Skip to Content
author's profile photo Former Member
Former Member

Two factor authentication for successfactors without implementing single-sign-on


I found a previously posed question regarding if it is possible to implement two factor authentication for SuccessFactors which Donka Dimitrova answered but I could not determine from her answer (or other websites I have found via google) if it is possible to implement 2FA without also implementing SSO.

So basically the scenario we want to realize is the following:

We want to implement 2-factor-authentication using the SAP Single Sign On product but we don’t want to implement Single-sign-on at the same time. Is this possible? So what we would like to see is the user logging in to Successfactor using their username and password and then they would receive an sms from the SAP Single Sign On product containing a code that they have to enter in Successfactor to be able to log in. We could also imagine the secondary code being generated by a token generator that each user has, instead of receiving an SMS from SAP Single On product.


Add comment
10|10000 characters needed characters exceeded

1 Answer

  • Posted on Feb 19, 2017 at 09:32 AM

    Dear Anders,

    the two factor authentication is provided by multiple components part of the SAP Single Sign-On 3.0 product. As SuccessFactors is a cloud based product, i would assume in the most easiest implementation scenario you would need to operate a Identity Provider in your corporate network. This IdP must be based on the SAP IdP (AS Java). You only would need to deploy the SAP Single Sign-On Authentication Library (BC-IAM-SSO-OTP) on the AS Java in order to be able to register mobile devices via SAP Authenticator. If you want to utilize SMS, you would need to have an SMS-gateway in addition, that is also possible but i have no personal experience with that kind of configuration. You also would need to install the iOS, Android or Windows App on the mobile devices of your SuccessFactors users and provide them the user self-service website to easily setup the device for one time passwords. There are multiple ways how to implement this, i don't want to repeat Donka's blog ;)

    So to answer your question, i would say yes it is possible to implement without the need to implement SSO for your whole landscape, but you would need to provide and setup the IdP for MFA, setup your SF for using SAML and setup the mobile devices of employees. Please keep in mind, whenever you use a component of SAP SSO 3.0 like the IdP or the SSO Authentication Library you'll require a license for the product.



    Add comment
    10|10000 characters needed characters exceeded