Skip to Content
Business Trends

Use SAML to Enable SSO for your SAP HANA XS App

So you want to use SAML to support single sign-on and secure your SAP HANA XS web application? Who doesn’t? This blog post will give you step-by-step instructions to enable your XS app to authenticate existing users from your SAP BI, NW, BW or your non-SAP apps.

Here is how I enabled SAML authentication for my XS app. I have performed these tasks in both rev 67 and rev 70 versions of HANA. I will refer to an SSL guide posted by Erik Lemen and a SAML/XS one posted internally by Bjoern Friedmann. Let’s get to work!

Pre-requisites

This guide will NOT document how to set up an Identity Provider (IDP) for SAML. It assumes that you already have access to an IDP and have access to an administrator of the IDP. Chances are that you already have a SAML IDP set up in your company. If not, you can use the SAP BI Platform, the Netweaver SSO product, or SAP’s own cloud-based ID Service (SAP IDS) as your IDP (see the Further Reading section for more on those products).

Additionally you will need access to the HANA Linux environment using the Linux admin ID setup for your HANA instance. You also will a HANA user ID that has been assigned the following role to administer the SAML configuration tool: sap.hana.xs.admin.roles::SAMLAdministrator

Plan your configuration

You should be familiar with SAML concepts and may wish to read section 5.4 in the SAP HANA SPS07 Administration Guide. Before you begin, discuss your plans with the security administrator of your SAML IDP and your XS development team.

Task Overview

1. Step1: Setup SAP Crypto Library, SSL (May be optional) and Trust Store

a. Step 1a: Set up SAP Crypto Library and Trust Store Utility

b. Step 1b: Turn on SSL Encryption

c. Step 1c: Create Trust Store

d. Step 1d: Setup the trust relation with the IDP

e. Step 1e: Restart the XS Engine

2. Step 2: Configure your XS Application

a. Step 2a: Add IDP

b. Step 2b: Add Service Provider

c. Step 2c: Register your App with your IDP

d. Step 2d: Configure App

3. Step 3: Modify your XS Application Code

a. Step 3a: Using Named Users

b. Step 3b: Set Default Role for Dynamically Generated Users

c. Step 3c: Implement Logout Code

d. Step 3d: Retrieving User Information from the IDP (Optional)

Step1: Setup SAP Crypto Library, SSL (May be optional) and Trust Store

Step 1a: Set up SAP Crypto Library and Trust Store Utility

Follow the steps in Section 1 (Only) of the attached document (a modified version of this document created by Erik Lemen).

  • STOP after completing section 1 of the attached instructions.

Step 1b: Turn on SSL Encryption

Important Note: This may be optional depending on your company’s security policy and SAML configuration

Follow the steps in Section 2 of the attached document (a modified version of this document created by Erik Lemen), BUT FIRST see my notes below based on my findings.

Important Notes:

  • DO NOT USE PINS: Don’t use a pin for any of the commands – using a pin did not work for me and gave an error – I need to determine why this happened.
  • If you are using HANA One on AWS, you will need to make sure you open your target port as needed

Step 1c: Create Trust Store

Type the following commands from a Linux command prompt, logged in as <sid>adm (e.g. hdbadm where your instance name is HDB):

cd /usr/sap/<INSTANCE>/SYS/global/security/lib

mkdir /usr/sap/<INSTANCE>/HDB<InstNo>/<host>/sec

./sapgenpse gen_pse -p /usr/sap/<INSTANCE>/HDB<InstNo>/<host>/sec/sapsrv.pse

Leave PIN empty (2x enter), and as “Distinguished name of PSE owner:” enter CN=<yourhostname>

Step 1d: Setup the trust relation with the IDP

Here you must gather the IDP metadata from your IDP service.

You will need the metadata URL for your IDP. For example, the metadata URL for the production SAP IDS service is: https://accounts.sap.com/saml2/metadata/accounts.sap.com

Once you know the appropriate metadata URL for your desired IDP, open the URL using your favorite browser. You will be copying some XML content – so right-click and select “View page source”.

