As SAP HANA Cloud is a modern database as a service (DBaaS), the end users can access SAP HANA Cloud from anywhere with public internet, whether that’s at home, in the office, or even at a third space like a coffee shop. When an organization wants to move to SAP HANA Cloud, the authentication method is a critical component of an organization’s presence in the cloud. The identity authentication controls access to all cloud data and resources. Organizations need an identity control plane that strengthens their security and keeps their cloud data safe from intruders.

SAP HANA Cloud administration tools include SAP HANA Cloud Central, SAP HANA cockpit and SAP HANA database explorer. By default, administrators log into the administration tools using SAP Identity Service. You can also use your bundled SAP Identity Authentication service tenant to log into the administration tools (Establish Trust and Federation of Custom Identity Providers for Platform Users [Feature Set B]). Furthermore, you can configure the SAP Identity Authentication tenant as a proxy that delegates authentication to your corporate identity provider, which enables a seamless, flexible integration with your existing identity authentication infrastructure.

How can you log into SAP HANA Cloud cockpit using single sign-on? How can you connect to an SAP HANA database without entering a user name and password? This blog demonstrates how to enable JSON Web Token single sign-on (JWT SSO) to log into SAP HANA Cloud cockpit and to connect to an SAP HANA database in SAP HANA database explorer. The identity of users accessing the SAP HANA database from the cockpit or database explorer is authenticated by tokens issued by a trusted JWT identity provider. The internal database user to which the external identity is mapped is used for authorization checks during the database session.

Architecture of End-to-end Single Sign-On in SAP HANA Cloud

Enable JWT SSO Login

1. Log into SAP HANA Cloud cockpit as database administrator.

Logon as Database Administrator

2. On the Database Overview page, click Enable JWT SSO, which is located on the shellbar at the top of the page.

Enable JWT SSO

3. Confirm that you want to enable JWT SSO.

Note: JWT SSO has to be enabled on each SAP HANA Cloud database individually.

Confirmation of JWT SSO

4. Navigate to the JWT Identity Providers application on the Database Overview page to verify the identity providers.

JWT Identity Providers Application

5. You can see a JWT identity provider created by the cockpit. The naming convention for identity providers is: XSUAA_JWT_PROVIDER_<uppercase issuer>_<uppercase origin>_<uppercase zone id>.

JWT Identity Provider

6. Change the origin value to the origin of your custom identity provider for platform users. If you logged into the cockpit using your custom IdP before enabling JWT SSO, this value should already be the origin of your custom IdP.

The Origin of Your Custom Identity Provider

Create a Database User

1. Navigate to the User Management application on the Database Overview page to create and manage database users.

User Management Application

2. Edit the configuration of an existing database user; if the user doesn't exist, create a new database user.

Database User

3. On the Authentication tab for the database user, click Add JWT Identity.

Add JWT Identity Provider

4. Select the identity provider from the dropdown list and map it to an external identity.

Mapping to an External Identity

5. Now, you can return to the Database Overview page and click Log in as a Different User.

Log in as a Different User

6. Choose Log on via single sign on. SAP HANA Cloud Cockpit creates a JWT assertion for the user that is currently logged into the cockpit and uses this assertion to log into the SAP HANA database. Depending on the roles or privileges assigned to that database user, you may only have access to some of the cockpit applications.

Log on via Single Sign On

7. Open SAP HANA database explorer and add a database connection. You can now enable single sign-on to log into your database.

Authenticate Using Single Sign On

Congratulations! You have successfully enabled JWT SSO and set up the mapping between database users and external identities. This configuration allows single sign-on logon to SAP HANA Cloud cockpit and database connections in SAP HANA database explorer. Users no longer need to re-authenticate to the SAP HANA Cloud administration tools, and their authorizations are based on the roles or privileges assigned to their database users.
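The JWT provider created in the "Enable JWT SSO" steps and the identity mapping added in the "Create a Database User" steps are ordinary SAP HANA security objects, so they can be inspected and reproduced with SQL in the database explorer. The following is an added example (not from the original post): the provider name, issuer URL, user name and external identity are constructed placeholders, and the cockpit normally creates the provider for you with the naming convention shown above.

```sql
-- Added example: SQL view of the cockpit configuration, run as a database administrator.
-- All names below are constructed placeholders. The provider created by the cockpit
-- follows the pattern XSUAA_JWT_PROVIDER_<ISSUER>_<ORIGIN>_<ZONEID>.

-- 1. Verify the JWT identity provider that "Enable JWT SSO" created:
--    the issuer must match the token's "iss" claim, and CLAIM names the
--    token claim that carries the external identity.
SELECT jwt_provider_name, issuer, claim
  FROM sys.jwt_providers;

-- Manual equivalent of the cockpit action (placeholder issuer and claim):
CREATE JWT PROVIDER EXAMPLE_JWT_PROVIDER
  WITH ISSUER 'https://example-issuer.invalid/oauth/token'
  CLAIM 'user_name';

-- 2. Map a database user to the external identity ("Add JWT Identity").
--    New user that authenticates only via JWT (no password to manage):
CREATE USER ALICE
  WITH IDENTITY 'alice@example.invalid' FOR JWT PROVIDER EXAMPLE_JWT_PROVIDER;

--    Existing user: add the mapping and make sure JWT authentication is enabled.
ALTER USER BOB ADD IDENTITY 'bob@example.invalid' FOR JWT PROVIDER EXAMPLE_JWT_PROVIDER;
ALTER USER BOB ENABLE JWT;

-- 3. Verify the mapping before testing "Log on via single sign on".
SELECT user_name, jwt_provider_name, external_identity
  FROM sys.jwt_user_mappings
 WHERE user_name IN ('ALICE', 'BOB');

-- 4. What the user sees in the cockpit is governed by the database user's
--    roles: grant only what the administrator needs (MONITORING is a
--    built-in read-only role for the monitoring applications).
GRANT MONITORING TO ALICE;

-- 5. Offboarding: remove the mapping so a still-valid token from the
--    identity provider can no longer open a session for this user.
ALTER USER BOB DROP IDENTITY FOR JWT PROVIDER EXAMPLE_JWT_PROVIDER;
```

The mapping query in step 3 is also a useful periodic check: an external identity mapped to a user with more privileges than its owner should have is where SSO misconfigurations usually show up.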

I hope you found this blog post useful. Let me know in the comments if you have any questions.

Sara Sampaio

Author Since: March 10, 2022
