cancel
Showing results for 
Search instead for 
Did you mean: 

SAP Single Sign-On 3.0 - OTP for non-SAP systems

former_member533068
Discoverer
0 Kudos
445

We are researching the different capabilities that SSO 3.0 has in terms of multi-factor authentication. My understanding is that the triggering of MFA can take place for SAP systems (ABAP and applications running on the NW Java stack), but how would it work if we wanted to implement it for applications NOT running on SAP? For example, if a user were to launch outlook or even just log on to the network, could we use TOTP to force 2 factor authentication or does it just work within the SAP environment?

Accepted Solutions (0)

Answers (3)

Answers (3)

tim_alsop
Active Contributor
0 Kudos

Eric

The SAP SSO product is not sold as or supposed to be used as an enterprise MFA product. It is primarily an SSO product that has some MFA capabilities for use when you logon to SAP systems. If your customer wants an MFA product then I suggest they look at Azure MFA, Duo, PingID, Okta etc.

Thanks

Tim

tim_alsop
Active Contributor
0 Kudos

Eric, I understand what you are suggesting, but I don't think it is a good solution and I don't think it will work as well as you think. I am a firm believer of keeping the architecture simple so it is easier to troubleshoot if something stops working and easier to implement. Sounds like you are trying to find a complex solution to a simple problem.

former_member533068
Discoverer
0 Kudos

Yep. I agree with you, it is definitely more complicated than it needs to be. The issue is that our customer is trying to make due with the products they already own and were sold SSO 3.0 as a solution specifically for enterprise MFA, but when looking into actually setting up, turns out it doesn't seem to be the right tool for the job. We were looking into whether or not we could make it work without purchasing additional software, but it doesn't sound like it from what I gather.

tim_alsop
Active Contributor
0 Kudos

I suggest you use a product such as Microsoft Azure MFA and then you can use it with Outlook, since Azure MFA is integrated with Azure AD that is used by Microsoft 365 (aka Office 365). You can also use ADFS with an MFA plugin - most MFA vendors provide plugin for ADFS. The MFA functionality in SAP SSO product is designed for use with SAP SSO product, not for use with other applications like Office.

former_member533068
Discoverer
0 Kudos

tim.alsop Thanks for the response. Let's say for a minute that we HAD to use SAP SSO, could we use the Secure Login Server to authenticate against (using Active Directory credentials), force an MFA against the Secure Login Server, and then use that certificate from the Secure Login Server for SSO to Exchange/other non-SAP applications? My understanding is that the use of those certificates for SSO kind of defeats the purpose of the application by application MFA, but maybe we do in fact feel better that the user confirmed their identity first with the SLS and in turn should be able to use our corporate resources?