Copy the certificate string (which is DER encoded) from the ds:X509Certificate tag. For SAP ID service this is MIICHTCCAYagAwIBAgIETKTcJjANBgkqhkiG9w0BAQUFADBTMQswCQYDVQQGEwJERTEPMA0G…

/wp-content/uploads/2013/12/picture1.png

Using your favorite editor put this into a file called sapid.cer in the directory:

/usr/sap/<INSTANCE>/SYS/global/security/lib

Surround the certificate string with the tags below (there are 5 hyphens before and after the CERTIFICATE tags)

—–BEGIN CERTIFICATE—–

MIICHTCCAYagAwIBAgIETKTcJjANBgkqhkiG9w0BAQUFADBTMQswCQYDVQQGEwJERTEPMA0G…

—–END CERTIFICATE—–

Import this certificate into sapsrv.pse

./sapgenpse maintain_pk -p /usr/sap/<INSTANCE>/HDB<InstNo>/<host>/sec/sapsrv.pse -a sapid.cer

Step 1e: Restart the XS Engine

From HANA Studio, double-click on the SYSTEM you are configuring from the Systems view.

From the landscape tab, right-click on the xsengine row and select “kill”.

Alternatively you can type HDB stop and then HDB start from a Linux prompt to restart the whole HANA server.

Step 2: Configure your XS Application

Step 2a: Add IDP

Get your IDP Info

Similar to step 1d, you must know the URL for retrieving the metadata for your IDP. For the production SAP IDS IDP I will use the following URL: https://accounts.sap.com/saml2/metadata/accounts.sap.com

Note: Of course you should always start with a development or QA system, NOT a production system.

Open the URL, right-click and select “view page source”. Select all text and then click copy.

Configure IDP Info

Open the URL below with a browser.

http://<host_name>:<xs_port>/sap/hana/xs/admin

Login using the SYSTEM user ID or a user ID that has the following role assigned:

sap.hana.xs.admin.roles::SAMLAdministrator

From the Identity Provider page (under the SAML Configuration menu option), click the icon in the upper-left to add a new IDP. Paste the content, that you just copied, into the metadata field, click Parse, and enter a Name for your IDP (of your choosing).

Click the check box to enable dynamic user creation. Click Save to complete the setup of your IDP in the XS configuration.

Note: Checking the box to enable dynamic user creation will automatically add a database user ID for each user as they first log in to your XS application. This is highly recommended, unless you are planning to use a single technical user ID for all users.

/wp-content/uploads/2013/12/picture2.png

Step 2b: Add Service Provider

Fill in the service provider information in the admin screen. The Name field is very important and should match the domain (host) name and URL of your XS engine, including the port number, that users will use to access your system. Use the globally accessible domain name for externally facing systems.

For example, if your XS server splash page is accessible at http://hostname:8021 then enter http://hostname:8021.

Click Save after entering your information. But do not leave the screen yet.

/wp-content/uploads/2013/12/picture3.png

Step 2c: Register your App with your IDP

Copy all of the text in the Metadata text box shown on the screen.

/wp-content/uploads/2013/12/picture4.png

Save this text in a local file named as you wish, but with an XML file extension (e.g. myXsAppMetadata.xml).

Note: If you wish to return user attributes back to your application you can add fields by inserting XML similar to this text below, just before the close tag </md:SPSSODescriptor>. To get the exact XML, you need the field names that are provided by your IDP. This is just an example that will allow me to access a user’s profile ID, email, first name and last name.

<md:AttributeConsumingService index=”1“>

<md:ServiceName xml:lang=”en“>SAP HANA Answers</md:ServiceName>

<md:RequestedAttribute Name=”user_profile_id NameFormat=”urn:oasis:names:tc:SAML:2.0:attrname-format:uri isRequired=”true” />

<md:RequestedAttribute FriendlyName=”mail Name=”urn:oid:0.9.2342.19200300.100.1.3 NameFormat=”urn:oasis:names:tc:SAML:2.0:attrname-format:uri isRequired=”false” />

<md:RequestedAttribute Name=”first_name NameFormat=”urn:oasis:names:tc:SAML:2.0:attrname-format:uri isRequired=”false” />

<md:RequestedAttribute Name=”last_name NameFormat=”urn:oasis:names:tc:SAML:2.0:attrname-format:uri isRequired=”false” />

</md:AttributeConsumingService>

Now you need to submit this file to the administrator of your IDP so that they can create an entry to recognize your Service Provider that you just configured. You may need to email the file or submit the contents via a web form. It depends on your company policy.

Note: While you wait for the activation confirmation from your IDP team, please continue with the next steps. Of course nothing will work until they complete the necessary set up on their end.

Step 2d: Configure App

Click on the XS Applications link in the upper left menu bar. Edit the setting for your XS package(s) by highlighting each package (or just the parent package), and choosing SAML as shown below. You may need to click on the pencil icon next to the option you are editing. Select your SAML Identity Provider that you created in Step 2a and click Save.

