dtosato

Reputation: 129

Does SSO authentication on SAP HANA 2 with XSA and Azure Active Directory as IDP really work?

I am testing the SSO authentication on SAP HANA 2 with XSA and Azure Active Directory (AAD) as IDP, and the result is quite discouraging. Even though the configuration of the systems is simple, the problem is that the user identifier configured in AAD is misinterpreted by HANA with XSA, whereas it is correctly interpreted by HANA with XSC. Looking at the configuration on Azure

(screenshot: Azure user attribute configuration)

you can see that the exact mail prefix is used, but when I sign in through AAD on HANA with my account (DTOSATO@) the result on Azure is as follows

(screenshot: Azure sign-in result)

Since my user is not "5PRfJbLrfKuEem_B1VeUaxMO2sBHe_oTYuJCXLc91Oc", I can imagine that this is a new HANA user (created dynamically). The funny thing is that if I change the user identifier configured in AAD to "user.userprincipalname", I obtain the following result.

(screenshot: sign-in result with user.userprincipalname)

It seems that "user.userprincipalname" is the email, why?! Moreover, even guessing the "right" combination of parameters (see the following image)

(screenshot: Azure parameter combination)

AAD sends HANA the lower-case version of the email I configured in Azure (which is shown in the following image).

(screenshot: email configured in Azure)

Thus, the authentication process fails because the matching performed by HANA is case sensitive and it assumes that user names must be upper-case, as you can see in the image below.

(screenshot: HANA user names in upper-case)

So, apparently it is not possible to log in with SSO with HANA 2 + XSA and AAD. Is that right?

Upvotes: -1

Views: 919
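An added diagnostic example, not code from the question or the answer: it parses a constructed, unsigned SAML response of the general shape described above, pulls out the NameID that HANA would match on, and shows why an exact comparison against an upper-case external identity fails while a case-folded one succeeds. The tenant id, the mail domain and the identity table are placeholders.

```python
import xml.etree.ElementTree as ET

# SAML 2.0 namespaces used in the response
NS = {"saml2p": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml2": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample: a trimmed, unsigned response of the general shape AAD
# returns. Tenant id and mail domain are placeholders; the lower-case NameID
# reproduces what the question reports AAD sending.
SAMPLE_RESPONSE = """<saml2p:Response xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0">
  <saml2:Assertion ID="_a1" Version="2.0">
    <saml2:Issuer>https://sts.windows.net/TENANT-ID-PLACEHOLDER/</saml2:Issuer>
    <saml2:Subject>
      <saml2:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">dtosato@example.com</saml2:NameID>
    </saml2:Subject>
  </saml2:Assertion>
</saml2p:Response>"""

# Constructed table of SAML external identities -> HANA user names, entered
# upper-case as the question's last screenshot shows HANA expects.
KNOWN_IDENTITIES = {"DTOSATO@EXAMPLE.COM": "DTOSATO"}


def extract_subject(response_xml):
    """Return (NameID value, NameID Format) from the first assertion.
    Only the Subject is read; a real SP validates the signature and
    conditions before trusting any value in the response."""
    root = ET.fromstring(response_xml)
    name_id = root.find("saml2:Assertion/saml2:Subject/saml2:NameID", NS)
    if name_id is None or not name_id.text:
        raise ValueError("assertion carries no Subject/NameID")
    return name_id.text.strip(), name_id.get("Format", "unspecified")


def match_identity(name_id, identities, case_insensitive=False):
    """Map a NameID to a HANA user, or None. The default exact comparison is
    the behaviour the question describes; case_insensitive=True shows what
    would have to change on one side for the lower-cased NameID to match."""
    for external, hana_user in identities.items():
        if external == name_id:
            return hana_user
        if case_insensitive and external.casefold() == name_id.casefold():
            return hana_user
    return None
```

Running `extract_subject` on the real response captured from a browser's SAML trace (after signature validation) shows exactly which NameID and Format the IdP sent, which is the value HANA's identity mapping must equal character for character.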

Answers (1)

I'm working in an XSA project (SAP HANA 2.0 SPS02), and we were successful activating the SSO by SAML between XSA and MS Azure (external IDP).

You just have to import the IDP metadata XML into XSA as you did, and correctly configure the IDP server. After that we successfully logged in to the XSA environment (I didn't create a user inside the XSA, because it was not necessary).

We had opened an issue in SAP because the user API is pretty limited inside XSA, and we can't access basic data such as e-mail and name inside our UI5 applications (it's an API problem, not an assertion problem in SSO). But the SSO is working fine for our applications.

Upvotes: -1
