Configuring TOTPLoginModule and RBALoginModule

SAP Single Sign-On provides two login modules which perform two-factor authentication: TOTPLoginModule and RBALoginModule. You can use the TOTPLoginModule when you want the first factor to be one of the login modules available on the AS Java, and the second factor to be a one-time password (passcode). You can use the RBALoginModule when you want to use the login modules available on the AS Java as both the first and the second factor. This topic deals mainly with the TOTPLoginModule, but most of these concepts are also valid for the RBALoginModule. You can find more examples in the Examples topic.

How to Use the TOTPLoginModule

If you want to use the TOTPLoginModule, you need to add it to the authentication stack of your application. For more information, see Policy Configurations and Authentication Stacks. The TOTPLoginModule can use one or more login modules available in AS Java as the first authentication factor. For more information about the login modules, see Login Modules. You can specify the first factor login module or modules on the One-Time Password Administration UI at http://<host>:<port>/ssoadmin/otp, Settings tab, below the Two-Factor Authentication section.

How the Authentication Works

  1. When a user tries to open the protected application, the TOTPLoginModule is triggered as part of the corresponding authentication stack, which protects the application.
  2. The TOTPLoginModule is now at the first stage and calls its first factor login module or modules in order, until a login module finds a user principal (for example, a username) that corresponds to the authenticating user.
  3. The TOTPLoginModule fails the authentication in order to trigger the second stage, where the user is requested to provide a passcode as the second factor.
  4. The user provides the passcode, the TOTPLoginModule succeeds and, depending on the rest of the login modules in the authentication stack and their flags, the overall authentication either succeeds or fails.
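The two-stage flow above, modelled in Python as an added example (not SAP code): a stand-in TOTPLoginModule that tries its first factor modules in order until one yields a principal, deliberately fails at stage 1 so that the passcode is requested, and is then evaluated inside a stack under JAAS-style flag rules. The user store, the passcode table and the module names are constructed assumptions.

```python
"""Constructed model of the two-stage TOTPLoginModule flow; not SAP code."""
import hmac
from typing import Callable, Dict, List, Optional, Tuple

# Constructed stand-ins for the first-factor user store and for the passcodes a
# real TOTP verifier would compute for the current time window.
USERS = {"alice": "pw-alice"}
CURRENT_PASSCODES = {"alice": "492039"}

def password_module(creds: Dict[str, str]) -> Optional[str]:
    # First factor: yields a principal only when username and password match.
    user = creds.get("username", "")
    pw_ok = hmac.compare_digest(USERS.get(user, "").encode(), creds.get("password", "").encode())
    return user if pw_ok else None

class TOTPLoginModule:
    def __init__(self, first_factors: List[Callable]):
        self.first_factors = first_factors    # treated as if flagged Sufficient
        self.stage = 1                        # 1 = first factor, 2 = passcode

    def login(self, creds: Dict[str, str]) -> bool:
        if self.stage == 1:
            for module in self.first_factors:  # stop at the first principal found
                principal = module(creds)
                if principal is not None:
                    creds["principal"], self.stage = principal, 2
                    break
            return False                      # stage 1 fails to trigger stage 2
        expected = CURRENT_PASSCODES.get(creds.get("principal", ""), "")
        return hmac.compare_digest(expected.encode(), creds.get("passcode", "").encode())

def evaluate_stack(stack: List[Tuple[str, Callable]], creds: Dict[str, str]) -> bool:
    """Overall stack result under JAAS rules for Required, Requisite and Sufficient."""
    required_failed, any_success = False, False
    for flag, login in stack:
        ok = login(creds)
        if flag in ("Required", "Requisite"):
            any_success |= ok
            required_failed |= not ok
            if flag == "Requisite" and not ok:
                return False                  # Requisite failure stops the stack
        elif ok and flag == "Sufficient" and not required_failed:
            return True                       # Sufficient success ends the stack
    return any_success and not required_failed

def run_two_stage(username: str, password: str, passcode: str) -> Tuple[bool, bool]:
    # One TOTPLoginModule replacing the whole stack; returns (stage 1, stage 2).
    totp = TOTPLoginModule([password_module])
    stack = [("Sufficient", totp.login)]
    creds = {"username": username, "password": password}
    first = evaluate_stack(stack, creds)      # always False: passcode requested
    creds["passcode"] = passcode
    return first, evaluate_stack(stack, creds) if totp.stage == 2 else False
```

The second stage is only reached when a first factor module found a principal; a wrong password never gets as far as the passcode prompt.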

Interaction Between the TOTPLoginModule and Other Login Modules

If you have an authentication stack with login modules, the TOTPLoginModule can replace this whole authentication stack (with some limitations), or it can replace a single login module from this authentication stack.

  • Replacing the whole authentication stack

    If you have configured an authentication stack with a few login modules, you can replace all of these login modules with a single TOTPLoginModule. This TOTPLoginModule should have the same login modules configured as its first factor login modules. For more information on how to configure the first factor login modules, see Configuring Two-Factor Authentication.

    The login module options for the first factor login modules must be specified as TOTPLoginModule login module options. For more information, see the handling of login module options in the format <login module>.<login module option> in One-Time Password Login Module Options.
    Caution

    When using only the TOTPLoginModule instead of a login module stack, keep in mind that the first factor login modules set on the TOTPLoginModule will be handled as if they had the Sufficient flag.

  • Replacing one login module in the authentication stack
    If you want to enhance a single login module from your authentication stack with a one-time password as the second factor, you need to replace this login module with the TOTPLoginModule and set the replaced login module as its first factor login module.
    Note

    If you are combining several login modules to create your authentication stacks, keep in mind that the order and flags of these login modules are very important for the authentication. If you use the TOTPLoginModule, there should be no other login modules with the Requisite or Required flag after the TOTPLoginModule. For more information, see Policy Configurations and Authentication Stacks.

For more examples, see Examples.