
what is the role of "Any" in configure external SAML Identities

Former Member
0 Kudos

Hi, can anyone explain to me the role of "Any" when we configure external SAML identities?

Thanks

Accepted Solutions (0)

Answers (2)


holger_brasch
Explorer

Hi,

HANA supports two ways of user mappings
(e.g. map user from an external application to the "correct" HANA user):
https://help.sap.com/saphelp_hanaplatform/helpdata/en/db/6db355bb571014b56eb25057daec5f/content.htm

1.)    SAP HANA-based user mappings

2.)    Identity provider-based user mappings

For the first approach you need to maintain the table "PUBLIC"."SAML_USER_MAPPINGS"
which could be quite cumbersome. This is basically what happens via GUI when you click on
"Configure SAML" for an individual user. You assign the SAML provider and you map the
external identity (the user known to the external application).
This can also be managed with
custom procedures, …

Let's say there is an external application App1 in which the user Albert Einstein is known as EmpAE.
Moreover there is a HANA database to which the same user is known as AlbertE.

HANA needs to know that the assertion coming in having EmpAE needs to be mapped to HANA user AlbertE
to allow the SSO. This happens, as said, via the mapping table.

Now think about a case where the user is known in both systems as AlbertE.
Why use a mapping table? You just need to allow HANA to use the user name of the
SAML assertion coming in from application App1, because it already contains the name
in the same way it is known in HANA itself. This is what the flag "any" does.

On a side note - the any-option reflects in the table "PUBLIC"."SAML_USER_MAPPINGS" with a "?".

·     Identity provider-based user mappings

The identity provider maps its users to SAP HANA database users and provides this information
using the SPProvidedID attribute. The corresponding assertion subject looks like this:

<NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified" SPProvidedID="BILLG">zgc2VLavgYy4hsohfYPM21</NameID>

You can configure SAML identity providers and map them to database users in the SAP HANA studio.


Having said that, the external application needs to be able to create SAML assertions
using the SPProvidedID attribute. On a side note - for the Business objects platform
this seems to be not (yet) the case. You can check on your own if you enable trace on the HANA side
and test SAML from BO CMC. You will then find the SAML assertion in the trace.

I hope that helps, Holger
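
The two SAP HANA-based variants from the answer above, written as SQL. This is an added example and not part of the original post; the provider name APP1_IDP and the subject/issuer strings are hypothetical placeholders, and the user and identity names follow the Albert Einstein scenario.

```sql
-- Register the identity provider of App1 (name and DNs are placeholders).
CREATE SAML PROVIDER APP1_IDP
  WITH SUBJECT '<certificate subject DN>'
       ISSUER  '<certificate issuer DN>';

-- Variant A: explicit mapping. App1 knows the user as EmpAE, HANA as ALBERTE.
-- Only an assertion naming EmpAE from APP1_IDP can log on as ALBERTE.
CREATE USER ALBERTE WITH IDENTITY 'EmpAE' FOR SAML PROVIDER APP1_IDP;

-- Variant B: ANY. No external name is stored for the user; HANA takes the
-- user name carried in the assertion itself. The mapping is then only as
-- trustworthy as the name assignment done on the identity provider side.
ALTER USER ALBERTE DROP IDENTITY FOR SAML PROVIDER APP1_IDP;
ALTER USER ALBERTE ADD IDENTITY ANY FOR SAML PROVIDER APP1_IDP;

-- Make sure SAML logon is enabled for the user.
ALTER USER ALBERTE ENABLE SAML;

-- Review which users rely on ANY (shown as "?" per the answer above)
-- and which have an explicit external identity.
SELECT * FROM "PUBLIC"."SAML_USER_MAPPINGS" WHERE USER_NAME = 'ALBERTE';
```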

former_member182114
Active Contributor
0 Kudos

Hi Tatab355 Tatab355 (I prefer to talk to people),

I took some time to google, as I don't know the answer, and found something that can answer about the ANY in the CREATE USER statement: CREATE USER - SAP HANA SQL and System Views Reference - SAP Library


Defines a SAML provider.

 <mapped_user_name> ::= ANY | <string_literal> 

The mapped SAML user name to use. If the keyword ANY is used the SAML assertion will contain the name of the database user that the assertion is valid for.

It's just a guess, OK. I had no opportunity to establish such authentications before.

Regards, Fernando Da Rós