/wp-content/uploads/2013/12/picture5.png

Note: These authentication settings override the authentication settings that you may have in your .xsaccess file for your application and its individual packages.

Step 3: Modify your XS Application Code

Package Layout and Other Development Considerations

Your XS application needs a clear security model. Will you have different levels of security for each package? Will you allow database connectivity for named user IDs or maybe just one technical user ID? Answers to these questions fall outside the scope of this blog.

However, you must consider your authorization requirements early in your development and may choose to organize your package hierarchy accordingly. For example you may want to organize your application into 3 primary packages: a public package, a user package and an admin package. Each of these packages can be granted different authentication and authorization policies.

In this blog I will provide the steps to use named users and secure the entire app (the root package of the app) with one authentication policy using SAML. We will also demonstrate how to assign a default role to new users logging into the system.

Step 3a: Using Named Users

Because we set the option to dynamically generate database users in Step 2a above, our code to get the database connection does not need to take the user ID as a parameter.

See sample code below.

var conn = $.db.getConnection();

Each user will access the database with his/her own user ID that is automatically generated for us. Not too bad.

Step 3b: Set Default Role for Dynamically Generated Users

Double click on your system in the Systems tab of HANA Studio. Click on the Configuration tab and add the parameter defaultrole under indexserver.ini->saml. Set the value to be the name of a role that you have defined.

/wp-content/uploads/2013/12/picture6.png

Now new users that login to your app will be assigned your specified role by default.

Note: I did not get it to work using the syntax of a design-time role. So I created a run-time role and assigned the design time role to it.

Step 3c: Implement Logout Code

To provide logout logic you must create and activate a file within your XS project with the content below. I named my file logout.xscfunc.

Logout.xscfunc

{

“library”: “libxsauthenticator“,

“factory”: “createApp”,

“method”: “logout”

}

Next you have to create some javascript code shown below that can be accessed once a user clicks on a logout button or link in your application.

Logout button logic

function logout() {

$.ajax({

url: “logic/logout.xscfunc”,

type: “POST”,

dataType: “json”,

success: function(ret) {

document.location.reload(true);

}

});

}

Step 3d: Retrieving User Information from the IDP (Optional)

User attributes that have been identified and included in your metadata XML that you sent to your IDP team in Step 2c, can be accessed from your XSJS code with the following code.

var value = $.session.samlUserInfo.<name>;

A valid example could be

var mail = $.session.samlUserInfo.mail;

Create your Own Registration Experience (Overlay)

SAML identity providers offer the ability to customize your login and registration experience using something called an overlay. I need to learn more about how this works and post a subsequent blog on the topic.

Troubleshooting

Assertion did not contain a valid MessageID.

If you receive the above error message when logging in to your app then your XS app is considering the response from your IDP as having timed out. You can change the timeout setting as needed by following these steps.

Double click on your system in the Systems tab of HANA Studio. Click on the Configuration tab and add the parameter assertion_timeout under indexserver.ini->saml. Set the value to be the number of seconds before a timeout takes place. The default value is 10.

/wp-content/uploads/2013/12/picture7.png

Path Error when Running sapgenpse

If you receive a library path error running the sapgenpse command, you may need to run the following command.

export LD_LIBRARY_PATH=/usr/sap/HDB/SYS/global/security/lib

Further Reading

28 Comments
You must be Logged on to comment or reply to a post.
  • Hi Mark

    Nice blog which cover's almost all the steps for SAML config. I just want to understand how do I test this as we do not have any Identity Provider setup in our SAP environment. Is there any SAP Cloud application available which runs IDP ? So I can test by launching a cloud instance. Please advice.

    Thanks

    Srikar

    • Hi Srikar,

      The HANA cloud platform offers a simple/lightweight test IDP that comes with the SDK. This test IDP is started with your local development server, but can be used as a β€œreal” IDP for an end-to-end test in the Cloud. More on this can be found here: https://help.hana.ondemand.com/help/frameset.htm?754818ea63874ea38843ab0ed1928765.html

      Apprantely SAP may provide a security service for customers in the next year or so.

      Best,

      Mark

      • Hi Mark

        When I am trying to add the IDP details as per step 2a, I am getting the below error:

        InternalError:dberror(PreparedStaement.execute):4233 - Creating SAML provider failed because of internal error: Subject CN=Opsveda, C=US and issuer CN=OpsVeda, C=US already registered with SAML provider OPSVEDA_IP at DistMetadata/DistDDLRequester.cpp:44


        Can you please advise here.

