configure-default-risk-based-authentication-for-all-applications-in-the-tenant-1aab51a.md

Configure Default Risk-Based Authentication for All Applications in the Tenant

You can define rules for authentication according to different risk factors and apply actions like Allow, Deny, and Two-Factor Authentication for all applications in a tenant.

  • You are assigned the Manage Tenant Configuration role. For more information about how to assign administrator roles, see Edit Administrator Authorizations.

  • (For RADIUS Server Two-Factor Authentication) You have requested this feature. For more information about how to request and configure a RADIUS server in Identity Authentication, see Configure RADIUS Server Settings (Beta).

  • (For SMS Two-Factor Authentication) You have an account in Sinch. You have configured Sinch Verification in the administration console for Identity Authentication. For more information, see Configure Sinch Service in Administration Console.

    Note:

    Sinch Verification account is purchased separately. It is not part of the Identity Authentication contract.

  • (For Email OTP Code) An Email OTP Code template for the respective languages must exist in the tenant to apply the email OTP code method. If the template does not exist, the user will see the option but when choosing it, the following message will appear: "Sorry, but you are currently not authorized for access".

    For more information about how to add email templates, see Edit or Add an Email Template Set.

Caution:

Be careful when you set authentication rules for the tenant. The rules apply to all applications in the tenant, including the Administration Console, if those applications still use the default risk-based authentication (no rules created; default action - Allow). The changes apply immediately when saved, and you may not be able to log in to the Administration Console again if you don't meet the rules.

On the other hand, if a specific application has its own risk-based authentication configuration that differs from the default one (no rules created; default action - Allow), and you apply default risk-based authentication for the tenant, the tenant rules won't apply to that specific application.

For more information about how to apply risk-based authentication for a specific application, see Configure Risk-Based Authentication for an Application.

The configured rules manage authentication according to IP range (specified in CIDR notation), group membership, authentication method, and type of the authenticating user.

Authentication Rules

The created rules are displayed sorted by priority. When a user tries to access the application, the rules are evaluated to check whether the user meets their criteria. Evaluation starts with the rule with the highest priority and continues until the criteria of a rule are met. Once the criteria of a rule are met, the remaining rules are not evaluated.

Default Authentication Rule

If none of the authentication rules matches, the default authentication rule is applied. For the default authentication rule, you can only configure Default Action, which can be Allow, Deny, or Two-Factor Authentication.

Note:

If Two-Factor Authentication is selected, additionally, you must specify the two-factor method or methods for the user.

The rule is valid for any IP range, Forwarded IP Range, Group, Authentication Method, or User Type.

Note:

We recommend that you enable the back-up channels. This way, users can use a back-up channel as an alternative when they don't have access to the TOTP device or application. For more information, see Enable Back-Up Channels to Send Passcode for Deactivation of TOTP Two-Factor Authentication Devices.

Remember:

It takes 2 minutes for the configuration changes to take effect.

  1. Sign in to the administration console for SAP Cloud Identity Services.

  2. Under Applications and Resources, choose the Tenant Settings tile.

    At the top of the page, you can view the administrative and license-relevant information of the tenant.

  3. Under Authentication, choose Risk-Based Authentication.

  4. Optional: Configure the authentication rules. Choose one of the following:

    | Option | Description |
    | --- | --- |
    | Create a new rule | See Create a New Rule for Risk-Based Authentication on Tenant Level. |
    | Edit an existing rule | Choose the icon next to the rule you want to edit. |
    | Delete an existing rule | Choose the delete icon next to the rule you want to delete. |
    | Reprioritize rules | Use the arrows to reprioritize the rules. |

    Note:

    By default, any user can log on from any IP.

  5. Optional: Configure the Default Action:

    • Allow - Any user can log on from any IP. This is the default choice.
    • Deny - Nobody can log on.
    • Two-Factor Authentication - A drop-down appears when this choice is selected. You must specify the two-factor authentication method or methods for the end user.
  6. Save your changes.

    Once the tenant has been updated, the system displays the message Authentication rules updated.

Related Information

Tenant SAML 2.0 Configuration

Tenant OpenID Connect Configurations

Change Tenant Texts Via Administration Console

Configure Master Data Texts Via Administration Console

Configure Links Section on Sign-In Screen

Add Instructions Section on Sign-In Screen

Configure X.509 Client Certificates for User Authentication

Configure Tenant Images

Configure Allowed Logon Identifiers

Configure User Identifier Attributes

Configure Trust this browser Option

Enable Back-Up Channels to Send Passcode for Deactivation of TOTP Two-Factor Authentication Devices

Enable Users to Recover Password with Security Questions

Enable Users to Recover Password with PIN Code

Configure Initial Password and Email Link Validity

Configure Session Timeout

Configure Trusted Domains

Use Custom Domain in Identity Authentication

Change a Tenant's Display Name

Configure Sinch Service in Administration Console

Configure RADIUS Server Settings (Beta)

Configure Mail Server for Application Processes

Configure IdP-Initiated SSO

Send Security Alert Emails

Send System Notifications via Emails

Configure Customer-Controlled Encryption Keys in Administration Console (Restricted Availability)

Configure Default Language for End User Screens

Configure P-User Next Index

Reuse SAP Cloud Identity Services Tenants for Different Customer IDs

You can create rules for authentication according to different risk factors.

Context

Caution:

The rules apply to all applications in the tenant, including the Administration Console application. If you enable risk-based authentication for the tenant, make sure that you, as a tenant administrator, meet the authentication rules and the default authentication rule. The changes apply immediately when saved, and you may not be able to log in to the Administration Console again if you don't meet the rules.

Each rule contains the following information:

  • Authentication Action

    This action is performed when the rule conditions are met.

    You can choose one of the following authentication actions:

    • Allow

      Identity Authentication allows the authentication of the user in accordance with the rule conditions.

    • Deny

      Identity Authentication denies the authentication of the user in accordance with the rule conditions. You can set this action for a test application for example, or before an application goes live.

      As long as this rule is valid, when users try to log on to the application, they get the following message: Sorry, but you are currently not authorized for access.

    • Two-Factor Authentication

      Note:

      If Two-Factor Authentication is selected, additionally, you must specify the two-factor method or methods for the user:

      • TOTP Two-Factor Authentication

        Identity Authentication asks for two factors to authenticate the user.

        If you set TOTP two-factor authentication, users are required to provide a time-based one-time password (TOTP), called a passcode, in addition to their primary credentials. Users also have to install an authenticator application on their mobile devices to generate TOTP passcodes.

        TOTP passcodes are time-based and valid for one logon attempt only.

      • SMS Two-Factor Authentication

        Identity Authentication asks for two factors to authenticate the user.

        If you set SMS two-factor authentication, users are required to provide an SMS code sent to their mobile devices in addition to their primary credentials.

        Remember:

        To use SMS Two-Factor Authentication, you must have configured Sinch Verification in the administration console for SAP Cloud Identity Services. For more information, see Configure Sinch Service in Administration Console.

        Users must have their mobile phone numbers verified. The tenant administrator can verify phone numbers manually in the administration console or via the SCIM API. For more information, see List and Edit User Details and Update User Resource (Deprecated).

        If the user does not have a verified phone number, the number is verified during the first logon for which an SMS code is required. After providing the user name and credentials, the user enters the phone number in the field and requests a code, then enters the received code in the respective field and chooses Continue. If the submitted code is correct, the user is allowed access, and the telephone number is verified.

      • Web Two-Factor Authentication

        Identity Authentication asks for two factors to authenticate the user.

        If you set web two-factor authentication, users are required to authenticate with a device such as a built-in biometric scanner or a USB, Bluetooth, or Near-Field Communication (NFC) device in addition to their primary credentials.

      • Email OTP Code

        For security reasons, the Email OTP code is not a recommended two-factor authentication method. You may consider using some of the other methods instead.

        Identity Authentication asks for two factors to authenticate the user.

        If you set Email OTP Code, users are required to provide the code sent to their email in addition to their primary credentials.

        Remember:

        An Email OTP Code template for the respective languages must exist in the tenant to apply the email OTP code method. If the template does not exist, the user will see the option but when choosing it, the following message will appear: "Sorry, but you are currently not authorized for access".

        For more information about how to add email templates, see Edit or Add an Email Template Set.

      • RADIUS Server Two-Factor Authentication

        If you set RADIUS Server Two-Factor Authentication, users are required to provide a RADIUS passcode in addition to their primary credentials. Users must have a RADIUS token (hard or soft) configured for them to generate passcodes. For more information about how to configure a RADIUS server in Identity Authentication, see Configure RADIUS Server Settings (Beta).

    The Action field is mandatory.

  • IP Range

    Define a range of IP addresses that authentication requests to Identity Authentication can be sent from. The value has to be specified in Classless Inter-Domain Routing (CIDR) notation.

    Note:

    By default the field is empty, meaning that any IP is allowed.

    Example:

    Enter 123.45.67.1/24 to allow users to log on from any IP starting with 123.45.67.

    If no IP range is defined, the rule is valid for all IP ranges.

  • Forwarded IP Range

    Define a range of IP addresses for the original IP addresses that authentication requests to Identity Authentication can be sent from. This range is used in conjunction with IP Range in scenarios where authentication requests to Identity Authentication are made by a proxy on-behalf of the user/client. The value has to be specified in Classless Inter-Domain Routing (CIDR) notation.

    Remember:

    To specify the Forwarded IP Range, the IP Range must be defined first.

  • Authentication Method

    Specify the authenticating method, which the authenticating user has to use. If no method is selected, the rule is valid for any of the methods.

  • User Type

    Specify the type, which the authenticating user must have. If no user type is selected, the rule is valid for any of the types.

  • Group Type

    • Cloud Group - default choice
    • On-Premise Group

  • Group

    Specify a cloud or on-premise group, which the authenticating user has to be a member of. If no group is selected, the rule is valid for all users.

    If the rule is valid for an on-premise group, type in the name of the corporate user store group, for which this rule should be valid.

    The cloud groups have to be configured in the administration console for Identity Authentication. For more information, see Managing Groups.

  • Corporate Attribute

    Specify an attribute from the corporate identity provider (IdP) assertion, based on which the rule action will be applied.

    The rule must include the attribute name and value. It is valid only when the specified name and value are found in the assertion from the corporate IdP.

    Note:

    For this rule, the Apply Application Configurations option of Identity Federation must be enabled. For more information, see Configure Identity Federation.

  • Email Domain

    Specify a domain for the email of the authenticating user.

The fields IP Range, Forwarded IP Range, Group, Authentication Method, and User Type are not mandatory, but at least one of them has to be specified.

  1. Sign in to the administration console for SAP Cloud Identity Services.

  2. Under Applications and Resources, choose the Tenant Settings tile.

    At the top of the page, you can view the administrative and license-relevant information of the tenant.

  3. Under Customization, choose Risk-Based Authentication.

  4. Choose Create Rule.

  5. Fill in the fields on the New Risk-Based Authentication Rule window.

  6. Choose Create.

  7. Save your changes.
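To show what a rule created with the steps above does at logon time, the following Python is an added example and not SAP's code: it models the evaluation described under Authentication Rules and Default Authentication Rule (rules tried in priority order, the first match decides, the default action otherwise) over the rule fields listed above, and it enforces the constraints the page states for a rule (the Action field is mandatory, at least one of IP Range, Forwarded IP Range, Group, Authentication Method or User Type is set, and Forwarded IP Range requires IP Range). The `Rule` and `Request` structures, their field names and all sample addresses, groups and user types are assumptions constructed for illustration.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import FrozenSet, List, Optional, Tuple

ALLOW, DENY, TWO_FACTOR = "Allow", "Deny", "Two-Factor Authentication"


@dataclass(frozen=True)
class Rule:
    """One risk-based authentication rule (field names are assumptions)."""
    action: str
    ip_range: Optional[str] = None            # CIDR, e.g. "123.45.67.1/24"
    forwarded_ip_range: Optional[str] = None  # CIDR of the original client behind a proxy
    group: Optional[str] = None
    auth_method: Optional[str] = None
    user_type: Optional[str] = None
    email_domain: Optional[str] = None
    two_factor_methods: Tuple[str, ...] = ()

    def __post_init__(self):
        if self.action not in (ALLOW, DENY, TWO_FACTOR):
            raise ValueError("the Action field is mandatory")
        if not any((self.ip_range, self.forwarded_ip_range, self.group,
                    self.auth_method, self.user_type)):
            raise ValueError("at least one of IP Range, Forwarded IP Range, Group, "
                             "Authentication Method or User Type must be specified")
        if self.forwarded_ip_range and not self.ip_range:
            raise ValueError("Forwarded IP Range requires IP Range to be defined first")
        if self.action == TWO_FACTOR and not self.two_factor_methods:
            raise ValueError("Two-Factor Authentication requires at least one method")
        # Reject malformed CIDR when the rule is created, not at logon time.
        for cidr in (self.ip_range, self.forwarded_ip_range):
            if cidr:
                ip_network(cidr, strict=False)


@dataclass(frozen=True)
class Request:
    """What the evaluator knows about one authentication attempt (constructed shape)."""
    ip: str                                   # peer address as seen by the service
    forwarded_ip: Optional[str] = None        # original client address supplied by a proxy
    groups: FrozenSet[str] = frozenset()
    auth_method: str = "Password"
    user_type: str = "employee"
    email: str = ""


def in_cidr(ip: Optional[str], cidr: Optional[str]) -> bool:
    if cidr is None:
        return True        # condition not set: the rule is valid for all ranges
    if ip is None:
        return False       # condition set but no address to test against
    # strict=False masks host bits, so "123.45.67.1/24" covers 123.45.67.0-255
    return ip_address(ip) in ip_network(cidr, strict=False)


def matches(rule: Rule, req: Request) -> bool:
    return (in_cidr(req.ip, rule.ip_range)
            and in_cidr(req.forwarded_ip, rule.forwarded_ip_range)
            and (rule.group is None or rule.group in req.groups)
            and (rule.auth_method is None or rule.auth_method == req.auth_method)
            and (rule.user_type is None or rule.user_type == req.user_type)
            and (rule.email_domain is None
                 or req.email.lower().endswith("@" + rule.email_domain.lower())))


def evaluate(rules: List[Rule], default_action: str, req: Request,
             default_methods: Tuple[str, ...] = ()) -> Tuple[str, Tuple[str, ...]]:
    """Rules are given in priority order; the first matching rule decides and
    the rest are not evaluated. If none matches, the default action applies."""
    for rule in rules:
        if matches(rule, req):
            return rule.action, rule.two_factor_methods
    return default_action, default_methods


if __name__ == "__main__":
    rules = [
        Rule(ALLOW, ip_range="123.45.67.1/24"),                            # page's example range
        Rule(ALLOW, ip_range="10.0.0.0/8", forwarded_ip_range="203.0.113.0/24"),
        Rule(TWO_FACTOR, user_type="employee", two_factor_methods=("TOTP",)),
    ]
    print(evaluate(rules, DENY, Request(ip="123.45.67.200")))
    print(evaluate(rules, DENY, Request(ip="10.1.2.3", forwarded_ip="203.0.113.9")))
    print(evaluate(rules, DENY, Request(ip="198.51.100.7", user_type="partner")))
```

Two details of the model follow directly from the page: an unset condition matches everything, which is why a rule with no conditions at all is refused, and a Forwarded IP Range only helps when the proxy's own address is also constrained by IP Range, since a forwarded header is supplied by whoever sends the request. Choosing Deny as the default action, as in the sample, means anyone not covered by a rule (tenant administrators included) is locked out, which is the caution the page raises.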