Configuring an OTP-Related Logon Application

For a proper one-time password (OTP) authentication flow with a browser client, you can configure a custom logon application that splits the logon process into two steps. This OTP-related logon application displays one screen for the first factor and, after successful validation of the first credential, requests the credential for the second factor on a separate screen.

Context

By setting the OTP-related logon application, you make the following improvements available on the logon pages of any application:

  • Separate pages for password and passcode

    Users enter the password and the passcode on separate logon screens, rather than concatenated in one field.

  • Policy scripts

    Policy scripts developed to show messages on logon pages work only with the OTP-related logon application. That means that if your policy script uses scopes for full access or limited access authorizations, the logon screen works only with the OTP-related logon application.

  • Require user confirmation for automatic logon setting in the One-Time Password Administration UI.

    Users only see a confirmation screen during automatic logon if the OTP-related logon application is configured. This confirmation protects the application from various attacks.

  • Trust this computer or Trust this device checkbox

    When the OTP-related logon application is configured, users can trust their computers or mobile devices during two-factor authentication by selecting a checkbox. After selecting the checkbox, they log on to the application with one factor only the next time.

    You can perform this configuration in the One-Time Password Administration UI by selecting the Require User Consent checkbox under Settings > Two-Factor Authentication, or by writing a policy script. For more details on how to develop a policy script, see Related Information.

Procedure

  1. Log on to SAP NetWeaver Administrator at http(s)://<host>:<port>/nwa.
  2. Choose the Configuration tab.
  3. Choose the Authentication and Single Sign-On link.
  4. Choose the Authentication tab and the Properties link.
  5. Choose the Modify button.
  6. Under the Logon Application section, set the Alias of Application for Customizing Login Pages (ume.logon.application.ui_resources_alias) property with value /otp_logon_ui_resources.
  7. Save your configuration.

Using a Company-Specific Logon Application

To use your own logon application with OTP authentication, you have to customize the OTP-related logon application instead of the default logon UI application. You can find the OTP-related logon application under the following path: <ASJava_Installation>/j2ee/cluster/apps/sap.com/sso~otp~ear/servlet_jsp/otp_logon_ui_resources/sap.com~sso~otp~logon~ui.war

When customizing your OTP logon application, note that you have to update the corresponding .jsp file, depending on how the application is accessed.

For example:
  • For HTTP access, update the logonPage.jsp
  • For HTTPS access, update the certLogonPage.jsp
  • For access from mobile devices, update certLogonPageMobile.jsp or logonPageMobile.jsp in the mobile folder

For more information on how to develop a custom logon screen, see Related Information.

Note

In the <project_name>/EARContent/META-INF/application-j2ee-engine.xml file, change the reference so that it points to the OTP-related logon application (sso~otp~ear).

Sample Code
<?xml version="1.0" encoding="UTF-8"?> 
<!DOCTYPE application-j2ee-engine SYSTEM 'application-j2ee-engine.dtd'>
<application-j2ee-engine
	xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
	xsi:noNamespaceSchemaLocation="application-j2ee-engine.xsd">
	<reference reference-type="hard">
		<reference-target
		 provider-name="sap.com"
		 target-type="application">sso~otp~ear</reference-target>
	</reference>
	<provider-name>example.com</provider-name>
	<start-up mode="manual"/>
</application-j2ee-engine>
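A deployment that still references the default logon UI silently falls back to single-step logon, so it is worth checking the descriptor before the EAR is built. The following script is an added example, not part of the SAP documentation or product: it parses an application-j2ee-engine.xml and confirms that it declares a hard reference to sso~otp~ear from provider sap.com with target type application, as the sample above requires. The well-formed descriptor is the page's sample; the stale and weak variants are constructed to show what the check rejects. The function and variable names are this example's own.

```python
"""Check that an application-j2ee-engine.xml descriptor references the
OTP-related logon application (sso~otp~ear) with a hard reference.

Added example; not SAP's code. Only the expected values below come from
the documentation, everything else is this example's own construction.
"""
import sys
import xml.etree.ElementTree as ET

EXPECTED_TARGET = "sso~otp~ear"      # from the documentation
EXPECTED_PROVIDER = "sap.com"        # from the documentation
EXPECTED_TARGET_TYPE = "application"  # from the documentation
EXPECTED_REFERENCE_TYPE = "hard"      # from the documentation

# The page's sample descriptor, embedded here so the check runs offline.
GOOD_DESCRIPTOR = """<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE application-j2ee-engine SYSTEM 'application-j2ee-engine.dtd'>
<application-j2ee-engine
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:noNamespaceSchemaLocation="application-j2ee-engine.xsd">
    <reference reference-type="hard">
        <reference-target
         provider-name="sap.com"
         target-type="application">sso~otp~ear</reference-target>
    </reference>
    <provider-name>example.com</provider-name>
    <start-up mode="manual"/>
</application-j2ee-engine>
"""

# Constructed negative cases: a descriptor that still references some other
# application (placeholder name), and one whose reference is not hard.
STALE_DESCRIPTOR = GOOD_DESCRIPTOR.replace("sso~otp~ear", "placeholder~other~app")
WEAK_DESCRIPTOR = GOOD_DESCRIPTOR.replace('reference-type="hard"', 'reference-type="weak"')


def check_otp_reference(descriptor_xml: str) -> list[str]:
    """Return a list of problems found; an empty list means the descriptor
    references the OTP-related logon application correctly."""
    problems: list[str] = []
    try:
        # ElementTree does not fetch the external DTD named in the DOCTYPE,
        # so parsing works without the .dtd file being present.
        root = ET.fromstring(descriptor_xml)
    except ET.ParseError as exc:
        return [f"descriptor is not well-formed XML: {exc}"]

    if root.tag != "application-j2ee-engine":
        problems.append(f"unexpected root element <{root.tag}>")

    found = False
    for ref in root.findall("reference"):
        for target in ref.findall("reference-target"):
            if (target.text or "").strip() != EXPECTED_TARGET:
                continue
            found = True
            if ref.get("reference-type") != EXPECTED_REFERENCE_TYPE:
                problems.append(
                    f"reference to {EXPECTED_TARGET} must be reference-type="
                    f"\"{EXPECTED_REFERENCE_TYPE}\", got {ref.get('reference-type')!r}")
            if target.get("provider-name") != EXPECTED_PROVIDER:
                problems.append(
                    f"reference to {EXPECTED_TARGET} must use provider-name="
                    f"\"{EXPECTED_PROVIDER}\", got {target.get('provider-name')!r}")
            if target.get("target-type") != EXPECTED_TARGET_TYPE:
                problems.append(
                    f"reference to {EXPECTED_TARGET} must use target-type="
                    f"\"{EXPECTED_TARGET_TYPE}\", got {target.get('target-type')!r}")
    if not found:
        problems.append(
            f"no <reference-target> for {EXPECTED_TARGET}: the application "
            "will not use the OTP-related logon application")
    return problems


def check_file(path: str) -> list[str]:
    """Run the check against a descriptor on disk (path is caller-supplied)."""
    with open(path, encoding="utf-8") as fh:
        return check_otp_reference(fh.read())


if __name__ == "__main__":
    # With a path argument, check that file; otherwise demonstrate on the
    # embedded descriptors.
    if len(sys.argv) > 1:
        issues = check_file(sys.argv[1])
    else:
        for label, text in (("sample", GOOD_DESCRIPTOR),
                            ("stale", STALE_DESCRIPTOR),
                            ("weak", WEAK_DESCRIPTOR)):
            print(label, check_otp_reference(text) or "OK")
        issues = []
    sys.exit(1 if issues else 0)
```

Run it with the path to the EARContent/META-INF/application-j2ee-engine.xml of your custom logon project; a non-zero exit status means the descriptor would not bind the application to the OTP-related logon application as the Note requires.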