Former Member

Configuring SAML with SAP HANA and SAP BusinessObjects 4.1 – Part 1

SAP BusinessObjects 4.0 (BI) allowed Single Sign-On (SSO) to SAP HANA (HANA) to be configured via Kerberos. Now, in BI 4.1, we can set up SSO to HANA via the Security Assertion Markup Language (SAML). So what is SAML? SAML is an XML standard that allows parties (in our case BI and HANA) to exchange authentication and authorization data. With SAML we have a Service Provider (SP) that can contact an Identity Provider (IdP) to authenticate users trying to access secure content. In our setup we have,

  • A client – For example BI Launchpad
  • An IdP – BI 4.1
  • An SP – HANA


In simplified terms, after a user has been authenticated by the BI server, the BI server generates a SAML assertion for the user and passes it to HANA for SSO.

Part 1 covers the configuration steps required for HANA and BI 4.1. Part 2 covers the end-to-end SSO configuration steps required for BI 4.1.


Prerequisites

  • A user that can log into BI using any type of login (Active Directory, LDAP, SAP, or Enterprise)
  • A user that can log into SAP HANA
  • SSL has been configured for HANA

It is highly recommended to have SSL set up in HANA, as we are essentially creating a trust between the BI server and the HANA server, so this connection stream should be encrypted to prevent packet sniffing. To configure SSL for HANA refer to my blog,

SSL with HANA and BI4 Feature Pack 3

To confirm SSL has been setup you will need to click on the “Connect using SSL” option in the properties of the connection. 


Once done, a lock will appear in the connection in HANA Studio,


In BI 4.1

BI 4.1 now comes with a new application called “HANA Authentication“.  It’s found in the CMC, under Applications.  The purpose of this application is to create a certificate that we can install on the HANA server, meaning that HANA will trust BI to do the authentication.  This application will also allow us to test the SAML configuration.


You will need to know your HANA Hostname and Port for this to work correctly.  The “Unique Identity Provider ID” can be called anything.  This will become the Common Name (CN) in the Distinguished Name (DN), which you will create below.  An example setup is,


In the prerequisites, SSL was recommended. If you have set up SSL, you will have a trust.pem file located here (or in another folder),

/usr/sap/<HANA Instance Name>/home/.ssl

In this trust.pem file, we will append the certificate that’s been created by BI.  Before we can do that, we need to convert the certificate to the correct format.

1) Go to the certificate decoder site, for the purposes of this blog we will use

2) Copy and paste the certificate from CMC to the decoder and hit Decode


4) Copy the decoded certificate and paste it under the current certificate in the trust.pem file (after the -----END CERTIFICATE----- line, paste the new certificate).  Like so,


4. Save the file and restart HANA


In HANA the SAML provider needs to be configured and a HANA user needs to have an identity added for SAML.  The steps are,

1. Create the SAML provider

Go to the certificate decoder website and scroll down until you find Issuer and Subject under Properties


The create SAML provider syntax is,


In this example, it would be,




Note: In our case here the DN is not in the normal CN, OU, DC order, it needs to be in the exact same order as the certificate shown above.

2) Create a HANA user


3) Enable the user for SAML authentication


4) Add an identity to the HANA user which is the BI user


To verify the above steps, open the properties of the user: the SAML checkbox is enabled, and clicking on “Configure” shows the SAML provider that we created above,
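The four steps above written out as HANA SQL, as an added example rather than the statements from the original post. The provider name, user name, BI user name, password and DN strings are placeholders; the DNs are copied from the certificate's Subject and Issuer properties.

```sql
-- Added example with placeholder values (not taken from the original post):
--   BI41_IDP     hypothetical SAML provider name
--   BI_SSO_DEMO  hypothetical HANA user
--   'bi.user'    hypothetical BI user name mapped to the HANA user

-- 1) Register BI as a SAML identity provider. SUBJECT and ISSUER must match
--    the certificate's Subject and Issuer, attribute for attribute, in the
--    same order in which the certificate lists them.
CREATE SAML PROVIDER BI41_IDP
  WITH SUBJECT '<subject DN copied from the certificate>'
  ISSUER '<issuer DN copied from the certificate>';

-- 2) Create the HANA user (skip this if the user already exists).
CREATE USER BI_SSO_DEMO PASSWORD "<initial-password>";

-- 3) Allow this user to authenticate with SAML assertions.
ALTER USER BI_SSO_DEMO ENABLE SAML;

-- 4) Map the BI user name to the HANA user for this provider.
ALTER USER BI_SSO_DEMO ADD IDENTITY 'bi.user' FOR SAML PROVIDER BI41_IDP;

-- Check from SQL what the user properties dialog shows.
SELECT * FROM SYS.SAML_PROVIDERS     WHERE SAML_PROVIDER_NAME = 'BI41_IDP';
SELECT * FROM SYS.SAML_USER_MAPPINGS WHERE USER_NAME = 'BI_SSO_DEMO';

-- Optional hardening, not a step from the post: a user that should only
-- come in through SSO does not need password logon.
-- ALTER USER BI_SSO_DEMO DISABLE PASSWORD;

-- If the provider was created with a wrong DN, remove the mapping and the
-- provider before creating it again with the corrected strings.
-- ALTER USER BI_SSO_DEMO DROP IDENTITY FOR SAML PROVIDER BI41_IDP;
-- DROP SAML PROVIDER BI41_IDP;
```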



Test SAML Authentication

To test if SAML is working, log in to the CMC and go to Applications > HANA Authentication. On this screen, you will see “Test the connection for this user”. Here we want to enter the BI user name; remember that we added this identity to our HANA user in step 4 above.


If the connection is successful, you will see,


If not, you will see,



As seen in the above failed login, the error message received is very generic. To troubleshoot SAML issues, start with the basics,

1) Do you have SSL set up and working in HANA (meaning: do you see the lock icon on your connection?)

2) After adding the BI certificate to the PEM file, did you restart HANA?

3) Check that the DN is correct and in the correct order as mentioned above

4) Enable the authentication trace in the INDEXSERVER


Once the trace has been enabled, you will get something similar to what you see in the log below. From here you can determine what error messages are being thrown as well as verify the Certificate Subject and Issuer. For the log below, you can see that the SAML provider created is wrong, thus a “does not exist” error is being thrown by HANA.


      Abhik Gupta

      Very nice post, Vishal!

      Former Member

      Hi Vishal,

      If users have the same ID in BI and HANA, then for existing users in the HANA system, do we run the 'ALTER USER TEST ENABLE SAML' statement after we have enabled SAML SSO? Is there a need to change the password on HANA or run any other statements?

      Please advise.

      Former Member

      Nice post,

      Can you post Part 2 also, if possible?

      Venkateswara Guptha

      Excellent Blog.

      Can you please provide the End to End configuration steps? Or the steps provided above are sufficient for End to End SSO, please clarify.

      Former Member

      Thanks for putting this together.

      Bhargav Malsani

      nice post... can you provide the link to part 2.

      Former Member

      Where is part 2?