This blog describes how to set up single sign-on (SSO) with SAP HANA using Kerberos.

Why do we need SSO?

With SSO enabled, users can log in from BO (or any front-end application) and access the HANA database without providing login credentials again.

Different teams are involved in this setup (this may change based on your organization's structure):

1) The system administrator needs to install the Kerberos client on the HANA server.

2) The Active Directory and service account setup is done by the Identity Management Administrator.

3) The HANA administrator needs to set up the configuration and create the users.

Note: I have greyed out server names and service account names in the screenshots for security reasons.

Kerberos Client Installation:

Please make sure that the Kerberos client and libraries are installed on the HANA database server.

Creation of service account:

The Identity Management Administrator needs to create a service user and a Service Principal Name (SPN) for each host in the system. For a scale-out box, we need to create one SPN for each host. Please find the screenshot.

The SPN needs to have the following syntax:

hdb/ @Kerberos realm name

: fully qualified domain name of the host

Generating a keytab:

ktpass -princ hdb/ @ -mapuser  -pass -out .keytab -ptype -crypto

= KRB5_NT_PRINCIPAL

= RC4-HMAC-NT

 

The keytab file is generated using the above syntax.

HANA admin configuration:

Log in as root and update the krb5.conf file, which is located at /etc/krb5.conf.

Entries in the file:

[libdefaults]

default_realm=

[realms]

={ kdc=}

Where and are the names of your Kerberos realm and KDC.

Realm is your domain name in uppercase letters, such as DOMAIN_NAME.

Note: if you do not know the above parameters, such as the realm, KDC name or domain name, please contact your Active Directory administrator.

Import the generated keytab into the HANA box.

Make sure the permissions are changed
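
One way to check the krb5.conf and keytab steps above before testing a login, as an added example that is not part of the original post or SAP tooling. The function name check_hana_krb5 is hypothetical, the keytab path is whatever you pass in, and owner-only access to the keytab is an assumed policy, since the post does not state the exact permissions.

```shell
#!/bin/sh
# Added example: sanity-check the Kerberos files on a HANA host.
# Usage (keytab path is a placeholder): check_hana_krb5 /etc/krb5.conf <keytab file>

# Prints each problem found; returns 0 if none, 1 otherwise.
check_hana_krb5() {
    conf=$1; keytab=$2; problems=0
    fail() { echo "PROBLEM: $1"; problems=1; }

    # Read default_realm from the file; tolerate spaces around '='.
    realm=$(sed -n 's/^[[:space:]]*default_realm[[:space:]]*=[[:space:]]*\([^[:space:]]*\).*/\1/p' "$conf" | head -n 1)
    if [ -z "$realm" ]; then
        fail "default_realm is not set in $conf"
    elif [ "$realm" != "$(printf %s "$realm" | tr '[:lower:]' '[:upper:]')" ]; then
        fail "default_realm '$realm' is not uppercase"
    fi

    # The [realms] section needs a stanza for that exact realm naming a KDC.
    # Handles both the one-line form REALM={ kdc=host } and the multi-line form.
    if [ -n "$realm" ] && ! awk -v r="$realm" '
        /^[ \t]*\[/ { insec = ($0 ~ /\[realms\]/) }
        insec && /=[ \t]*[{]/ {
            name = $0; sub(/[ \t]*=.*/, "", name); sub(/^[ \t]*/, "", name)
            inrealm = (name == r)
        }
        inrealm && /kdc[ \t]*=[ \t]*[^ \t}]/ { found = 1 }
        inrealm && /[}]/ { inrealm = 0 }
        END { exit !found }' "$conf"; then
        fail "no kdc entry for realm $realm under [realms]"
    fi

    # The keytab holds the service account key: assumed policy is that
    # group and others have no access at all (e.g. mode 600 or 400).
    if [ ! -s "$keytab" ]; then
        fail "keytab $keytab is missing or empty"
    elif [ "$(ls -ld "$keytab" | cut -c5-10)" != "------" ]; then
        fail "keytab $keytab is accessible to group or others"
    fi
    return $problems
}
```

The check only reads the two files; whether the keytab actually contains the hdb/ principal for this host still has to be confirmed with your Kerberos client tools.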

Creation of user in HANA:

This can be done via the GUI or via SQL syntax:

CREATE USER Kiran IDENTIFIED EXTERNALLY AS 'Kiran@Realm';

Please assign the appropriate role to this user.

While configuring the user in HANA studio, please check the authentication by OS user as shown below.

Hope this information is useful for you. Thank you for reading this blog.

Cheers,

Kiran Musunuru.
