Application Development Discussions

Re-authenticate or provide additional credentials to access sensitive data

Former Member
0 Kudos

Hi,

I am wondering if anyone has ever come across a scenario in SAP where a user is asked to provide an additional logon (perhaps a PIN number or asked to re-enter their password) in order to access sensitive data in the system? I was recently asked this question and in my 15 years of working with SAP I can't recall ever seeing such a scenario.

An equivalent scenario which I see in my daily life is when I use my internet banking and I want to increase my daily transfer limits. When I go to this part of the site it asks me to provide a special code that they send to me via SMS.

The only thing that came to my mind was Firefighter, where you can get temporary higher level privileges but this is more in a technical support role.

Does anyone have any thoughts on this?


Thanks in advance,

Simon

1 ACCEPTED SOLUTION

Former Member
0 Kudos

Yes, it's called Digital Signature and it is used at least in PLM. The funny thing is that if customers happen to implement SSO, they will still need to remember their backend passwords because of Digital Signature.

7 REPLIES

0 Kudos

You don't need to use SAP password, since it is possible to re-authenticate the user using an Active Directory password when electronic signatures are used. A video at SAP ERP Electronic Signatures + Secure Single Sign-On - YouTube shows an example of how this works.

I think it would be nice if SAP was able to re-authenticate users in more situations, not just for e-signature. As Simon mentioned, it might be useful to re-authenticate the user (using the same credentials they logged on to the system with) when they access sensitive data.

Thanks

Tim

0 Kudos

Thanks Samuli, can you point me to any info on it? Searching for "Digital Signature" isn't proving to be all that fruitful, since digital signatures apply to signing documents and get a lot of results back

0 Kudos

In that case an external security product is used in Signature Strategy so it's not something SAP provides. As far as I know, even NWSSO doesn't have anything in this context which is a big gap if you ask me.

0 Kudos

This is the best document I know. As Martin writes, one could extend it to other scenarios as well, not just for digital signing of documents. I have implemented it in a custom Web Dynpro.

martin_voros
Active Contributor
0 Kudos

Hi,

I've seen this in a slightly different scenario. It's not that hard to implement. The logic must be baked into an app. In my scenario the apps were custom apps. There are standard function modules that allow you to check username/password. If you want to have a second factor (e.g. SMS with an auth. code) then you could build this as well. The main issue is to protect against a user with broader authorizations (e.g. a developer with access to the debugger).

Cheers
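An application-side step-up gate of the kind described in the reply above, as an added example in Python (not SAP code and not from the original post): a session is let into a sensitive area only after the user re-enters a password and a one-time code, and only for a bounded time afterwards. The user record, the PBKDF2 password hashing and the 300-second window are assumptions for the example. The second factor is a TOTP (RFC 6238, which drives the RFC 4226 HOTP algorithm from the clock) rather than an SMS code, seeded with the RFC's published test secret so the values can be checked against the RFC's test vectors. Because the decision is taken inside the application, anyone who can run the application in the debugger or change its code can skip the gate, which is the caveat the reply raises.

```python
import hashlib
import hmac
import secrets
import struct
import time

PBKDF2_ITERATIONS = 200_000   # assumed work factor for the example
TOTP_STEP = 30                # RFC 6238 default time step in seconds


def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)


def totp(secret: bytes, at: int, digits: int = 6) -> str:
    """RFC 6238 TOTP (HMAC-SHA1): RFC 4226 HOTP with counter = unix_time // 30."""
    counter = struct.pack(">Q", at // TOTP_STEP)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                       # dynamic truncation
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def make_demo_store(password: str) -> dict:
    """Constructed user record for the example; the seed is the RFC 6238 test-vector secret."""
    salt = secrets.token_bytes(16)
    return {"simon": {"salt": salt,
                      "pw_hash": hash_password(password, salt),
                      "totp_secret": b"12345678901234567890"}}


class StepUpGate:
    """A session may read sensitive data only for `window` seconds after re-authenticating."""

    def __init__(self, user_db: dict, window: int = 300, clock=time.time):
        self.user_db = user_db
        self.window = window
        self.clock = clock              # injectable for deterministic tests
        self._stepped_up = {}           # session_id -> time of last successful re-auth
        self._used_steps = {}           # user -> TOTP steps already accepted (blocks code replay)

    def reauthenticate(self, session_id: str, user: str, password: str, code: str) -> bool:
        rec = self.user_db.get(user)
        if rec is None:
            return False
        now = int(self.clock())
        pw_ok = hmac.compare_digest(hash_password(password, rec["salt"]), rec["pw_hash"])
        # Accept the current step and one either side for clock drift; compare in constant time.
        matched = None
        for drift in (-1, 0, 1):
            at = now + drift * TOTP_STEP
            if hmac.compare_digest(totp(rec["totp_secret"], at), code):
                matched = at // TOTP_STEP
                break
        used = self._used_steps.setdefault(user, set())
        if not (pw_ok and matched is not None and matched not in used):
            return False                # nothing is consumed on a failed attempt
        used.add(matched)               # a code is valid once, even inside the drift window
        self._stepped_up[session_id] = now
        return True

    def can_access_sensitive(self, session_id: str) -> bool:
        t = self._stepped_up.get(session_id)
        return t is not None and int(self.clock()) - t <= self.window
```

The gate keys the step-up on the session, not the user, so a second session of the same user still has to re-authenticate, and a code that was accepted once is rejected if it is presented again within the drift window.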

former_member182254
Active Participant
0 Kudos

Hello Simon,

If you are talking about web access to the system, then this scenario can be implemented when SAML 2.0 is used. For a web application which provides sensitive data you can either force re-authentication with a password or require a specific SAML 2.0 authentication context, that is, an authentication method, e.g. PIN. In this case, even if the user is already authenticated with the ABAP system, when he navigates to such an application he will be redirected to the SAML 2.0 identity provider (IDP) to re-authenticate, either with a password or with a PIN. If you are interested in further details let me know.

http://help.sap.com/saphelp_ca_cpd102/helpdata/en/4a/b5ef3222526d6de10000000a42189c/content.htm?fram...

Regards,

Dimitar

P.S. SAP provides a SAML 2.0 compliant IDP which can easily be extended to support any authentication method using JAAS login modules: http://scn.sap.com/community/netweaver-sso/blog/2013/02/28/competitive-advantages-of-sap-identity-pr.... With the next SP of NW SSO we also plan to support, by default, authentication with time-based one-time passwords (TOTP) - http://tools.ietf.org/html/rfc4226.
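The SAML 2.0 step-up flow described in the reply above, as an added example in Python using only the standard library (not SAP's implementation and not from the original post): the service provider sends an AuthnRequest with ForceAuthn="true" and an exact RequestedAuthnContext, and then refuses the response unless its AuthnStatement shows an AuthnInstant later than the request (so the IDP really did re-authenticate instead of reusing its session) and an accepted AuthnContextClassRef. The entity IDs, URLs and the PIN class URI are made up for the example; the response is constructed and unsigned, and the checker assumes the SAML stack has already verified the XML signature, audience and recipient conditions before it runs.

```python
import uuid
from datetime import datetime, timedelta, timezone
import xml.etree.ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
ET.register_namespace("samlp", SAMLP)
ET.register_namespace("saml", SAML)

SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
PASSWORD_CLASS = "urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport"
PIN_CLASS = "urn:example:ac:classes:PIN"   # assumed URI; the real value is whatever the IDP publishes

T0 = datetime(2014, 3, 1, 12, 0, 0, tzinfo=timezone.utc)   # constructed fixed clock for the example


def at(seconds):
    return T0 + timedelta(seconds=seconds)


def _ts(dt):
    return dt.strftime("%Y-%m-%dT%H:%M:%SZ")


def _parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def build_step_up_request(sp_entity_id, idp_sso_url, acs_url, classes, issued_at):
    """AuthnRequest that forces a fresh login with exactly one of the given context classes."""
    req_id = "_" + uuid.uuid4().hex
    root = ET.Element(f"{{{SAMLP}}}AuthnRequest", {
        "ID": req_id, "Version": "2.0", "IssueInstant": _ts(issued_at),
        "Destination": idp_sso_url, "AssertionConsumerServiceURL": acs_url,
        "ForceAuthn": "true",      # IDP must re-authenticate even if it already holds a session
        "IsPassive": "false",
    })
    ET.SubElement(root, f"{{{SAML}}}Issuer").text = sp_entity_id
    rac = ET.SubElement(root, f"{{{SAMLP}}}RequestedAuthnContext", {"Comparison": "exact"})
    for cls in classes:
        ET.SubElement(rac, f"{{{SAML}}}AuthnContextClassRef").text = cls
    return req_id, ET.tostring(root, encoding="unicode")


def parse_request(xml_text):
    """What the IDP reads from the request: id, force flag and the acceptable classes."""
    root = ET.fromstring(xml_text)
    rac = root.find(f"{{{SAMLP}}}RequestedAuthnContext")
    refs = rac.findall(f"{{{SAML}}}AuthnContextClassRef") if rac is not None else []
    return {"id": root.get("ID"),
            "force_authn": root.get("ForceAuthn") == "true",
            "comparison": rac.get("Comparison") if rac is not None else None,
            "classes": [e.text for e in refs]}


def make_demo_response(request_id, authn_instant, class_ref, status=SUCCESS):
    """Constructed, unsigned IDP response used only to exercise the checker below."""
    root = ET.Element(f"{{{SAMLP}}}Response", {
        "ID": "_" + uuid.uuid4().hex, "Version": "2.0",
        "IssueInstant": _ts(authn_instant), "InResponseTo": request_id})
    ET.SubElement(ET.SubElement(root, f"{{{SAMLP}}}Status"),
                  f"{{{SAMLP}}}StatusCode", {"Value": status})
    assertion = ET.SubElement(root, f"{{{SAML}}}Assertion", {
        "ID": "_" + uuid.uuid4().hex, "Version": "2.0", "IssueInstant": _ts(authn_instant)})
    stmt = ET.SubElement(assertion, f"{{{SAML}}}AuthnStatement", {"AuthnInstant": _ts(authn_instant)})
    ET.SubElement(ET.SubElement(stmt, f"{{{SAML}}}AuthnContext"),
                  f"{{{SAML}}}AuthnContextClassRef").text = class_ref
    return ET.tostring(root, encoding="unicode")


def check_step_up_response(xml_text, expected_request_id, accepted_classes,
                           request_issued_at, now, max_age=timedelta(minutes=5)):
    """Return (ok, reason). Assumes the response signature was already verified by the SAML stack."""
    root = ET.fromstring(xml_text)
    if root.get("InResponseTo") != expected_request_id:
        return False, "InResponseTo does not match the step-up request"
    code = root.find(f"{{{SAMLP}}}Status/{{{SAMLP}}}StatusCode")
    if code is None or code.get("Value") != SUCCESS:
        return False, "status is not Success"
    stmt = root.find(f"{{{SAML}}}Assertion/{{{SAML}}}AuthnStatement")
    if stmt is None:
        return False, "no AuthnStatement"
    instant = _parse_ts(stmt.get("AuthnInstant"))
    if instant < request_issued_at:
        return False, "AuthnInstant predates the request: ForceAuthn was not honoured"
    if now - instant > max_age:
        return False, "authentication event is too old"
    ref = stmt.find(f"{{{SAML}}}AuthnContext/{{{SAML}}}AuthnContextClassRef")
    if ref is None or ref.text not in accepted_classes:
        return False, "authentication method does not meet the requested context"
    return True, "ok"
```

The AuthnInstant check is the part most often skipped: an IDP that ignores ForceAuthn will happily return a Success response carrying the AuthnInstant of the morning's login, and without comparing it to the request time the application cannot tell a real re-authentication from a replayed session.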