
How to Enforce 2 Factor Authentication for BTP Admin Users

SAPSupport
Employee
0 Kudos

Dear SAP

we have a Global BTP Account and have created several Cloud Foundry Subaccounts. Our security guidelines demand a 2 Factor Authentication (2FA) at least for our administrators. How can we enforce that 2FA is required for all global account and subaccount administrators? The identity provider of the administrator users is always the SAP default identity provider so that they log in via their S-user and password (or installed SAP passport).

Kind regards


SAPSupport
Employee
0 Kudos

Hello,

Please see the following KBA:

2787491 - Two-Factor Authentication for SAP BTP Cockpit

In your case, if the users are using the default SAP ID Service, then this documentation should be followed: https://support.sap.com/en/my-support/mfa.html

Best regards

pieterjanssens
Active Participant
0 Kudos
This is not a solution to enforce MFA for all BTP admins.
MatthiasL
Explorer
0 Kudos
This is not possible and is a security oversight. BTP recommends using SSO for all users via your own Custom Identity Provider. We do this. We enforce MFA. BTP also recommends having a global account fallback in case SSO configuration changes / is broken on the Default Identity Provider. You cannot enforce MFA there, as per: https://github.com/SAP-docs/btp-cloud-platform/blob/main/docs/50-administration-and-ops/default-iden... Obviously this means you're always going to have a backdoor with just username and password. I suppose there are complex workarounds like configuring IAS/IPS to also provision the BTP global account with users from the DIP, but if your SSO is broken and you can't get on there - this won't work.