Configuring SAML with SAP HANA and SAP BusinessObjects 4.1 – Part 1
SAP BusinessObjects 4.0 (BI) allowed Single Sign On (SSO) to SAP HANA (HANA) configured via Kerberos. In BI 4.1 we can now set up SSO to HANA via the Security Assertion Markup Language (SAML). So what is SAML? SAML is an XML-based standard that lets parties (in our case BI and HANA) exchange authentication and authorization data. With SAML, a Service Provider (SP) relies on an Identity Provider (IdP) to authenticate users who try to access protected content. In our setup we have,
- A client – For example BI Launchpad
- An IdP – BI 4.1
- A SP – HANA
In simplified terms, once a user has been authenticated by the BI server, BI generates a SAML assertion for that user and passes it to HANA, which accepts the assertion in place of the user's HANA password.
In Part 1 we cover the configuration steps required on HANA and in BI 4.1. In Part 2 we cover the end-to-end SSO configuration steps required for BI 4.1.
Prerequisites
- A user that can log into BI using any type of login (Active Directory, LDAP, SAP, or Enterprise)
- A user that can log into SAP HANA
- SSL has been configured for HANA
It is highly recommended to set up SSL in HANA. We are creating a trust relationship between the BI server and the HANA server, and the SAML assertions sent over that connection should be encrypted so that they cannot be sniffed off the wire. To configure SSL for HANA, refer to my blog post on that topic.
To confirm SSL has been set up, tick the “Connect using SSL” option in the properties of the HANA Studio connection.
Once done, a lock will appear in the connection in HANA Studio,
In BI 4.1
BI 4.1 comes with a new application called “HANA Authentication”, found in the CMC under Applications. Its purpose is to create a certificate that we install on the HANA server, so that HANA trusts BI to perform the authentication. The application also lets us test the SAML configuration.
You will need to know your HANA hostname and port for this to work correctly. The “Unique Identity Provider ID” can be any name; it becomes the Common Name (CN) in the Distinguished Name (DN) of the certificate you create below. An example setup is,
In the prerequisites, SSL was recommended. If you have set up SSL, you will have a trust.pem file located here (or in another folder),
/usr/sap/<HANA Instance Name>/home/.ssl
We will append the certificate created by BI to this trust.pem file. Before we can do that, the certificate has to be converted to PEM format, the format trust.pem uses.
1) Go to a certificate decoder site; for the purposes of this blog we will use http://certlogik.com/decoder/ (the certificate contains only public data, so pasting it there discloses nothing secret)
2) Copy and paste the certificate from the CMC into the decoder and hit Decode
3) Copy the decoded certificate and paste it under the current certificate in the trust.pem file (after the -----END CERTIFICATE----- line, paste the new certificate). Like so,
4) Save the file and restart HANA so that the new certificate is loaded
In HANA, the SAML provider needs to be created and a HANA user needs a SAML identity added. The steps are,
1) Create the SAML provider
On the certificate decoder website, scroll down until you find Issuer and Subject under Properties
The CREATE SAML PROVIDER syntax is,
CREATE SAML PROVIDER <provider name> WITH SUBJECT '<subject DN>' ISSUER '<issuer DN>'
In this example, it would be,
CREATE SAML PROVIDER HANA_BI_PROVIDER WITH SUBJECT 'C=CA, ST=BC, O=SAP, OU=BOE, CN=BI4SAML' ISSUER 'C=CA, ST=BC, O=SAP, OU=BOE, CN=BI4SAML'
Note: in our case the DN is not in the usual CN, OU, DC order. It has to be in exactly the same attribute order as shown on the certificate above, otherwise HANA will not match the assertion to the provider.
2) Create a HANA user
CREATE USER TESTSAML PASSWORD Abcd1234
3) Enable the user for SAML authentication
ALTER USER TESTSAML ENABLE SAML
4) Add an identity to the HANA user, which is the BI user name (here, Administrator)
ALTER USER TESTSAML ADD IDENTITY 'Administrator' FOR SAML PROVIDER HANA_BI_PROVIDER
To verify the above steps, open the properties of the user: the SAML checkbox is ticked, and clicking “Configure” shows the SAML provider we created above,
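The certificate handling in steps 1 to 4 of the trust.pem section and the HANA statements in this section, done locally with openssl instead of the web decoder, as an added example that is not part of the original post and not SAP's code. The certificate is public, so the web decoder leaks nothing secret, but doing it locally guarantees that the Subject and Issuer strings are taken from the certificate in exactly the order HANA needs, and that nothing unparseable ends up in the trust store. Assumptions: the CMC shows the certificate as base64 text (with or without the BEGIN/END lines), trust.pem is a plain PEM bundle, and the SAML_PROVIDERS and SAML_USER_MAPPINGS system views carry the column names used below (check them against the SQL reference for your HANA revision). The self-signed certificate produced by make_test_cert is a constructed stand-in for the one the CMC generates.

```shell
#!/bin/sh
# Added example (not from the original post, not SAP code). Does the
# certificate-decoder, trust.pem and CREATE SAML PROVIDER steps locally
# with openssl. Assumptions: the CMC shows the BI certificate as base64
# text (with or without BEGIN/END lines); trust.pem is a plain PEM bundle;
# the SAML_PROVIDERS / SAML_USER_MAPPINGS view columns are as named below.
set -eu

# Print subject/issuer in the order the certificate stores them
# (C=..., ST=..., ..., CN=...), which is the order CREATE SAML PROVIDER
# must match. This is openssl's "oneline" set without space_eq, so the
# output reads C=CA rather than C = CA.
NAMEOPT=esc_2253,esc_ctrl,esc_msb,utf8,dump_nostr,dump_der,use_quote,sep_comma_plus_space
cert_subject() { openssl x509 -in "$1" -noout -subject -nameopt "$NAMEOPT" | sed 's/^subject= *//'; }
cert_issuer()  { openssl x509 -in "$1" -noout -issuer  -nameopt "$NAMEOPT" | sed 's/^issuer= *//'; }
fingerprint()  { openssl x509 -in "$1" -noout -fingerprint -sha256; }

# Constructed stand-in for the certificate the CMC generates: a throwaway
# self-signed certificate. $1 = output dir, $2 = subject in openssl form.
make_test_cert() {
  mkdir -p "$1"
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "$2" \
    -keyout "$1/key.pem" -out "$1/cert.pem" 2>/dev/null
}

# Turn the text copied from the CMC into PEM: drop any armor lines and
# whitespace, re-wrap at 64 columns, then let openssl re-emit it. openssl
# exits non-zero if the result is not a parseable X.509 certificate.
pem_from_cmc_text() {        # stdin: CMC text, stdout: PEM
  { printf '%s\n' '-----BEGIN CERTIFICATE-----'
    grep -v CERTIFICATE | tr -d ' \t\r\n' | fold -w 64; echo
    printf '%s\n' '-----END CERTIFICATE-----'
  } | openssl x509
}

# True if trust store $1 already holds certificate $2, compared by SHA-256
# fingerprint rather than by text, so re-running the append is harmless.
truststore_has_cert() {
  [ -f "$1" ] || return 1
  want=$(fingerprint "$2")
  tmp=$(mktemp -d)
  awk -v d="$tmp" '/-----BEGIN CERTIFICATE-----/{n++} n{print > (d "/" n ".pem")}' "$1"
  rc=1
  for f in "$tmp"/*.pem; do
    [ -f "$f" ] || continue
    if [ "$(fingerprint "$f" 2>/dev/null)" = "$want" ]; then rc=0; break; fi
  done
  rm -rf "$tmp"
  return $rc
}

# Step 3 of the post: append the BI certificate after the last
# -----END CERTIFICATE----- line, keeping a backup of the store first.
# HANA only reads the new entry after the restart in step 4.
append_to_truststore() {     # $1 = trust.pem, $2 = certificate PEM file
  if truststore_has_cert "$1" "$2"; then
    echo "already in $1: $(cert_subject "$2")"
    return 0
  fi
  [ -f "$1" ] && cp "$1" "$1.bak"
  openssl x509 -in "$2" >> "$1"      # canonical PEM, one cert, newline-terminated
}

# The HANA statements from the post with the DNs read from the certificate,
# so they cannot be mistyped or reordered, followed by two queries that show
# what HANA stored. $1 provider name, $2 cert PEM, $3 HANA user, $4 BI user.
hana_saml_sql() {
  subj=$(cert_subject "$2")
  iss=$(cert_issuer "$2")
  cat <<EOF
CREATE SAML PROVIDER $1 WITH SUBJECT '$subj' ISSUER '$iss';
ALTER USER $3 ENABLE SAML;
ALTER USER $3 ADD IDENTITY '$4' FOR SAML PROVIDER $1;
SELECT SAML_PROVIDER_NAME, SUBJECT_NAME, ISSUER_NAME FROM SAML_PROVIDERS WHERE SAML_PROVIDER_NAME = '$1';
SELECT USER_NAME, SAML_PROVIDER_NAME, EXTERNAL_IDENTITY FROM SAML_USER_MAPPINGS WHERE USER_NAME = '$3';
EOF
}
```

Against a real system, save the text shown in the CMC to a file, pipe it through pem_from_cmc_text, hand the resulting file to append_to_truststore (pointing at the trust.pem path from above) and to hana_saml_sql, run the generated statements as a user with USER ADMIN, and restart HANA as in step 4. make_test_cert exists only so the functions can be tried without a BI server.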
Test SAML Authentication
To test whether SAML is working, log in to the CMC and go to Applications > HANA Authentication. On this screen you will see “Test the connection for this user”. Enter the BI user name here; remember that we added this identity to our HANA user in step 4 above.
If the connection is successful, you will see,
If not, you will see,
As seen in the failed login above, the error message is very generic. To troubleshoot SAML issues, start with the basics,
1) Is SSL set up and working in HANA (meaning: do you see the lock icon on your connection)?
2) After adding the BI certificate to the PEM file, did you restart HANA?
3) Check that the DN is correct and in the correct order as mentioned above
4) Enable the authentication trace for the indexserver
Once the trace has been enabled, you will see output similar to the log below. From it you can read the error messages HANA throws and verify the certificate Subject and Issuer it saw. In the log below, the SAML provider name is wrong, so HANA throws a "does not exist" error.