cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Multi Factor Authentication support for NW SSO?

Go to solution
JunyiYu
Associate
Associate

on ‎01-06-2014 3:42 PM

0 Kudos

Hi Experts,

is Multi-Factor Authentication (MFA) supported by NW SSO?

  What i've read is the Secure Login Server has a SecureLoginModule20RADIUS module which can use to integrate with the RSA Server.

  My query is

  1.   Does the RSA token replace the need for a user to enter any passwords while he/she logons to SAP? or
  2. The user enter his/her user id and password as usual, and there will be a pop-up for him/her to enter the code from the RSA token?

Thanks!

Show replies
Show replies
Answer

Accepted Solutions (1)

Accepted Solutions (1)

donka_dimitrova
Contributor
‎01-07-2014 12:28 PM
0 Kudos

Dear Jiunn,

At the moment with SAP NetWeaver SSO 2.0 it is possible to configure user authentication verification against RADIUS server (RSA). This is one of the authentication mechanisms for Single Sing-on we support. When it is implemented, this authentication is used instead of the basic authentication with UserID and password (example 1. from your question).

With the current version of the SAP NetWeaver SSO 2.0 it is not possible to use the basic authentication (UserID/Pass) together with authentication against the RADIUS server like multi factor (example 2. from your question).

Currently we are in discussions about such capabilities (second factor authentication) and it will most probably become part of the SAP NetWeaver SSO product with one of the next releases.

Kind regards,

Donka Dimitrova

Show replies
Show replies
Former Member
‎07-30-2014 11:52 AM
0 Kudos

HI Donka,

In your above reply you mentioned that "At the moment with SAP NetWeaver SSO 2.0 it is possible to configure user authentication verification against RADIUS server (RSA)." .

Does it mean that SAP NW SSO 2.0 support RADIUS server authentication for enabling 2FA only with RSA or it can support any 2FA which support Radius Server .

regards

gaurav

donka_dimitrova
Contributor
‎07-30-2014 4:16 PM
0 Kudos

Hello Gaurav,

Yes, with our product SAP SSO we support 2FA with RADIUS server in general and not only the RSA.

We also support 2FA with Time based One Time Passwords (OTP) with the latest release - SAP SSO 2.0 SP03. This is a solution for customers who would like to enforce stronger authentication but do not want to implement and support full RADIUS server. Using this solution the employees could generate OTPs simply using their mobile phones. This solution is cheaper and requires almost no support. More details you will be able to find in this article:

Best regards,

Donka Dimitrova

Former Member
‎11-24-2015 4:24 PM
0 Kudos

Hi Donka Dimitrova,

you said, that there are plans to add two factor authentication.

We're interested in using exactlly that: Leave the first channel (UserID/Pass) like it is and add another one.

  • Is this possible at all? Or when is this going to be implemented?
  • Would it be possible to use RADIUS for the second method, or is SAML required?
  • Could the second method be made to only send the username/userid? Our second method is completely disjoined from the main communications, so that we can just answer "Yeah, go ahead".
  • Could you point me at relevant docs?

Thanks in advance!

Cheers

donka_dimitrova
Contributor
‎11-25-2015 8:26 AM
0 Kudos

Hello Christian,

Yes, the SAP Single Sign-On product supports dual authentication and RSA (RADIUS) could be configured for the second authentication. In your case (because you want to keep the basic authentication for the first authentication phase) the behavior of the system will be the following: the user will be prompted first to provide his UserID&Password and if the password is correct then the user will be prompted to provide also a passcode (RSA). Here the user will have no chance to type another username, he will be able to type only a passcode and if the passcode is valid then the user will be authenticated successfully.

It is possible for example also to combine Kerberos (first authentication stage) & RSA/OTP/SMS (second authentication stage).

You can implement now such dual authentication also using X.509 client certificates issued by the Secure Login Server (not only with SAML) but you have to use the latest SP06 for SAP Single Sign-On 2.0 version.

See more detains in the implementation guide:

http://help.sap.com/download/sapsso/secure_login_impl_guide_en.pdf

If you have any further questions just let me know.

Regards,

Donka Dimitrova

Answers (0)

Ask a Question