Using IBM Security Verify as password-less authentication for SAP BTP
2024-1-4 04:14:24 Author: blogs.sap.com(查看原文) 阅读量:5 收藏

In this blog, we will explain how to use IBM Security Verify with SAP BTP and how to configure password-less multi-factor authentication (MFA), requiring users to provide two forms of identification, bolstering protection against unauthorised access.

IBM Verify offers an alternative to traditional password-based authentication. Instead of relying solely on passwords, it leverages factors such as biometrics (like fingerprint scanner, face recognition … etc.) or device authentication to grant access without the need for entering a password.

Using IBM Security Verify as identity provider augments SAP Business Technology Platform (BTP) security through various additional capabilities such as “Adaptive access” with the integration of fraud prevention solution IBM Trusteer or user lifecycle management across hybrid landscapes.

This is a step-by-step guide on how to setup IBM Security Verify as an Identity Provider for SAP BTP via trust configuration using SAML 2.0 and then to use IBM Security Verify to authentication to SAP BTP by configuring password-less multi-factor authentication options including:

  • “QR Code” scanning the provided QR code using IBM Security Verify mobile app
  • “Security / Touch ID” with IBM Security Verify mobile app or Apple iWatch.

Prerequisites

  • SAP BTP
  • IBM Security Verify
  • Apple iPhone or Android smartphone with IBM Security Verify App
  • Apple iWatch – Sync with your iPhone

Configurations and Settings in IBM Security Verify and SAP BTP

Step 1: Log in into IBM Security Verify as an administrator

After login, you will see the home screen:

Step 2: On the left panel click “Applications” under “Applications”. On the right side of the screen, there is a “Add application” button. Click on it.

Step 3: Enter the necessary details under “General” section as below:

Step 4: Before, we go further let’s login into SAP BTP account

Now, click on “SAML Metadata” button which will download the file.

Step 5: Now, Get back to IBM Security Verify and click on “Sign-on” section and select “Use metadata” checkbox. It will allow us to upload the metadata file which we have downloaded from SAP BTP as above.

Step 6: Now, select “Access Policy” under “Security” section from the left panel of the screen to create a new access policy and click on “Add Policy” as suggested below :

Select “Federated sign-on policy” while creating a new policy :

Click on “Add rule” to define the rules within the policy:

Step 7: Now, the policy “MFA for app Test” developed in response to the above proposal will be selected  in the “Applications” section of “Applications” as seen below:

Step 8:  Navigate to “Authentication factors” under “Authentication” and set the details of different authentication factors:

Step 9 : Scroll down and make sure that QR code login configuration feature is enabled.

Step 10 : Navigate to “Sign-in option” under “Security” tab and check that QR code login configuration is enabled for cloud directory identifier as mentioned in the below screenshots.

Follow the same process and enable QR code login configuration for IBMid identity provider.

Step 11: Return to the SAP BTP cockpit and navigate to “Trust Configuration” under “Security” section. Here, click on “New Trust Configuration” button as below :

Step 12: Next, add the details such as “Metadata” which we got from “IBM Security Verify” and fill the details as shown in below screenshots:

You can get the above “Metadata” file from IBM Security Verify. Go to “Sign on” and on the right side of the screen download the file from the given URL and upload the same in SAP BTP as highlighted below:

We now have a custom identity provider called “IBM Verify” that we developed using the techniques outlined above.

We have completed the configurations in IBM Security Verify and SAP BTP. Let’s test it now.

Testing: Multi-Factor Authentication (MFA) in SAP BTP

First, download and install the IBM Verify application on your mobile from “App store” for iPhones “Play Store” for android phones. Refer to IBM Verify help or connect to your local admin to set up the application on your mobile.

App Store

Play Store

Log in to SAP BTP and choose the sub-account you want to use. In the “Services” section, select “Instance and services” as below:

Click on the application you want to access. Here, I want to access “SAP Business Application Studio”.

You will be navigated to a new page and will have multiple options. Select the custom one which you have created. In our case, we’ll select “httpsibmlabs.verify.ibm.comsamlspssa”.

However, you can avoid above screen just by disabling the default identity provider. To disable the same navigate to Trust configuration -> Default identity provider -> Actions and click on edit. Disable the checkbox “Available for User Logon”.

Now, you are on another page and you can scan QR code from IBM Verify application for password-less authentication.

Open the “IBM Verify” mobile application in your mobile and click on scan button on right top corner of the mobile screen and scan the QR code from mobile as displayed below:

After successful QR scanning you will redirect to second factor password-less authentication which gives you following options

You can select any option that you want , I have selected iPhone touch approval from IBM verify application for now so that I will receive notification in my Apple iWatch for touch approval as shown in below screenshots:

Once approved you can access the respective application.

As it’s a password-less authentication user has no need to worry about credential to login and getting it authorised through your mobile application as simple as above.

Conclusion

With the option to add another than the default identity provider in SAP BTP, this allows the use of IBM Security Verify and brings all its capabilities to strengthen the security of SAP BTP applications including the use of additional options for password-less and multi-factor authentication.

More information:

If you have any question or query about SAP BTP please refer to SAP Community and for any question or query about IBM Security Verify refer to IBM Security Verify Community.

Credits :

Jainam Salot, Technology Engineer, IBM India Software Labs.

Tushar Trivedi, SAP Solution Architect, IBM India Software Labs.


文章来源: https://blogs.sap.com/2024/01/03/using-ibm-security-verify-as-password-less-authentication-for-sap-btp/
如有侵权请联系:admin#unsafe.sh