How to Add MFA or 2FA to Any SAP Web App Without Upgrading SAP, Using an IdP, or Integrating AD/LDAP

Why SAP Needs Modern MFA / 2FA
SAP systems power mission-critical operations across finance, HR, supply chain, manufacturing, and more. Yet most SAP environments still depend on legacy username/password authentication, which is insufficient for modern security standards and regulatory requirements such as PCI DSS 4.0, NYDFS 500, SOX, HIPAA, and ISO 27001.
Organizations urgently need to add MFA (Multi-Factor Authentication) or 2FA (Two-Factor Authentication) to SAP—but quickly discover that SAP’s legacy architecture makes this extremely difficult.
Legacy SAP Does Not Support Modern MFA or 2FA Natively
Most SAP customers still operate:
- SAP ECC 6.0
- SAP Supplier Relationship Management (SRM) portals based on NetWeaver
- SAP Web GUI (SAP GUI for HTML)
- SAP Enterprise Portal
- Web Dynpro ABAP / Java
- ITS templates
- BSP applications
- Custom ABAP web apps
These legacy applications cannot natively enforce:
- MFA / 2FA
- TOTP (Google Authenticator, Authy)
- Email or SMS OTP
- Push MFA
- FIDO2 / WebAuthn
- Modern SSO (OIDC, OAuth2)
They depend entirely on username + password authentication.
Why Not Use SAP’s Native MFA or SSO Solutions?
SAP offers newer identity tools including:
- SAP Single Sign-On (SSO) 3.0
- SAP Identity Authentication Service (IAS)
- SAP Cloud Identity Services
- Updated SAML2 configurations in Fiori/Gateway
However, enabling these usually requires:
Technical and Architectural Complexity
- SAP upgrades (NetWeaver, Gateway, Fiori)
- SAML/OIDC configuration
- Integrating AD/LDAP
- Deploying a modern IdP (Okta, Entra, Ping, Keycloak)
Significant Cost and Operational Burden
- New SAP license costs
- Basis engineering effort
- Testing across hundreds of business transactions
- Risk to production systems
- Months-long project timelines
Many SAP customers lack AD/LDAP or an IdP—and cannot risk upgrading SAP.
The Datawiza Identity Modernization Platform
Add MFA (2FA) to SAP without SAP upgrades, IdP, AD, LDAP, or SAML/OIDC
The Datawiza Identity Modernization Platform provides a fast, safe, and non-intrusive way to modernize authentication for any SAP web application:
- SAP Web GUI
- SAP Fiori Launchpad
- SAP Enterprise Portal
- Web Dynpro ABAP / Java
- BSP apps
- ITS transactions
- Custom ABAP web apps
- No SAP upgrades
- No IdP
- No AD/LDAP
- No SAML/OIDC
- No Basis involvement
- No modifications to SAP
If the SAP application loads in a browser, Datawiza can add MFA or 2FA to it.
How the Datawiza Identity Modernization Platform Works
1. Datawiza Access Proxy (DAP)
A lightweight reverse proxy that sits in front of the SAP web application and enforces authentication without modifying SAP.
2. Datawiza Built-In MFA/2FA
A modern authentication engine supporting:
- TOTP (Google Authenticator, Authy)
- Email OTP
- SMS OTP
- Push MFA (coming soon)
- Passwordless options
No IdP or directory required
Datawiza does not depend on:
- AD
- LDAP
- Okta
- Entra
- Ping
- Keycloak
Everything works out-of-the-box.
How It Adds MFA to SAP
Using SAP’s Native Login + Datawiza Post-Login MFA Enforcement

Step 1 — User accesses an SAP web application
Examples: /sap/bc/gui/sap/its/webgui, /sap/bc/ui5_ui5/ui2/ushell, /irj/portal
Step 2 — SAP displays its native login page
The user authenticates using the standard SAP login screen.
Step 3 — User enters SAP username and password
Authentication is handled by SAP itself—just like today.
Step 4 — SAP successfully verifies the credentials
At this point, SAP considers the user authenticated.
Step 5 — Datawiza Access Proxy intercepts the authenticated session
Datawiza applies a post-authentication MFA policy, blocking access until MFA is completed.
Step 6 — Datawiza redirects the user to the Datawiza MFA verification page
The user is prompted for the second factor via:
- TOTP
- Email OTP
- SMS OTP
- Push MFA (coming soon)
Step 7 — User completes MFA (2FA) successfully
Datawiza confirms the second factor.
Step 8 — Datawiza grants access to SAP
Only users who have passed both SAP authentication and Datawiza MFA are allowed through.
Step 9 — SAP loads normally
- No SAP upgrades
- No AD/LDAP
- No IdP
- No SAML/OIDC
- No Basis effort
- No changes to NetWeaver or ABAP
SAP remains completely unchanged.
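The nine steps above, sketched as an added example of a post-login MFA gate with TOTP as the second factor. This is not Datawiza's code: the MFA path, class and function names, and the sample user are hypothetical, and it assumes the proxy is handed a session id only after SAP has accepted the password (the page does not say how the proxy detects that).

```python
import base64, hashlib, hmac, struct

MFA_PATH = "/mfa/verify"  # hypothetical path for the proxy's MFA page
STEP = 30                 # TOTP time step in seconds (RFC 6238 default)

def totp(secret_b32, unix_time, digits=6):
    """RFC 6238 TOTP with HMAC-SHA1, as used by authenticator apps."""
    key = base64.b32decode(secret_b32)
    mac = hmac.new(key, struct.pack(">Q", unix_time // STEP), hashlib.sha1).digest()
    off = mac[-1] & 0x0F  # dynamic truncation (RFC 4226)
    num = struct.unpack(">I", mac[off:off + 4])[0] & 0x7FFFFFFF
    return f"{num % 10 ** digits:0{digits}d}"

class PostLoginMfaGate:
    def __init__(self, secrets):
        self.secrets = secrets    # SAP user -> base32 TOTP secret
        self.verified = set()     # session ids that completed MFA
        self.last_step = {}       # user -> last accepted time step (replay guard)

    def decide(self, path, session_id):
        """Routing decision for one request arriving at the proxy."""
        if session_id is None:
            return "forward"      # steps 1-4: SAP shows and checks its own login
        if session_id in self.verified:
            return "forward"      # steps 8-9: both factors passed
        if path == MFA_PATH:
            return "mfa_page"     # serve the challenge itself
        return "redirect:" + MFA_PATH  # steps 5-6: block until MFA completes

    def verify(self, session_id, user, code, now):
        """Step 7: accept a code within +/- one time step, once only."""
        secret = self.secrets.get(user)
        if secret is None:
            return False
        for step in (now // STEP, now // STEP - 1, now // STEP + 1):
            if step <= self.last_step.get(user, -1):
                continue          # already used or negative: reject replay
            expected = totp(secret, step * STEP)
            if hmac.compare_digest(expected.encode(), code.encode()):
                self.last_step[user] = step
                self.verified.add(session_id)
                return True
        return False

# Constructed sample: the RFC 6238 test secret for a made-up user.
RFC_SECRET = base64.b32encode(b"12345678901234567890").decode()
gate = PostLoginMfaGate({"JDOE": RFC_SECRET})
```

A gate of this kind only holds if SAP cannot be reached on any network path that bypasses the proxy, and if the verified-session marker is bound to the SAP session rather than to the user alone.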
Why This Approach Is Better Than SAP’s Native Options
| Feature | SAP Native | Datawiza |
|---|---|---|
| Requires SAP upgrades | Yes | No |
| Modifies SAP configs | Yes | No |
| Requires SAML/OIDC | Yes | No |
| Requires AD/LDAP | Yes | No |
| Requires IdP | Yes | No |
| Additional license cost | High | Included |
| Basis workload | High | Minimal |
| Deployment timeline | Months | Hours |
| Works with SAP Portal | Limited | Full |
For SAP environments without AD/LDAP or IdP—or those avoiding upgrades—Datawiza is the fastest path to SAP MFA (2FA).
Conclusion: Add MFA or 2FA to SAP Without Upgrades
Legacy SAP systems were never built for MFA, 2FA, or Zero-Trust authentication. SAP’s native solutions require costly upgrades, identity infrastructure, and heavy Basis involvement.
The Datawiza Identity Modernization Platform enables MFA (2FA) for ALL SAP web apps with:
- No SAP upgrades
- No IdP
- No AD/LDAP
- No SAML/OIDC
- No Basis changes
- No code changes
- No downtime
For SAP Web GUI, Fiori, Portal, Web Dynpro, ITS, and custom ABAP apps, Datawiza delivers MFA (2FA) modernization in hours—not months.



