SAP HANA database facilitates the integration of different authentication methods. To integrate the SAP HANA database in your environment you need an overview of the supported authentication methods.
There are following options available:
- Direct logon to database with user and password
- Authentication using Kerberos (third party authentication provider)
- Authentication using security assertion markup language (SAML) bearer token
SAP HANA supports the Kerberos protocol for single sign-on. It has been tested with Windows Active Directory Domain Kerberos implementation and MIT Kerberos network authentication protocol. The ODBC database client and the JDBC database client support Kerberos.
To implement this, you need to install the MIT Kerberos client software on the host of the SAP HANA database.
The users stored in the Microsoft Active Directory or the MIT Kerberos Key Distribution Center can be mapped to database users in the SAP HANA database.
For this purpose, specify the user principal name (UPN) as the external ID when creating the database user.
SAML, Security Assertion Markup Language, is the XML-based standard for communicating identity information between organizations. The primary function of SAML is to provide Internet Single Sign-On (SSO) for organizations. SAML is used to securely connect Internet applications that exist both inside and outside the organization’s firewall.
SAML may be selected as a user authentication method when creating users in the SAP HANA studio.
The main purpose of SAML for SAP HANA is to support scenarios where clients are not directly connected to the SAP HANA Database, but to a middle tier application server (XS engine, for example).
• This middle tier application server runs an HTTP server. Whenever the application server needs to connect to the database on behalf of the user, it requests a SAML assertion from the client.
• The assertion is issued by an identity provider after the client was successfully authenticated. The assertion is then forwarded to the SAP HANA database, which will grant access based on the previously established trust to the identity provider.
some words are not accepted as passwords. This black list can be found in table _SYS_SECURITY._SYS_PASSWORD_BLACKLIST
This schema and table are owned by SYSTEM user.