SAP HANA Admin - Authentication Methods

All SAP HANA users who have access to HANA database are verified with different Authentication methods. SAP HANA system supports various types of authentication methods and all these login methods are configured at the time of profile creation.

Following is the list of authentication methods supported by SAP HANA −

  • User name/Password
  • Kerberos
  • SAML 2.0
  • SAP Logon tickets
  • X.509

User Name/Password

This method requires HANA user to enter the user name and password to login to database. This user profile is created under User management in HANA Studio → Security Tab.

Password should be as per password policy. For example - Password length, complexity, lower and upper case letters, etc. You can change the password policy as per your organization’s security standards.

Note − The password policy cannot be deactivated.



All users who connect to HANA database system using an external authentication method should also have a database user. It is required to map the external login to the internal database user.

This method enables the users to authenticate HANA system directly, using JDBC/ODBC drivers through the network or by using front-end applications in SAP Business Objects.

It also allows HTTP access in HANA Extended Service using HANA XS engine. It uses SPENGO mechanism for Kerberos authentication.



SAML stands for Security Assertion Markup Language and can be used to authenticate the users accessing HANA system directly from ODBC/JDBC clients. It can also be used to authenticate the users in HANA system, coming via HTTP through HANA XS engine.

SAML is used only for authentication purposes and not for authorization.


SAP Logon and Assertion Tickets

SAP Logon/assertion tickets can be used to authenticate the users in HANA system. These tickets are issued to the users when they login into SAP system, which is configured to issue tickets such as SAP Portal, etc. User specified in SAP logon tickets should be created in HANA system as it doesn’t provide support for the mapping users.

SAP Logon

X.509 Client Certificates

X.509 certificates can also be used to login to HANA system via HTTP access request from HANA XS engine. Users are authenticated by certificates that are signed from trusted Certificate Authority, which is stored in HANA XS system.

The user in trusted certificate should exist in HANA system as there is no support for user mapping.

Client Certificates

Single Sign On in HANA System

Single sign on can be configured in HANA system, which allows the users to login to HANA system from an initial authentication on the client. User logins at client applications using different authentication methods and SSO allows the user to access HANA system directly.

SSO can be configured using the following configuration methods −

  • SAML
  • Kerberos
  • X.509 client certificates for HTTP access from HANA XS engine
  • SAP Logon/Assertion tickets

You can also use SAP HANA Cockpit for performing user and role management tasks.

Single Signon
Kickstart Your Career

Get certified by completing the course

Get Started