Single Sign-On has been especially important for live HANA connections in SAP Analytics Cloud (SAC), as the live HANA connection does NOT persist any user credential due to its working mechanism. In the past, the only option for Single Sign-On (SSO) was SAML 2, which requires a good amount of implementation work, especially if a SAML 2.0 Identity Provider is not already present or if the HANA system has not been configured for SAML 2.0 SSO yet.
With SAC release 2017.08, we are offering a new feature named “No Authentication”, which means that you can use any authentication option supported by the on-prem HANA system, including X.509 Client Certificate authentication, Kerberos/SPNego authentication, etc.
In other words, by enabling X.509 Client Certificate authentication or Kerberos/SPNego authentication, you can achieve the same SSO user experience as SAML 2 SSO. This new authentication/SSO option works in both Direct and Path (i.e. reverse proxy based) connectivity types. The following diagram illustrates how this new authentication/SSO option works in the Direct live HANA connection scenario:
Here are the pros and cons of each option:
– SSO based on SAML 2.0
  Pros:
  - Single Sign-On with one central Identity Management system, i.e. a SAML 2 Identity Provider.
  - Works across both intranet and Internet
  - Works on all devices with a supported web browser
  Cons:
  - A SAML 2 Identity Provider must be set up to manage identities for both SAC and HANA
– SSO based on automated authentication by HANA
  Pros:
  - Offers the same SSO user experience without purchasing a SAML 2 Identity Provider and implementing SAML 2
  - Slight performance improvement brought by reducing landscape complexity.
  Cons:
  - HANA needs to be configured with an automated authentication option, if not done already.
  - Although providing an SSO user experience, identities on SAC and HANA are not centrally managed. The user logged on to SAC may not necessarily be the same user logged on to on-prem HANA.
  - The authentication option may not work in all use cases. For example:
    - X.509 Client Certificate authentication requires that an existing PKI infrastructure be in place in the corporate network, and that the end user’s browser has access to the user’s certificate.
    - Kerberos/SPNego authentication only works in the intranet scenario, as Kerberos is an intranet authentication protocol.
    - SAP Logon Ticket authentication can only be used in embedding scenarios, and the portal that embeds the SAC content must be able to issue an SAP Logon Ticket beforehand. Additionally, the portal and the HANA system must be in the same DNS sub-domain.
When it comes to Single Sign-On options, we understand there is no such thing as “one size fits all”, since every customer’s security landscape is different. We hope this new authentication/SSO option provides more flexibility and lowers TCO for your SAC project.
For details on how to set up automated authentication on SAP HANA, refer to the following documents:
- Setup X.509 Client Certificate authentication for SAP HANA XS
- Setup Kerberos/SPNego authentication for SAP HANA XS
- Setup SAP Logon Ticket SSO for SAP HANA XS