on 02-04-2015 9:29 PM
As a preface, let me call out that we use numeric UserIDs in our organization.
I am looking to create UI5-based XS applications on SAP HANA. I would like to expose/embed links to these applications in our Enterprise Portal. I want to enable single sign-on so that once someone is authenticated in the Enterprise Portal, they are not presented with an additional logon screen when they access content in the EP which is hosted on SAP HANA.
Now from what I understand there are standard ways of establishing trust relationships and configuring HANA to accept the MySAPSSO2 ticket generated by the portal. However I believe that requires the exact same userID to exist on Portal and HANA. This is not possible, as HANA does not allow numeric userIDs which is a standard in our organization.
What can I do to achieve my desired result?
I am adding additional information as I find it.
Looking at the SAP HANA security guide, section 7 on Single Sign On (see here) I can see notes which indicate that for Kerberos and SAML, if the user is authenticated by an external authentication provider, there is a mechanism to map the external identity to the internal identity of a database user.
Unfortunately the notes also mention that this is not supported for "Logon and Assertion tickets" and for "X.509 Client certificates".
Separately I came across this note: 1828464 - Creating role analytic privileges fails when User ID’s are numeric.
Basically if you are on SPS09, numeric user IDs are supported.
So in essence, one approach is to get to SPS09 and set up Logon and Assertion tickets as normal.
Have you entered the user’s network id in the Kerberos External ID field?
Hi Kurt,
My understanding is that SAP HANA supports the following four single sign-on mechanisms.
For users coming in pre-authenticated via the SAP portal, I assume we would configure the "SAP Logon/Assertion tickets" mechanism of SSO. Would using the network ID in the Kerberos External ID field still apply in this case?
thanks,
Nitin