As you may know, within the HANA tooling (either HANA Cloud Central* or HANA Cockpit) you can set up your own identity providers to enable Single Sign-On.
From now on, to simplify this journey and give you a smooth and approachable way of setting them up, we are introducing Guided Provider Creation of those identity providers for JWT and SAML.
The guided app wizard streamlines identity provider integration by automatically reading configurations, certificates, and keys from OpenID providers, reducing manual effort and errors. It combines the functions of the JWT provider, Certificates, and Certificate Collections apps, simplifying identity management and enhancing security in one unified solution. This consolidation minimizes operational complexity and costs, allowing businesses to efficiently manage identity configurations at scale.
For more details on Identity Providers, please see:
Guided Wizard with managed Certificate Collections (or PSEs**)
In the 1st part of the blog post, we set up a JWT identity provider for SSO with the help of the Guided Wizard. We finished on Step 5, where we decided not to tick the box for "Managed Certificate Collection", or in short "Managed PSEs".
So, in this part, we will explore in more detail what this feature is, why it is needed, and how to finish an identity provider setup with "Managed PSEs".
What is it all about and why is it simplifying the management of certificates and public keys?
As we have already learnt, a wizard-based application was released for the guided creation of JWT/SAML identity providers. In one of the steps, the wizard walks through the creation of a certificate collection for verifying the signature of the JWT provider's tokens.
Up to now, the current certificates and/or public keys for this collection were taken from the OpenID configuration, imported into SAP HANA Cloud and added to the new certificate collection by the wizard application.
Usually, the certificates and/or public keys in the OpenID configuration are updated regularly and would have to be updated in the certificate collection accordingly each time this happens.
With this feature, a managed certificate collection can be created instead for verifying the JWT provider token signatures, and everything is configured so that this certificate collection is automatically updated periodically.
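As an added illustration (not part of the original post or of the SAP tooling), the following Python sketch models what a managed collection does on each periodic update: it reads the jwks_uri from an OpenID discovery document, keeps only the signing keys, and computes which key IDs to add or remove so that a rotated key does not break token verification. The discovery document, the two JWKS versions and the refusal to apply an empty key set are my own constructed assumptions.

```python
import json
from typing import Dict, Set, Tuple
from urllib.parse import urlsplit

# Constructed sample documents (not real provider data): the OpenID discovery
# document and the JWKS it points to, before and after the provider rotates keys.
OPENID_CONFIGURATION = json.dumps({
    "issuer": "https://idp.example.test",
    "jwks_uri": "https://idp.example.test/oauth2/keys",
})
JWKS_BEFORE = json.dumps({"keys": [
    {"kty": "RSA", "kid": "key-2023", "use": "sig", "n": "AQAB", "e": "AQAB"},
]})
JWKS_AFTER = json.dumps({"keys": [
    {"kty": "RSA", "kid": "key-2024", "use": "sig", "n": "AQAB", "e": "AQAB"},
    {"kty": "RSA", "kid": "key-2023", "use": "sig", "n": "AQAB", "e": "AQAB"},
    {"kty": "EC", "kid": "enc-1", "use": "enc", "crv": "P-256", "x": "AA", "y": "AA"},
]})

def manager_url_from_discovery(discovery_json: str) -> str:
    """Return the jwks_uri, i.e. the URL a managed collection polls periodically.
    It must be https: the trust collection only protects a TLS fetch of this URL."""
    url = json.loads(discovery_json)["jwks_uri"]
    if urlsplit(url).scheme != "https":
        raise ValueError(f"manager URL must use https: {url}")
    return url

def signing_keys(jwks_json: str) -> Dict[str, dict]:
    """Index a JWKS by kid, keeping only keys usable for signature verification."""
    keys: Dict[str, dict] = {}
    for jwk in json.loads(jwks_json)["keys"]:
        if jwk.get("use", "sig") != "sig":  # encryption keys never verify tokens
            continue
        if "kid" not in jwk:
            raise ValueError("JWK without kid cannot be tracked in a collection")
        keys[jwk["kid"]] = jwk
    return keys

def plan_refresh(collection: Set[str], jwks_json: str) -> Tuple[Set[str], Set[str]]:
    """Return (kids to add, kids to remove) so the collection matches the JWKS.
    A managed collection applies this on every update; an unmanaged one keeps the
    stale set and rejects tokens signed with a newly rotated key."""
    published = set(signing_keys(jwks_json))
    if not published:  # never wipe the collection on a bad or empty fetch
        raise ValueError("JWKS publishes no signing keys; refusing to update")
    return published - collection, collection - published

def token_kid_accepted(collection: Set[str], token_header: dict) -> bool:
    """Is the kid named in a token's (unverified) header present in the collection?"""
    return token_header.get("kid") in collection
```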
Finishing up the wizard setup (the rest of the setup is described in the 1st part of the blog post)
Step 5. Here, a new certificate collection is created for the JWT provider
A default name for the collection is proposed, but you can change this name to your liking. The input is validated to check whether a certificate collection with this name already exists.
On top of that, tick the corresponding box to make your certificate collection a managed one.
An unmanaged certificate collection is also needed: it holds the trust for the automatic, periodic evaluation of the manager URL by SAP HANA Cloud.
Step 6. Trust for Managed Certificate Collection
If this global root certificate collection exists, you can choose that this one should be used (recommended), or you can create a new certificate collection for the trust. This is what we are going to do.
You will need to specify the name of the new trust collection. A default name is suggested for the collection, which should be different from the name of the managed certificate collection from the step before.
Step 7. Certificate for Trust Certificate Collection
In this step, you can specify which certificate is to be added to the trust certificate collection.
If a suitable root certificate has already been imported into SAP HANA Cloud, you can choose to use this certificate. A suitable root certificate is a certificate with subject = issuer (hence "root"), and it has to be the topmost certificate in the certificate chain presented during the manager URL evaluation.
A suitable certificate will be added to the trust certificate collection, and you can go to review step to finish up setting up the JWT identity provider.
If you do not have a suitable root certificate already imported in the SAP HANA Cloud, you can upload and import a new certificate:
Review and creation of identity provider
After you press the "Review" button, all the information is checked.
If this check finds an error in one or several steps (due to invalid changes made after a step was already left for its subsequent step), a message popover is displayed indicating which steps contain invalid input.
You can navigate from these messages to the corresponding steps to correct the input.
After the final check is completed, all specified data is listed on the Review page. You can still edit the settings by pressing one of the step "Edit" buttons.
After successful execution, a summary page is displayed listing the performed actions:
You can now close the summary with the "Close" button and analyse why the managed certificate collection could not be updated (e.g. a wrong certificate was used).
You can easily navigate from the identity provider details page, which is displayed after closing the summary page, to the details of the managed certificate collection. There you can try another manual update, navigate to the certificate collection for the manager URL trust to correct it, and so on:
With that, we are concluding our two-part blog post series about the guided wizard for identity provider setup in SAP HANA Cloud and SAP HANA on-premise.
Big thanks to the SAP HANA Development and Design team, without the help of whom this blog post would not have been possible!
Additional resources:
*With the migration of SAP HANA Cockpit functionality in SAP HANA Cloud Central, all of the documentation for these features has also been migrated to the SAP HANA Cloud docu set.
Moreover, SAP HANA Cloud Central has in-app help that can be accessed by clicking the “?” icon in the shellbar. This in-app help is extensive and also contains links off to relevant content in the cloud docu set.
**PSE stands for Personal Security Environment. PSEs are containers for security credentials, specifically certificates and cryptographic keys, used to establish secure communications and authenticate users or systems. PSEs store these certificates and keys in a structured, encrypted format, enabling SAP HANA Cloud to support secure communication protocols such as SSL/TLS for encrypted data transfer.
In SAP HANA Cloud, PSEs are often used in scenarios involving secure connections to identity providers, third-party applications, or other SAP systems, ensuring data integrity and confidentiality in distributed environments.
The following links may also be useful:
For SAP data lake (SAP HANA Cloud) administration: SAP HANA Cloud, Data Lake Administration Guide for Data Lake Relational Engine
For SAP HANA Cloud administration: SAP HANA Cloud Administration Guide
For SAP HANA database (SAP HANA Cloud) administration: SAP HANA Cloud, SAP HANA Database Administration Guide
Also, the SAP HANA Cloud Database Administration with SAP HANA Cockpit still exists, but will not be updated or maintained going forward.