Strategy ONE
Setting Up an SAP HANA Instance with OAuth or SSO
- An Entra ID (formerly Azure AD) app registration properly set up for OAuth. See Configure Entra ID (Formerly Azure AD) with SAP HANA OAuth and Configure Entra ID (Formerly Azure AD) with SAP HANA SSO for more information.
- An up-and-running SAP HANA instance with JWT authentication configured. This is the instance that you will connect to. See Setting Up an SAP HANA Instance with OAuth or SSO.
Run the JWTcurl.sh script
You must use values from your Entra ID app registration to perform the following procedure.
- Use the following bash script template to send a request to Microsoft's authentication service:
curl --location --request POST 'https://login.microsoftonline.com/TenantID/oauth2/v2.0/token' \
--header 'Content-Type: application/x-www-form-urlencoded' \
--header 'Cookie: fpc=Atg3aNcFlnlDrDDXKuiuqpnYpHXVAQAAAKCyodoOAAAA; stsservicecookie=estsfd; x-ms-gateway-slice=estsfd' \
--data-urlencode 'grant_type=password' \
--data-urlencode 'client_id=ClientID' \
--data-urlencode 'client_secret=ClientSecret' \
--data-urlencode 'scope=CreatedScope' \
--data-urlencode 'username=AzureADAdminUser' \
--data-urlencode 'password=AzureADAdminPassword'
- If your script is successful, you will receive a response that contains an access token. Copy the value of the "access_token" string.
- Decode the token using your preferred method. Strategy suggests using jwt.io.
- Copy the 'sub' value.
Use the following table to edit the required values in the template above:
Value | Description
TenantID | The tenant ID of your organization in Entra ID.
ClientID | The client ID of your app registration.
ClientSecret | The client secret for your app registration.
CreatedScope | The scope of your app registration.
AzureADAdminUser | The user name of the Entra ID Admin of your organization.
AzureADAdminPassword | The password of the Entra ID Admin of your organization.
Configure a JWT User for SAP HANA
- In SAP HANA Studio, log in to your instance.
- Open the SQL console and use the following query template:
CREATE JWT PROVIDER my_jwt_provider
WITH ISSUER 'https://login.microsoftonline.com/TenantID/v2.0'
CLAIM 'sub' AS EXTERNAL IDENTITY;
CREATE PUBLIC KEY jwt_pubkey
FROM '-----BEGIN RSA PUBLIC KEY-----
PUBLICKEYValue
-----END RSA PUBLIC KEY-----'
KEY ID HINT 'KEYIDHint';
CREATE PSE PSENAME;
SELECT * FROM PUBLIC_KEYS;
ALTER PSE PSENAME ADD PUBLIC KEY JWT_PUBKEY;
SET PSE PSENAME PURPOSE JWT FOR PROVIDER MY_JWT_PROVIDER;
CREATE USER jwt_user WITH IDENTITY 'SUBValue' FOR JWT PROVIDER MY_JWT_PROVIDER;
- Run each query separately by clicking Execute.
- Click Security > Users > jwt_user > Object Privileges | System Privileges | Granted Roles to assign the required user privileges.
Use the following table to edit the required values in the template above:
Value | Description
TenantID | The tenant ID of your organization in Entra ID.
PUBLICKEYValue | Choose a key from https://login.microsoftonline.com/TenantID/discovery/v2.0/keys and paste its value here.
KEYIDHint | Copy and paste the key ID hint (the key's kid field) for the key you chose in https://login.microsoftonline.com/TenantID/discovery/v2.0/keys.
SUBValue | The 'sub' value you copied above.
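The following helper is an added example, not part of the Strategy ONE documentation: it automates the copy-and-paste steps above by reading the token's 'sub' and 'iss', selecting the discovery key whose kid the token header names, converting that JWK (n, e) into the PEM form the CREATE PUBLIC KEY template uses, and filling the SQL template. Provider, PSE and user names are the page's placeholders; the tenant ID, key and token below are constructed sample values, and the key is a toy 24-bit modulus, not a usable RSA key.

```python
import base64
import json
def b64url_decode(data: str) -> bytes:  # JWT/JWK base64url, padding optional
    return base64.urlsafe_b64decode(data + "=" * (-len(data) % 4))
def der_length(n: int) -> bytes:  # DER length octets: short form below 128, long form otherwise
    if n < 128:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body
def der_integer(raw: bytes) -> bytes:  # DER INTEGER; a leading 0x00 keeps a high-bit value positive
    raw = raw.lstrip(b"\x00") or b"\x00"
    if raw[0] & 0x80:
        raw = b"\x00" + raw
    return b"\x02" + der_length(len(raw)) + raw
def jwk_to_pkcs1_der(jwk: dict) -> bytes:
    # PKCS#1 RSAPublicKey ::= SEQUENCE { modulus INTEGER, publicExponent INTEGER }
    body = der_integer(b64url_decode(jwk["n"])) + der_integer(b64url_decode(jwk["e"]))
    return b"\x30" + der_length(len(body)) + body
def jwk_to_pkcs1_pem(jwk: dict) -> str:
    # PEM in the 'BEGIN RSA PUBLIC KEY' form used by the CREATE PUBLIC KEY template
    b64 = base64.b64encode(jwk_to_pkcs1_der(jwk)).decode()
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "\n".join(["-----BEGIN RSA PUBLIC KEY-----", *lines, "-----END RSA PUBLIC KEY-----"])
def jwt_header_and_claims(token: str) -> tuple:  # reads header and payload only; HANA verifies the signature
    return tuple(json.loads(b64url_decode(p)) for p in token.split(".")[:2])
def hana_jwt_statements(tenant_id: str, jwks: dict, token: str) -> str:
    header, claims = jwt_header_and_claims(token)
    issuer = f"https://login.microsoftonline.com/{tenant_id}/v2.0"
    if claims.get("iss") != issuer:  # HANA rejects tokens whose iss differs from the provider's issuer
        raise ValueError(f"token iss {claims.get('iss')!r} != provider issuer {issuer!r}")
    # Use the discovery key the token header references so the KEY ID HINT matches the token
    jwk = next(k for k in jwks["keys"] if k.get("kid") == header.get("kid"))
    return "\n".join([
        f"CREATE JWT PROVIDER my_jwt_provider WITH ISSUER '{issuer}' CLAIM 'sub' AS EXTERNAL IDENTITY;",
        f"CREATE PUBLIC KEY jwt_pubkey FROM '{jwk_to_pkcs1_pem(jwk)}' KEY ID HINT '{jwk['kid']}';",
        "CREATE PSE PSENAME;",
        "ALTER PSE PSENAME ADD PUBLIC KEY JWT_PUBKEY;",
        "SET PSE PSENAME PURPOSE JWT FOR PROVIDER MY_JWT_PROVIDER;",
        f"CREATE USER jwt_user WITH IDENTITY '{claims['sub']}' FOR JWT PROVIDER MY_JWT_PROVIDER;",
    ])

# Constructed sample input, not a real tenant, key or token: toy 24-bit modulus and an unsigned token body
TENANT = "00000000-0000-0000-0000-000000000000"
SAMPLE_JWKS = {"keys": [{"kty": "RSA", "kid": "kid-constructed", "n": "AQID", "e": "AQAB"}]}
_enc = lambda obj: base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
SAMPLE_TOKEN = ".".join([_enc({"alg": "RS256", "kid": "kid-constructed"}),
                         _enc({"iss": f"https://login.microsoftonline.com/{TENANT}/v2.0", "sub": "sub-constructed"}), "sig"])
```

Run `print(hana_jwt_statements(TENANT, SAMPLE_JWKS, SAMPLE_TOKEN))` to see the filled template; with the real discovery document and your own access token the same call produces the statements for the SQL console.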