Setup Single Sign-On in SAP HANA Cloud Administration Tools

As SAP HANA Cloud is a modern database as a service (DBaaS), the end users can access SAP HANA Cloud from anywhere with public internet, whether that’s at home, in the office, or even at a third space like a coffee shop. When an organization wants to move to SAP HANA Cloud, the authentication method is a critical component of an organization’s presence in the cloud. The identity authentication controls access to all cloud data and resources. Organizations need an identity control plane that strengthens their security and keeps their cloud data safe from intruders. 

SAP HANA Cloud administration tools includes SAP HANA Cloud Central, SAP HANA cockpit and SAP HANA database explorer. By default, the administrators log into the administration tools using SAP Identity Service. You can also use your bundled SAP Identity Authentication service tenant to log into the administration tools (Establish Trust and Federation of Custom Identity Providers for Platform Users [Feature Set B]). Furthermore, you can configure SAP Identity Authentication tenant as a proxy to delegate authentications to your Corporate Identity Provider, which enables a seamless, flexible integration with your existing identity authentication infrastructure.

How can you log into SAP HANA Cloud cockpit using single sign-on? How can you connect to SAP HANA database without entering user and password? This blog demonstrates a solution that you can enable JSON Web Token single sign-on (JWT SSO) to log into SAP HANA Cloud cockpit, and connect to SAP HANA database in SAP HANA database explorer. The identity of users accessing the SAP HANA database from cockpit or database explorer can be authenticated by tokens issued by a trusted JWT identity provider. The internal database user to which the external identity is mapped is used for authorization checks during the database session.

Architecture of End-to-end Single Sign-On in SAP HANA Cloud

Enable JWT SSO Login

1. Log into SAP HANA Cloud cockpit as database administrator.

Logon as Database Administrator

2. On the Database Overview page, click Enable JWT SSO, which is located on the shellbar at the top of the page.

Enable JWT SSO

3. Confirm that you want to enable JWT SSO.

Note: JWT SSO has to be enabled on each SAP HANA Cloud database individually.

Confirmation of JWT SSO

 4. Navigate to the JWT Identity Providers application on the Database Overview page to verify the identity providers. 

JWT Identity Providers Application

5. You can see a JWT identity provider created by the cockpit. The naming convention for identity providers is: XSUAA_JWT_PROVIDER_<uppercase issuer>_<uppercase origin>_<uppercase zone id>.

JWT Identity Provider

6. Change the origin value to the origin of your custom identity provider for platform users. If you previously log into the cockpit using your custom IdP before enabling JWT SSO, this value should already be the origin of your custom IdP.

The Origin of Your Custom Identity Provider

Create a Database User

1. Navigate to the User Management application on the Database Overview page to create and manage database users. 

User Management Application

2. Edit an existing database user to edit their configuration, if the user doesn’t exist, create a new database user.

Database User

3. On the Authentication tab for the database user, click Add JWT Identity. 

Add JWT Identity Provider

4. Select the identity provider from the dropdown list and then either manually map it to an external identity.

Mapping to an External Identity

Test Logon via Single Sign On

1. Now, you can return to the Database Overview page and click Log in as a Different User.

Log in as a Different User

2. Choose Log on via single sign on. SAP HANA Cloud Cockpit will create a JWT assertion for the user that is currently logged into the cockpit and use this assertion for login into SAP HANA database. Depending on the roles or privileges that database user has assigned, you only have access to some of the cockpit applications.

Log on via Single Sign On

3. Now you will be logged in as your database user instead of DBADMIN. In the cockpit, you will notice some of the applications are missing due the lack of the privileges.

SAP HANA Cloud Cockpit

4. Log on as a database administrator.

Log on as a Database Administrator

5. Navigate to the Privilege Assignment application. Assign your user the CATALOG READ system privilege. This privilege will provide monitoring on memory usage, disk usage, CPU usage, etc. For more authorizations, please see Authorizations Needed for Monitoring and Administration.

Privilege Assignment

6. Navigate back to the Database Overview, and log on via single sign on. You now have access to memory usage, CPU usage, etc.

Database Overview with Monitoring Privilege

7. Open SAP HANA database explorer, add a database connection. You can now enable single sign-on to log into your database.

Authenticate Using Single Sign On

8. Open a SQL console of this database.

The SQL console of HANA Database

9. Confirm the current user and schema for the database connection in the status bar. You can also execute the following SQL statement to confirm the current user and schema:

SELECT CURRENT_USER, CURRENT_SCHEMA FROM DUMMY;

The current user and schema for the database connection

10. Choose the user of SAP HANA database explorer, and confirm the current user and schema are mapped to the correct external identity from the custom identity provider.

Extremal Identity Mapping

Congratulations! You have successfully enabled JWT SSO and set up mapping between database users and external identities. This configuration allows single sign-on logon to SAP HANA Cloud cockpit and database connections in SAP HANA database explorer. The users no longer need to re-authenticate to SAP HANA Cloud administration tools, and have the authorizations based on the roles or privileges assigned to their database users.

I hope you found this blog post useful. Let me know in the comments if you have any questions.