Examples

Example: 1. Setting Up Login Either with Password or with Passcode

John Miller is an administrator at MyCompany corporation. He has an application protected with user e-mail and password. He wants to configure the system so that a passcode generated by an authenticator mobile application can be used for authentication in addition to the password.

John Miller has to do the following:
  1. In SAP NetWeaver Administrator at http(s)://<host>:<port>/nwa, choose Configuration > Authentication and Single Sign-On > Authentication > Components and replace the BasicPasswordLoginModule with TOTPLoginModule in the authentication stack of the application.
  2. Add a login module option for TOTPLoginModule with the name UserMappingMode and the value Email. This allows the customized logon application to correctly visualize the required user principal.
  3. Add a login module option with the name BasicPasswordLoginModule.UserMappingMode and the value Email. This instructs the BasicPasswordLoginModule to resolve the user by e-mail address.
  4. On the One-Time Password Administration UI at http(s)://<host>:<port>/ssoadmin/otp, Settings tab, specify BasicPasswordLoginModule in the First Factor Login Module field.
  5. Save the configurations.

Once this configuration has been completed, all employees of MyCompany will be able to log on to the system by entering an e-mail address and a password, or an e-mail address and a passcode generated by an authenticator mobile application.

Example: 2. Setting Up Login with Certificate and Passcode

John Miller is an administrator at MyCompany corporation. He has an application protected by X.509 certificate authentication. He wants to add a passcode as a second factor. Assuming the CN field of the employees’ certificates contains their corporate e-mail, and the application is already protected by ClientCertLoginModule, John Miller has to do the following:
  1. In SAP NetWeaver Administrator at http(s)://<host>:<port>/nwa, choose Configuration > Authentication and Single Sign-On > Authentication > Components and replace the existing ClientCertLoginModule with TOTPLoginModule.
  2. Add the login module option ClientCertLoginModule.Rule1.UserMappingMode with the value Email.
  3. Add the login module option ClientCertLoginModule.Rule1.AttributeName with the value CN.
  4. Add the login module option ClientCertLoginModule.Rule1.getUserFrom with the value subjectName.
  5. On the One-Time Password Administration UI at http(s)://<host>:<port>/ssoadmin/otp, Settings tab, specify ClientCertLoginModule in the First Factor Login Module field.
  6. Save the configurations.

Once this configuration has been completed, all employees of MyCompany will be able to log on to the protected application by providing their certificate and by entering a passcode as well.

Example: 3. Setting Up Login with Password, or Password and Passcode According to the Policy Script

John Miller is an administrator at MyCompany corporation. He has an application protected with username and password, and he wants to add a passcode as a second factor. The users in Germany should authenticate with a password only, while users outside of Germany should authenticate with a password and a passcode. John has to do the following for this configuration:

  1. In SAP NetWeaver Administrator at http(s)://<host>:<port>/nwa, choose Configuration > Authentication and Single Sign-On > Authentication > Components and replace the BasicPasswordLoginModule with TOTPLoginModule in the authentication stack of the application.
  2. On the One-Time Password Administration UI at http(s)://<host>:<port>/ssoadmin/otp, Settings tab, specify BasicPasswordLoginModule in the First Factor Login Module field.
  3. Select the Policy checkbox in order to activate the policy.
  4. Log on to the Policy Script Administration Console at http(s)://<host>:<port>/ssoadmin/scripts.
  5. Create a policy script of type Procedure that requires authentication according to the location of the user. You can find an example of a policy script in this step. For more information on how to create a policy script, see Working with Policy Scripts.
    Example
    // Called after the first factor (the password) has been verified.
    function onFirstStageLogin(config, context, result) {
      var loginInfo = context.getLoginInfo();
      var user = loginInfo.getUser();
      var userCountry = user.getCountry();

      // Users located in Germany skip the passcode. The comparison is
      // case-insensitive and a missing country attribute never matches,
      // so such users still have to provide the second factor.
      if (userCountry !== null && String(userCountry).toUpperCase() === "DE") {
        result.doNotRequireSecondFactor();
      }
    }
  6. On the One-Time Password Administration UI, Settings tab, below the Two-Factor Authentication section, press the Policy Script... button and choose the policy script that was just created.
  7. Save the configurations.

Once this configuration has been completed, all users from Germany will be able to log on with their logon ID and password, while all other users log on with basic credentials and a passcode.

Example: 4. Protecting the Default ticket Authentication Template with Two-Factor Authentication Using One-Time Passwords

John Miller is an administrator at MyCompany corporation. He wants to configure the system to require authentication with two factors when accessing applications protected with the ticket authentication template.

John Miller has to do the following:

  1. Log on to SAP NetWeaver Administrator at http(s)://<host>:<port>/nwa and navigate to Configuration tab > Authentication and Single Sign-On > Authentication tab > Components.
  2. Filter for type Template and choose the policy configuration with name ticket.
  3. Replace the BasicPasswordLoginModule with TOTPLoginModule in the authentication stack of the application.
    Note

    If there are login modules with the Requisite or Required flag below the TOTPLoginModule module, change these flags to Sufficient.

  4. On the One-Time Password Administration UI at http(s)://<host>:<port>/ssoadmin/otp, Settings tab, specify BasicPasswordLoginModule in the First Factor Login Module field.
  5. Save the configurations.

Once this configuration has been completed, all employees of MyCompany will be able to log on to any application protected with the ticket template (for example the portal page) with a one-time password, in addition to the user name and password, or SAP Logon Ticket.

Example: 5. Using RBALoginModule to protect the Portal Page with BasicPasswordLoginModule as First Factor and SAML2LoginModule as Optional Second Factor

John Miller is an administrator at MyCompany corporation. He has a portal application protected by the default ticket authentication template, which authenticates users via SAP Logon Tickets or via basic authentication. For users matching certain criteria, John wants to configure the system to require SAML2 authentication after successful basic authentication as the first factor. To achieve this, John uses the risk-based authentication offered by the RBALoginModule.

John Miller has to do the following:

  1. Log on to SAP NetWeaver Administrator at http(s)://<host>:<port>/nwa and navigate to Configuration tab > Authentication and Single Sign-On > Authentication tab > Components.
  2. Filter for type Template and choose the policy configuration with name ticket.
  3. Make sure that the authentication stack has the following login modules and login module options:
    1. EvaluateTicketLoginModule with flag Sufficient
    2. RBALoginModule with flag Requisite and the following login module options:
      • tfa.first.factor.login.module with value BasicPasswordLoginModule
      • tfa.second.factor.login.module with value SAML2LoginModule
    3. CreateTicketLoginModule with flag Optional
  4. Log on to the Policy Script Administration Console at http(s)://<host>:<port>/ssoadmin/scripts.
  5. Create a policy script of type Procedure that checks if SAML2 authentication is required depending on a user attribute defined in the policy script.

    Here is an example:

    Note
    This policy script example is created for the ticket authentication template with authentication stack as mentioned in the steps above.
    Example
    // Selects the login module that acts as second factor. When no login
    // information is available (for example a request that only carries a
    // logon ticket), the ticket evaluation takes that slot instead of SAML2.
    function disableMobileSSO(logger, loginInfo, config)
    {
      var secondFactor;
      if (loginInfo)
      {
        secondFactor = "SAML2LoginModule";
      }
      else
      {
        secondFactor = "EvaluateTicketLoginModule";
      }
      config.setProperty("tfa.second.factor.login.module", secondFactor);
    }

    // Called when the policy script is loaded for a login request.
    function onInitialize(config, context)
    {
      var logger = context.getLogger();
      var loginInfo = context.getLoginInfo();

      disableMobileSSO(logger, loginInfo, config);
    }

    // Called after BasicPasswordLoginModule (the first factor) succeeded.
    function onFirstStageLogin(config, context, result)
    {
      var loginInfo = context.getLoginInfo();
      var user = loginInfo.getUser();
      config.setProperty("tfa.second.factor.login.module", "SAML2LoginModule");

      if (!requireSecondFactor(user))
      {
        result.doNotRequireSecondFactor();
      }
    }

    // Returns true when SAML2LoginModule must run as second factor.
    // Specify below the user attribute that defines when and if the
    // SAML2LoginModule should be called. A missing (null) attribute never
    // matches, so the second factor stays required for such users.
    function requireSecondFactor(user)
    {
      var userCountry = user.getCountry();
      if (userCountry !== null && String(userCountry).toUpperCase() === "DE")
      {
        return false;
      }
      return true;
    }
    
  6. On the One-Time Password Administration UI, Settings tab, below the Two-Factor Authentication section, press the Policy Script... button and choose the policy script that was just created.
  7. Save the configurations.
  8. Select the Policy checkbox in order to activate the policy.

Once this configuration has been completed, all employees of MyCompany log on to any application protected with the ticket template (for example the portal page) with BasicPasswordLoginModule as first factor and, optionally, SAML2LoginModule as second factor. Before SAML2 authentication is demanded, the policy script checks whether the second factor is required for this specific user, based on the user attribute evaluated in the script. If it is not required, the user logs on with user name and password only; if it is required, SAML2LoginModule is triggered.
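The policy scripts in Example 3 and Example 5 run only inside the SAP policy-script engine, so their decision logic cannot be exercised on a workstation as written. The harness below is an added example, not code from SAP or from this page: it re-implements the same country-based rule and drives it with constructed stand-ins for the host objects (config, context, loginInfo, user, result) that expose only the calls the two scripts above make (getLoginInfo, getUser, getCountry, getLogger, setProperty, doNotRequireSecondFactor). The names isExempt, evaluate, makeConfig, makeContext, runSamples and SECOND_FACTOR_EXEMPT_COUNTRIES belong to the harness and are not part of the SAP API; getProperty on the config stub is likewise a harness assumption. Beyond the German and non-German users, it covers the two cases worth checking before activating the Policy checkbox: a user without a country attribute (the second factor must stay required) and a request without login information (the ticket evaluation takes the second-factor slot, as in Example 5).

```javascript
"use strict";

const SECOND_FACTOR_KEY = "tfa.second.factor.login.module";

// Harness assumption: a simple allow-list of exempt countries, matching the
// "DE" rule used by the scripts on this page.
const SECOND_FACTOR_EXEMPT_COUNTRIES = ["DE"];

// Fail closed: a null, undefined or empty country attribute never matches,
// so only an explicit match can waive the second factor.
function isExempt(userCountry) {
  if (userCountry === null || userCountry === undefined) {
    return false;
  }
  const country = String(userCountry).trim().toUpperCase();
  return country !== "" && SECOND_FACTOR_EXEMPT_COUNTRIES.indexOf(country) !== -1;
}

// Hook run when the script is loaded for a login request (Example 5):
// without login information the ticket evaluation acts as second factor.
function onInitialize(config, context) {
  const loginInfo = context.getLoginInfo();
  config.setProperty(
    SECOND_FACTOR_KEY,
    loginInfo ? "SAML2LoginModule" : "EvaluateTicketLoginModule"
  );
}

// Hook run after the first factor succeeded (Examples 3 and 5).
function onFirstStageLogin(config, context, result) {
  const user = context.getLoginInfo().getUser();
  config.setProperty(SECOND_FACTOR_KEY, "SAML2LoginModule");
  if (isExempt(user.getCountry())) {
    result.doNotRequireSecondFactor();
  }
}

// ---- constructed stand-ins for the SAP host objects (harness only) ----
function makeConfig() {
  const props = {};
  return {
    setProperty(key, value) { props[key] = value; },
    getProperty(key) { return props[key]; },
  };
}

function makeContext(country, hasLoginInfo) {
  const loginInfo = hasLoginInfo
    ? { getUser() { return { getCountry() { return country; } }; } }
    : null;
  return {
    getLoginInfo() { return loginInfo; },
    getLogger() { return { info() {} }; },
  };
}

// Runs both hooks for one synthetic login and reports the outcome.
function evaluate(country, hasLoginInfo) {
  const config = makeConfig();
  const context = makeContext(country, hasLoginInfo);
  let secondFactorRequired = true;
  const result = {
    doNotRequireSecondFactor() { secondFactorRequired = false; },
  };

  onInitialize(config, context);
  const moduleAfterInit = config.getProperty(SECOND_FACTOR_KEY);
  if (hasLoginInfo) {
    onFirstStageLogin(config, context, result);
  }
  return {
    moduleAfterInit,
    secondFactorModule: config.getProperty(SECOND_FACTOR_KEY),
    secondFactorRequired,
  };
}

// Constructed sample logins: German user, lower-case attribute value, US
// user, user without a country attribute, request without login information.
const SAMPLE_LOGINS = [
  { country: "DE", hasLoginInfo: true },
  { country: "de", hasLoginInfo: true },
  { country: "US", hasLoginInfo: true },
  { country: null, hasLoginInfo: true },
  { country: null, hasLoginInfo: false },
];

function runSamples() {
  return SAMPLE_LOGINS.map((login) =>
    Object.assign({}, login, evaluate(login.country, login.hasLoginInfo))
  );
}

for (const row of runSamples()) {
  console.log(JSON.stringify(row));
}
```

Run it with node; each line reports which module was configured as second factor and whether the second factor is still required. The rule is deliberately fail-closed: only an explicit match on the user attribute calls doNotRequireSecondFactor(), so a user whose country attribute was never maintained is still asked for the second factor.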