One-Time Password Authentication Administration Guide
This section provides information about the installation and configuration of one-time password (OTP) authentication.
Types of Passcodes
- Passcode generated by an authenticator mobile application
This configuration is possible if users can install an authenticator application on their mobile devices. For more information, see Configuring Authentication with a Passcode Generated by an Authenticator App.
- Random passcode sent by SMS, e-mail, or another channel
This configuration is for users who cannot install an authenticator mobile application. The passcode can be sent to the users by SMS or e-mail. For more information about this configuration, see Configuring Authentication with a Random Passcode Sent by SMS, E-Mail, or Another Channel.
- External passcode generated by a third-party passcode provider
This configuration is for passcodes from a third-party provider (for example, RSA SecurID passcodes) that must be validated before the user is authenticated. For authentication with these passcodes, developers have to implement a policy script written in JavaScript. For more information about this configuration, see Configuring External Passcode Validation.
Operations in SAP NetWeaver Administrator
You access SAP NetWeaver Administrator at http://<host>:<port>/nwa and can use it for the following operations:
| Operation | Reference |
|---|---|
| Setting OTP-related login modules | |
| Specifying OTP roles, groups, or users | |
| Configuring passcode provisioning for users with unsupported mobile devices | Configuring Authentication with a Random Passcode Sent by SMS, E-Mail, or Another Channel |
| Configuring the use of external passcodes | Configuring External Passcode Validation |
| Setting an OTP-related logon application | |
| Getting OTP logs and traces | |
| Configuring logon to supported systems | |
Operations in One-Time Password Administration UI
You access the One-Time Password Administration UI at http://<host>:<port>/ssoadmin/otp and can use it for the following:
| Operation | Reference |
|---|---|
| Configuring specifics for single-factor authentication | |
| Configuring specifics for two-factor authentication | |
| Disabling user accounts | |
| Setting a policy for locking of user accounts | |
| Unlocking user accounts | |
| Setting the validity of user accounts | |
| Advanced user search | |
| Setting passcode length | |
| Setting passcode digest algorithm | |
| Configuring passcode provisioning for users with unsupported mobile devices | Configuring Authentication with a Random Passcode Sent by SMS, E-Mail, or Another Channel |
| Configuring the use of external passcodes | Configuring External Passcode Validation |
| Customizing the Mobile Device Setup UI | |
| Setting an expiration warning period for all user accounts | |
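The passcode type described under Types of Passcodes (a passcode generated by an authenticator mobile application) and the two settings listed above, passcode length and passcode digest algorithm, are easiest to understand through the standard algorithm such apps implement. The following Python is an added illustration, not SAP's own code and not a statement of how the SAP implementation derives its passcodes: it implements HOTP (RFC 4226) and time-based TOTP (RFC 6238) and shows how the digit count and digest choice change the passcode, plus the two server-side checks a verifier needs, a bounded time window for clock drift and rejection of an already-used time step (replay). The secrets and timestamps are the RFC test vectors, embedded here as constructed sample input.

```python
import hashlib
import hmac
import struct
import time

# Digest names as an administrator would pick them, mapped to hashlib constructors.
DIGESTS = {"sha1": hashlib.sha1, "sha256": hashlib.sha256, "sha512": hashlib.sha512}


def hotp(secret: bytes, counter: int, digits: int = 6, digest: str = "sha1") -> str:
    """RFC 4226: HMAC over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), DIGESTS[digest]).digest()
    offset = mac[-1] & 0x0F                      # low nibble of the last byte selects 4 bytes
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)   # "passcode length" = digits kept


def totp(secret: bytes, at: int, digits: int = 6, digest: str = "sha1", step: int = 30) -> str:
    """RFC 6238: HOTP whose counter is the number of 'step'-second intervals since the epoch."""
    return hotp(secret, at // step, digits, digest)


def verify_totp(secret: bytes, candidate: str, at: int = None, digits: int = 6,
                digest: str = "sha1", step: int = 30, window: int = 1):
    """Return the time step the candidate matched (current step +/- window), else None.

    A window of 1 tolerates up to one step of clock drift in either direction; larger
    windows widen the set of passcodes accepted at any instant, so keep it small.
    The comparison is constant-time so timing does not leak how many digits matched.
    """
    if at is None:
        at = int(time.time())
    if not (candidate.isdigit() and len(candidate) == digits):
        return None
    base = at // step
    for delta in range(-window, window + 1):
        counter = base + delta
        if counter < 0:
            continue
        if hmac.compare_digest(hotp(secret, counter, digits, digest), candidate):
            return counter
    return None


class TotpVerifier:
    """Per-user verifier that also refuses to accept the same time step twice.

    A TOTP passcode is valid for the whole step (plus the window), so a server that
    only checks the value would accept a captured passcode again within that time.
    Remembering the last accepted step closes that gap.
    """

    def __init__(self, secret: bytes, digits: int = 6, digest: str = "sha1",
                 step: int = 30, window: int = 1):
        self.secret, self.digits, self.digest = secret, digits, digest
        self.step, self.window = step, window
        self.last_counter = -1          # highest time step already consumed

    def check(self, candidate: str, at: int = None) -> bool:
        counter = verify_totp(self.secret, candidate, at, self.digits,
                              self.digest, self.step, self.window)
        if counter is None or counter <= self.last_counter:
            return False                # wrong passcode, or replay of a used step
        self.last_counter = counter
        return True


# Constructed sample input: the RFC 6238 Appendix B reference secrets.
SECRET_SHA1 = b"12345678901234567890"
SECRET_SHA256 = b"12345678901234567890123456789012"
SECRET_SHA512 = b"1234567890123456789012345678901234567890123456789012345678901234"

if __name__ == "__main__":
    # Same secret and instant, different length and digest settings.
    print(totp(SECRET_SHA1, 59, digits=6))                      # 287082
    print(totp(SECRET_SHA1, 59, digits=8))                      # 94287082
    print(totp(SECRET_SHA256, 59, digits=8, digest="sha256"))   # 46119246
    v = TotpVerifier(SECRET_SHA1)
    print(v.check("287082", 59), v.check("287082", 59))         # True False (replay)
```

The verifier in this example keeps the replay state in memory; in a real deployment that state lives with the user record so it survives restarts and is shared across server nodes.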
Required Role Assignments
Users can only access OTP tools if they have been assigned the corresponding roles. Provided you have permission to access SAP NetWeaver Administrator, you can assign OTP roles to the corresponding user management engine (UME) groups, roles, or users. For more information, see Assigning Principals to UME Roles or Groups.
You should assign the following OTP roles to the UME groups or users that use OTP authentication:
- OTP_ADMINISTRATOR
This role is assigned to administrators who use the One-Time Password Administration UI.
- OTP_USER
This role is assigned to users so that they can set up their authenticator apps for OTP authentication.
- OTP_ONLINE_USER
This role is assigned to users for online account setup, which requires a confirmation code.
If you decide not to use the OTP roles mentioned above, you need to assign the following actions to the UME roles that you will use for OTP authentication:
- OTP_ADMINISTRATION
This is the action for administrators who use the One-Time Password Administration UI.
- OTP_ACTIVATION
This is the action for users who set up their authenticator apps.
- OTP_ONLINE_ACTIVATION
This is the action for authenticator users who perform online account setup.