November 17, 2025

How to Add MFA or 2FA to Any SAP Web App Without Upgrading SAP, Using an IdP, or Integrating AD/LDAP


Why SAP Needs Modern MFA / 2FA

SAP systems power mission-critical operations across finance, HR, supply chain, manufacturing, and more. Yet most SAP environments still depend on legacy username/password authentication, which is insufficient for modern security standards and regulatory requirements such as PCI DSS 4.0, NYDFS 500, SOX, HIPAA, and ISO27001.

Organizations urgently need to add MFA (Multi-Factor Authentication) or 2FA (Two-Factor Authentication) to SAP—but quickly discover that SAP’s legacy architecture makes this extremely difficult.

Legacy SAP Does Not Support Modern MFA or 2FA Natively

Most SAP customers still operate:

  • SAP ECC 6.0
  • SAP Supplier Relationship Management (SRM) portals based on NetWeaver
  • SAP Web GUI (SAP GUI for HTML)
  • SAP Enterprise Portal
  • Web Dynpro ABAP / Java
  • ITS templates
  • BSP applications
  • Custom ABAP web apps

These legacy applications cannot natively enforce:

  • MFA / 2FA
  • TOTP (Google Authenticator, Authy)
  • Email or SMS OTP
  • Push MFA
  • FIDO2 / WebAuthn
  • Modern SSO (OIDC, OAuth2)

They depend entirely on username + password authentication.

Why Not Use SAP’s Native MFA or SSO Solutions?

SAP offers newer identity tools including:

  • SAP Single Sign-On (SSO) 3.0
  • SAP Identity Authentication Service (IAS)
  • SAP Cloud Identity Services
  • Updated SAML2 configurations in Fiori/Gateway

However, enabling these usually requires:

Technical and Architectural Complexity

  • SAP upgrades (NetWeaver, Gateway, Fiori)
  • SAML/OIDC configuration
  • Integrating AD/LDAP
  • Deploying a modern IdP (Okta, Entra, Ping, Keycloak)

Significant Cost and Operational Burden

  • New SAP license costs
  • Basis engineering effort
  • Testing across hundreds of business transactions
  • Risk to production systems
  • Months-long project timelines

Many SAP customers lack AD/LDAP or an IdP—and cannot risk upgrading SAP.

The Datawiza Identity Modernization Platform

Add MFA (2FA) to SAP without SAP upgrades, IdP, AD, LDAP, or SAML/OIDC

The Datawiza Identity Modernization Platform provides a fast, safe, and non-intrusive way to modernize authentication for any SAP web application:

  • SAP Web GUI
  • SAP Fiori Launchpad
  • SAP Enterprise Portal
  • Web Dynpro ABAP / Java
  • BSP apps
  • ITS transactions
  • Custom ABAP web apps

  • No SAP upgrades
  • No IdP
  • No AD/LDAP
  • No SAML/OIDC
  • No Basis involvement
  • No modifications to SAP

If the SAP application loads in a browser, Datawiza can add MFA or 2FA to it.

How the Datawiza Identity Modernization Platform Works

1. Datawiza Access Proxy (DAP)

A lightweight reverse proxy that sits in front of the SAP web application and enforces authentication without modifying SAP.

2. Datawiza Built-In MFA/2FA

A modern authentication engine supporting:

  • TOTP (Google Authenticator, Authy)
  • Email OTP
  • SMS OTP
  • Push MFA (coming soon)
  • Passwordless options

No IdP or directory required

Datawiza does not depend on:

  • AD
  • LDAP
  • Okta
  • Entra
  • Ping
  • Keycloak

Everything works out-of-the-box.

How It Adds MFA to SAP

Using SAP’s Native Login + Datawiza Post-Login MFA Enforcement

Step 1 — User accesses an SAP web application

Examples:

  • /sap/bc/gui/sap/its/webgui
  • /sap/bc/ui5_ui5/ui2/ushell
  • /irj/portal

Step 2 — SAP displays its native login page

The user authenticates using the standard SAP login screen.

Step 3 — User enters SAP username and password

Authentication is handled by SAP itself—just like today.

Step 4 — SAP successfully verifies the credentials

At this point, SAP considers the user authenticated.

Step 5 — Datawiza Access Proxy intercepts the authenticated session

Datawiza applies a post-authentication MFA policy, blocking access until MFA is completed.

Step 6 — Datawiza redirects the user to the Datawiza MFA verification page

The second factor is prompted via:

  • TOTP
  • Email OTP
  • SMS OTP
  • Push MFA (coming soon)

Step 7 — User completes MFA (2FA) successfully

Datawiza confirms the second factor.

Step 8 — Datawiza grants access to SAP

Only users who have passed both SAP authentication and Datawiza MFA are allowed through.

Step 9 — SAP loads normally

  • No SAP upgrades
  • No AD/LDAP
  • No IdP
  • No SAML/OIDC
  • No Basis effort
  • No changes to NetWeaver or ABAP

SAP remains completely unchanged.
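
The post-login gate described in Steps 4 to 8, as an added example (not Datawiza's code or API). It assumes the proxy treats an SAP logon ticket cookie (MYSAPSSO2) as evidence of a completed SAP login, already knows the SAP user name, and uses TOTP as the second factor; the class, state names and sample secret are hypothetical.

```python
import base64, hashlib, hmac, struct

SAP_COOKIE = "MYSAPSSO2"  # assumption: SAP logon ticket cookie marks a finished SAP login
SAMPLE_SECRET = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"  # constructed: RFC 6238 test key, base32

def totp(secret_b32, unix_time, step=30, digits=6):
    """RFC 6238 TOTP (HMAC-SHA1) for the time step containing unix_time."""
    counter = struct.pack(">Q", int(unix_time) // step)
    mac = hmac.new(base64.b32decode(secret_b32), counter, hashlib.sha1).digest()
    off = mac[-1] & 0x0F  # dynamic truncation offset
    value = struct.unpack(">I", mac[off:off + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)

class MfaGate:
    """Hypothetical proxy-side state: which SAP sessions have passed the second factor."""
    def __init__(self, secrets):
        self.secrets = secrets   # SAP user -> base32 TOTP secret
        self.verified = {}       # SAP ticket value -> user who passed MFA
        self.last_step = {}      # user -> last accepted time step (replay guard)

    def decide(self, cookies):
        """Applied to every request path, so nothing behind the proxy skips the check."""
        ticket = cookies.get(SAP_COOKIE)
        if ticket is None:
            return "to_sap_login"   # Steps 1-3: SAP shows its native login page
        if ticket not in self.verified:
            return "mfa_required"   # Steps 5-6: block and redirect to the MFA page
        return "allow"              # Steps 8-9: both factors passed

    def verify(self, user, ticket, code, now, step=30):
        """Step 7: accept a code from the current step or one step either side."""
        secret = self.secrets.get(user)
        if secret is None:
            return False            # fail closed for users with no enrolled factor
        for drift in (-1, 0, 1):
            counter = int(now) // step + drift
            if counter <= self.last_step.get(user, -1):
                continue            # this step, or a later one, was already used
            expected = totp(secret, counter * step, step)
            if hmac.compare_digest(expected.encode(), str(code).encode()):
                self.last_step[user] = counter
                self.verified[ticket] = user  # bound to this SAP session only
                return True
        return False
```

Because the verified state is keyed by the SAP ticket value, a new SAP login triggers a fresh second-factor prompt; the table belongs in server-side storage and should expire with the SAP session.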

Why This Approach Is Better Than SAP’s Native Options

| Feature | SAP Native | Datawiza |
|---|---|---|
| Requires SAP upgrades | Yes | No |
| Modifies SAP configs | Yes | No |
| Requires SAML/OIDC | Yes | No |
| Requires AD/LDAP | Yes | No |
| Requires IdP | Yes | No |
| Additional license cost | High | Included |
| Basis workload | High | Minimal |
| Deployment timeline | Months | Hours |
| Works with SAP Portal | Limited | Full |

For SAP environments without AD/LDAP or IdP—or those avoiding upgrades—Datawiza is the fastest path to SAP MFA (2FA).

Conclusion: Add MFA or 2FA to SAP Without Upgrades

Legacy SAP systems were never built for MFA, 2FA, or Zero-Trust authentication. SAP’s native solutions require costly upgrades, identity infrastructure, and heavy Basis involvement.

The Datawiza Identity Modernization Platform enables MFA (2FA) for ALL SAP web apps with:

  • No SAP upgrades
  • No IdP
  • No AD/LDAP
  • No SAML/OIDC
  • No Basis changes
  • No code changes
  • No downtime

For SAP Web GUI, Fiori, Portal, Web Dynpro, ITS, and custom ABAP apps, Datawiza delivers MFA (2FA) modernization in hours—not months.
