Configuring Authentication with a Random Passcode Sent by SMS, E-Mail, or Another Channel

For users who cannot install an authenticator application on their mobile devices, you can configure the passcode to be sent by SMS.

Note

The SMS configuration works out-of-the-box with an SAP Messaging Service, which you need a separate contract for. If you would like to use a third-party Short Message Service (SMS) Gateway, you have to write a policy script that implements the API of the third-party SMS Gateway. For an example script, see SAP Note 2225027 Information published on SAP site.

You can also write a policy script so that the passcode is sent by e-mail. For more information about the out-of-band methods, see Related Information..

Prerequisites

The application is configured to use two-factor authentication, which is the default setting. For more information, see Configuring TOTPLoginModule and RBALoginModule.

Procedure

  1. Log on to SAP NetWeaver Administrator at http(s)://<host>:<port>/nwa.
  2. Configure system VM parameters.

    For more information about the Java system properties, see Related Information.

  3. Configure the SMS destination.

    For more information about the HTTP destination, see Related Information.

  4. Log on to the One-Time Password Administration UI at http(s)://<host>:<port>/ssoadmin/otp.
  5. Choose the Edit button under the Settings tab.
  6. Under the Two-Factor Authentication section, specify the first factor login module, whether the persistent cookie will be issued, and the cookie's options.
  7. Select the Send passcode by SMS checkbox.
  8. To use a policy script, choose the Policy Script... button, enter the script in the new pop-up window, and select the Policy checkbox.

    For information about how to develop policy scripts, see Related Information.

  9. Under the SMS Gateway section, specify the destination, group and UME attribute for mobile number configured in SAP NetWeaver Administrator.
    Note

    The group and the phone number are configured under the Identity Management section..

    You also have to define a message text that includes the [passcode] placeholder.

    Recommendation

    For the SMS message, you should use Latin alphanumeric characters. Some mobile devices do not support characters from other alphabets.

  10. Save your configuration.

Example

As an administrator at Company A, Donna Moore would like to configure the system to send passcodes to partner users who cannot install an authenticator application and cannot set up their mobile devices. To do this, she proceeds as follows:
  1. She logs on to SAP NetWeaver Administrator and goes to Java System Properties: Overview, chooses the System VM Parameters tab and configures the following properties for the selected SMS template:

    Name

    Custom Calculated Value

    http.nonProxyHosts

    localhost|*.companya.corp

    http.proxyHost

    proxy

    http.proxyPort

    8080

    https.nonProxyHosts

    localhost|*.companya.corp

    https.proxyHost

    proxy

    https.proxyPort

    8080

  2. Donna goes to the Destinations: Destinations section and creates a new HTTP destination with name SMS_GATEWAY as she sets the destination URL, username, and password.

  3. She sets a phone number for user Michael Adams with logon ID m_adams under Start of the navigation pathIdentity Management: Overview Next navigation step m_adams Next navigation step Contact InformationEnd of the navigation path by choosing the Modify button and entering the number in the mobile field.

  4. She assigns this user to the Partners group under the Assigned Groups tab.

  5. Donna goes to Authentication and Single Sign-On: Authentication and sets the following TOTPLoginModule option for her policy configuration (application):

    Name

    Value

    tfa.first.factor.login.module

    BasicPasswordLoginModule
  6. She logs on to the One-Time Password Administration UI, selects the Send passcode by SMS checkbox, and enters values in the following fields:

    Field Label

    Field Value

    Destination Name:

    SMS_GATEWAY

    Send SMS to Members of Group:

    Partners

    UME Attribute for Mobile Number:

    mobile

    Message Template:

    Please log on with the following passcode: [passcode].

After completing the configuration, Donna informs Michael that he can log on with passcodes sent by SMS. When Michael accesses the logon page, he first enters his username and password. After successful authentication with the password, a new page appears prompting Michael to enter the passcode he has just been sent by SMS. Michael retrieves the passcode from his phone and logs on to the application.

Related Information