Is it possible to use own IdP User for SAP HANA CLOUD DB User?

TillHeinen
Participant

Hi,

We set up an own IDP and a HANA Cloud DB app +instance on SAP BTP.

SSO is possible for the APP, and it just need the user created on IdP.

But my question is if it is possible to reuse/synchronize this user also as DB User. From what I understand now its only possible with LDAP.

Any tips?

Thanks in advance!

SAP HANA Cloud SAP HANA Cloud, SAP HANA database SAP Cloud Identity Services 

Accepted Solutions (1)

Willem_Pardaens
Product and Topic Expert

"Using this IdP user as database user" can mean 2 things, so just answering for both:

1. Either: Allow the IdP user to log in to HANA Cloud instead of using the internal users created in HANA Cloud. Yes, this is possible, see for example here where the SAP Identity Authentication service (IAS) is used as IdP for HANA Cloud: https://community.sap.com/t5/technology-blogs-by-sap/setup-single-sign-on-in-sap-hana-cloud-administ...

2. Or: Use the IdP user within the CAP application to connect to HANA Cloud to retrieve app data. This is not advised. CAP uses a single/central technical user to connect to the database, and you will have to use the authorization framework (@requires) to restrict access based on the user's profile/roles. If every user/session would require its own database connection this would introduce a lot of latency in opening/closing connections.
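To make point 2 concrete, here is an added CDS example (not code from the original answer, and not from any SAP sample project) of the pattern described: the CAP service reaches HANA Cloud through the single technical user from its service binding, while per-user access control is expressed with `@requires` and `@restrict` on the service and its entities. The entity, service, role names (`Viewer`, `OrderAdmin`) and the `$user.region` attribute are all hypothetical; in a real project the role names correspond to scopes in `xs-security.json`, exposed as role collections that are assigned to the IdP/IAS user groups, as the later replies in this thread discuss.

```cds
using { cuid, managed } from '@sap/cds/common';

namespace my.orders;

// Plain data model. The database connection used to read and write this table
// belongs to the one technical user from the HANA Cloud service binding; no
// per-user database connection is opened.
entity Orders : cuid, managed {
  customer : String(100);
  amount   : Decimal(10,2);
  region   : String(10);   // hypothetical attribute used for row-level filtering
}

// Every request must carry an authenticated user. The user identity comes from
// the IdP via the app router / XSUAA token, not from a database user.
service OrderService @(requires: 'authenticated-user') {

  // Role-based and instance-based restriction on the projection:
  //  - 'Viewer' may only READ rows whose region matches the user's own
  //    region attribute ($user.region is a hypothetical user attribute
  //    maintained in the IdP/IAS and passed through the token).
  //  - 'OrderAdmin' may do anything on this entity.
  entity Orders @(restrict: [
    { grant: 'READ', to: 'Viewer', where: 'region = $user.region' },
    { grant: '*',    to: 'OrderAdmin' }
  ]) as projection on my.orders.Orders;

  // An unbound action that only administrators may call.
  @(requires: 'OrderAdmin')
  action closeAll();
}
```

With this in place, two users hitting `OrderService` concurrently share the same database connection pool, and the CAP runtime rejects or filters requests before they reach HANA based on the roles and attributes in the incoming token, which is exactly why a dedicated database user per IdP identity is not needed for application access.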

TillHeinen
Participant

Thanks @Willem_Pardaens! I followed the instructions of answer one. But in step 3 you need to create a database user.

My question is whether I can somehow skip this step, so that my user from the IdP is automatically created as a DB user.

E.g. when I use SAP Build or Integration Suite, all I do is 1) create a user in Cloud Identity Services and associate a user group, 2) associate this user group on BTP with the necessary role collections.

-> I don't need to match and map, nor create the user again.

This is the main difference from the case of the HANA Cloud DB: it works fine at the application level but not at the DB user level.

Willem_Pardaens
Product and Topic Expert
Ok, thanks for the clarification. This is not supported apart from LDAP at this point in time indeed, but is on the roadmap for non-LDAP (using Identity Provisioning): https://roadmaps.sap.com/board?PRODUCT=73554900100800002881&q=provision&range=FIRST-LAST#;INNO=1FB69...

Answers (1)

Jakub_Roguski
Product and Topic Expert

I'm not sure if I understood your need correctly, but if you want to give access to the HANA Cloud Central and HANA Cloud DB Explorer to the users defined in the IdP, then it is very simple - all you need to do is to set up your IAS tenant, connect your IdP to the IAS, establish trust between the HANA Cloud subaccount and IAS and map IAS user groups to BTP subaccount role collections:

1. Set up your IAS,

2. Connect your IdP to your IAS,

3. Go to BTP cockpit,

4. Go to your HANA Cloud subaccount,

5. Go to "Security" -> "Trust Configuration",

6. Establish trust with your IAS,

7. Map IAS HANA Cloud users group to HANA Cloud role collections in the HANA Cloud subaccount

That's all.