Setup Single Sign-On in SAP HANA Cloud Administration Tools
Because SAP HANA Cloud is a modern database as a service (DBaaS), end users can reach it from anywhere with public internet access, whether at home, in the office, or in a third space such as a coffee shop. When an organization moves to SAP HANA Cloud, the authentication method therefore becomes a critical part of its cloud security posture: identity authentication controls access to all cloud data and resources. Organizations need an identity control plane that strengthens their security and keeps their cloud data safe from intruders.
The SAP HANA Cloud administration tools include SAP HANA Cloud Central, SAP HANA cockpit and SAP HANA database explorer. By default, administrators log into the administration tools using SAP ID service. You can also use your bundled SAP Identity Authentication service tenant to log into the administration tools (see Establish Trust and Federation of Custom Identity Providers for Platform Users [Feature Set B]). Furthermore, you can configure the SAP Identity Authentication tenant as a proxy that delegates authentication to your corporate identity provider, which gives a seamless, flexible integration with your existing identity infrastructure.
How can you log into the SAP HANA Cloud cockpit using single sign-on? How can you connect to the SAP HANA database without entering a user name and password? This blog shows how to enable JSON Web Token single sign-on (JWT SSO) to log into the SAP HANA Cloud cockpit and to connect to the SAP HANA database from SAP HANA database explorer. Users accessing the SAP HANA database from the cockpit or database explorer are authenticated by tokens issued by a trusted JWT identity provider. The database user to which the external identity is mapped is used for all authorization checks during the database session, so a user's effective privileges are exactly those granted to that mapped database user.
Architecture of End-to-end Single Sign-On in SAP HANA Cloud
Enable JWT SSO Login
1. Log into SAP HANA Cloud cockpit as database administrator.
Logon as Database Administrator
2. On the Database Overview page, click Enable JWT SSO, which is located on the shellbar at the top of the page.
Enable JWT SSO
3. Confirm that you want to enable JWT SSO.
Note: JWT SSO has to be enabled on each SAP HANA Cloud database individually.
Confirmation of JWT SSO
4. Navigate to the JWT Identity Providers application on the Database Overview page to verify the identity providers.
JWT Identity Providers Application
JWT Identity Provider
6. Change the origin value to the origin of your custom identity provider for platform users. If you logged into the cockpit with your custom IdP before enabling JWT SSO, this value should already be the origin of your custom IdP.
The Origin of Your Custom Identity Provider
Create a Database User
1. Navigate to the User Management application on the Database Overview page to create and manage database users.
User Management Application
2. Edit an existing database user to change its configuration; if the user doesn't exist, create a new database user.
Database User
3. On the Authentication tab for the database user, click Add JWT Identity.
Add JWT Identity Provider
4. Select the identity provider from the dropdown list and then manually map the database user to an external identity.
Mapping to an External Identity
Test Logon via Single Sign On
1. Now, you can return to the Database Overview page and click Log in as a Different User.
Log in as a Different User
Log on via Single Sign On
3. You are now logged in as your database user instead of DBADMIN. In the cockpit you will notice that some applications are missing because this user lacks the required privileges.
SAP HANA Cloud Cockpit
4. Log on as a database administrator.
Log on as a Database Administrator
5. Navigate to the Privilege Assignment application and assign your user the CATALOG READ system privilege. This privilege gives unfiltered read-only access to the system and monitoring views, which is what the cockpit needs to display memory usage, disk usage, CPU usage, and so on; grant it only to users who actually need that monitoring data. For further authorizations, see Authorizations Needed for Monitoring and Administration.
Privilege Assignment
6. Navigate back to the Database Overview and log on via single sign-on. You now have access to memory usage, CPU usage, and so on.
Database Overview with Monitoring Privilege
7. Open SAP HANA database explorer and add a database connection. You can now select single sign-on as the authentication method for the connection to your database.
Authenticate Using Single Sign On
8. Open a SQL console of this database.
The SQL console of HANA Database
9. Confirm the current user and schema for the database connection in the status bar. You can also execute the following SQL statement to confirm them:
SELECT CURRENT_USER, CURRENT_SCHEMA FROM DUMMY;
The current user and schema for the database connection
10. Choose the user of SAP HANA database explorer, and confirm the current user and schema are mapped to the correct external identity from the custom identity provider.
External Identity Mapping
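For readers who prefer to script the configuration or audit what the cockpit did, here is the SQL equivalent of the steps above, run as a database administrator in the SQL console. This is an added example and not code from the original post or from SAP; the provider name CORP_IDP_JWT, the issuer URL, the claim name, the user name MONITOR_USER and the external identity alice@example.com are placeholders that you must replace with the values of your own identity provider and tenant.

```sql
-- Added example (not from the original post). All names and URLs below are
-- placeholders; substitute your own provider, issuer, claim and user values.

-- 1. Register the identity provider that signs the tokens. The "Enable JWT SSO"
--    button in the cockpit creates the provider for the platform IdP for you;
--    this is how the same object is defined by hand. The ISSUER must match the
--    'iss' claim of the tokens and the named claim carries the login name.
CREATE JWT PROVIDER CORP_IDP_JWT
  WITH ISSUER 'https://mytenant.accounts.ondemand.com'  -- placeholder issuer
  CLAIM 'user_name' AS EXTERNAL IDENTITY;               -- placeholder claim name

-- 2a. New user: create it with the JWT identity as its only authentication
--     mechanism (no password is set).
CREATE USER MONITOR_USER
  WITH IDENTITY 'alice@example.com' FOR JWT PROVIDER CORP_IDP_JWT;

-- 2b. Existing user: add the JWT identity instead. The cockpit's
--     "Add JWT Identity" dialog issues the equivalent of this statement.
--     (Run 2a or 2b, not both, for the same user.)
-- ALTER USER MONITOR_USER
--   ADD IDENTITY 'alice@example.com' FOR JWT PROVIDER CORP_IDP_JWT;

-- 3. Least privilege: a user that logs on via SSO does not need a password path.
--    Disabling it removes password guessing against the mapped account.
ALTER USER MONITOR_USER DISABLE PASSWORD;

-- 4. Grant the monitoring privilege the cockpit needs (unfiltered read access
--    to the system and monitoring views).
GRANT CATALOG READ TO MONITOR_USER;

-- 5. Verify the configuration: the registered providers and the
--    user-to-external-identity mappings the database will accept.
SELECT * FROM SYS.JWT_PROVIDERS;

SELECT * FROM SYS.JWT_USER_MAPPINGS
 WHERE USER_NAME = 'MONITOR_USER';

-- 6. After logging on via SSO as the mapped user, confirm which database user
--    and schema the session runs as (the check from step 9 above).
SELECT CURRENT_USER, CURRENT_SCHEMA FROM DUMMY;
```

The verification queries are what to look at when SSO logon fails: if the mapping row for the user is missing, or the external identity differs from the claim value in the token (including case), the database rejects the token even though the identity provider accepted the login.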
Congratulations! You have successfully enabled JWT SSO and set up the mapping between database users and external identities. This configuration allows single sign-on logon to the SAP HANA Cloud cockpit and to database connections in SAP HANA database explorer. Users no longer need to re-authenticate to the SAP HANA Cloud administration tools, and their authorizations are based on the roles and privileges assigned to their mapped database users.
I hope you found this blog post useful. Let me know in the comments if you have any questions.
Hi Kevin,
Nice Blog!
I see JWT tokens seem to be a simple option to authenticate users with HANA Cloud, but I've been looking for feasible options to authorize users. I see LDAP as an option for authorization and we've used it for on-prem databases, but for HANA Cloud it just doesn't make sense because it requires an LDAP server to be accessible from the HANA Cloud instance, and we should also consider that LDAP is already a "legacy protocol". Are you aware of any option to use the same JWT tokens but authorize the users based on roles granted via IAS/customer IDP?
Thanks
Diego
Hi Diego,
Thank you for your question. JWT SSO supports automatic user creation with LDAP. The database users can be created and roles/privileges can be assigned based on the LDAP group information.
Best,
Kevin
Hi Kevin Li,
After performing the indicated steps I am still getting the logon page.
This page was supposed to be bypassed if everything worked fine right?
Regards,
Mauricio
Hi Mauricio,
Do you get this when opening the database explorer from the browser? If you open database explorer or cockpit in a new browser session, this logon screen will show up.
Thanks,
Kevin
Hi Kevin,
After creating the JWT Identity Provider, the origin = sap.custom (Custom Identity Provider for Applications) and zid = 9xxxxxxb-6c30-4e3b-9b31-dxxxxxxxxxx0.
Can we also use the "Custom Identity Provider for Applications" or must we use the "Custom Identity Provider for Platform Users"?
And how can we find the value for "zid"?
Thx Thomas
Yes, the custom IDP for application users can be configured as a JWT IDP.
"zid" refers to the Zone ID. It should be one of the parameters in the JWT token. https://docs.cloudfoundry.org/api/uaa/version/76.21.0/index.html#list-all-tokens-for-a-client
Hello Kevin,
thank you.
Now the authentication with the "custom IDP for application users" works.
Hello Kevin,
one more question 😉
In this scenario, how must we configure the mapping of an AD group to a HANA role?
Can you help us?
Thx Thomas
Hi Thomas,
You can map an LDAP group to a HANA role. https://blogs.sap.com/2021/05/04/spotlight-ldap-support-in-sap-hana-cloud/
Thanks,
Kevin