        Thanks

        Srikar

        • Hi Srikar,

          Are you using your own IDP? Do you already have an IDP entry in HANA for those settings? Also, which version of HANA server are you running?

          Best,

          Mark

          • Hi Mark

            I have installed NW 7.3 EHP1 Java Stack for the purpose of IDP, created and using own IDP. When I am trying to add the IDP in HANA SAML Configuration tab I am getting the error. And we are on HANA SPS7.

            Thanks

            Srikar

          • Hi Srikar,

            Someone from our development team kindly provided some feedback.

            It seems as though internally someone tried to create an (additional) SAML provider. If this uses the same subject and issuer as one existing, this error will show up. One can see existing SAML providers in system view SAML_PROVIDERS. [select * from sys.SAML_PROVIDERS]

            If the entry already exists for your IDP you can skip this step. Even if you use the same name as the existing saml provider, this error will show up. I know this seems obvious, but let's rule it out.

            Thanks and regards,

            Mark

          • Hi Mark,

            I am also facing same error while configuring SP metadata in xs admin cockpit.

            Internal Error: dberror(PreparedStatement.execute): 4233- creating SAML provider failed because of internal error:: Subject

            CN=CPS Production, OU=Webkm, O=SAP, L=Berlin, C=DE and Issuer CN=CPS Production OU=Webkm O=SAP L=Berlin C=DE already registered with SAML provider test2 at Distmetadata/DistDDL Requester cpp:44

    • Hi Ashok,

      I have seen this once before. Although not the first choice, deleting the problematic user id and logging in again fixed the issue.

      Please check that new users are assigned the necessary application privileges/roles. This can be set in the saml section of the indeserver.ini as explained above.

      Can you try with another user to see if it works for them? If yes, then please try either assigning the necessary app roles to user I066096 or try deleting user I066096. Please let me know the outcome.

      Best regards,

      Mark

    • Hi,

      thi error can be related to nature of role you've created to be used by HANA for replicated users.

      If it is created via hdbrole file - won't work. You shall created it via SQL. If this also does not help - restart HANA πŸ™‚

      Denis.

      /
      πŸ™‚
  • Can anybody advise - what happens to the 'Dynamic user'Β  once the actual user logs out? Is the Dynamic user gets dropped from the HANA DB automatically?

    • Hi Pradip,

      The user account stays in the HANA system even after the user logs out. It is created the first time they log in.

      Regards,

      Mark

  • Hi Mark,
    thanks for this very helpful article.

    I'm struggling to get the defaultrole to work. I tried both run -and design-time roles, but the created user ends up with no roles assigned. Do you know whether this is still working with SP9?
    Also do you know of other similar configuration options in the indexserver.ini - saml? I'm looking for a way to add user parameters whenever a new user is created.

    Thanks,
    Daniel

  • Important: if you are on Rev 92 or later please use the following version of this document found here: http://scn.sap.com/community/developer-center/hana/blog/2015/03/14/use-saml-to-enable-sso-for-your-xs-app-on-sap-hana-sps-09-rev-92-or-later

  • Hi Team,
    We have implemented Single Sign On using SAML2.0 for HANA XS Application.SSO has been configured for KPI2.0 application in our Dev system.When one of the user is executing below link to test SSO he is getting error
    that" SAML response status is not SUCCESS(StatusCode:urn:oasis:name:tc:SAML:2.0:Status:Responser,StatusMessage)

    Link: https://stlts701.one.ofc.loc:4303/KPI/Z_PRJ_KPI_HOMEPAGE_UI/WebContent/index.html

    Please provide your help as in how to resolve this error.

    Thanks & Regards,
    Nilesh Shete

  • Hi Team,
    We have implemented Single Sign On using SAML2.0 for HANA XS Application.SSO has been configured for KPI2.0 application in our Dev system.When one of the user is executing below link to test SSO he is getting error that"No cookie with target path found in request".

    Link: https://stlts701.one.ofc.loc:4303/KPI/Z_PRJ_KPI_HOMEPAGE_UI/WebContent/index.html

    Please provide your help as in how to resolve this error.

    Thanks & Regards,
    Nilesh Shete

  • Hi Guys,

    I also configured the SAML provider and from IDP side everything works fine but on Service Provider I get below error :

    Database user does not exist(StatusCode: , StatusMessage: )

    Which is generic error coming from /sap/hana/xs/saml/login.xscfunc SingleSignOn Endpoint of Service provider

    Did Anyone else faced this error before ?

