2016 How to Define Risk-Based Authentication Rules w... | SCN
SAP HANA Cloud Platform Developer Center
How to Define Risk-Based Authentication Rules with SAP Cloud Identity
Posted by Radost Kasova in SAP HANA Cloud Platform Developer Center on Feb 16, 2016 3:20:34 PM
How do you control access to your cloud applications?
Do you, cautious about the risks, deny access from outside your corporate network, or do you, more liberally, allow access from anywhere?
Are you willing to set different rules for different users, for different applications, and according to the network from which the users try to access the protected applications?
If yes, then SAP Cloud Identity can give you this flexibility: authentication rules tailored to your exact business needs.
Let's take a closer look at the available options and variants for configuring Risk-Based Authentication.
With Risk-Based Authentication, you are able to set different rules for each application according to the following factors:
1. User group membership of the authenticating user:
   i. Cloud user group, defined in SAP Cloud Identity
   or
   ii. On-premise user group (e.g. LDAP user group, SAP NetWeaver AS UME group or ABAP roles as UME groups), if you are using the Corporate User Store scenario (authentication against an on-premise user store: LDAP, SAP NW AS Java, SAP NW AS ABAP).
2. Network IP ranges from which the users log in to the applications
For each combination of these factors, you can define the action to be performed:
Allow access
Enforce Two-Factor Authentication
Deny access
The rules are evaluated in priority order, and evaluation stops at the first rule whose conditions are met. If none of the conditions of the defined rules is met, the default action is performed.
In this blog you can find four examples of different risk-based authentication rule sets:
1. Enable Two-Factor Authentication for all the users of an application
2. Deny access from outside the corporate network for everybody, except a certain group of users that would be asked to authenticate with Two-Factor Authentication
3. Allow access only for the users that exist in Microsoft Active Directory
4. Deny access to an application
Enable Two-Factor Authentication for all the users of an application
For an application that needs a higher level of protection, you can set all users to be prompted for a One-Time Password (code) generated on a mobile device (SAP Authenticator, available on iOS or Android, or any authenticator app compatible with RFC 6238, i.e. time-based one-time passwords).
Here are the steps you need to take:
http://scn.sap.com/community/developercenter/cloudplatform/blog/2016/02/16/howtodefineriskbasedauthenticationruleswithsapcloudidentity 1/8
Prerequisites:
1. You have added your application and configured trust between your application (SP) and SAP Cloud Identity (SAML IdP). For SAP HCP apps, see here.
2. You have an SAP Cloud Identity administrator account with the "Manage Applications" role enabled.
Steps:
1. Go to your application in the SAP Cloud Identity Administration Console: navigate to https://<your tenant>.accounts.ondemand.com/admin/ and log in with your administrator credentials
2. Choose the "Applications" tile
3. Choose your application from the list of applications on the left side
4. Navigate to the "Authentication and Access" tab
5. Choose "Risk-Based Authentication"
6. Change the Default Action from "Allow" to "Two-Factor Authentication" and click "Save"
The result for the end users:
All users are prompted for a One-Time Password when they log in to the application.
Deny access from outside the corporate network for everybody, except a certain group of users that would be asked to authenticate with Two-Factor Authentication
Follow all the steps up to step 5 from the previous example; the prerequisites are also the same.
Define the following rules:
1st Rule: Allow access from within the IP range of your corporate network.
2nd Rule: Require Two-Factor Authentication for any user who is a member of the Cloud User Group "Manager".
In addition, deny access to any other users by setting the Default Action to "Deny".
The rules are evaluated in priority order until the conditions of a rule are met. If none of the conditions of the defined rules is met, the default action is performed. Because evaluation stops at the first match, the order matters: with the rules above, a member of "Manager" who connects from inside the corporate network matches the 1st rule and is allowed without a one-time password; only managers outside the network reach the 2nd rule. If managers should always authenticate with a second factor, give the group rule the higher priority.
Once users who are not members of the Cloud User Group "Manager" try to access the application from outside the corporate network, they get the following message:
Find more info about Cloud User Groups:
How to Add User Groups
Assign User Groups to a user
Allow access only for on-premise users that exist in Microsoft Active Directory
Prerequisites:
1. You have configured authentication against the Corporate User Store (with Microsoft Active Directory); additionally, see this blog.
2. You have added your application and configured trust between your application (SP) and SAP Cloud Identity (SAML IdP). For SAP HCP apps, see here.
3. You have an SAP Cloud Identity administrator account with the "Manage Applications" role enabled.
Steps:
Follow all the steps up to step 5 from example 1.
Assign all the users to a Microsoft Active Directory group (e.g. called "MSAD Everybody") and allow that group, so that its members can authenticate to your cloud application, while the Default Action "Deny" refuses access for all other users.
You can define other, more complex rules for other Microsoft Active Directory groups, for example:
An administrator has access only from within the corporate network and is required to provide two means of authentication (Two-Factor Authentication).
Partners outside their corporate network are also required to authenticate with Two-Factor Authentication.
All the users of this application shall belong to an on-premise Microsoft Active Directory user group, "MSAD Everybody".
For all other users, access is denied.
If you have configured the Corporate User Store scenario of SAP Cloud Identity to authenticate against an SAP NetWeaver AS Java server, you can define the same type of rules for other types of on-premise user groups, depending on the available options: UME groups, user groups of the connected (possibly multiple) LDAP directories, or ABAP roles as UME groups; see the documentation about UME Groups.
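Examples 2 and 3 both depend on the same evaluation semantics: rules are tried in priority order, the first match decides, and the Default Action applies otherwise. The model below is an added example, not SAP Cloud Identity's implementation (the service evaluates its rules internally), written so that a rule set can be checked offline before it is configured in the console. It encodes the rule sets of example 2 (Allow from the corporate network, Two-Factor for "Manager", default Deny) and example 3 (administrators, partners and "MSAD Everybody"). The group names, IP ranges and users are constructed. It shows two consequences of first-match evaluation that the screenshots cannot: a manager inside the network is allowed without a second factor unless the group rule is ranked first, and an administrator who is also in "MSAD Everybody" is allowed from outside the network unless an explicit Deny for administrators is placed above the Everybody rule.

```python
"""First-match model of risk-based authentication rules.

Added example, not SAP code: SAP Cloud Identity evaluates its rules
inside the service, and this file only models the semantics the post
describes (group and IP-range conditions, Allow / Two-Factor / Deny
actions, priority order, Default Action) so the effect of rule ordering
can be checked before it is configured in the console.  The group names,
IP ranges and users below are constructed.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

ALLOW, TWO_FACTOR, DENY = "Allow", "Two-Factor Authentication", "Deny"


@dataclass(frozen=True)
class Rule:
    action: str
    group: Optional[str] = None      # None: applies to any user
    networks: Tuple[str, ...] = ()   # empty: applies from any network

    def matches(self, groups, ip) -> bool:
        if self.group is not None and self.group not in groups:
            return False
        if self.networks and not any(ip in ip_network(n) for n in self.networks):
            return False
        return True


@dataclass
class Policy:
    rules: List[Rule]        # highest priority first
    default: str = ALLOW     # the console's "Default Action"

    def decide(self, groups, client_ip: str) -> str:
        """Return the action of the first matching rule, else the default action."""
        ip = ip_address(client_ip)
        for rule in self.rules:
            if rule.matches(set(groups), ip):
                return rule.action
        return self.default


CORPORATE = ("10.0.0.0/8", "203.0.113.0/24")   # constructed corporate IP ranges

# Example 2 as listed in the post: 1st Allow from the corporate network,
# 2nd Two-Factor for "Manager", Default Action Deny.
EXAMPLE_2 = Policy(
    rules=[Rule(ALLOW, networks=CORPORATE), Rule(TWO_FACTOR, group="Manager")],
    default=DENY,
)
# Same two rules with the priorities swapped: managers get a second factor everywhere.
EXAMPLE_2_STRICT = Policy(
    rules=[Rule(TWO_FACTOR, group="Manager"), Rule(ALLOW, networks=CORPORATE)],
    default=DENY,
)

# Example 3 with Active Directory groups.  Because evaluation stops at the
# first match, an administrator who is also in "MSAD Everybody" would fall
# through to the Allow rule when outside the corporate network unless an
# explicit Deny for administrators is ranked above it.
EXAMPLE_3 = Policy(
    rules=[
        Rule(TWO_FACTOR, group="MSAD Administrators", networks=CORPORATE),
        Rule(DENY, group="MSAD Administrators"),      # administrators outside the network
        Rule(TWO_FACTOR, group="MSAD Partners"),
        Rule(ALLOW, group="MSAD Everybody"),
    ],
    default=DENY,
)

if __name__ == "__main__":
    cases = [
        ("manager inside", {"Manager"}, "10.1.2.3"),
        ("manager outside", {"Manager"}, "198.51.100.7"),
        ("staff outside", {"Staff"}, "198.51.100.7"),
    ]
    for who, groups, ip in cases:
        print(f"{who:16} example 2: {EXAMPLE_2.decide(groups, ip):26}"
              f" strict: {EXAMPLE_2_STRICT.decide(groups, ip)}")
```

Running it prints "Allow" for the manager inside the network under the post's ordering and "Two-Factor Authentication" under the strict ordering; everything else is identical. When the real rules are entered in the console, the same small table of users and source addresses is worth walking through by hand against the priorities shown there.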
Deny access to an application
Steps:
Follow all the steps up to step 5 from example 1; the prerequisites are also the same.
Before your application goes live, you can deny access to everybody by setting the Default Action to "Deny".
Once you are ready to go live, you just change the Default Action to "Allow".
In a nutshell, you have the freedom to configure the authentication to your application flexibly, based on your security requirements and corporate needs.
Enjoy your journey with SAP Cloud Identity Risk-Based Authentication.
5 Comments
Thorsten Schneider Feb 28, 2016 10:25 PM
Did not follow step-by-step. But nice blog about risk-based authentication. Thanks
Anurag Kulkarni Jul 20, 2016 11:40 AM
Hi Thorsten,
How do I configure my on-premise web application developed using the Java language and provide my on-premise users with single sign-on and OTP on the HANA Cloud Platform?
Is it mandatory that my web application should be deployed on the HCP?
Thanks,
Anurag
Radost Kasova Jul 21, 2016 9:30 AM (in response to Anurag Kulkarni)
If you run applications on NW AS Java, you can configure trust with SAP Cloud Identity and
then the authentication would happen against the SAP Cloud Identity SAML IDP, and you
will benefit from the SSO and OTP capabilities.
Anurag Kulkarni Jul 21, 2016 11:34 AM (in response to Radost Kasova)
Hi Radostina,
My on-premise web application is hosted on GoDaddy, and it runs on an Apache Tomcat server.
Is it mandatory that my application should run on SAP NW AS Java, SAP server only?
Anurag Kulkarni Jul 22, 2016 9:26 AM (in response to Radost Kasova)
Hi Radostina,
Thanks for the reply. I have a client whose website is developed using the PHP language, and how do I enable SAML 2.0 trust on the website and how do I integrate it with SAP Cloud Identity? Can you please help me on this, some prototype?
Thanks,
Anurag