After two blogs about the installation of Design Studio 1.1 and the BI Add-on for Design Studio 1.1 on top of a BI 4.1 platform, this blog shows you how to establish SSO between BI 4.1 and SAP HANA.
As of BI 4.1 it’s quite easy to set up SSO towards SAP HANA. During the ASUG Annual Conference Greg Wcislo presented a session with the promising title: Demystifying Authentication and SSO Options in Business Intelligence. During this session he gave an overview of the current possibilities to set up SSO towards SAP HANA but also mentioned the new option as of BI 4.1.
To set it up, first log on to the CMC, go to Applications and double-click HANA Authentication.
Create a connection.
Provide the HANA Hostname, Port and fill in a Unique Identity Provider ID that will be used to uniquely identify the BI platform.
Now let’s generate the Identity Provider Base64 Certificate by clicking Generate. After generation, the certificate string is displayed in the text box. Click OK to save the connection.
The next steps need to be done from within the SAP HANA Studio. Start the SQL Console.
Use the following SQL statement to enable the BI platform as the ID Provider.
CREATE SAML PROVIDER <UNIQUE ID> WITH SUBJECT 'C=CA, ST=BC, O=SAP, OU=BOE, CN=<UNIQUE ID>' ISSUER 'C=CA, ST=BC, O=SAP, OU=BOE, CN=<UNIQUE ID>';
Replace <UNIQUE ID> with your Unique Identity Provider ID, in this case BOE41, and execute the SQL query.
The next step is to copy the certificate from the CMC to the trust.pem file in the ~/.ssl directory for the user that you created when you installed SAP HANA. The user name is <3CharacterCode>adm.
At this time, you can verify whether the key.pem file exists in the ~/.ssl directory. If it does not exist, then SAP HANA was not configured correctly to use SSL. Before configuring SAP HANA single sign-on with SAML, you must configure SSL on the SAP HANA machine. See your SAP HANA documentation for details.
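One way to script the trust.pem step and the key.pem check described above, as an added example that is not part of the original post. It assumes the certificate string from the CMC was saved to a file, with or without PEM BEGIN/END lines; the function names and the file name in the usage note are illustrative.

```shell
#!/bin/sh
# Added example (not from the original post). Run as the <sid>adm user.
# Assumption: the CMC certificate string was pasted into a file, with or
# without the PEM BEGIN/END lines.

# flat_b64 FILE: print the Base64 body on one line; fail if it is not Base64.
flat_b64() {
    body=$(grep -v -e '-----' "$1" | tr -d ' \t\r\n')
    [ -n "$body" ] || return 1
    case $body in *[!A-Za-z0-9+/=]*) return 1 ;; esac
    printf '%s\n' "$body"
}

# as_pem BODY: wrap a flat Base64 body as a PEM certificate block.
as_pem() {
    printf '%s\n' '-----BEGIN CERTIFICATE-----'
    printf '%s\n' "$1" | fold -w 64
    printf '%s\n' '-----END CERTIFICATE-----'
}

# show_cert FILE: print subject, issuer and expiry so they can be compared
# with the SUBJECT/ISSUER used in CREATE SAML PROVIDER (needs openssl).
show_cert() {
    b=$(flat_b64 "$1") || return 1
    as_pem "$b" | openssl x509 -noout -subject -issuer -enddate
}

# install_idp_cert FILE SSL_DIR
# 0 = appended, 1 = not Base64, 2 = key.pem missing, 3 = already in trust.pem
install_idp_cert() {
    ssl_dir=$2
    trust=$ssl_dir/trust.pem
    if [ ! -f "$ssl_dir/key.pem" ]; then
        echo "key.pem not found: configure SSL on SAP HANA first" >&2
        return 2
    fi
    b=$(flat_b64 "$1") || { echo "not a Base64 certificate: $1" >&2; return 1; }
    if [ -f "$trust" ] && tr -d '\r\n' < "$trust" | grep -qF -- "$b"; then
        return 3
    fi
    [ ! -f "$trust" ] || cp -p "$trust" "$trust.bak"   # keep a rollback copy
    as_pem "$b" >> "$trust"
    chmod go-w "$trust"   # only the owner may change the trust anchors
}
```

Run `show_cert cmc_cert.txt` first to compare the subject and issuer with the CREATE SAML PROVIDER statement, then `install_idp_cert cmc_cert.txt ~/.ssl`.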
Restart SAP HANA.
Use these commands in the SAP HANA Studio to create a user in SAP HANA that the BI platform can generate tickets for:
CREATE USER <HANAUserName> PASSWORD <HANAUserPassword>;
ALTER USER <HANAUserName> ENABLE SAML;
ALTER USER <HANAUserName> ADD IDENTITY '<BIPUserName>' FOR SAML PROVIDER <BIPUniqueIdentityProviderID>;
<BIPUserName> is the full name of the BI platform user.
CREATE USER foekm00 PASSWORD ABCD1234; (I skipped this step as my user already exists in the SAP HANA environment)
ALTER USER foekm00 ENABLE SAML;
ALTER USER foekm00 ADD IDENTITY 'foekm00' FOR SAML PROVIDER BO41;
Alternatively, you can use an existing user and run only the ALTER commands above, as I did.
Test the SAP HANA configuration.
a. Go to the “Applications” area of the CMC and double-click HANA Authentication. Make sure you are logged in with the ‘Administrator’ account.
b. In the “HANA Authentication” dialog box, open the connection you created earlier.
The “Edit HANA Authentication Connection” dialog box opens.
c. Under “Test the connection for this user”, enter a user name and click the Test Connection button to verify that your connection settings are valid.
In my next blog I will verify whether I can actually use the established SSO connection in Design Studio 1.1.
Thanks for your comments on this blog!
Martijn van Foeken | Intenzz