    Any help will be appreciated

    Best Regards
    Fenil.

  • Hi Mark,
    I have configured SAML to work with BOBJ, BW and ECC HANA. BOBJ --> BW SAML is working fine. but BOBJ --> ECC HANA SAML is sometime authenticating and sometime popup for the password. I have run the xsengine trace. In the trace i am seeing the following error. Could you please help me to resolve the issue.
    XSSessionLifecycle.cpp(00086) : creating logout request failed: SAML Provider configuration not established (saml_provider: ECCHTTP, binding_type: 0, profile_type: 1)

    Xsengine trace:
    Authentication Method.cpp(00076) : set logon name=ZTRAINING
    Authentication ManagerAcceptor.cpp(00289) : Got logon name from method: ZTRAINING
    Authentication Connection.cc(03860) : [PRE AUTHENTICATION] logon name: ZTRAINING
    Authentication Connection.cc(03927) : [POST AUTHENTICATION] logon name: ZTRAINING
    XSSession XSSessionLifecycle.cpp(00276) : Assertion was successfully checked. Now trying to match its response ID with the known response IDs...
    XSSession XSSessionManager.cpp(00664) : Session authenticated (method: SAML Authorization, user: ZTRAINING)
    XSSession XSSessionManager.cpp(00921) : SessionManager::authenticate: doNonInteractiveAuth result=200
    XSSession XSSessionManager.cpp(00929) : SessionManager::authenticate: isAuthenticated=true
    XSSession XSSessionManager.cpp(01115) : Sessions count has been increased to: 2
    XSSession XSSessionManager.cpp(01119) : Sessions overwrapping counter has been increased to: 3
    XSSession XSSessionManager.cpp(01122) : decrease http request number to 0 of session number 3
    XSSession XSSessionManager.cpp(00990) : Processing getSession() request
    XSSession XSSessionManager.cpp(01013) : Found existing session object
    XSSession XSSessionManager.cpp(00873) : SessionManager::authenticate: defaultConnectionAvailable=0
    XSSession XSSessionManager.cpp(00885) : SessionManager::authenticate: sufficiently authenticated
    XSSession XSSessionManager.cpp(01122) : decrease http request number to 0 of session number 3
    XSSession XSSessionManager.cpp(00990) : Processing getSession() request
    XSSession XSSessionManager.cpp(01013) : Found existing session object
    XSSession XSSessionManager.cpp(00873) : SessionManager::authenticate: defaultConnectionAvailable=0
    XSSession XSSessionManager.cpp(00885) : SessionManager::authenticate: sufficiently authenticated
    XSSession XSSessionManager.cpp(01122) : decrease http request number to 0 of session number 3
    XSSession XSSessionManager.cpp(00990) : Processing getSession() request
    XSSession XSSessionManager.cpp(01013) : Found existing session object
    XSSession XSSessionManager.cpp(00873) : SessionManager::authenticate: defaultConnectionAvailable=0
    XSSession XSSessionManager.cpp(00885) : SessionManager::authenticate: sufficiently authenticated
    XSSession XSSessionManager.cpp(01122) : decrease http request number to 0 of session number 2
    XSSession XSSessionManager.cpp(00990) : Processing getSession() request
    XSSession XSSessionManager.cpp(01013) : Found existing session object
    XSSession XSSessionManager.cpp(00873) : SessionManager::authenticate: defaultConnectionAvailable=0
    XSSession XSSessionManager.cpp(00885) : SessionManager::authenticate: sufficiently authenticated
    XSSession XSSessionManager.cpp(01122) : decrease http request number to 0 of session number 2
    XSSession XSSessionManager.cpp(00990) : Processing getSession() request
    XSSession XSSessionManager.cpp(01013) : Found existing session object
    XSSession XSSessionManager.cpp(00873) : SessionManager::authenticate: defaultConnectionAvailable=0
    XSSession XSSessionManager.cpp(00885) : SessionManager::authenticate: sufficiently authenticated
    XSSession XSSessionManager.cpp(01122) : decrease http request number to 0 of session number 3
    XSSession XSSessionManager.cpp(00990) : Processing getSession() request
    XSSession XSSessionManager.cpp(01013) : Found existing session object
    TraceContext TraceContext.cpp(00960) : UserName=ZTRAINING, ApplicationUserName=ZTRAINING, ApplicationName=sap.hana.xs.formLogin, ApplicationSource=/sap/hana/xs/formLogin/logout.xscfunc, ClientIp=192.168.192.33
    XSSession XSSessionLifecycle.cpp(00086) : creating logout request failed: SAML Provider configuration not established (saml_provider: ECCHTTP, binding_type: 0, profile_type: 1)
    XSSession XSSessionManager.cpp(01122) : decrease http request number to 4294967295 of session number 18446744073709551615
    XSSession XSSessionManager.cpp(00990) : Processing getSession() request
    XSSession XSSessionManager.cpp(01013) : Found existing session object
    XSSession XSSessionManager.cpp(00873) : SessionManager::authenticate: defaultConnectionAvailable=0
    XSSession XSSessionManager.cpp(00885) : SessionManager::authenticate: sufficiently authenticated
    XSSession XSSessionManager.cpp(01122) : decrease http request number to 0 of session number 2
    XSSession XSSessionManager.cpp(00990) : Processing getSession() request
    XSSession XSSessionManager.cpp(01013) : Found existing session object
    XSSession XSSessionManager.cpp(00873) : SessionManager::authenticate: defaultConnectionAvailable=0
    XSSession XSSessionManager.cpp(00885) : SessionManager::authenticate: sufficiently authenticated
    XSSession XSSessionManager.cpp(01122) : decrease http request number to 0 of session number 2
    XSSession XSSessionManager.cpp(00990) : Processing getSession() request
    XSSession XSSessionManager.cpp(01013) : Found existing session object
    XSSession XSSessionManager.cpp(00873) : SessionManager::authenticate: defaultConnectionAvailable=0
    XSSession XSSessionManager.cpp(00885) : SessionManager::authenticate: sufficiently authenticated
    XSSession XSSessionManager.cpp(01122) : decrease http request number to 0 of session number 2
    XSSession XSSessionManager.cpp(00990) : Processing getSession() request
    XSSession XSSessionManager.cpp(01013) : Found existing session object
    XSSession XSSessionManager.cpp(00873) : SessionManager::authenticate: defaultConnectionAvailable=0
    XSSession XSSessionManager.cpp(00885) : SessionManager::authenticate: sufficiently authenticated
    XSSession XSSessionManager.cpp(01122) : decrease http request number to 0 of session number 2
    Logger SavepointImpl.cpp(02732) : Savepoint current savepoint version: 234334, restart redo log position: 0x31254484, next savepoint version: 234335, last snapshot SP version: 0
    XSSession XSSessionManager.cpp(00990) : Processing getSession() request
    XSSession XSSessionManager.cpp(00681) : ENTER SessionManager::doNonInteractiveAuth
    XSSession XSSessionManager.cpp(00687) : doNonInteractiveAuth: authType=FORM
    XSSession XSSessionManager.cpp(00687) : doNonInteractiveAuth: authType=BASIC_AUTH
    XSSession XSSessionManager.cpp(00271) : doNonInteractiveAuth: No basic credentials available
    XSSession XSSessionManager.cpp(01122) : decrease http request number to 0 of session number 18446744073709551615

