You can define rules for authentication according to different risk factors and apply actions like Allow, Deny, and Two-Factor Authentication.
Authentication Rules
The created rules are displayed sorted by priority. When a user tries to access the application, the rules evaluate if the user meets the criteria of the rule. The evaluation starts with the rule with the highest priority, until the criteria of a rule are met. If the criteria of a rule are met, the rest of the rules aren’t evaluated.
Default Authentication Rule
If none of the authentication rules meets the criteria, the default authentication rule is applied. For the default authentication rule, you can configure a Default Action, which can be Allow, Deny, or Two-Factor Authentication.
If Two-Factor Authentication is selected, additionally, you must specify the two-factor method or methods for the user.
The rule is valid for any IP range, Forwarded IP Range, Group, Authentication Method, or User Type.
-
(For RADIUS Server Two-Factor Authentication) You have requested this feature. For more information how to request and configure RADIUS server in Identity Authentication, see Configure RADIUS Server Settings (Beta).
-
(For SMS Two-Factor Authentication) You have an account in Sinch Service. You have configured Sinch Service in the administration console for SAP Cloud Identity Services. For more information, see Configure Sinch Service in Administration Console.
Sinch Verification account is purchased separately. It isn’t part of the Identity Authentication contract.
-
(For Email OTP Code) An Email OTP Code template for the respective languages must exist in the tenant to apply the email OTP code method. If the template does not exist, the user will see the option but when choosing it, the following message will appear: "Sorry, but you are currently not authorized for access".
For more information how to add email templates, see Edit or Add an Email Template Set.
We recommend you to enable the back-up channels. Thus, the users can use the option as an alternative when they don't have access to the TOTP device or application.. For more information, see Enable Back-Up Channels to Send Passcode for Deactivation of TOTP Two-Factor Authentication Devices.
-
Sign in to the administration console for SAP Cloud Identity Services.
-
Under Applications and Resources, choose the Applications tile.
-
Choose the list item of the application that you want to edit.
If you do not have a created application in your list, you can create one. For more details, see Related Information.
The list also includes the
Administration Consoleapplication. If you enable risk-based authentication for that application, make sure that you, as a tenant administrator, meet the authentication rules and the default authentication rule. Otherwise when you log out of the administration console you will not be able to log in it again if you don't meet the rules.If
Administration Consoleis not in the list of the applications you may request it. To do this, report an incident with a subject on SAP Support Portal Home under the componentBC-IAM-IDS. -
Choose the Authentication and Access tab.
-
Under AUTHENTICATION, choose Risk-Based Authentication.
-
Optional: Configure the authentication rules. To configure the authentication rules, choose one of the following:
Option
Description
Create a new rule
Edit an existing rule
Choose the
icon next to the rule you want to edit.Delete an existing rule
Choose the delete
icon next to the rule you want to delete.Reprioritize rules
Use the arrows to reprioritize the rules.
By default any user can log on from any IP.
-
Optional: Configure the Default Action:
- Allow - Any user can log on from any IP. This is the default choice.
- Deny - Nobody can log on.
- Two-Factor Authentication - A drop-down appears when this choice is selected. You must specify the two-factor authentication method or methods for the end user.
-
Save your changes.
Once the application has been updated, the system displays the message Authentication rules updated.
Related Information