
Re: what is the role of "Any" in configure external SAML Identities

Hi,

HANA supports two kinds of user mapping
(e.g. mapping a user from an external application to the "correct" HANA user):
https://help.sap.com/saphelp_hanaplatform/helpdata/en/db/6db355bb571014b56eb25057daec5f/content.htm

1.)    SAP HANA-based user mappings

2.)    Identity provider-based user mappings


For the first approach you need to maintain the table "PUBLIC"."SAML_USER_MAPPINGS",
which can be quite cumbersome. This is basically what happens via the GUI when you click on
"Configure SAML" for an individual user. You assign the SAML provider and you map the
external identity (the user known to the external application). This can also happen with
custom procedures, …

Let's say there is an external application App1 in which the user Albert Einstein is known as EmpAE.
Moreover, there is a HANA database to which the same user is known as AlbertE.

HANA needs to know that an incoming assertion for EmpAE has to be mapped to the HANA user AlbertE
to allow the SSO. This happens, as said, via the mapping table.


Now think about a case where the user is known in both systems as AlbertE.
Why use a mapping table? You just need to allow HANA to use the user name of the
SAML assertion coming in from application App1, because it already contains the name
in the same way it is known in HANA itself. This is what the flag "any" does.

On a side note - the option is reflected in the table "PUBLIC"."SAML_USER_MAPPINGS" with a "?".


Identity provider-based user mappings

The identity provider maps its users to SAP HANA database users and provides this information
using the SPProvidedID attribute. The corresponding assertion subject looks like this:

<NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified" SPProvidedID="BILLG">zgc2VLavgYy4hsohfYPM21</NameID>

You can configure SAML identity providers and map them to database users in the SAP HANA studio.


Having said that, the external application needs to be able to create SAML assertions
using the SPProvidedID attribute. On a side note - for the Business Objects platform
this does not (yet) seem to be the case. You can check this on your own if you enable the trace on the HANA side
and test SAML from the BO CMC. You will then find the SAML assertion in the trace.


I hope that helps, Holger
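
Added example, not part of the post above and not SAP code: a simplified Python model of the lookup the post describes, covering an explicit mapping (EmpAE to AlbertE), the "any" flag stored as "?", and an SPProvidedID supplied by the identity provider. The mapping rows, the user MarieC, the provider App2 and the order of the checks are assumptions made for illustration; HANA's real lookup may differ.

```python
import xml.etree.ElementTree as ET

# Constructed stand-in for "PUBLIC"."SAML_USER_MAPPINGS":
# (HANA user, SAML provider, external identity); "?" is the "any" flag.
MAPPINGS = [
    ("AlbertE", "App1", "EmpAE"),  # explicit mapping from the post
    ("MarieC", "App1", "?"),       # constructed user with "any"
    ("BILLG", "App2", "?"),        # constructed row for the SPProvidedID sample
]

# NameID element as shown in the post.
PAGE_SAMPLE = (
    '<NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified" '
    'SPProvidedID="BILLG">zgc2VLavgYy4hsohfYPM21</NameID>'
)


def parse_name_id(xml_text):
    """Return (NameID text, SPProvidedID or None) from a NameID element."""
    elem = ET.fromstring(xml_text)
    # Accept the element with or without an XML namespace prefix.
    if elem.tag.rsplit("}", 1)[-1] != "NameID":
        raise ValueError("not a NameID element")
    return (elem.text or "").strip(), elem.get("SPProvidedID")


def resolve_hana_user(provider, name_id_xml, mappings=MAPPINGS):
    """Return the HANA user for this assertion subject, or None (no SSO)."""
    name_id, sp_provided = parse_name_id(name_id_xml)
    rows = [(user, ext) for user, prov, ext in mappings if prov == provider]

    # 1. Explicit mapping: the external identity equals the NameID value.
    #    A literal "?" in the NameID must never match the "any" marker.
    explicit = [user for user, ext in rows if ext != "?" and ext == name_id]
    if explicit:
        return explicit[0] if len(explicit) == 1 else None  # ambiguous: refuse

    # 2. "any": the name is taken from the assertion itself (SPProvidedID if
    #    the identity provider sent one, otherwise the NameID value) and is
    #    accepted only for a user that carries "?" for this provider.
    candidate = sp_provided or name_id
    for user, ext in rows:
        if ext == "?" and user == candidate:
            return user
    return None
```

With "any", the identity provider alone decides which name arrives, so the rows marked "?" are the ones worth reviewing per provider.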

