Technology Blogs by SAP
pavlomelnyk
As you may know, within the HANA tooling (either HANA Cloud Central* or HANA Cockpit) you can set up your own identity providers to enable Single Sign-On.

To simplify this journey and give you a smooth, approachable way of setting them up, we are introducing Guided Provider Creation for JWT and SAML identity providers.

The guided app wizard streamlines identity provider integration by automatically reading configurations, certificates, and keys from OpenID providers, reducing manual effort and errors. It combines the functions of the JWT provider, Certificates, and Certificate Collections apps, simplifying identity management and enhancing security in one unified solution. This consolidation minimizes operational complexity and costs, allowing businesses to efficiently manage identity configurations at scale. 

For more details on Identity Providers, please see: 

Guided Wizard with managed Certificate Collections (or PSEs**) 

In the 1st part of the blog post, we set up a JWT identity provider for SSO with the help of the Guided Wizard. We finished on Step 5, where we decided not to tick the box for "Managed Certificate Collection", or in short "Managed PSEs".

So, in this part, we will explore in more detail what this feature is, why it is needed, and how to finish an identity provider setup with "Managed PSEs".

What is it all about and why is it simplifying the management of certificates and public keys? 

As we have already learnt, a wizard-based application was released for the guided creation of JWT/SAML identity providers. In one of its steps, the wizard walks through the creation of a certificate collection for verifying the signature of the JWT provider's tokens.

Up to now, the current certificates and/or public keys for this collection were taken from the OpenID configuration, imported into SAP HANA Cloud and added to the new certificate collection by the wizard application.

Usually, the certificates and/or public keys in the OpenID configuration are updated regularly and would have to be updated in the certificate collection accordingly each time this happens. 

With this feature, a managed certificate collection can be created instead for verifying the JWT provider token signatures, and everything is configured so that this certificate collection is automatically updated periodically. 
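To make the rotation problem concrete, here is an added example (not SAP's code and not the HANA implementation of managed PSEs) that models what the periodic update has to do: read the OpenID discovery document, follow its `jwks_uri`, replace the stored signing keys, and then verify incoming RS256 tokens against the refreshed set. The issuer URL, key ids, discovery and JWKS documents are constructed for the example, and the RSA key pairs are built from Mersenne primes so the script runs offline without a crypto library; those primes are deliberately insecure toys. A real HANA managed collection holds X.509 certificates and public keys and performs the signature check itself; the point shown here is only why a collection that is not refreshed starts rejecting valid tokens as soon as the provider rotates its key.

```python
import base64
import hashlib
import json

# Public exponent used for all toy keys. The primes are passed in by the caller
# (see rotation_scenario); they are constructed Mersenne primes, NOT secure keys.
_E = 65537
# DER-encoded DigestInfo prefix for SHA-256 (RFC 8017, section 9.2, note 1).
_SHA256_DIGESTINFO = bytes.fromhex("3031300d060960864801650304020105000420")


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_keypair(kid: str, p: int, q: int) -> dict:
    n = p * q
    return {"kid": kid, "n": n, "e": _E, "d": pow(_E, -1, (p - 1) * (q - 1)),
            "k": (n.bit_length() + 7) // 8}  # k = modulus length in bytes


def public_jwk(key: dict) -> dict:
    """The JWK an OpenID provider would publish under its jwks_uri for this key."""
    return {"kty": "RSA", "use": "sig", "alg": "RS256", "kid": key["kid"],
            "n": b64url(key["n"].to_bytes(key["k"], "big")),
            "e": b64url(key["e"].to_bytes(3, "big"))}


def _emsa_pkcs1_v15(message: bytes, k: int) -> bytes:
    """EMSA-PKCS1-v1_5 encoding of SHA-256(message), as used by RS256."""
    t = _SHA256_DIGESTINFO + hashlib.sha256(message).digest()
    return b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t


def sign_jwt(claims: dict, key: dict) -> str:
    compact = lambda obj: b64url(json.dumps(obj, separators=(",", ":")).encode())
    signing_input = compact({"alg": "RS256", "kid": key["kid"]}) + "." + compact(claims)
    em = int.from_bytes(_emsa_pkcs1_v15(signing_input.encode(), key["k"]), "big")
    sig = pow(em, key["d"], key["n"]).to_bytes(key["k"], "big")
    return signing_input + "." + b64url(sig)


class ManagedCollection:
    """Models a managed certificate collection: a snapshot of the provider's signing
    keys plus refresh(), which re-reads them via the OpenID discovery document."""

    def __init__(self, discovery_url: str):
        self.discovery_url = discovery_url
        self.keys = {}  # kid -> (n, e)

    def refresh(self, fetch):
        """fetch(url) -> str is injected so the example needs no network access."""
        config = json.loads(fetch(self.discovery_url))
        jwks = json.loads(fetch(config["jwks_uri"]))
        fresh = {jwk["kid"]: (int.from_bytes(b64url_decode(jwk["n"]), "big"),
                              int.from_bytes(b64url_decode(jwk["e"]), "big"))
                 for jwk in jwks["keys"]
                 if jwk.get("kty") == "RSA" and jwk.get("use", "sig") == "sig"}
        added = sorted(set(fresh) - set(self.keys))
        removed = sorted(set(self.keys) - set(fresh))
        self.keys = fresh  # keys the provider no longer publishes are dropped
        return added, removed


def verify_jwt(token: str, collection: ManagedCollection, issuer: str) -> str:
    """Return 'ok' or the reason the token was rejected."""
    try:
        h64, p64, s64 = token.split(".")
        header, claims = json.loads(b64url_decode(h64)), json.loads(b64url_decode(p64))
        sig = b64url_decode(s64)
    except ValueError:  # covers binascii.Error and JSONDecodeError
        return "malformed token"
    if header.get("alg") != "RS256":
        return "unsupported alg"
    key = collection.keys.get(header.get("kid"))
    if key is None:
        return "unknown kid (collection stale?)"
    n, e = key
    k = (n.bit_length() + 7) // 8
    if len(sig) != k:
        return "bad signature length"
    em = pow(int.from_bytes(sig, "big"), e, n).to_bytes(k, "big")
    if em != _emsa_pkcs1_v15((h64 + "." + p64).encode(), k):
        return "bad signature"
    if claims.get("iss") != issuer:
        return "issuer mismatch"
    return "ok"


def rotation_scenario() -> dict:
    """Constructed provider that rotates its signing key; returns each check's outcome."""
    issuer = "https://idp.example.invalid"  # constructed issuer URL
    old_key = make_keypair("key-2024-01", (1 << 521) - 1, (1 << 607) - 1)
    new_key = make_keypair("key-2024-07", (1 << 127) - 1, (1 << 1279) - 1)
    docs = {issuer + "/.well-known/openid-configuration":
                json.dumps({"issuer": issuer, "jwks_uri": issuer + "/jwks"}),
            issuer + "/jwks": json.dumps({"keys": [public_jwk(old_key)]})}
    collection = ManagedCollection(issuer + "/.well-known/openid-configuration")
    collection.refresh(docs.get)
    out = {"old_key": verify_jwt(sign_jwt({"iss": issuer, "sub": "alice"}, old_key),
                                 collection, issuer)}
    # Provider rotates: from now on only the new key is published.
    docs[issuer + "/jwks"] = json.dumps({"keys": [public_jwk(new_key)]})
    token = sign_jwt({"iss": issuer, "sub": "alice"}, new_key)
    out["new_key_before_refresh"] = verify_jwt(token, collection, issuer)
    out["refresh"] = collection.refresh(docs.get)  # what the periodic update does
    out["new_key_after_refresh"] = verify_jwt(token, collection, issuer)
    h64, _, s64 = token.split(".")  # same header and signature, altered payload
    altered = b64url(b'{"iss":"%s","sub":"bob"}' % issuer.encode())
    out["altered_payload"] = verify_jwt(h64 + "." + altered + "." + s64, collection, issuer)
    return out


if __name__ == "__main__":
    for name, outcome in rotation_scenario().items():
        print(f"{name}: {outcome}")
```

Running the script shows the sequence the managed collection is designed to avoid: the token signed with the rotated key is rejected with "unknown kid" until `refresh()` runs, after which it verifies, while a token whose payload was altered still fails the signature check. The refresh itself is what the "managed" option schedules for you, and it is also why the manager URL must be trusted, since the collection is only as good as the endpoint it is refreshed from.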

Finishing up the wizard setup (the rest of the setup is covered in the 1st part of the blog post)

Step 5. Here a new certificate collection will be created for the JWT provider

A default name for the collection is proposed, but you can change it to your liking. The input is validated to check whether a certificate collection with this name already exists.

In addition, you make the certificate collection a managed one by ticking the corresponding box.

[Screenshot: pavlomelnyk_0-1731420858969.png]

A separate, unmanaged certificate collection is also needed: it holds the trust for the automatic, periodic manager URL evaluation performed by SAP HANA Cloud.

Step 6. Trust for Managed Certificate Collection 

If a global root certificate collection already exists, you can choose to use it (recommended), or you can create a new certificate collection for the trust. This is what we are going to do.

[Screenshot: pavlomelnyk_1-1731420877168.png]

You will need to specify the name of the new trust collection. A default name is suggested, which should be different from the name of the managed certificate collection chosen in the previous step.

Step 7. Certificate for Trust Certificate Collection 

In this step, you can specify which certificate is to be added to the trust certificate collection. 

If a suitable root certificate has already been imported into SAP HANA Cloud, you can choose to use it. A suitable root certificate is one whose subject equals its issuer (hence "root"), and it has to be the uppermost certificate in the certificate chain presented during the manager URL evaluation.

[Screenshot: pavlomelnyk_2-1731420896680.png]

The chosen certificate is added to the trust certificate collection, and you can proceed to the Review step to finish setting up the JWT identity provider.

If you do not have a suitable root certificate already imported into SAP HANA Cloud, you can upload and import a new certificate:

[Screenshot: pavlomelnyk_3-1731420912120.png]

Review and creation of identity provider 

After you press the "Review" button, all the information is checked.

If this check finds an error in one or several steps, for example because a step was changed after you had already moved on to a subsequent step, a message popover is displayed indicating which steps contain invalid input.

You can navigate from these messages to the corresponding steps to correct the input. 

[Screenshot: pavlomelnyk_4-1731420928552.png]

After the final check is completed, all specified data is listed on the Review page. You can still edit the settings by pressing one of the "Edit" buttons for the individual steps.

[Screenshot: pavlomelnyk_5-1731420942433.png]

After successful execution, a summary page is displayed listing the performed actions: 

[Screenshot: pavlomelnyk_6-1731420954398.png]

You can now close the summary with the "Close" button and, if the managed certificate collection could not be updated, analyse why (e.g. a wrong certificate was used for the trust).

From the identity provider details page, which is displayed after closing the summary page, you can easily navigate to the details of the managed certificate collection. There you can try another manual update, navigate to the certificate collection for the manager URL trust to correct it, etc.:

[Screenshot: pavlomelnyk_7-1731420972212.png]

With that, we conclude our two-part blog post about the guided wizard for identity provider setup in SAP HANA Cloud and SAP HANA on-premise.

Big thanks to the SAP HANA Development and Design team, without the help of whom this blog post would not have been possible! 

Additional resources:

*With the migration of SAP HANA Cockpit functionality into SAP HANA Cloud Central, all of the documentation for these features has also been migrated to the SAP HANA Cloud docu set.

Moreover, SAP HANA Cloud Central has in-app help that can be accessed by clicking the “?” icon in the shellbar. This in-app help is extensive and also contains links off to relevant content in the cloud docu set. 

**PSE stands for Personal Security Environment. PSEs are containers for security credentials, specifically certificates and cryptographic keys, used to establish secure communications and authenticate users or systems. PSEs store these certificates and keys in a structured, encrypted format, enabling SAP HANA Cloud to support secure communication protocols such as SSL/TLS for encrypted data transfer. 

In SAP HANA Cloud, PSEs are often used in scenarios involving secure connections to identity providers, third-party applications, or other SAP systems, ensuring data integrity and confidentiality in distributed environments. 

The following links may also be useful: 

For SAP data lake (SAP HANA Cloud) administration: SAP HANA Cloud, Data Lake Administration Guide for Data Lake Relational Engine

For SAP HANA Cloud administration: SAP HANA Cloud Administration Guide

For SAP HANA database (SAP HANA Cloud) administration: SAP HANA Cloud, SAP HANA Database Administration Guide

Also, the SAP HANA Cloud Database Administration with SAP HANA Cockpit guide still exists, but will not be updated or maintained going forward.