Customizing the Login process

Objective

After completing this lesson, you will be able to understand the security options.

SAP Cloud Identity Authentication Service (IAS)

SAP Cloud Identity Authentication Service provides simple and secure access to Web-based applications with a variety of authentication methods at anytime and from anywhere.

Authentication and Single Sign-On in the Cloud

A diagram illustrates secure access and user management features using cloud identity and authentication services.

The Identity Authentication service provides secure and simple access based on the following factors:

  • Identity federation based on SAML 2.0
  • Web single sign-on (SSO) and desktop SSO
  • Secure on-premise integration to reuse existing authentication systems
  • Social login and two-factor authentication
  • Risk-based authentication

The Identity Authentication service provides user and access management based on the following factors:

  • User administration and integration with on-premise user stores
  • User groups and application access management
  • User self-service, for example, password reset, registration, and user profile maintenance
  • System for Cross-domain Identity Management (SCIM) API

The Identity Authentication service provides the following enterprise features:

  • Branding of end user UIs
  • Password and privacy policies

The diagram focuses on Identity Authentication. It illustrates customers, partners, and employees connecting through SAML/OpenID to SAP services and cloud platforms via an on-premise user store or a corporate identity provider.

Open Security Standards

The diagram shows how users authenticate via Identity Authentication or a Corporate Identity Provider using SAML or OIDC. Secure access is provided to SAP Cloud and on-premise applications.

The Identity Authentication service is interoperable with all applications that support the SAML 2.0 standard or OpenID Connect (OIDC).

Delegated Authentication - Identity Authentication Service as a Proxy to a Corporate Identity Provider (IdP)

The diagram illustrates the flow of identity authentication: A user interacts with a corporate identity provider, which uses SAML for identity authentication. This results in access to applications in the cloud.

The Identity Authentication service has the following IdP proxy features:

  • Authentication that is delegated to corporate IdP login
  • Reuse of existing SSO infrastructure
  • Easy and secure authentication for employee scenarios
  • Federation based on the SAML 2.0 standard

Delegated Authentication - Authentication with an On-Premise User Store

The diagram illustrates how the user uses Identity Authentication to access Applications, connecting through Cloud Connector, LDAP, and Active Directory.

The Identity Authentication service can connect to an on-premise user store.

  • Users' credentials are taken from:
    • Active Directory (through LDAP)
    • AS Java (using either the local UME, an ABAP user store, or AD)
  • There is no user replication required to the cloud
  • Internal network ports do not need to be exposed to the Internet
  • Other Identity Authentication product features can be used, including UI configuration policies and two-factor authentication

Delegated Authentication - Re-use of Windows Domain Authentication (SPNEGO)

The diagram illustrates the user's access flow: The user gets a Kerberos token from Active Directory, requests access via SPNEGO, proceeds to Identity Authentication, and then accesses Applications.

SPNEGO authentication provides the following:

  • Users authenticated with Microsoft Active Directory can utilize SSO for Cloud applications without re-authentication.
  • Reuse of existing corporate identity infrastructure
  • Secure authentication and SSO for Cloud and on-premise Web applications

Delegated Authentication - Conditional Authentication

The diagram shows partners, externals, and employees being routed according to IP address range, e-mail domain, user group membership, and user type. Depending on the matching condition, they are sent to partner identity providers or corporate identity providers for authentication.

Depending on several factors, different types of users can be rerouted to different IdPs for authentication.

The diagram shows two identity providers (IdP 1 and IdP 2) with login icons, both connecting to the IAS, which in turn connects to an application in a cloud.

As a proxy to multiple IdPs, the Identity Authentication service provides:

  • A secure business network that allows partner users to log in via their corporate IdP
  • Authentication that is initiated by the corporate IdP
  • An optional check for correct user group assignment can be configured upon successful authentication; a sync of users from IdPs to groups in the Identity Authentication service is required

User Creation Sources

The diagram shows the user creation methods for Identity Authentication: self-registration, syncing through IPS, CSV upload, manual creation, and programmatic creation through SCIM.

Branding and Customization

Customization and product features are listed. Customization includes company logo, application name and logo, color style, terms of use and privacy policy, UI text adjustment via API, and e-mail templates. Product features include responsive UIs and multi-language support. Two sample screenshots show the login and terms-and-conditions screens, and six sample logon screens of different styles are shown.

User Self-Services

There are three sample screenshots: an SAP Cloud Identity interface showing a profile with personal details, a registration form, and a dialog box entitled Forgot my Password prompting the user to reset the password.

The Identity Authentication service provides convenient user self-service that includes the following features:

  • Self-registration
  • Account confirmation via e-mail
  • Forgotten password reset
  • Editing of account details or password change
  • Activation of 2-factor authentication
  • Linking or unlinking of social accounts

Access Protection for Applications

There are three sample screenshots: a registration form showing fields for personal details, a reCAPTCHA with vehicle image selection, and a prompt to verify your phone number. The header reads Access Protection for Applications.

The following access protection is provided for applications:

  • Protecting the registration to applications from spam and abuse
  • Preventing bots from automated fake user registrations to your applications
  • Google reCAPTCHA and phone verification provide further protection during self-registration

Logon Overlays in Customer Applications

The screenshot shows the logon screen as an overlay.

The logon screen can be embedded as an overlay in the customer application. Out-of-the-box integration is provided for the SAP Cloud Portal.

Authentication Options

Four authentication methods are listed: basic authentication, reuse of the Windows domain logon, two-factor authentication, and delegated logon. The diagram illustrates the user accessing applications via identity authentication, displaying a login screen, code, social media icons, and an applications cloud.

The Identity Authentication service provides the following authentication features:

  • Basic authentication
    • Based on user ID/e-mail and password
  • Re-use of Windows domain logon
    • Kerberos token used for SSO
  • Two-factor authentication
    • Second factor authenticated on a mobile device
  • Delegated logon
    • Social IdPs
    • Corporate IdP

Two-Factor Authentication with SAP Authenticator

There are sample instructions for two-factor authentication, using a QR code and secret key. Separately, a smartphone screen shows the app displaying a current passcode for verification.

A one-time password (OTP) is required for login in addition to the password or security token. Second-factor authentication is used in high-security scenarios.

The SAP Authenticator mobile app generates a 6-digit one-time password on a mobile device. It is available for iOS and Android and is RFC 6238 (TOTP) compatible, so it interoperates with authenticator apps from Google and Microsoft.

Control Access to the Application

In the flowchart, the user connects to the Identity Authentication service, and then completes two-factor authentication, before reaching the application.

Custom Password Policy Configuration

The screenshot shows the interface for configuring custom password policies. Options include setting password length, password lifetime, the maximum duration of inactivity, the number of reusable old passwords, the number of allowed failed login attempts, and the duration of the locked period.

OAuth

The image includes four statements about OAuth, sometimes specifically OAuth 2.0. The source is https://oauth.net/2/.

OAuth Authorization Flow

The flowchart of OAuth Authorization shows how the resource owner, the authorization server, and the resource server exchange authorization codes and tokens for resource access. The text that follows provides more details.

The OAuth authorization process is as follows:

  1. The resource owner makes a call to protected resources using the OAuth 2.0 client.
  2. The OAuth 2.0 client does not have an access token for the target system and redirects the browser to the authorization endpoint of the authorization server. This redirection is called the authorization code request. At the authorization server, the resource owner is authenticated and can grant access to the preselected scopes or restrict them further.
  3. The authorization server sends the authorization code back to the OAuth 2.0 client by redirecting the resource owner's user agent back to the redirection URI (which was defined during OAuth 2.0 client registration).
  4. The OAuth 2.0 client sends an access token request to the authorization server's token endpoint. This access token request contains the authorization code.
  5. The authorization server receives the access token request at its token endpoint and validates the authorization code. After a successful validation, the authorization server returns an access token to the OAuth 2.0 client.
  6. The OAuth 2.0 client uses the access token to request resources.
  7. The resource server grants the OAuth 2.0 client access to protected resources in accordance with the access token.
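The seven steps above, as an added example that is not part of the original lesson: a constructed in-memory authorization server, resource server and OAuth 2.0 client exchange an authorization code for a Bearer token. The registered redirect URI, the state parameter and the single-use code are the checks that matter for security; the endpoint URL, client ID and user name are made-up values.

```python
import secrets
from urllib.parse import urlencode, urlparse, parse_qs
REDIRECT_URI = "https://client.example.com/callback"  # constructed; fixed at client registration
def query(url): return {k: v[0] for k, v in parse_qs(urlparse(url).query).items()}

class AuthorizationServer:  # constructed stand-in for the authorization and token endpoints
    def __init__(self): self.codes, self.tokens = {}, {}
    def authorize(self, request_url, authenticated_user):
        # Steps 2-3: the resource owner is authenticated here; the code is bound to client and scope
        q = query(request_url)
        if q["redirect_uri"] != REDIRECT_URI:
            raise PermissionError("redirect_uri does not match the registered one")
        code = secrets.token_urlsafe(24)
        self.codes[code] = (q["client_id"], q["scope"], authenticated_user)
        return REDIRECT_URI + "?" + urlencode({"code": code, "state": q["state"]})
    def token(self, code, client_id):
        # Step 5: validate the code; pop() makes it single-use, so a replayed code is rejected
        entry = self.codes.pop(code, None)
        if entry is None or entry[0] != client_id:
            raise PermissionError("invalid_grant")
        tok = secrets.token_urlsafe(32)
        self.tokens[tok] = entry[1:]  # (scope, resource owner) the token stands for
        return {"access_token": tok, "token_type": "Bearer", "scope": entry[1]}

def resource_server_get(auth, authorization_header, required_scope):  # step 7, constructed
    scheme, _, tok = authorization_header.partition(" ")
    entry = auth.tokens.get(tok) if scheme == "Bearer" else None
    if entry is None or required_scope not in entry[0].split():
        raise PermissionError("insufficient_scope")  # access only within the token's scope
    return {"owner": entry[1], "scope": entry[0]}

class OAuthClient:  # constructed OAuth 2.0 client that has no access token yet
    def __init__(self, auth, client_id="sample-client"): self.auth, self.client_id, self.state = auth, client_id, None
    def authorization_request(self, scope):
        # Step 2: authorization code request; state ties the callback to this request (CSRF guard)
        self.state = secrets.token_urlsafe(16)
        p = {"response_type": "code", "client_id": self.client_id, "redirect_uri": REDIRECT_URI,
             "scope": scope, "state": self.state}
        return "https://auth.example.com/oauth2/authorize?" + urlencode(p)
    def handle_callback(self, redirect_url):
        # Steps 3-4: verify state, then send the access token request carrying the code
        q = query(redirect_url)
        if not secrets.compare_digest(q.get("state", ""), self.state or ""):
            raise PermissionError("state mismatch: callback not initiated by this client")
        return self.auth.token(q["code"], self.client_id)

def run_flow(scope="read"):  # steps 1-7 end to end; returns the protected resource
    auth = AuthorizationServer(); client = OAuthClient(auth)
    redirect = auth.authorize(client.authorization_request(scope), authenticated_user="alice")
    return resource_server_get(auth, "Bearer " + client.handle_callback(redirect)["access_token"], "read")
```

Calling run_flow() returns the resource for the authenticated owner; a second handle_callback with the same redirect URL fails at the token endpoint because the code was consumed.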
