Hi HANA Experts,

In short: SAML SSO with email as identifier in HANA- without pre-creating every single HANA user and setting it's external identifier - what can I do?

Using HANA2 (not on HCP), we enabled SSO with SAML. Now with some IDPs the SAML assertion uses email as identifier. When we use dynamic user creation, HANA will refuse the creation, because of the special characters like dots and @ sign.

Also when pre-creating HANA user and allow "Any", those email based identifiers will not get accepted by HANA.

Only if a user is pre-created and external id is set to that email, then SSO with SAML works. The problem is that users need to be pre-created and that it will create a huge list of HANA users.

So is there any work-around so that dynamic user creation with email will work? Or what can we do to have one HANA user, which will accept SAML assertions of one IDP based certificate with identifier "ANY" and then in the application the actual email can be read. Any hint or pointer is welcome!

Thank you in advance!

-Mario