Kevin Li

Setup Single Sign-On in SAP HANA Cloud Administration Tools

As SAP HANA Cloud is a modern database as a service (DBaaS), the end users can access SAP HANA Cloud from anywhere with public internet, whether that’s at home, in the office, or even at a third space like a coffee shop. When an organization wants to move to SAP HANA Cloud, the authentication method is a critical component of an organization’s presence in the cloud. The identity authentication controls access to all cloud data and resources. Organizations need an identity control plane that strengthens their security and keeps their cloud data safe from intruders. 

SAP HANA Cloud administration tools include SAP HANA Cloud Central, SAP HANA cockpit and SAP HANA database explorer. By default, administrators log into the administration tools using the SAP Identity Service. You can also use your bundled SAP Identity Authentication service tenant to log into the administration tools (see Establish Trust and Federation of Custom Identity Providers for Platform Users [Feature Set B]). Furthermore, you can configure the SAP Identity Authentication tenant as a proxy that delegates authentication to your corporate identity provider, which enables a seamless, flexible integration with your existing identity authentication infrastructure.

How can you log into the SAP HANA Cloud cockpit using single sign-on? How can you connect to the SAP HANA database without entering a user and password? This blog demonstrates how to enable JSON Web Token single sign-on (JWT SSO) to log into the SAP HANA Cloud cockpit and to connect to the SAP HANA database from SAP HANA database explorer. Users accessing the SAP HANA database from the cockpit or database explorer are authenticated by tokens issued by a trusted JWT identity provider. The internal database user to which the external identity is mapped is used for authorization checks during the database session.

Architecture of End-to-end Single Sign-On in SAP HANA Cloud

Enable JWT SSO Login

1. Log into SAP HANA Cloud cockpit as database administrator.

Logon as Database Administrator

2. On the Database Overview page, click Enable JWT SSO, which is located on the shellbar at the top of the page.

Enable JWT SSO

3. Confirm that you want to enable JWT SSO.

Note: JWT SSO has to be enabled on each SAP HANA Cloud database individually.

Confirmation of JWT SSO

 4. Navigate to the JWT Identity Providers application on the Database Overview page to verify the identity providers. 

JWT Identity Providers Application

5. You can see a JWT identity provider created by the cockpit. The naming convention for identity providers is: XSUAA_JWT_PROVIDER_<uppercase issuer>_<uppercase origin>_<uppercase zone id>.

JWT Identity Provider

6. Change the origin value to the origin of your custom identity provider for platform users. If you logged into the cockpit with your custom IdP before enabling JWT SSO, this value should already be the origin of your custom IdP.

The Origin of Your Custom Identity Provider

Create a Database User

1. Navigate to the User Management application on the Database Overview page to create and manage database users. 

User Management Application

2. Edit an existing database user to change its configuration; if the user doesn’t exist, create a new database user.

Database User

3. On the Authentication tab for the database user, click Add JWT Identity.

Add JWT Identity Provider

4. Select the identity provider from the dropdown list and then manually map the user to an external identity.

Mapping to an External Identity

Test Logon via Single Sign On

1. Now, you can return to the Database Overview page and click Log in as a Different User.

Log in as a Different User

2. Choose Log on via single sign on. SAP HANA Cloud Cockpit creates a JWT assertion for the user that is currently logged into the cockpit and uses this assertion to log into the SAP HANA database. Depending on the roles or privileges assigned to that database user, you may only have access to some of the cockpit applications.

Log on via Single Sign On

3. Now you are logged in as your database user instead of DBADMIN. In the cockpit, you will notice that some of the applications are missing due to the lack of privileges.

SAP HANA Cloud Cockpit

4. Log on as a database administrator.

Log on as a Database Administrator

5. Navigate to the Privilege Assignment application. Assign your user the CATALOG READ system privilege. This privilege allows monitoring of memory usage, disk usage, CPU usage, etc. For further authorizations, please see Authorizations Needed for Monitoring and Administration.

Privilege Assignment

6. Navigate back to the Database Overview, and log on via single sign on. You now have access to memory usage, CPU usage, etc.

Database Overview with Monitoring Privilege

7. Open SAP HANA database explorer and add a database connection. You can now choose single sign-on to log into your database.

Authenticate Using Single Sign On

8. Open a SQL console of this database.

The SQL console of HANA Database

9. Confirm the current user and schema for the database connection in the status bar. You can also execute the following SQL statement to confirm the current user and schema:

SELECT CURRENT_USER, CURRENT_SCHEMA FROM DUMMY;

The current user and schema for the database connection

10. Choose the user in SAP HANA database explorer and confirm that the current user and schema are mapped to the correct external identity from the custom identity provider.

External Identity Mapping
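The cockpit steps in "Create a Database User" and the privilege assignment and verification steps in "Test Logon via Single Sign On" have SQL equivalents that can be run from the SQL console. The following is an added example and not part of the original post or of the cockpit's own code; SSO_USER and SSO_USER_NEW (database users), XSUAA_JWT_PROVIDER_PLACEHOLDER (stands in for the provider name shown in the JWT Identity Providers application) and the two e-mail addresses (constructed external identities) are placeholders to replace with your own values.

```sql
-- Added example, not from the original post. Placeholders: SSO_USER / SSO_USER_NEW
-- (database users), XSUAA_JWT_PROVIDER_PLACEHOLDER (replace with the provider name
-- shown in the JWT Identity Providers application) and the e-mail addresses
-- (constructed external identities as issued by the custom IdP).

-- 1. Inspect the JWT provider the cockpit created: its issuer and the token claim
--    that is compared against the external identity.
SELECT JWT_PROVIDER_NAME, ISSUER, CLAIM
  FROM JWT_PROVIDERS;

-- 2a. Map an existing database user to an external identity
--     (steps 3 and 4 of "Create a Database User").
ALTER USER SSO_USER
  ADD IDENTITY 'jane.doe@example.com' FOR JWT PROVIDER XSUAA_JWT_PROVIDER_PLACEHOLDER;

-- 2b. Or create a new database user with only the JWT mapping; no password is set,
--     so this user authenticates only through the trusted identity provider.
CREATE USER SSO_USER_NEW
  WITH IDENTITY 'john.doe@example.com' FOR JWT PROVIDER XSUAA_JWT_PROVIDER_PLACEHOLDER;

-- 3. Grant the monitoring privilege from step 5 of "Test Logon via Single Sign On".
GRANT CATALOG READ TO SSO_USER;

-- 4. Audit: list every user-to-identity mapping so an unexpected mapping stands out.
SELECT USER_NAME, JWT_PROVIDER_NAME, EXTERNAL_IDENTITY
  FROM JWT_USER_MAPPINGS
 ORDER BY USER_NAME;

-- 5. After logging on via single sign on, confirm the effective user (step 9 above).
SELECT CURRENT_USER, CURRENT_SCHEMA FROM DUMMY;
```

The JWT Identity Providers and User Management applications maintain the same provider and mapping objects these statements touch, so the queries in steps 1 and 4 are a quick way to review what was configured through the UI, and to spot a mapping to an identity or provider you did not intend.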

Congratulations! You have successfully enabled JWT SSO and set up the mapping between database users and external identities. This configuration allows single sign-on logon to the SAP HANA Cloud cockpit and to database connections in SAP HANA database explorer. Users no longer need to re-authenticate to the SAP HANA Cloud administration tools, and their authorizations are based on the roles or privileges assigned to their database users.

I hope you found this blog post useful. Let me know in the comments if you have any questions.

11 Comments
      Diego Yaryura

Hi Kevin,

Nice Blog!

I see JWT tokens seem to be a simple option to authenticate users with Hana Cloud but I've been looking for feasible options to authorize users. I see LDAP as an option for authorization and we've used it for on-prem databases but for HANA Cloud it just doesn't make sense because it requires a LDAP server to be accessible from the HANA Cloud instance and we should also consider that LDAP is already a "legacy protocol". Are you aware of any option to use the same JWT tokens but to authorize the users based on roles granted via IAS/customer IDP?

       

Thanks

Diego

      Kevin Li
      Blog Post Author

      Hi Diego,

      Thank you for your question. JWT SSO supports automatic user creation with LDAP. The database users can be created and roles/privileges can be assigned based on the LDAP group information.

      Best,

      Kevin

      Mauricio Miao

      Hi Kevin Li ,

After performing the indicated steps I am still getting the logon page.

      This page was supposed to be bypassed if everything worked fine right?

      Regards,

      Mauricio

      Kevin Li
      Blog Post Author

      Hi Mauricio,

Do you get this from opening the database explorer from the browser? If you open database explorer or cockpit in a new browser session, this logon screen will show up.

      Thanks,

      Kevin

      Mauricio Miao

      Hi Kevin Li

      I was testing in the same browser session, it means in a browser where I was already authenticated in BTP.
      I will perform a test in another BTP Account that I have and see if that works.
      Regards
      Mauricio
      Thomas Beyer

      Hi Kevin,

      after creating the JWT Identity Provider the origin = sap.custom (Custom Identity Provider for Applications) and zid = 9xxxxxxb-6c30-4e3b-9b31-dxxxxxxxxxx0 .

      Can we also use the "Custom Identity Provider for Applications" or must we use the "Custom Identity Provider for Platform Users"?

And how can I find the value for "zid"?

       

Thx Thomas

      Kevin Li
      Blog Post Author

      Yes, the custom IDP for application users can be configured as JWT IDP.

Kevin Li
Blog Post Author

"zid" refers to Zone ID. It should be one of the parameters in the JWT token. https://docs.cloudfoundry.org/api/uaa/version/76.21.0/index.html#list-all-tokens-for-a-client

      Thomas Beyer

      Hello Kevin,

      thank you.

Now the authentication with the "custom IDP for application users" works.

Thomas Beyer

      Hello Kevin,

      one more question 😉

In this scenario how must we configure the mapping of an AD group to a HANA role?

      Can you help us?

       

Thx Thomas

      Kevin Li
      Blog Post Author

      Hi Thomas,

      You can map LDAP group to a HANA role. https://blogs.sap.com/2021/05/04/spotlight-ldap-support-in-sap-hana-cloud/

      Thanks,

      Kevin