Identity and Access Management
In your web browser, log on to the SAP HANA Cloud Platform Cockpit and select an account. Choose the Security –> Trust section, then the Trusted Identity Provider tab page.
SAP ID Service
If you don't have a corporate identity management infrastructure, you can use SAP ID Service as the default trusted identity provider (Configuration Type: Default) out of the box, without configuring SSO or identity federation. Trust in SAP ID Service is preconfigured on SAP HANA Cloud Platform, so you can start using it without further configuration.
With it you get features such as a managed user base, user provisioning, corporate branding (logo), and social IdP integration.
An SAP S-user ID is a unique number that SAP uses to identify people on its web portals and databases. SAP creates the first S-user ID for a new customer and assigns this user the highest level of authorization; the user receives a letter containing the user ID and an initial password. Your company's user administrators manage your S-user IDs and authorizations. For security reasons SAP is not allowed to create additional S-user IDs for customers or to assign authorizations to such S-users.
Administrators can't change passwords for their company's S-users (SAP Note 2288884).
S-Users must change their own password by using the SAP Cloud Identity application: https://accounts.sap.com/ui/protected/profilemanagement.
SAP Cloud Identity Service
If you want to use SAP HANA Cloud Platform in a productive landscape, purchase a customer account or join a partner account. In that case SAP Cloud Identity service does not authenticate the users registered in the SAP Service Marketplace; it maintains its own user store for administrators and users.
Once you purchase an SAP HANA Cloud Platform account, a user account for SAP Cloud Identity service is created for the contact person specified in the Order Form. This contact person is the first administrator in the administration console for SAP Cloud Identity service and receives an activation e-mail for the administration console account with the subject "Activate Your Account for Administration Console". After following the required steps, the administrator's account is active and the administrator can open the administration console for SAP Cloud Identity service via the console's URL.
The URL follows the pattern https://<tenant ID>.accounts.ondemand.com/admin, where the tenant ID is generated automatically by the system. The URL in the activation e-mail received by the first administrator contains this tenant ID.
You can register an SAP Cloud Identity tenant as an identity provider for your account by choosing SAP HANA Cloud Platform Cockpit –> Trust –> Local Service Provider –> Configuration Type –> Custom.
Once SAP Cloud Identity service is set as the trusted identity provider for an SAP HANA Cloud Platform account, all applications and services in that account share the same trust and configuration settings. If you need different settings for different applications or services, open a new account (see Creating Accounts), add the SAP Cloud Identity tenant to the new account, and repeat the trust configuration steps above for each account.
You must also configure a trusted service provider in the administration console for SAP Cloud Identity service, either by uploading the service provider's metadata or by entering the service provider information manually: click the Applications tile, choose the application you want to edit, and open the Trust tab.
With SAP HANA Cloud Platform Identity Authentication you can decide which applications to protect with two-factor authentication. For such an application, after the user has supplied a valid user name and password, a one-time password (OTP, also called a passcode) is required as the second factor: a 6-digit code (for example 899866) that expires after 30 seconds. To generate passcodes, users install SAP Authenticator on their mobile device; it is a free app available for iOS, Android and Windows. Note that the passcode proves possession of the enrolled device, and its short lifetime limits how long a captured code is useful, but it does not by itself stop a real-time phishing proxy that relays both factors.
To enable it, open the Administration Console of Identity Authentication service and go to "Applications and Resources" –> "Applications" in the left menu. Choose your application from the list, open the "Authentication and Access" tab, choose "Risk-Based Authentication", change Default Action from "Allow" to "Two-Factor Authentication", and click "Save".
Identity Federation with a Corporate Identity Provider
SAP HANA Cloud Platform applications can delegate authentication and identity management to an existing corporate IdP that, for example, already authenticates your company's employees. The aim is a simple and flexible solution: your employees (or customers, partners, and so on) sign on with their corporate credentials, without a separate user store and account in SAP HANA Cloud Platform. All information SAP HANA Cloud Platform needs about the employee is passed securely as part of the logon, based on a proven and standardized security protocol. There is no need to run additional systems that take care of user account synchronization or provisioning between the corporate network and SAP HANA Cloud Platform; only configuration of components that already exist on both sides is needed, which simplifies administration and lowers total cost of ownership significantly. Existing applications can be made federation-aware without changing a single line of code.
If you want to add an SAP Cloud Identity tenant that is not linked to your SAP user, register it like any other identity provider: set up the trust settings on both the SAP HANA Cloud Platform side and the SAP Cloud Identity tenant side. SAP Cloud Identity service can in turn act as a proxy identity provider with a corporate directory behind it; for example, Microsoft Azure Active Directory can be the main authentication authority for the applications. Authentication requests sent to SAP Cloud Identity service are then redirected to Azure AD, and user management and authentication happen on the Azure AD side.
Using an On-Premise User Store
If you already have an existing on-premise system with a populated user store, you can configure SAP HANA Cloud Platform applications to use that on-premise user store. This approach is similar to implementing identity federation with a corporate identity provider. In that way, applications do not need to keep the whole user database, but request the necessary information from the on-premise system.
You can use two types of on-premise user store:
- SAP Single Sign-On with an SAP NetWeaver Application Server for Java system – the applications on SAP HANA Cloud Platform connect to the SAP on-premise system using the Destination API (and, if necessary, SAP HANA Cloud Connector) and make use of the user store there
- Microsoft Active Directory – an LDAP server that can serve as an on-premise user store. The applications on SAP HANA Cloud Platform connect to the LDAP server through SAP HANA Cloud Connector and make use of the user store there.
SAP Cloud Connector
SAP Cloud Connector is a simple on-premises integration agent that allows highly secure and reliable connectivity between your cloud applications and on-premises systems.
The cloud connector runs as an on-premise agent in a secured network and acts as a reverse invoke proxy between the on-premise network and SAP HANA Cloud Platform. Because the connector opens the connection outbound, you don't need to configure the on-premise firewall to allow inbound access from the cloud to internal systems.
SAP Cloud Connector initiates encrypted connections to cloud applications from inside the on-premise network to the cloud and provides a set of capabilities to secure access to on-premise systems, like fine-grained access control lists of both allowed cloud and on-premises resources, trust relation with on-premises systems based on X.509 certificates, and fine-grained audit logging for traceability.
After a fresh Cloud Connector installation, no system or resource of the network is exposed to the cloud yet. The Cloud Connector administrator must configure each system and resource that is to be used by applications of the connected cloud account in the Access Control view of the Cloud Connector. The recommendation is to narrow access to exactly those backend services and resources the cloud applications explicitly need.
For example, define access to an HTTP service by specifying the service URL root path and allowing access to all its sub-paths; prefer the path-only option where a single endpoint suffices, and never expose a root such as / with all sub-paths, which opens the whole server. If the RFC protocol is used to call on-premise function modules from the cloud, those specific function modules must be added as resources in the Cloud Connector's access control.
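The access-control decision above (an exposed path, with or without its sub-paths, plus explicitly listed function modules) is simple to state and easy to implement unsafely. The following added example, which is not Cloud Connector code and not part of the original page, models the decision to show two pitfalls a practitioner checks for: a naive prefix match that lets /sap/opu/odata also admit /sap/opu/odataX, and dot-segment or percent-encoded traversal that escapes the allowed root unless the path is canonicalized first. The labels "Path only" / "Path and all sub-paths" and the exact-name / prefix choice for function modules are assumed to correspond to the Cloud Connector's options; the access list itself is constructed.

```python
import posixpath
from dataclasses import dataclass
from urllib.parse import unquote, urlsplit


@dataclass(frozen=True)
class HttpResource:
    """One exposed HTTP path. include_subpaths mirrors the assumed Cloud Connector choice
    between "Path only" (False) and "Path and all sub-paths" (True)."""
    path: str
    include_subpaths: bool = False


@dataclass(frozen=True)
class RfcResource:
    """One exposed function module. prefix=True exposes every module whose name starts with
    `name` (assumed to correspond to the exact-name / prefix choice in the Cloud Connector)."""
    name: str
    prefix: bool = False


def canonical_path(raw: str) -> str:
    """Decode percent-encoding once and collapse '.' and '..' so the decision is made on the
    path the backend will actually resolve, not on the bytes as sent."""
    path = posixpath.normpath(unquote(raw) or "/")
    if not path.startswith("/"):
        path = "/" + path
    return path


def http_allowed(url: str, resources) -> bool:
    path = canonical_path(urlsplit(url).path)
    for res in resources:
        allowed = canonical_path(res.path)
        if path == allowed:
            return True
        # Sub-path matching must respect the segment boundary: '/sap/opu/odata' must not
        # admit '/sap/opu/odataX', which a plain startswith() on the string would accept.
        if res.include_subpaths and path.startswith(allowed.rstrip("/") + "/"):
            return True
    return False


def rfc_allowed(function_module: str, resources) -> bool:
    name = function_module.upper()
    for res in resources:
        if res.prefix and name.startswith(res.name.upper()):
            return True
        if not res.prefix and name == res.name.upper():
            return True
    return False


# Constructed access-control list for one backend: OData services with all sub-paths,
# a health-check endpoint as path only, one exact function module and one custom prefix.
EXPOSED_HTTP = (
    HttpResource("/sap/opu/odata", include_subpaths=True),
    HttpResource("/sap/bc/ping"),
)
EXPOSED_RFC = (
    RfcResource("RFC_PING"),
    RfcResource("Z_SALES_", prefix=True),   # a prefix like "BAPI_" or "" would expose far too much
)
```

The model decodes exactly once; a backend that decodes again would see a different path, so the safe configuration is the one where the exposed root is narrow enough that no decoding ambiguity matters.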
Java EE Roles
Roles let you control access to application resources in SAP HANA Cloud Platform as specified in Java EE. In SAP HANA Cloud Platform you can assign groups or individual users to a role. Groups are collections of roles that let you define business-level functions within your account; they correspond to the business roles that exist in an organization. The roles assigned to a user determine which permissions that user is granted on a particular set of resources in an application.
How users are assigned to roles is server dependent. In SAP HANA Cloud Platform Cockpit, choose Applications –> Java Applications –> app_name –> Roles to assign users to the defined roles.