SingleSignOn ( SSO) in SAP HANA
This blog will give you details on setting up Single sign on (SSO) with SAP Hana using Kerberos.
Why do we need SSO ?
By enabling SSO, users can directly login from BO ( or any Front end Application) & access Hana database without providing login credentials again
There are different teams involved for this set up ( This may change based on your organization structure)
1) System administrator needs to install Kerberos Client on Hana server
2) Active Directory & Service account set up is done by of Identity Management Administrator
3) Hana Administrator needs to set up the configuration & user creation
Note: I have greyed out server names & service account names in screen shots for security reasons
Kerberos Client Installation:
Please make sure that the Kerberos client & libraries are installed on the Hana Database server
Creation of service account:
Identity Management Administrator will need to create a service user & a Service Principal Name( SPN) for each host on the system . For scale out box, we need to create 1 SPN for each host . Please find screen shot
The SPN needs to have the following syntax:
Generating a key Tab :
ktpass -princ hdb/
Using the above syntax key tab file is generated
Hana Admin configuration:
Login as root & update the krb5.conf file. This is located at /etc/krb5.conf
Entries in the file
Realm is your domain name in uppercase letters, such as DOMAIN_NAME.
Note : if you are not aware of the above parameters like realm , KDC Name , Domain Name please contact your Active directory Adminstrator
Import the key tab which was generated into Hana Box.
Make sure the permissions are changed
Creation of user in HANA:
This can be done via GUI screen or via sql syntax
CREATE USER Kiran IDENTIFIED EXTERNALLY AS ‘Kiran@Realm’ ;
Please assign the appropriate role to this user
While configuring the user in Hana studio , Please check the authentication by OS user as shown below
Hope this information is useful for you . Thank you for reading this blog