Using Multiple Identity Providers in SAP HANA Cloud Administration Tooling

Recently, we introduced support for multiple identity providers (IdPs) in the SAP HANA Cloud administration tools (SAP HANA Cloud Central, SAP HANA cockpit, and SAP HANA database explorer). The benefit of using a custom IdP is that SAP HANA Cloud users can now be authenticated by their company’s IdP, as opposed to authentication via SAP ID Service. An identity provider creates and manages an organization’s user identity and associated identity attributes. With the user’s consent, IdPs offer authentication services to websites, applications, and other services by federating the identity and authenticating an end-user to the service provider using the identity the IdP manages, but without sharing actual login details. The basic mechanism of using custom IdP is as follows:

1. User tries to access Application1 or Application2.

2. Application1 or Application2 sends an authentication request to the Identity Authentication Service.

3. Identity Authentication acts as a proxy and forwards the request to corporate IdP.

4. Corporate IdP logs on the user.

5. Corporate IdP returns authentication response to Identity Authentication.

6. Identity Authentication returns authentication response to Application1 or Application2. 

Prerequisites for the setup (This is a customer-specific procedure. Steps are going to be different depending on the IdP you use. In my setup, I followed the following steps to configure custom IdP to login to the cockpit. So, please be informed that these steps are just for reference and you may need to do it differently to configure custom IdP in your environment):

◉ Request an Identity Authentication Service (IAS) tenant.

◉ Establish Trust of Custom Identity Providers: Establish Trust and Federation of Custom Identity Providers for Platform Users in Multi-Environment Subaccounts [Feature Set A] – SAP Help Portal

◉ Login to the IAS you created.

◉ Go to Users & Authorizations -> User Management -> Add User. Fill in the information and choose the way to activate the account.

◉ You will receive an email. Follow the steps to activate the account.

◉ Sign in to SAP Business Technology Platform (BTP) using your custom IdP.

Let’s conclude with an example by logging into the SAP HANA cockpit tool with the custom IdP that I’ve created:

◉ Complete the space setup as mentioned above and then go to the SAP BTP Cockpit.

◉ Create an SAP HANA database instance in your space.

◉ Go to actions and open the instance in the SAP HANA cockpit.

◉ Sign in using your custom IdP.

◉ Enter the username and password you used to activate the account and there you go.

Congratulations! You have successfully logged in using your custom IdP.