Extending Custom Authentication Options

The main goal of two-factor authentication is to prevent an attacker from accessing a user's account due to a compromised password. If you would like users to provide two independent factors for strong authentication when logging in, then two-factor authentication needs to be enabled.

In our scenario, two-factor authentication is handled by a custom Cloud-based IdP system, so the custom IdP administrator needs to perform the required configuration steps. Cloud Identity Services - Identity Authentication (IAS) is used as a custom cloud-based identity provider for handling the two-factor authentication. This is a cloud-based service for authentication, single sign-on, and user management for SAP cloud and on-premise applications.

User must have a QR code scanner and an authenticator application on their mobile device. Microsoft Authenticator and Google Authenticator apps are used for Two-Factor Authentication in SAP Analytics Cloud. The app generates the passcode that the user must enter as a secondary authentication step to access SAP Analytics Cloud.

Once two-factor authentication is enabled, when users go to log in for the first time, they are prompted to enter their user credentials for the SAP Analytics Cloud tenant as seen below.

When they select Continue, they are presented with a QR code on the screen. They scan it with their mobile device and a new passcode is generated in their authenticator app. They enter the passcode and select Continue.

In the following image, you can see an example passcode from the Microsoft Authenticator app.

For all subsequent log ins, users will then be prompted to enter their password and the automatic generated passcode by the authenticator app with no more QR codes to scan.

For more information on Multi-Factor Authentication in SAP Analytics Cloud, please visit Multi-Factor Authentication | SAP Help Portal.

By configuring a social identity provider, users can log in to SAP Analytics Cloud with their social media credentials by linking their accounts to the user accounts in your custom IdP.

As was the case with two-factor authentication, social single sign-on (social SSO) is handled by your custom IdP, so your custom IdP administrator will need to perform the required configuration steps in the custom IdP.

In our scenario, SAP Cloud Identity Services - Identity Authentication (IAS) is used as a custom identity provider for handling the Social identity Providers. It uses the OAuth protocol for social sign-on on cloud systems. You can see in the following example, Google Sign-On has been enabled.

Once the social identity provider has been enabled, the IdP administrator must turn on Social Sign-On for the tenant, which in the example below is the sacadm23 tenant.

When user access the SAP Analytics Cloud tenant, a new tab called Social is activated in the Sign In dialog.

For more information on Social Single Sign-On for both SAP Cloud Identity Services and SAP Analytics Cloud, please visit:

• SAP Cloud Identity Services | Social Identity Providers | SAP Help Portal
• SAP Analytics Cloud | Social Authentication | SAP Help Portal