
Does SSO authentication on SAP HANA 2 with XSA and Azure Active Directory as IDP really work?

Oct 20, 2017 at 10:58 AM



Hi all,

I have attended some of Thomas Jung's courses on XSA and now I am testing the SSO authentication on SAP HANA 2 with XSA and Azure Active Directory (AAD) as IDP, and the result is quite discouraging. Even if the configuration of the systems is simple, the problem is that the user identifier configured in AAD is misinterpreted by HANA with XSA, whereas it is correctly interpreted by HANA with XSC. Looking at the configuration on Azure

you can see that the exact mail prefix is used, but when I sign in through AAD on HANA with my account (DTOSATO@<domain>) the result on Azure is as follows

Since my user is not "5PRfJbLrfKuEem_B1VeUaxMO2sBHe_oTYuJCXLc91Oc", I can imagine that this is a new HANA user (created dynamically). The funny thing is that if I change the user identifier configured in AAD to "user.userprincipalname", I obtain the following result.

It seems that the user.userprincipalname is the email, why?! Moreover, even guessing the "right" combination of parameters (see the following image)

AAD sends to HANA the lower-case version of the email I configured into Azure.

Thus, the authentication process fails because the matching performed by HANA is case sensitive and it assumes that user names must be upper-case, as you see in the image below.

So, apparently it is not possible to log in with SSO with HANA 2 + XSA and AAD. Is that right?

hana-login.png (201.5 kB)
azure-sso-conf.png (33.8 kB)
hana-login2.png (284.8 kB)
mail-azure.png (7.5 kB)
hana-user.png (120.8 kB)
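
A diagnostic sketch for the mismatch described in the question, added here as an example and not part of the original post or of SAP's or Microsoft's code. It assumes the SSO exchange is SAML 2.0 (the post does not say so), uses a placeholder domain and hypothetical function names, and applies the exact, case-sensitive comparison the post reports.

```python
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
PERSISTENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
EMAIL = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"


def sample_assertion(name_id, fmt):
    """Build a constructed, unsigned assertion fragment (not captured traffic)."""
    return (f'<saml:Assertion xmlns:saml="{NS["saml"]}"><saml:Subject>'
            f'<saml:NameID Format="{fmt}">{name_id}</saml:NameID>'
            f'</saml:Subject></saml:Assertion>')


def extract_name_id(xml_text):
    """Return (value, format) of the first NameID in the assertion.

    Diagnostic only: no signature validation is done here. For responses
    from a real IdP, parse with a hardened XML parser such as defusedxml.
    """
    node = ET.fromstring(xml_text).find(".//saml:NameID", NS)
    if node is None or not (node.text or "").strip():
        raise ValueError("assertion carries no NameID")
    return node.text.strip(), node.get("Format", "unspecified")


def diagnose(xml_text, expected_identity):
    """Classify why a NameID does or does not map to the expected identity.

    expected_identity is the external identity configured for the database
    user (assumed upper-case, as the post describes).
    """
    value, _fmt = extract_name_id(xml_text)
    if value == expected_identity:
        return "match"
    if value.casefold() == expected_identity.casefold():
        return "case-mismatch"        # same identity, different letter case
    if "@" not in value:
        return "opaque-identifier"    # IdP sent a generated ID, not a name
    return "different-identity"


if __name__ == "__main__":
    expected = "DTOSATO@EXAMPLE.INVALID"  # placeholder domain
    for nid, fmt in [("5PRfJbLrfKuEem_B1VeUaxMO2sBHe_oTYuJCXLc91Oc", PERSISTENT),
                     ("dtosato@example.invalid", EMAIL),
                     ("DTOSATO@EXAMPLE.INVALID", EMAIL)]:
        print(nid, "->", diagnose(sample_assertion(nid, fmt), expected))
```
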

0 Answers