
SAP Knowledge Base Article

3074781 - Multifactor Authentication (MFA) options for Netweaver AS and S/4 Hana on-premise.
Component: BC-IAM-SSO-OTP (One-Time Passwords and Access Policies), Version: 8, Released On: 22.11.2022

Symptom
This is an informational KBA on the supported MFA options for your Netweaver on-premise application server. Its goal is only to make you aware of the MFA options and to point you to the root documentation of the products involved.
By default, neither Netweaver Abap nor Netweaver Java supports any MFA solution directly.
The SAP SSO 3.0 product includes OTP functionality, which provides MFA and can be deployed to the Netweaver Java stack. This provides MFA directly for the Netweaver Java stack and (indirectly) allows MFA for the Netweaver Abap stack. An SAP SSO 3.0 license is needed for all SAP-supported Netweaver MFA solutions.

Environment
Netweaver Abap
Netweaver Java
Single Sign On 3.0

Resolution
Netweaver Abap:
This application server has no direct MFA solution, but it can use your Netweaver Java Secure Login Server, OTP functionality and saml2 functionality to achieve MFA indirectly.
SAPGUI:
With the Secure Login Web Client, you can log in to the Secure Login Server with MFA (TOTPLoginModule, after configuring OTP) to obtain an X.509 certificate for login to the SAPGUI via SNC.
Minimum deployment requirements:
Secure Login Client (operating system install)
Secure Login Server (to be deployed on Java stack)
SSOAUTHLIB (OTP functionality, to be deployed on Java stack)

HTTP services (Webgui, Fiori, etc):


For browser-based services, saml2 is used to connect to the Java stack for MFA login. Netweaver Abap is the saml2 service provider, and Netweaver Java is the saml2 identity provider. Once your OTP is configured, add the TOTPLoginModule to the identity provider's Authentication Context.
Minimum deployment requirements:
IDMFEDERATION (saml2 identity provider functionality, to be deployed on Java stack)
SSOAUTHLIB (OTP functionality, to be deployed on Java stack)

Netweaver Java:
Deploy the OTP solution, then configure it. Once it is configured, just add the TOTPLoginModule to the authentication stack of the application you are using.
Minimum deployment requirements:
SSOAUTHLIB (OTP functionality, to be deployed on Java stack)

See Also
Root documentation for Secure Login (server and client) material:
https://help.sap.com/doc/7d3f26c449524c54b5d8232e11f0a771/3.0/en-US/SecureLoginForSAPSSO3.0_UACP.pdf
Root Documentation for OTP solution:
https://help.sap.com/doc/5e008ecd41234762a9d5a9c33b0ad6fe/3.0/en-US/One-TimePasswordAuthentication_UACP.pdf
Root Documentation for Abap saml2 service provider:
https://help.sap.com/viewer/f118a8960caf41808bd374e28a834f58/7.4.19/en-US
Root Documentation for Java saml2 Identity provider:
https://help.sap.com/doc/339459818c4e4cb881c353e04a037a97/2.15/en-US/IdentityProviderForSAPSingleSign-OnAndSAPIdentityManagement_uacp.pdf

Keywords
MFA, 2FA, Single Sign on, SLS, SLC, OTP, Passcode, Authenticator, Two Factor

Attributes
Other Components: BC-IAM-SSO-SL (Secure Login)
Other Components: BC-JAS-SEC-LGN (Logon, SSO)
Other Components: BC-SEC-LGN-SML (SAML 2.0 for ABAP)
Requires Action: 0

Products
SAP NetWeaver all versions
SAP S/4HANA all versions
SAP Single Sign-On 3.0
