Extending Custom Authentication Options

Objectives

After completing this lesson, you will be able to:

  • Enable Multi-Factor Authentication on the Identity Provider
  • Enable Social Single Sign-On on the Identity Provider

Multi-Factor Authentication

Two-Factor Authentication

The main goal of two-factor authentication is to prevent an attacker from accessing a user's account due to a compromised password. If you would like users to provide two independent factors for strong authentication when logging in, then two-factor authentication needs to be enabled.

In our scenario, two-factor authentication is handled by a custom Cloud-based IdP system, so the custom IdP administrator needs to perform the required configuration steps. Cloud Identity Services - Identity Authentication (IAS) is used as a custom cloud-based identity provider for handling the two-factor authentication. This is a cloud-based service for authentication, single sign-on, and user management for SAP cloud and on-premise applications.

The SAP Cloud Identification Services page with Risk-Based Authentication on the right. Default Authentication Rules have been sent to two-factor authentication TOTP.

Prerequisites for Use

User must have a QR code scanner and an authenticator application on their mobile device. Microsoft Authenticator and Google Authenticator apps are used for Two-Factor Authentication in SAP Analytics Cloud. The app generates the passcode that the user must enter as a secondary authentication step to access SAP Analytics Cloud.

App icon followed by app name. Left Google Authenticator. Right Microsoft Authenticator.

Logging in With Two-Factor Authentication

Once two-factor authentication is enabled, when users go to log in for the first time, they are prompted to enter their user credentials for the SAP Analytics Cloud tenant as seen below.

When they select Continue, they are presented with a QR code on the screen. They scan it with their mobile device and a new passcode is generated in their authenticator app. They enter the passcode and select Continue.

The QR code and message that users see on screen when logging in to SAP Analytics Cloud when logging on the first time after MFA has been enabled. Step 1 - Scan QR code. Step 2 Enter passcode from the authentication app.

In the following image, you can see an example passcode from the Microsoft Authenticator app.

Two-Factor generated passcode by the custom IdP SAP Cloud Identity Authentication Service entry (IAS) in the Microsoft Authenticator app.

For all subsequent log ins, users will then be prompted to enter their password and the automatic generated passcode by the authenticator app with no more QR codes to scan.

Two-Factor Authentication screen for all subsequent log ins in SAP Analytics Cloud using a custom IdP SAP Cloud Identity Authentication Service (IAS)

Additional Information

For more information on Multi-Factor Authentication in SAP Analytics Cloud, please visit Multi-Factor Authentication | SAP Help Portal.

Enable Multi-Factor Authentication on the Identity Provider

Business Scenario

You have been asked to enable multi-factor authentication for The Mock Company's SAP Analytics Cloud tenants.

As two-factor authentication is handled by the custom SAML IdP SAP Cloud Identity Services - Identity Authentication (IAS), you work with the custom IdP IAS administrator to configure two-factor authentication for the SAP Analytics Cloud tenant (sacadm23) in the custom IdP IAS Administration Console.

In this practice exercise, you will:

  • Enable MFA for SAP Analytics Cloud tenants.
  • Configure two-factor authentication to provide two independent factors for strong authentication.

Social Single Sign-On

Social Identity Providers

By configuring a social identity provider, users can log in to SAP Analytics Cloud with their social media credentials by linking their accounts to the user accounts in your custom IdP.

As was the case with two-factor authentication, social single sign-on (social SSO) is handled by your custom IdP, so your custom IdP administrator will need to perform the required configuration steps in the custom IdP.

In our scenario, SAP Cloud Identity Services - Identity Authentication (IAS) is used as a custom identity provider for handling the Social identity Providers. It uses the OAuth protocol for social sign-on on cloud systems. You can see in the following example, Google Sign-On has been enabled.

The SAP Cloud Identification Services page with Google selected from the list of Social Identity Providers (left). Social Single-Sign On has been enabled for Google.

Once the social identity provider has been enabled, the IdP administrator must turn on Social Sign-On for the tenant, which in the example below is the sacadm23 tenant.

The SAP Cloud Identification Services page with Authentication on the right. Social Single-Sign On has been enabled for the tenant.

Logging In With Social Single Sign On

When user access the SAP Analytics Cloud tenant, a new tab called Social is activated in the Sign In dialog.

Social SSO has been enabled for the SAP Analytics Cloud tenant. The Social tab (highlighted) is available to users. If they select it, they are shown the available social identity providers (in this example, on then left, you can see Google is available for social SSO.)

Additional Information

For more information on Social Single Sign-On for both SAP Cloud Identity Services and SAP Analytics Cloud, please visit:

Enable Social Single Sign-On on the Identity Provider

Business Scenario

You have been asked to enable social single sign-on for Google for The Mock Company's SAP Analytics Cloud production tenant so that users can use their Google account to log in to SAP Analytics Cloud.

As social single sign-on is handled by the custom IdP IAS system, you work with the custom IdP IAS Administrator to configure it in the custom IdP IAS Administration Console.

In this practice exercise, you will:

  • Enable Google as a social identity provider and enable social SSO in the IdP.
  • Test the social SSO in SAP Analytics Cloud by logging in with Google.

Log in to track your progress & complete quizzes