cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

HANA SSO with numeric UserIDs - Portal Authentication

Go to solution
Former Member

on ‎02-04-2015 9:29 PM

0 Kudos

As a preface, let me call out that we use numeric UserIDs in our organization.

I am looking to create UI5 based XS applications on SAP HANA. I would like to expose/embed links to these applications in our Enterprise Portal. I want to enable Single Sign on so that once someone is authenticated in the Enterprise Portal, they are not prsented with an additional logon screen when they access content in the EP which is hosted on SAP HANA.

Now from what I understand there are standard ways of establishing trust relationships and configuring HANA to accept the MySAPSSO2 ticket generated by the portal. However I believe that requires the exact same userID to exist on Portal and HANA. This is not possible, as HANA does not allow numeric userIDs which is a standard in our organization.

What can I do to achieve my desired result?

Show replies
Show replies
Answer

Accepted Solutions (1)

Accepted Solutions (1)

Former Member
‎02-19-2015 9:12 PM
0 Kudos

I am adding additional information as I find it.

Looking at the SAP HANA security guide, section 7 on Single Sign On (see here) I can see notes which indicate that for Kerberos and SAML, if the user is authenticated by an external authentication provider, there is a mechanism to map the external identity to the internal identity of a database user.

Unfortunately the notes also mention that this is not supported for "Logon and Assertion tickets" and for "X.509 Client certificates".

Separately I came across this note: 1828464 - Creating role analytic privileges fails when User ID’s are numeric.

Basically if you are on SPS09, numeric user IDs are supported.

So in essence, one approach is to get to SPS09 and setup Logon and Assertion tickets as normal.

Show replies
Show replies

Answers (1)

Answers (1)

Former Member
‎02-10-2015 4:52 PM
0 Kudos

Have you entered the user’s network id in the Kerberos External ID field?

Show replies
Show replies
Former Member
‎02-10-2015 7:25 PM
0 Kudos

Hi Kurt,

My understanding is the SAP HANA supports the following four Single Sign on Mechanisms.

  • Kerberos
  • SAML
  • X.509 client certificates (Only for HTTP access to SAP HANA by means of SAP HANA XS)
  • SAP logon/assertion tickets

For users coming in pre-authenticated via the SAP portal, I assume we would configure the "SAP Logon/Assertion tickets" mechanism of SSO. Would using the network ID in the Kerberos External ID field still apply in this case?

thanks,

Nitin

Former Member
‎02-10-2015 7:42 PM
0 Kudos

Maybe.  The SAML checkbox might need to be on, also.  That's what I have seen.  I'm a HANA developer, not a security admin, so my knowledge of security is very limited.  Hopefully someone will supply some more educated guidance than I can provide.

Ask a Question