
SAP SSO 2: SAML with multiple login modules

Former Member

Hi,


we are trying to implement two-factor authentication for an ABAP ICF system (finally, hopefully, for Fiori). So we're trying to get SAML configured as shown in some examples here on SCN (I can provide links, if needed).


Our two factor authentication is based on normal passwords (from UME, using the standard password module) and on radius (using the standard radius module). This works fine for SLS.


But I am stuck on how to configure that for SAML.

Most guides for two factor authentication concentrate on TOTP and let people setup a new Context and configure it for TOTP alone. That doesn't work for us.


Could you please give me some advice?


Cheers


Christian

Accepted Solutions (0)

Answers (1)


former_member182254
Active Participant

Hello,

As a first step please check the following SAP note and import the policy scripts from it, or at least "SAP.txt" and "SAP_util_rsa.txt": http://service.sap.com/sap/support/notes/2225027. Afterwards configure the following script for TOTPLoginModule:

#include "SAP";
#include "SAP_util_rsa";

// Second stage: called with the passcode the user entered. Validation is
// delegated to the RSA SecurID (RADIUS) validator shipped in SAP_util_rsa.
function validatePasscode(config, context, result, username, passcode) {
  SAP.util.rsa.PasscodeValidator.validate(config, context, result, username, passcode);
}

// Called once the first factor has succeeded: set the prompt for the second
// stage and tell TOTPLoginModule that the passcode is validated externally
// instead of against a locally stored TOTP secret.
function onFirstStageLogin(config, context, result) {
  result.setLoginInfoMessage("Enter RSA SecurID passcode to log on");
  config.setProperty("otp.use.external.passcode.validation", "yes");
}

The procedure to configure and enable policy script is described here: Configuring the One-Time Password Administration UI for Policy Scripts - One-Time Password Authentic...

The script above will re-use your setup for SLS. If you do not use the default RADIUS destination name, you may need to modify the script slightly:

#include "SAP";
#include "SAP_util_rsa";

// Second stage: point the RSA validator at a non-default RADIUS destination
// before delegating the passcode check to it.
function validatePasscode(config, context, result, username, passcode) {
  config.setProperty("rsa.login.module.option.RadiusDestination", "OtherRSADestination");
  SAP.util.rsa.PasscodeValidator.validate(config, context, result, username, passcode);
}

// Called once the first factor has succeeded: set the prompt for the second
// stage and switch TOTPLoginModule to external passcode validation.
function onFirstStageLogin(config, context, result) {
  result.setLoginInfoMessage("Enter RSA SecurID passcode to log on");
  config.setProperty("otp.use.external.passcode.validation", "yes");
}

Where "OtherRSADestination" is the name of the destination configured in /slac -> Destination Management.

Let me know if you need any further details.

Best regards,

Dimitar Mihaylov

Former Member

Hello Dimitar,

just to get this right: in the SLS way, I can just use /nwa/auth -> Components to set up a login module stack (marking all modules as REQUISITE) and be done, while for SAML2 I have to go through all the hoops of writing policy scripts?

I don't need such a complex script, because I don't need any extra prompts etc., because my RADIUS server is happy with the normal user password (it does some complex out-of-band yes/no decision, basically).

Also I am a bit confused by you mentioning TOTP: I don't want to use TOTP at all.

(Still looking at the Note and the references docs…)

Thanks already!

former_member182254
Active Participant

Hello Christian,

The IDP does not work directly with a pre-configured authentication stack but with SAML2 authentication contexts which are mapped to login modules. Based on the configured authentication contexts it builds a dynamic authentication stack with the corresponding login modules each with flag SUFFICIENT. This means that technically you cannot achieve exactly the same configuration as for SLS.

Please note that the TOTPLoginModule does not support only time-based one-time passwords (TOTP) but also other types of second-factor authentication, e.g. random passcodes sent via email, SMS or another channel, as well as external services like an RSA SecurID server. My previous reply describes how to achieve the last one.

Please check the documents that I have sent you and in case you still have any concerns about the proposed approach we can have a call to discuss those. You may contact me at <firstname>.<lastname><AT>sap.com and arrange a suitable time slot for the call.

Best regards,

Dimitar Mihaylov
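The thread turns on one point: the SLS stack chains the password and RADIUS modules as REQUISITE, whereas the SAML2 IdP builds a dynamic stack in which every mapped login module carries the flag SUFFICIENT. The following is an added example, not code from this thread or from SAP: a small JavaScript model of the JAAS-style control-flag semantics (REQUIRED, REQUISITE, SUFFICIENT, OPTIONAL) run against two constructed modules, a password check and a RADIUS check that, like Christian's server, takes the normal password and then makes an out-of-band yes/no decision. The user table, module names and the stack builders are constructed for the demonstration and do not use SAP's policy-script API.

```javascript
// Control flags as defined by JAAS; SAP NetWeaver login module stacks use the same names.
const FLAG = {
  REQUIRED: "REQUIRED",     // must succeed, but evaluation continues either way
  REQUISITE: "REQUISITE",   // must succeed; on failure the stack stops and fails
  SUFFICIENT: "SUFFICIENT", // on success (with no earlier REQUIRED/REQUISITE failure) the stack stops and succeeds
  OPTIONAL: "OPTIONAL",     // result only matters if no REQUIRED/REQUISITE module exists
};

// Constructed user table. "radiusApproves" stands in for the out-of-band
// yes/no decision the RADIUS server makes after accepting the password.
const USERS = {
  christian: { password: "s3cret-pw", radiusApproves: true },
  mallory:   { password: "hunter2",   radiusApproves: false }, // right password, second factor denied
};

// First factor: plain password check (stands in for BasicPasswordLoginModule).
function passwordModule(cred) {
  const u = USERS[cred.user];
  return !!u && u.password === cred.password;
}

// Second factor: RADIUS takes the same password and adds the out-of-band decision.
function radiusModule(cred) {
  const u = USERS[cred.user];
  return !!u && u.password === cred.password && u.radiusApproves;
}

// Evaluate a login module stack with JAAS control-flag semantics.
// Returns the overall decision plus a trace of which modules actually ran.
function evaluateStack(stack, cred) {
  const trace = [];
  let requiredSeen = false;
  let requiredFailed = false;
  let optionalSucceeded = false;

  for (const { name, flag, module } of stack) {
    const ok = module(cred);
    trace.push(`${name}(${flag})=${ok ? "ok" : "fail"}`);
    switch (flag) {
      case FLAG.REQUIRED:
        requiredSeen = true;
        if (!ok) requiredFailed = true;
        break;
      case FLAG.REQUISITE:
        requiredSeen = true;
        if (!ok) return { authenticated: false, trace }; // stop immediately
        break;
      case FLAG.SUFFICIENT:
        if (ok && !requiredFailed) return { authenticated: true, trace }; // stop immediately
        if (ok) optionalSucceeded = true;
        break;
      case FLAG.OPTIONAL:
        if (ok) optionalSucceeded = true;
        break;
    }
  }
  const authenticated = requiredSeen ? !requiredFailed : optionalSucceeded;
  return { authenticated, trace };
}

// SLS-style stack: both factors REQUISITE, so both must pass.
function slsStack() {
  return [
    { name: "BasicPassword", flag: FLAG.REQUISITE, module: passwordModule },
    { name: "Radius",        flag: FLAG.REQUISITE, module: radiusModule },
  ];
}

// IdP-style dynamic stack: every mapped module SUFFICIENT, in the given order.
function idpStack(radiusFirst = false) {
  const pw = { name: "BasicPassword", flag: FLAG.SUFFICIENT, module: passwordModule };
  const ra = { name: "Radius",        flag: FLAG.SUFFICIENT, module: radiusModule };
  return radiusFirst ? [ra, pw] : [pw, ra];
}

// Demo: mallory has the right password but RADIUS denies the second factor.
const mallory = { user: "mallory", password: "hunter2" };
console.log("SLS  :", evaluateStack(slsStack(), mallory));
console.log("IdP  :", evaluateStack(idpStack(), mallory));
console.log("IdP~ :", evaluateStack(idpStack(true), mallory));
```

With both modules REQUISITE, mallory is rejected as soon as RADIUS says no. With both modules SUFFICIENT, the password module alone ends the stack with success and RADIUS never runs; putting RADIUS first does not help, because a failing SUFFICIENT module just falls through to the next one. That is why a stack of SUFFICIENT modules cannot express "password AND second factor", and why the second factor on the IdP side has to live inside a single login module (here TOTPLoginModule with external passcode validation) rather than be chained as a separate module.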