SAP Knowledge Base Article - Preview

3450316 - Why is MFA/TFA prompted late and on different site?


  • Parent site is an outbound OIDC record for the "Example" app.
  • SAP CDC hosted page is being used as OIDC proxy page (Example 2) which makes use of the ExampleRegistrationLogin screenset.
  • An RBA rule for TOTP is applied for Parent site only, excluding all child sites.
  • Web SDK is being used by the Example app and uses the API key of Parent site

Issue being encountered is when a user logs into the Example app (using credentials and MFA), logs out and then logs back in, after user enter their credentials, it is immediately able to access the Example app, only then is the MFA being prompted in a pop-up window that can be closed. Then, the user is able to access the app without MFA. 

  • Why is the MFA being prompted late in the login flow?
  • It is expected that endpoints should be called by Example2 site since that is the OIDC issuer.



  • SAP Customer Data Cloud
  • OIDC


SAP Customer Data Cloud all versions


Gigya, CDC, OIDC, proxy page, application , KBA , CEC-PRO-PNS , Privacy & Safety (Consent, RBA - Risk-Based Authentication) , How To

About this page

This is a preview of a SAP Knowledge Base Article. Click more to access the full version on SAP for Me (Login required).

Search for additional results

Visit SAP Support Portal's SAP Notes and KBA Search.