login using username/password only for the rest of the day. The rest of the employees login using username/password every single login.
For some reason the first scenario is working as required, but the second isn't. We have setup the IAS session to stay alive for 8 hours. When a user in the 2FA group logs in after the 30 minute time out in SuccessFactors expires they only need to enter username/password (seems like a bug to me). But the secord group (not using 2FA, only username/password) doesn't have to login again and can keep on using SuccessFactors for the entire 8 hours.
Is it possible to configure this in Identity Access Services (IAS)? As far as I know you can only configure how long the IAS session remains alive, so if the session ends the user will need to login again with 2FA. No way to switch between 2FA and username/password depending on last time 2FA was used.
Hope someone can point me in the right direction. @haidongsong @harjeetjudge
Arjen
Request clarification before answering.
There are couple settings in IAS that you should explore further:
1) Under Application & Resources >> Application >> <select your SFSF app> >> Authentication and Access tab >> Force Authentication. This will require the user to specify password each time the login.
2) Under Application & Resources >> Tenant Settings >> Authentication tab>> Multi-Factor Authentication >> Trust this browser option for users: Set the number of days for which the users will not get prompted for second-factor authentication, if they sign in from the same browser.
With the combinations of these 2 settings you should able achieve the desired behavior.
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.
Great, thanks! Do you know the definition of a day in the Multi-Factor Authentication tab? Does that look at the calendar day or a 24 hour counter from when you login?
Would it be possible to automatically tick the "Trust This Browser" box (same way you can configure the system to remember your login)? Or is it always a manual tick by the user?
you are correct that we can not set up a conditional rules to switch between 2FA and username/pwd depending on the last time 2FA login.
BTW, what are the issue with a 8hr timeout period for regular users using username/pwd?
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.
User | Count |
---|---|
4 | |
3 | |
2 | |
1 | |
1 | |
1 | |
1 | |
1 | |
1 | |
1 |
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.