From our security team I have a requirement that a group if users login to SAP SuccessFactors using 2FA once per day. Once they have logged in with 2FA they need to login using username/password only for the rest of the day. The rest of the employees login using username/password every single login.
For some reason the first scenario is working as required, but the second isn't. We have setup the IAS session to stay alive for 8 hours. When a user in the 2FA group logs in after the 30 minute time out in SuccessFactors expires they only need to enter username/password (seems like a bug to me). But the secord group (not using 2FA, only username/password) doesn't have to login again and can keep on using SuccessFactors for the entire 8 hours.
Is it possible to configure this in Identity Access Services (IAS)? As far as I know you can only configure how long the IAS session remains alive, so if the session ends the user will need to login again with 2FA. No way to switch between 2FA and username/password depending on last time 2FA was used.
There are couple settings in IAS that you should explore further:
1) Under Application & Resources >> Application >> <select your SFSF app> >> Authentication and Access tab >> Force Authentication. This will require the user to specify password each time the login.
2) Under Application & Resources >> Tenant Settings >> Authentication tab>> Multi-Factor Authentication >> Trust this browser option for users: Set the number of days for which the users will not get prompted for second-factor authentication, if they sign in from the same browser.
With the combinations of these 2 settings you should able achieve the desired behavior.