Skip to Content

SAP BusinessObjects 4.0 (BI) allowed for Single Sign On (SSO) to SAP HANA (HANA) configured via Kerberos.  Now, in BI 4.1 we can setup SSO to HANA via the Security Assertion Markup Language (SAML).  So what is SAML?  SAML is an XML standard that allows parties (in our case BI and HANA) to exchange authentication and authorization data.  With SAML we have a Service Provider (SP) that can contact an Identity Provider (IdP) to authenticate users trying to access secure content.  In our setup we have,

  • A client – For example BI Launchpad
  • A IdP – BI 4.1
  • A SP – HANA

    

In simplified terms, after a user has been Authenticated by the BI server, it will generate a SAML assertion for the user and pass it to HANA for SSO.

In Part 1 we will cover the configuration steps required for HANA and BI 4.1.  In Part 2, the end-to-end SSO configuration steps required for BI 4.1.

Prerequisites

  • A user that can log into BI using any type of login (Active Directory, LDAP, SAP, or Enterprise)
  • A user that can log into SAP HANA
  • SSL has configured for HANA

It is highly recommended to have SSL setup in HANA as we are essentially creating a trust is being created between the BI server and HANA server, thus this connection stream should be encrypted to prevent packet sniffing.  To configure SSL for HANA refer to my blog,

SSL with HANA and BI4 Feature Pack 3

To confirm SSL has been setup you will need to click on the “Connect using SSL” option in the properties of the connection. 

/wp-content/uploads/2013/08/6_255781.png

Once done, a lock will appear in the connection in HANA Studio,

/wp-content/uploads/2013/08/5_255806.png

In BI 4.1

BI 4.1 now comes with a new application called “HANA Authentication“.  It’s found in the CMC, under Applications.  The purpose of this application is to create a certificate that we can install on the HANA server, meaning that HANA will trust BI to do the authentication.  This application will also allow us to test the SAML configuration.

/wp-content/uploads/2013/08/1_255807.png

You will need to know your HANA Hostname and Port for this to work correctly.  The “Unique Identity Provider ID” can be called anything.  This will become the Common Name (CN) in the Distinguished Name (DN), which you will create below.  An example setup is,

/wp-content/uploads/2013/08/2_255808.png

In the prerequisites, SSL was recommended.  If you have setup SSL, you will have a trust.pem file located here (or in another folder),

/usr/sap/<HANA Instance Name>/home/.ssl

In this trust.pem file, we will append the certificate that’s been created by BI.  Before we can do that, we need to convert the certificate to the correct format.

1) Go to the certificate decoder site, for the purposes of this blog we will use http://certlogik.com/decoder/

2) Copy and paste the certificate from CMC to the decoder and hit Decode

/wp-content/uploads/2013/08/3_255809.png

4) Copy the decoded certificate and paste it under the current certificate in the trust.pem file (after the —–END CERTIFICATE—– line, paste the new certificate).  Like so,

/wp-content/uploads/2013/08/4_255810.png

4. Save the file and restart HANA

In HANA

In HANA the SAML provider needs to be configured and a HANA user needs to have an identity added for SAML.  The steps are,

1. Create the SAML provider

Go to the certificate decoder website and scroll down until you find Issuer and Subject under Properties

/wp-content/uploads/2013/08/7_255811.png

The create SAML provider syntax is,

CREATE SAML PROVIDER <PROVIDER NAME> WITH SUBJECT ‘<Subject DN>’ ISSUER ‘<Issuer DN>’

In this example, it would be,

 

CREATE SAML PROVIDER HANA_BI_PROVIDER WITH SUBJECT ‘C=CA, ST=BC, O=SAP, OU=BOE, CN=BI4SAML’ ISSUER ‘C=CA, ST=BC, O=SAP, OU=BOE, CN=BI4SAML’

 

Note: In our case here the DN is not in the normal CN, OU, DC order, it needs to be in the exact same order as the certificate shown above.

2) Create a HANA user

CREATE USER TESTSAML PASSWORD Abcd1234

3) Enable the user for SAML authentication

ALTER USER TEST ENABLE SAML

4) Add an identity to the HANA user which is the BI user

ALTER USER TEST ADD IDENTITY ‘Administrator’ FOR SAML PROVIDER HANA_BI_PROVIDER

To verify the above steps, if we open the properties of the user you will see that the SAML checkbox is enabled and clicking on “Configure” will show the SAML provider that we created above,

/wp-content/uploads/2013/08/10_255812.png

/wp-content/uploads/2013/08/11_255813.png

Test SAML Authentication

To test if SAML is working, login to the CMC and go to Applications > HANA Authentication.  On this screen, you will see “Test the connection for this user”.  Here we want to enter the BI user name, remember we added this identity to our HANA user in step 4 above.

/wp-content/uploads/2013/08/8_255814.png

If the connection is successful, you will see,

/wp-content/uploads/2013/08/9_255815.png

If not, you will see,

/wp-content/uploads/2013/08/13_255816.png

Troubleshooting

As screen in the above failed login, the error message received is very generic.  To troubleshoot SAML issues, start with the basics,

1) Do you have SSL setup and working in HANA (meaning: do you see the lock icon on your connection?)

2) After adding the BI certificate to the PEM file, did you restart HANA?

3) Check that the DN is correct and in the correct order as mentioned above

4) Enable the authentication trace in the INDEXSERVER

/wp-content/uploads/2013/08/14_255818.png

Once the trace has been enabled, you will get something similar to what you see in the log below.  From here you can determine what error messages are being thrown as well as verify the Certificate Subject and Issuer.  For the log below, you can see that the SAML provider created is wrong, thus a does not exist error is being thrown by HANA.

/wp-content/uploads/2013/08/12_255819.png

To report this post you need to login first.

7 Comments

You must be Logged on to comment or reply to a post.

  1. Swaparna Kumar

    Hi Vishal,

    If users have same id in BI and Hana. For existing users in the hana system, do we run the ‘ALTER USER TEST ENABLE SAML’ statement after we have enabled SAML SSO. Is there a need to change the password on hana or run any other statements.

    Please advise.

    (0) 

Leave a Reply