  • Hi Mark,

    We have a scenario where we want to login to onpremise BOBJ & use SSO for SAP HANA XS App which is on SAP Cloud.

    We have an on-premise SAP BI 4.1 SP06 Application. We have couple of views and XS application build done on SAP HCP environment.
    In one the the on premise BOBJ report whe have a link created which should open HCP URL without prompting for HCP credentials.
    When we click on the link, we are getting user id password prompt.

    Steps we have performed till now.
    β€’ Generated certificate in BOBJ under CMC -> HANA Authentication -> provide SAML information -> generated certificate
    β€’ Change service provider name
    ALTER SYSTEM ALTER CONFIGURATION ('indexserver.ini', 'SYSTEM') SET ('authentication', 'saml_service_provider_name') = ' ' WITH RECONFIGURE; ( as we are using SAP BI 4.1 SP6, this step not required for SAP BI 4.2).]
    β€’ Added BOBJ certificate in trust store of HCP.
    β€’ Import BOBJ certificate in security and create SAML Identity provider in BI using SAP Cryptographic option.
    β€’ Restart HCP
    β€’ Now test connection between HCP and BOBJ is working fine.
    β€’ Now under XS Admin -> Artifacts -> Enable SAML for package where XS service is published

    Can you please help me? Thanks in advance.

    Regards,
    Girish Bhosale