
After writing two blogs about the installation of Design Studio 1.1 and the BI Add-on for Design Studio 1.1 on top of a BI 4.1 platform, this blog will show you how to establish SSO between BI 4.1 and SAP HANA.

As of BI 4.1 it’s quite easy to set up SSO towards SAP HANA. During the ASUG Annual Conference Greg Wcislo presented a session with the promising title: Demystifying Authentication and SSO Options in Business Intelligence. During this session he gave an overview of the current possibilities to set up SSO towards SAP HANA but also mentioned the new option as of BI 4.1.

To set it up, first log on to the CMC, go to Applications and double-click HANA Authentication.


Create a connection.


Provide the HANA Hostname and Port, and fill in a Unique Identity Provider ID that will be used to uniquely identify the BI platform.

Now let’s generate the Identity Provider Base64 Certificate by clicking Generate. Once generated, the certificate string is displayed in the text box. Click OK to save the connection.


The next steps need to be done from within SAP HANA Studio. Start the SQL Console.


Use the following SQL statement to enable the BI platform as the ID Provider.

CREATE SAML PROVIDER <UNIQUE ID> WITH SUBJECT 'C=CA, ST=BC, O=SAP, OU=BOE, CN=<UNIQUE ID>' ISSUER 'C=CA, ST=BC, O=SAP, OU=BOE, CN=<UNIQUE ID>';

Replace <UNIQUE ID> with your Unique Identity Provider ID, in this case BOE41 and execute the SQL query.


The next step is to copy the certificate from the CMC to the trust.pem file in the ~/.ssl directory for the user that you created when you installed SAP HANA. The user name is <3CharacterCode>adm.

At this time, you can verify whether the key.pem file exists in the ~/.ssl directory. If it does not exist, then SAP HANA was not configured correctly to use SSL. Before configuring SAP HANA single sign-on with SAML, you must configure SSL on the SAP HANA machine. See your SAP HANA documentation for details.

Restart SAP HANA.

Use these commands in SAP HANA Studio to create a user in SAP HANA that the BI platform can generate tickets for:

CREATE USER <HANAUserName> PASSWORD <HANAUserPassword>;

ALTER USER <HANAUserName> ENABLE SAML;

ALTER USER <HANAUserName> ADD IDENTITY '<BIPUserName>' FOR SAML PROVIDER <BIPUniqueIdentityProviderID>;

<BIPUserName> is the full name of the BI platform user.

Example:

CREATE USER foekm00 PASSWORD ABCD1234; (I skipped this step as my user already exists in the SAP HANA environment)

ALTER USER foekm00 ENABLE SAML;


ALTER USER foekm00 ADD IDENTITY 'foekm00' FOR SAML PROVIDER BO41;


Alternatively, you can use an existing user and run only the ALTER commands above, as I did.

Test the SAP HANA configuration.

a. Go to the “Applications” area of the CMC and double-click HANA Authentication. Make sure you are logged in with the ‘Administrator’ account.


b. In the “HANA Authentication” dialog box, open the connection you created earlier.


The “Edit HANA Authentication Connection” dialog box opens.


c. Under “Test the connection for this user”, enter a user name and click the Test Connection button to verify that your connection settings are valid.
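For the trust.pem step earlier in the procedure, one way to add the certificate string from the CMC without overwriting certificates already in the file. This is an added example, not code from the original post or from SAP: it assumes trust.pem is a PEM bundle of concatenated certificates and that the string may be pasted with or without BEGIN/END lines; the function names and the sample bytes are made up for illustration.

```python
import base64, hashlib, os, re, shutil, ssl, tempfile

PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)

def to_der(cert_text):
    """Accept bare Base64 or PEM-armored text and return validated DER bytes."""
    m = PEM_RE.search(cert_text)
    body = m.group(1) if m else cert_text
    der = base64.b64decode("".join(body.split()), validate=True)
    # A certificate is one DER SEQUENCE (tag 0x30); its declared length must
    # match the data, which catches a truncated copy/paste from the text box.
    if len(der) < 2 or der[0] != 0x30:
        raise ValueError("not a DER SEQUENCE")
    n = der[1]
    if n < 0x80:
        total = 2 + n
    else:
        k = n & 0x7F
        total = 2 + k + int.from_bytes(der[2:2 + k], "big")
    if total != len(der):
        raise ValueError("certificate is truncated or has trailing data")
    return der

def fingerprints(pem_bundle):
    """SHA-256 fingerprints of every certificate in a PEM bundle."""
    return {hashlib.sha256(to_der(m.group(0))).hexdigest()
            for m in PEM_RE.finditer(pem_bundle)}

def add_to_trust_store(cert_text, trust_path):
    """Append the certificate unless it is already trusted; keep a backup."""
    der = to_der(cert_text)
    existing = ""
    if os.path.exists(trust_path):
        with open(trust_path, encoding="ascii") as f:
            existing = f.read()
    if hashlib.sha256(der).hexdigest() in fingerprints(existing):
        return "already-present"
    if existing:
        shutil.copy2(trust_path, trust_path + ".bak")  # keep the previous bundle
    with open(trust_path, "a", encoding="ascii") as f:
        if existing and not existing.endswith("\n"):
            f.write("\n")
        f.write(ssl.DER_cert_to_PEM_cert(der))
    return "appended"

# Constructed stand-in for the CMC text box content (a tiny DER SEQUENCE, not a real certificate).
SAMPLE_B64 = base64.b64encode(b"\x30\x06\x02\x01\x01\x02\x01\x02").decode("ascii")

if __name__ == "__main__":
    path = os.path.join(tempfile.mkdtemp(), "trust.pem")  # stand-in for ~/.ssl/trust.pem
    print(add_to_trust_store(SAMPLE_B64, path), add_to_trust_store(SAMPLE_B64, path))
```

Comparing fingerprints before appending also gives a quick way to confirm that the certificate in trust.pem is the one currently shown in the CMC connection.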

In my next blog I will verify whether I can actually use the established SSO connection in Design Studio 1.1.

Thanks for your comments on this blog!

Martijn van Foeken | Intenzz


22 Comments


    1. M. van Foeken Post author

      Hi Faisal,

      Yes I was able to validate it all works when executing a Design Studio application at run-time using an SSO connection to SAP HANA defined in BIP 4.1.

      Please let me know if you have any additional questions!

      With kind regards,

      Martijn van Foeken | Intenzz

      (0) 
      1. Faisal Mehmood

        One thing I did not understand is that from BI4 DS, we are using either Enterprise ID or SAP imported ID. If I make my OLAP connection for HANA as SSO, which ID will it use?

        (0) 
        1. M. van Foeken Post author

          Hi Faisal,

          It will only use the User name as trust has been setup by implementing SSO. So whether it’s Enterprise or SAP doesn’t really matter.

          With kind regards,

          Martijn van Foeken | Intenzz

          (0) 
    1. M. van Foeken Post author

      Hi Christian,

      Sorry for my late reply, I was on holiday.

      I assume with port you mean the HANA port. This is something you need to ask your HANA administrator or check in your HANA Studio by checking the properties – additional properties of your system entry.

      The unique ID on the BOE platform is something you need to choose in order to identify the configuration when you assign users on the SAP HANA side. You can set up SSO to multiple systems.

      Hope this helps. Please let me know if you have any further questions!

      With kind regards,

      Martijn

      (0) 
  1. Devpriy Trivedi

    Hello Martin,

    I tried the above mentioned steps but I imported the certificate into SAPSSL.pse instead of trust.pem of my HANA system.

    While testing the connection I am getting an error as invalid user name and password.

    Could you guide me here?

    Thanks

    Dev

    (0) 
  2. Jaya Battula

    Hi Martin,

    I provided the HANA Hostname and Port and filled in a Unique Identity Provider ID. When I try to generate the Identity Provider Base64 Certificate by clicking “Generate”, I get the following error.

    “Failed to generate the certificate due to: java.security.NoSuchAlgorithmException: no such algorithm: DefaultRandom for provider JsafeJCE. (FWM 02127) “


    Your help is much appreciated.


    Regards,

    Jay

    (0) 
  3. tatab355 tatab

    Hi,

    I am setting up the SSO HANA BI4 and when I test the connection it works,

    but when I use Analysis for OLAP to test reporting I have this message:

    /wp-content/uploads/2015/08/ao_error_772489.png

    And when I tested a universe with SSO I also have an error

    /wp-content/uploads/2015/08/2_sso_772499.png

    Could you guide me here?

    Thanks

    (0) 
        1. M. van Foeken

          Hi,

          It has been 2 years since I wrote this blog. I’m not sure what the latest status is about this feature but it should work. Please check the latest guides on the BIP to use the SAML based SSO to SAP HANA.

          With kind regards,

          Martijn

          (0) 
    1. Brandon Johnson

      You are using a multi-tenant topology. You need to select multi server instead of single server. I know this is an old post, but for anyone who is out there searching the internet.

      (0) 
  4. Ritu John

    Hi Martijn,

    This was a very informative blog. Thanks. There is a requirement to open BO webi reports from HANA xsjs application using opendocument link. Is it possible to login to BO using the HANA login? Want to avoid the BO login page. How could I go about this?

    Thanks,

    Ritu

    (0) 
    1. M. van Foeken

      Hi Ritu,

      Thanks! Regarding your question. On help.sap.com there is a guide regarding OpenDocument.

      https://help.sap.com/businessobject/product_guides/sbo41/en/sbo41_opendocument_en.pdf

      This guide explains in more detail how you can create a statement that allows you to pass a username and password so you can login to BO without getting prompted. If you create this statement as part of your HANA XSJS application you are able to reuse the username and password from HANA to the BI platform.

      Hope this helps!

      With kind regards,

      Martijn

      (0) 
  5. Willem Lourens

    Hi

    On the part to “copy the certificate from the CMC to the trust.pem file in the ~/.ssl directory” – The trust.pem file already contains a certificate. Should the new certificate string replace the existing contents, or can it be appended?

    Thanks

    (0) 
  6. Harmandeep Cheema

    Hi,

    Great Post.

    Though I have a question which is also one of the incidents I have been working on. In SP6 we get another option which is “Service Provide Name” under Unique provider name. But even in the snapshots included in the blog, I do not see that parameter.

    My question is what if the customer wants the parameter there just like SP6. Is there a way?

     

    Thank you

     

    (0) 
