Use SAML to enable SSO for your XS App on SAP HANA rev 92 or later

This blog post will give you step-by-step instructions to enable your XS app to authenticate existing users from your SAP BI, NW, BW or your non-SAP apps.

I now have the pleasure of rewriting my previous blog on this topic that consisted of 2 documents. This blog post may be a little longer due to the explanations and screenshots, but the process is simpler and much faster to implement based on the many enhancements in HANA SPS08 and SPS09.

Here is how I enabled SAML authentication for my XS app using SAP HANA rev 92. Special thanks to Markus Strehle for his many contributions to this blog.


Pre-requisites

You must be using SAP HANA rev 92 or later. This guide will NOT document how to set up an Identity Provider (IDP) for SAML or teach you how to develop an XS application. It assumes that you already have access to an IDP and have access to an administrator of the IDP. Chances are that you already have a SAML IDP set up in your company. If not, you can use the SAP BI Platform, the NetWeaver SSO product, or SAP’s own cloud-based ID Service (SAP IDS) as your IDP (see the Further Reading section for more on those products).

Fortunately you will no longer need access to the HANA Linux environment nor require the Linux admin user ID for your HANA instance. You also will no longer need to download and install crypto libraries since they are now installed with SAP HANA.

You will need a HANA user ID that has been assigned the following roles to administer the SAML configuration tool:

  • sap.hana.xs.admin.roles::SAMLAdministrator
  • sap.hana.xs.admin.roles::TrustStoreAdministrator
  • sap.hana.xs.wdisp.admin::WebDispatcherAdmin
  • sap.hana.xs.admin.roles::RuntimeConfAdministrator

Plan your configuration

You should be familiar with SAML concepts and may wish to read the following sections of the SAP HANA SPS09 Administration Guide:

  • 5.4 Managing Trust Relationships
  • 5.5 Maintaining SAML Providers
  • 5.10 Maintaining Single Sign-On for SAP HANA XS Applications

Before you begin, discuss your plans with the security administrator of your SAML IDP and your XS development team.

Task Overview

  1. Step 1: Enable SSL Encryption (May be optional or required by your IDP)
    1. Step 1a: Create the Certificate Request
    2. Step 1b: Send the Certificate Request to a Certificate Authority to be signed
    3. Step 1c: Confirm HTTPS and SSL are Working
  2. Step 2: Setup the SAML IDP and Trust Relationship
    1. Step 2a: Get your IDP certificate information
    2. Step 2b: Add Your IDP
    3. Step 2c: Add Service Provider
  3. Step 3: Configure your IDP and Application
    1. Step 3a: Register your App with your IDP
    2. Step 3b: Configure App
  4. Step 4: Modify your XS Application Code
    1. Step 4a: Using Named Users
    2. Step 4b: Set Default Role for Dynamically Generated Users
    3. Step 4c: Implement Logout Code
    4. Step 4d: Retrieving User Information from the IDP (Optional)

Step 1: Enable SSL Encryption (May be optional or required by your IDP)


Important Note: Using SSL may be optional depending on your company’s security policy and SAML configuration.

Background

SAP HANA uses the Extended Application Services (XS) Engine as a lightweight web application server. HANA leverages SAP’s existing Web Dispatcher to act as a proxy relaying communication between front-end HTTP requests and HANA’s back-end XS Engine.

At the time this document was written, the SAP HANA hardware vendors did not deliver the HANA appliance with SSL/HTTPS enabled for the XS Engine/Web Dispatcher. These next steps will enable secure HTTP communication with the XS Engine using SAP’s CommonCryptoLib libraries and an SAP CA evaluation certificate for use in development or test environments.

These steps are a supplement to the HANA security guide. If you are interested in securing HANA communication with OpenSSL please see this document. Note that OpenSSL is only supported for SQL connectivity to SAP HANA. The Web Dispatcher in SAP HANA does not support OpenSSL.

Symptoms to Resolve

The HTTP protocol should be working for communication with SAP HANA’s XS Engine when we navigate our browser to http://<host_name>:<xs_port>.


However, https protocol may or may not be working. In general (with rev 92 or later), a self-signed certificate should automatically be generated and SSL should automatically work. Note: If you delete your SAPSSLS.pse file and restart your web dispatcher the new PSE file should contain a newly generated self-signed certificate. See SAP Note 2014996 for more information regarding this new feature.

To test using https point your browser to https://<host_name>:<xs_ssl_port>. Note we use https as the protocol and use the SSL port for your XS engine. This should be 43<instance_nbr> (e.g. 4300 for HANA instance 00).

You may see a warning message from your browser, such as the following screen. You can work around this warning message by clicking “Advanced” (in Google Chrome) or “Continue to this website” (in Internet Explorer).


If you do not have an SSL certificate properly installed in your SAPSSLS.pse file you may see a different error when you go to https://<host_name>:<xs_ssl_port>.

If you receive an error, you may view the details in your SAP HANA Web Dispatcher trace file. This file can be viewed from HANA Studio: double-click on your system, select the Diagnosis Files tab and open the latest file with the “webdispatcher” prefix and “webdisp” suffix.


Important Note: If your page loaded properly but you wish to avoid the warning, you must install an evaluation or a signed certificate. If, for now, you are okay receiving the warning, you can skip ahead to Step 2 to configure your SAML authentication.


Step 1a: Create the Certificate Request

Here we will create a request for an evaluation certificate to use for our SSL encryption from a CA (certificate authority). We will use the Web Dispatcher Administration tool. These next steps should alleviate the need for a warning message when accessing our site via SSL.

Roles Required:

  • sap.hana.xs.admin.roles::TrustStoreAdministrator
  • sap.hana.xs.wdisp.admin::WebDispatcherAdmin

Open the URL below with a browser.

http://<host_name>:<xs_port>/sap/hana/xs/wdisp/admin/


Click on “PSE Management” from the navigation pane.


Keep the selection of SAPSSLS.pse and click the “Create CA Request” button.

Note: for more information regarding the various PSE files, see SAP Support Note 2009878.


Select and copy all of the text in the first text area. You will provide this information to your CA.

Step 1b: Send the Certificate Request to a Certificate Authority to be signed

This guide will generate a free evaluation certificate from SAP’s website.

Browse to http://service.sap.com/trust


Click “SSL Test Server Certificates”.

Then click the Test it Now! button that appears in the main canvas.


Paste the request text from the previous step into the Order SSL Server Test Certificate page shown here, choose the server type “PKCS#7 certificate chain”, and click the Continue button.

SAP returns the signed certificate as text. Copy this text to your clipboard. You may choose to save the copied text into a local file using your favorite text editor for later reference.


Switch back to your Web Dispatcher Administration screen, paste the text into the “Import CA Response…” text area, and click “Import”.

Note: If you previously closed this page, click on “PSE Management” in the navigation bar. Make sure SAPSSLS.pse is selected at the top of the screen. Then click on the “Import CA Response” button, paste the certificate text into the text area and click “Import”.

You should see a message stating that the CA-Response was imported into the SAPSSLS.pse and you should see certificate details in the “PSE Attributes” section of the page.

Step 1c: Confirm HTTPS and SSL are Working

If everything is working as expected, then SSL should now be enabled.

You can now call your XS Engine using the SSL port for your XS engine. This should be 43<instance_nbr> (e.g. 4300 for HANA instance 00). Type the URL into your browser.

https://<host_name>:<ssl_xs_port>

You may see a warning if your browser does not have the root certificate for the CA in its certificate store. You can click “Advanced” (in Chrome) or “Continue to this website” (in Internet Explorer) to proceed.

If you used the SAP evaluation certificate, you can save and import the SAP Server root certificate into your browser’s trust store. Just save the certificate file from here: https://tcs.mysap.com/invoke/tc/getCert?SAPServerCA.der and then double click on the file from Windows Explorer and follow the import wizard.

If everything went well you are now looking at the XS engine screen again, but now using your evaluation certificate and SSL!

If it does not work, you can check the trace file for the web dispatcher by clicking on the “Trace” link in the navigation bar of the Web Dispatcher Administration tool as shown below. Or, as shown earlier, the trace file can also be viewed from the HANA Studio.


Important Notes:

  • If you are using HANA One on AWS, you will need to make sure you open your target (SSL) port as needed.
  • As needed, from HANA Studio, you may change various web dispatcher settings in the [profile] section of the webdispatcher.ini file. A restart of the web dispatcher service is no longer required for parameter changes to take effect.


Step 2: Setup the SAML IDP and Trust Relationship

The next steps will walk you through gathering your IDP information, then adding that information to your SAP HANA configuration. This will tell HANA which IDP to trust and use when authenticating your application users.

Note: for this section you will need the following roles assigned to your HANA user account.

  • sap.hana.xs.admin.roles::SAMLAdministrator
  • sap.hana.xs.admin.roles::TrustStoreAdministrator


Note: See section 5.10 [Maintaining Single Sign-On for SAP HANA XS Applications] of the SAP HANA Administration Guide for further support and reference on how to configure SAML settings for XS.


Step 2a: Get your IDP certificate information

Here you must gather the IDP metadata from your IDP service. In this example I will use SAP’s cloud-based ID service (SAP IDS) as my SAML IDP. Again, you must choose your own IDP, which may be internal to your company; it may also be SAP IDS or an IDP offered by SAP software such as the SAP BI Platform or the NetWeaver SSO product (see the Further Reading section for more on those products).


You will need the metadata URL for your IDP. For example, the metadata URL for the production SAP IDS service is: https://accounts.sap.com/saml2/metadata/accounts.sap.com


Note: Of course you should always start with a development or QA system, NOT a production system.


Once you know the appropriate metadata URL for your desired IDP, open the URL using your favorite browser. You will be copying some XML content – so right-click and select “View page source”.


Now select ALL of the text and copy it into your clipboard. You will use this content in the next step.

Step 2b: Add Your IDP

Open the URL below with a browser. This time use the https:// protocol and port number (43<instance_nbr>).


https://<host_name>:<ssl_xs_port>/sap/hana/xs/admin


Note 1: If you will not use SSL for your site, that is okay as long as your SAML IDP supports the HTTP protocol.


Note 2: In my screenshots below I did not use the SSL protocol and port. That is okay too, but before I copy my metadata (in a later step) I will have to open the tool using SSL. I will point out where this occurs.


Log in using the SYSTEM user ID or a user ID that has the following role assigned.


Role required: sap.hana.xs.admin.roles::SAMLAdministrator


Click on the menu icon and then click on “SAML Identity Provider”


You will then see the following screen.


Click the Plus “+” icon to add a SAML IDP.


You will see a form to enter the IDP metadata. Now paste in the content that you copied in the previous step. When you click in any of the fields in the “General Data” section, the XML content that you pasted should be reformatted and the “General Data” fields should automatically be populated.


Click to activate the checkbox for “Dynamic User Creation”.


Note: Checking the box to enable dynamic user creation will automatically add a database user ID for each user as they first log in to your XS application. This is highly recommended, unless you are planning to use a single technical user ID for all users or if you will provision all HANA user IDs by some other method.


Click “Save”.


You should see a fleeting message stating that the IDP was successfully saved and then you should see the IDP listed in the “SAML Identity Provider List”.

So what just happened? Quite a bit actually.

Pressing the “Save” button added our IDP and also established a trust relationship with it. The certificate from the IDP was contained in the metadata that you pasted, and this certificate was imported into the “sapsrv.pse” file.


To view the certificate and ensure it was loaded, click on “Trust Manager” from the navigation bar and select SAML. Then click on “Certificate list”; you should see your IDP’s certificate listed.


Note: You can also view the certificates stored in the “sapsrv.pse” from the Web Dispatcher Administration tool that we used in Step 1. This is completely optional. To see the certificate using this approach, you need the following role:

  • sap.hana.xs.wdisp.admin::WebDispatcherAdmin


If you have this role assigned to your user account, you can go to the following URL.


https://<host_name>:<SSL_xs_port>/sap/hana/xs/wdisp/admin/


Click PSE Management and select “sapsrv.pse”. If the certificate was imported properly you should see the certificate in the “Trusted Certificates” section of the screen.


Step 2c: Add Service Provider

Now from the XS Administration Tool, click the menu icon and click “SAML Service Provider”.


Click “Edit”.


Fill in information about your organization and name your service provider.


Click “Save”.


You should see a fleeting “success” message.


Step 3: Configure your IDP and Application

Step 3a: Register your App with your IDP

If you will use SSL for your site, and if you did not use SSL when opening the XS Admin tool, you must do so now. Point your browser to:


https://<host_name>:<ssl_xs_port>/sap/hana/xs/admin


Click “SAML Identity Provider” from the navigation bar.


Copy all of the text in the Metadata text box shown on the screen.


Important Note: Notice that when you view this page with HTTPS in your URL the metadata uses the HTTPS protocol and port number. This is important to properly set up the IDP configuration for our XS URL (if you will be using SSL for your site).


Save this text in a local file named as you wish, but with an XML file extension (e.g. myXsAppMetadata.xml).


Note 1: If you prefer, or are required, to instead send an endpoint URL that provides the metadata, you can use the following link, based on your host name and port. Again, use your SSL port if you will use SSL: https://<hostname>:<ssl_port>/sap/hana/xs/saml/info.xscfunc


Note 2: If you wish to return user attributes back to your application other than default attributes configured by your IDP, you must modify the XML file that you created. The SAP IDS returns the user’s email address, company, first and last names by default so that they may be accessed by your application.


But if there was a special field, let’s say “nickname”, I would have to insert XML in my XML file to request that the field be returned. I will not go into details in this blog, but this may be documented by your IDP provider.


Now you need to submit this file (or the endpoint URL) to the administrator of your IDP so that they can create an entry to recognize the Service Provider that you just configured. You may need to email the file or submit the contents via a web form, depending on your company policy.


Note: While you wait for the activation confirmation from your IDP team, you may wish to continue with the next steps. Of course nothing will work until they complete the necessary set up on their end.

Step 3b: Configure App

Here we will configure our XS application to use SAML authentication.


Role required: sap.hana.xs.admin.roles::RuntimeConfAdministrator


From your XS Admin tool, select “XS Artifact Administration” from the navigation bar.


Select the arrow next to your package. In my case I will select the package mycorp.myapp. You may choose to just select a parent package, depending on your application’s package layout.


After you have navigated to your package, click “Edit”.


Activate the “Force SSL” checkbox if you want to enforce SSL.


Activate the “SAML” checkbox and select your IDP from the dropdown.


Uncheck all other authentication options such as “Form based” and “Basic”.


Click “Save”.



You should see a fleeting success message.


Note: These authentication settings override the authentication settings that you may have in your .xsaccess file for your application and its individual packages.


I am attaching actual code in the form of a delivery unit that you may wish to use to test your configuration. This sample code accesses the fields returned by SAP IDS and displays them, along with providing a logout button. Just place the files in your mycorp.myapp package (minus the “.txt” extension) and also add an empty “.xsapp” file to the folder. To test this sample app, point your browser to https://<host>:<ssl_xs_port>/mycorp/myapp/saml.html


At this point, you can test your SAML authentication once you have received confirmation from your IDP team that they have configured your application in the IDP system. However, please continue on to Step 4 to learn more about how your XS code should work with SAML.


Step 4: Modify your XS Application Code

Package Layout and Other Development Considerations

Your XS application needs a clear security model. Will you have different levels of security for each package? Will you allow database connectivity for named user IDs or maybe just one technical user ID? Answers to these questions fall outside the scope of this blog.


However, you must consider your authorization requirements early in your development and may choose to organize your package hierarchy accordingly. For example you may want to organize your application into 3 primary packages: a public package, a user package and an admin package. Each of these packages can be granted different authentication and authorization policies.


In this blog I will provide the steps to use named users and secure the entire app (the root package of the app) with one authentication policy using SAML. We will also demonstrate how to assign a default role to new users logging into the system.


Step 4a: Using Named Users

Because we set the option to dynamically generate database users in Step 2b above, our code to get the database connection does not need to take the user ID as a parameter. See sample code below.


var conn = $.hdb.getConnection();


Each user will access the database with his/her own user ID that is automatically generated for us. Not too bad!


For more information see: http://help.sap.com/hana/SAP_HANA_XS_JavaScript_API_Reference_en/$.hdb.html


Step 4b: Set Default Role for Dynamically Generated Users

Double click on your system in the Systems tab of HANA Studio. Click on the Configuration tab and add the parameter defaultrole under indexserver.ini->saml. Set the value to be the name of a role that you have defined.


Now new users that login to your app will be assigned your specified role by default.


Note: I did not get it to work using the syntax of a design-time role. So I created a run-time role and assigned the design time role to it.


Step 4c: Implement Logout Code

To provide logout logic you must call the following URL: /sap/hana/xs/formLogin/logout.xscfunc


You can invoke the call to the URL when a user clicks on a logout button or link in your application.

Logout button logic

<div id="logoutButton">
        <form action="/sap/hana/xs/formLogin/logout.xscfunc" method="post">
            <!-- value should hold the XSRF token obtained from XS (see the token.xsjs discussion in the comments) -->
            <input type="hidden" name="X-CSRF-Token" value="">
            <input type="hidden" name="x-sap-origin-location" value="/sap/hana/xs/formLogin/">
            <input type="submit" value="Logout">
        </form>
</div>
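The comment thread reports that this form fails with a missing or invalid XSRF token unless a token is fetched first. As an added example (not code from the original post or from SAP), here is that two-step flow in browser JavaScript. It assumes that a GET to /sap/hana/xs/formLogin/token.xsjs carrying "X-CSRF-Token: Fetch" returns the token in its response header, and it takes a fetch-compatible function as a parameter so it can also run outside a browser.

```javascript
// Added example (not from the original post or from SAP): two-step SAML
// logout for an XS app, modelled on the form above and on the token.xsjs
// approach described in the comments. Assumptions: XS answers a GET to
// token.xsjs carrying "X-CSRF-Token: Fetch" with the token in its response
// header, and fetchImpl is window.fetch in the browser (a stub elsewhere).

const TOKEN_URL = "/sap/hana/xs/formLogin/token.xsjs";
const LOGOUT_URL = "/sap/hana/xs/formLogin/logout.xscfunc";

// Step 1: ask XS for a CSRF token. "credentials" keeps the XS session
// cookie on the request, which is what the token is bound to.
function buildTokenRequest() {
  return {
    url: TOKEN_URL,
    init: {
      method: "GET",
      headers: { "X-CSRF-Token": "Fetch" },
      credentials: "same-origin",
    },
  };
}

// Step 2: the logout POST. The body carries the same two fields as the
// hidden inputs in the form; the token is also sent as a header.
function buildLogoutRequest(token, originLocation) {
  if (typeof token !== "string" || token.length === 0) {
    throw new Error("a CSRF token is required to call logout.xscfunc");
  }
  const body = new URLSearchParams({
    "X-CSRF-Token": token,
    "x-sap-origin-location": originLocation,
  }).toString();
  return {
    url: LOGOUT_URL,
    init: {
      method: "POST",
      headers: {
        "X-CSRF-Token": token,
        "Content-Type": "application/x-www-form-urlencoded",
      },
      credentials: "same-origin",
      body: body,
    },
  };
}

// Runs both steps and returns the HTTP status of the logout call, so the
// caller can decide whether to navigate to its own start page.
async function samlLogout(fetchImpl, originLocation) {
  const t = buildTokenRequest();
  const tokenResp = await fetchImpl(t.url, t.init);
  const token = tokenResp.headers.get("x-csrf-token");
  if (!token) {
    throw new Error(
      "XS returned no X-CSRF-Token header (status " + tokenResp.status + ")"
    );
  }
  const l = buildLogoutRequest(token, originLocation);
  const logoutResp = await fetchImpl(l.url, l.init);
  return logoutResp.status;
}
```

In the browser, wire it to the logout button as samlLogout(window.fetch.bind(window), "/mycorp/myapp/") and, on success, set window.location to the page you want the user to land on.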


Step 4d: Retrieving User Information from the IDP (Optional)

SAML user attributes can be accessed from your XSJS code with the following code. Notice that there are two syntax options to choose from here.


var value = $.session.samlUserInfo["<name>"];

var value = $.session.samlUserInfo.<name>;


A valid example could be


var response_string = $.session.samlUserInfo["first_name"] + " " + $.session.samlUserInfo["last_name"] + " (<a href=\"mailto:" + $.session.samlUserInfo["mail"] + "\">" + $.session.samlUserInfo["mail"] + "</a>). You logged on via SAML from company " + $.session.samlUserInfo["company"];
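An added example (not from the original post) of an XSJS handler that builds the same greeting while treating the IDP attributes as untrusted input: every value is HTML-escaped before it is written into the page, and attributes an IDP does not send (a problem raised in the comments) fall back to a placeholder instead of printing undefined. The samlUserInfo object used in testing is constructed, and the XS runtime object $ is passed in as a parameter so the function can run outside HANA.

```javascript
// Added example (not from the original post): render the SAML attributes
// the IDP returned without trusting them. The attribute names
// (first_name, last_name, mail, company) are the ones the post uses.

// Escape the five characters that matter in HTML text and attribute
// context. From the application's point of view, IDP attributes are
// externally supplied input and must not be written raw into markup.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Read one attribute, tolerating IDPs that do not send it.
function attr(userInfo, name, fallback) {
  const v = userInfo ? userInfo[name] : undefined;
  return v === undefined || v === null || v === "" ? fallback : String(v);
}

// Builds the same greeting as the post's response_string, escaped, with the
// mailto: link emitted only when a plausible mail attribute is present.
function renderSamlUserInfo(userInfo) {
  const first = escapeHtml(attr(userInfo, "first_name", "(no first name)"));
  const last = escapeHtml(attr(userInfo, "last_name", "(no last name)"));
  const company = escapeHtml(attr(userInfo, "company", "(unknown company)"));
  const mail = attr(userInfo, "mail", "");
  let out = first + " " + last;
  if (mail) {
    // Accept only something shaped like a plain address for the href;
    // anything else is shown as escaped text without a link.
    if (/^[^\s@<>"']+@[^\s@<>"']+$/.test(mail)) {
      out += ' (<a href="mailto:' + escapeHtml(mail) + '">' + escapeHtml(mail) + "</a>)";
    } else {
      out += " (" + escapeHtml(mail) + ")";
    }
  }
  out += ". You logged on via SAML from company " + company;
  return out;
}

// XSJS entry point. In a real .xsjs file the runtime global $ is used
// directly; here it is a parameter so the handler can be exercised
// outside HANA (assumption for this example).
function handleRequest(xs) {
  xs.response.contentType = "text/html";
  xs.response.setBody(renderSamlUserInfo(xs.session.samlUserInfo));
  xs.response.status = xs.net.http.OK;
}
```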


Create your Own Registration Experience (Overlay)

The SAP IDS SAML identity provider and other IDP’s offer the ability to customize your login and registration experience. Review your IDP documentation for details.


Troubleshooting

Assertion did not contain a valid MessageID.

If you receive the above error message when logging in to your app then your XS app is considering the response from your IDP as having timed out. You can change the timeout setting as needed by following these steps.


Double click on your system in the Systems tab of HANA Studio. Click on the Configuration tab and add the parameter assertion_timeout under indexserver.ini->saml. Set the value to be the number of seconds before a timeout takes place. The default value is 10.


Try deleting PSE and Restart the XS Engine

If you have issues that you ultimately cannot resolve, you may choose to delete the 2 PSE files that we modified and then restart the XS Engine to have them recreated in their original form. Note: New certificates being generated results in the need to reconfigure your IDP to recognize and trust your application.


From HANA Studio, double-click on your SYSTEM name from the “Systems” tab. From the landscape tab, right-click on the “xsengine” row and select “kill”.


Alternatively you can type HDB stop and then HDB start from a Linux prompt to restart the whole HANA server.


If you need to open a support ticket with SAP, you can assign your ticket to one of the following two components: HAN-DB-SEC or BC-SEC.


Further Reading


73 Comments


  1. Hassan El Salamouni

    Hi,

    I am facing a problem in step 1a: Creating the Certificate Request. When I try to access the WebDispatcher Admin tool (http://<host_name>:<xs_port>/sap/hana/xs/wdisp/admin/) I get this error:


    I have the role sap.hana.xs.admin.roles::TrustStoreAdministrator assigned but I don’t have this role: sap.hana.xs.wdisp.admin::WebDispatcherAdmin

    I contacted the system admin (SYSTEM) to assign me this role to be able to access the WebDispatcher tool but he couldn’t access it too and he couldn’t even add the role to his account (SYSTEM) or to my account as the role wasn’t on the list.

    Does anyone know what the problem is here and how to get the role sap.hana.xs.wdisp.admin::WebDispatcherAdmin assigned?

    Any help is appreciated.

    Thanks a lot,

    Hassan El Salamouni

        1. Mark Hourani Post author

          If the role is missing then the delivery unit for the web dispatcher admin tool was not properly installed during your upgrade/installation.

          You can try importing the DU from HANA Studio -> File->Import->SAP HANA Content->Delivery Unit

          Select your system and then click the “server” radio button. Load the DU: HANA_XS_BASE.tgz.

          You should then see the role. Let me know.

          Best,

          Mark

  2. Suja Arjunan

    Hi Mark,

    I followed your steps and configured SAML for my application with SFDC. When I hit the application url its going to SFDC page and redirecting to “http://myurl.com/sap/hana/xs/saml/login.xscfunc” and here I am getting message like

    SAML provider does not exist(StatusCode: , StatusMessage: )

    Can you please advise what I have to do, or else where I can see the error log for this issue in HANA?

    Thanks,

    SujaArjunan

      1. Naresh Setty

        Hi,

        I am trying to implement logout functionality as you specified and I receive the following message when clicked on logout button

        Request execution failed due to missing or invalid XSRF token

        Can you pl. advice

        1. Pranjal Chugh

          Hi,

          You can make a call to the URL “/sap/hana/xs/formLogin/token.xsjs” to get the XSRF token, which you can send with the logout call.

          The header has to include “X-CSRF-Token”: “Fetch” to get the token.

          And then set this XSRF token along with logout xscfunc call.

          Regards,

          Pranjal

                1. Naresh Setty

                  After logout its taking us to HANA XS login page rather than application login page. Can you pl. suggest where this redirection needs to happen either on IDP or Hana to display application sign in page after logout?

                  1. Pranjal Chugh

                    For me it doesn’t take my app to any login page. Maybe some configuration is different.

                    You can do a document.reload(appUrl) to redirect it to accounts login page.

                    are you making any login call?

                    Regards,

                    Pranjal

                    1. Naresh Setty

                      To perform document.reload(appurl), don’t we need to know the response from the logout.xsfun call to make sure it successfully logged out on the IDP and HANA side?

                      Typical flow is: UI Logout Request —> IDP —> IDP Redirects to HANA —> HANA logs out session at HANA side –> UI/IDP to be notified that Logout is successful –> UI to redirect user to login page.

                      Pl. let me know what your thoughts are?

                      Thanks,

                      Naresh G

  3. Ann Zhang

    Hi Mark,

    I have set up the integration with SAP IDS, and user can logon through SAML successfully. However, for logout, I call /sap/hana/xs/formLogin/logout.xscfunc through AJAX call. But always meet the following error:

    XMLHttpRequest cannot load https://accounts400.sap.com/saml2/idp/slo/accounts.sap.com?SAMLRequest=fZJB…4z5MzgGkOEkzMystC5GZOSuA5jjf1sj4W6KM5bMnjkb6JqvYfr4CfzqNQ%2BAgXISzkM7Ik%3D. No ‘Access-Control-Allow-Origin’ header is present on the requested resource. Origin ‘https://XXXX:4378‘ is therefore not allowed access.

    Could you please help.

    Thanks & Regards,

    Ann

    1. Pranjal Chugh

      Hi Ann


      Two ways to resolve it:

      1. request.setRequestHeader("Access-Control-Allow-Origin", "*");
         This has to be added to beforeSend: function(req)

      OR

      2. Add the following to the ajax call:

         headers: {
             "Access-Control-Allow-Origin": "*"
         }

      Regards,

      Pranjal

      1. Ann Zhang

        Hi Pranjal,

        I have tried both solutions, but neither of them works for me. Are there any other configurations that need to be done?

        Regards,

        Ann

        1. Mark Hourani Post author

          Hi Ann and Pranjal,

          Would it be possible to call the logout function without using AJAX? Does it work and properly redirect to your login page when called as a link? It sounds like there may be an issue logging out from AJAX.

          Best,

          Mark

          1. Ann Zhang

            Hi Mark,

            I have tried to call the logout function by following code.

            <form action="/sap/hana/xs/formLogin/logout.xscfunc" method="post">
                <input type="hidden" name="X-CSRF-Token" value="">
                <input type="hidden" name="x-sap-origin-location" value="/sap/fpa/ui">
                <input type="submit" value="Logout">
            </form>

            The logout is successful. However, after logout, it does not redirect to my app URL which I have declared as the value of “x-sap-origin-location”. It always redirects to the login page of HANA. Is there any solution for that?

            Regards,

            Ann

    1. Himanshu Pandey

      hi pranjal,

      did you get any solution for the error? I am using an ajax call to the url and had included ‘Access-Control-Allow-Origin’: ‘*’ in headers.

      regards,

      Himanshu

  4. Henrik PLATE

    Hi Mark,

    First of all thank you for this great documentation, it all works well except the assignment of the default role.

    I manually created a runtime role A that aggregates two other roles B and C (both generated from design time roles), comparable to what you describe. My system (HANA SPS09 rev 101) allows me to specify the default role already in the Web administration frontend. This, however, creates a configuration parameter “indexserver.ini > saml > default_role” (with underscore), which is different from the configuration parameter you propose. Anyways, following your tutorial, I also created a configuration parameter “defaultrole” having as value the role A.

    Anyways, despite having the two configuration parameters defined, none of the newly created users get the role A assigned.

    Do you have any clue what could be missing/wrong? Perhaps any of the system users lacks a specific privilege related to the assignment of this role?

    Your help would be much appreciated,

    Kind regards,

    Henrik

      1. Henrik PLATE

        Hi Pranjal,

        I already tried this a couple of times … however, at a time when the callbacks for the IdP still pointed to HTTP-only URLs of my SP (in fact, I overlooked the recommendation given in step 3a). It never worked.

        Now that the IdP points to HTTPS URLs the deletion and re-creation worked. Strange, looks like the default role assignment is somehow linked to this question?!

        Anyways, thanks a lot for your support,

        Kind regards,

        Henrik

        (0) 
          1. Henrik PLATE

            Hi Pranjal,

            We use the built-in HANA XS session management. Within our XSJS scripts, we do not use the session object $.session (with one exception, when checking whether the user has a certain privilege). Does that help clarifying your question?

            Cheers, Henrik

            (0) 
            1. Pranjal Chugh

              Hi Henrik,

              How do you check if the session has expired or not and how do you renew the sessions?

              And what do you mean HANA XS session Management?

              Thanks,

              Pranjal

              (0) 
  5. Florian Vogt

    Hi Mark,

    I am trying to use the default SAP ID IDP on my HANA XS Application (HANA Instance ->  Productive).

    It runs fine, but attributes like last_name, first_name and mail are not offered. I also tried to edit the SAML Metadata xml to insert these attributes, but my changes do not affect anything; the xml is not changed after saving the changes.

    Hope, anyone can give me a hint. Thanks a lot.

    Best Regards

    Florian

    (0) 
    1. Pranjal Chugh

      Hi Florian,

      Were you able to find any solution? And after making changes in metadata.xml, did you send it to SAP ID services?

      Regards,

      Pranjal

      (0) 
    2. Henrik PLATE

      I did not have to change the SP metadata in order to have access to those attributes. I think they are offered by default, at least by the SAP-internal IdP (as explained somewhere on their Wiki).

      (0) 
        1. Henrik PLATE

          Yes, using the following:

          $.session.getUsername()

          $.session.samlUserInfo.first_name

          $.session.samlUserInfo.last_name

          $.session.samlUserInfo.email

          (0) 
  6. Eduardo Espinosa

    Hi Mark.

    At the project I am on we are trying to call in HCP a Java servlet from an XS App via an Ajax request, but currently we have the issue that we cannot pass/inherit the cookies/credentials (xssessionid) from the XS App to the Java servlet (it expects jsessionid and others). The error that we are having is “Not user is logged in”.

    http://scn.sap.com/thread/3801334

    We are not using an XS destination currently because the idea is to call an on-prem service via Cloud Connector, and currently principal propagation is not supported (the SAP Cloud Connector team is working on the fix). That is why we are using a Java servlet, but we have this “app” to “app” authentication issue (the servlet works ok in the browser).

    Do you know what we could do in order to make this work?

    Also we have tried calling a destination directly from the XS app to an HTML5 app, but we are getting a CORS check issue (could it be avoided by changing the webdispatcher.ini file in HCP to allow the origin?).

    I would appreciate very much your help.

    Thanks and Regards

    Eduardo

    (0) 
  7. Thorsten Hepting

    Hi Mark,

    I’m currently facing an error when browsing to my SSO page. We set up Enterprise Dashboard in our HDB and access it via the HANA XS URL. All is configured as described above (hopefully). After an HDB release upgrade from rev. 85 to rev. 97 I had to reinitiate my SSO configuration with SAP ID Services, which worked fine. I checked this with a colleague’s user account. His account was created successfully on the HDB and the SSO login worked.

    The problem currently is that already created users are being recreated, which fails: “Dynamic user creation failed (username=D…). Reason was: user name already exists:”

    I found two suggestions which didn’t help: restart the HDB (did this already) and delete the user. But deleting is not an option, because as I understand it all objects and privileges granted and created by this user will be dropped when deleting the account.

    Do you know a solution?

    Best Regards,

    Thorsten

    (0) 
      1. Jan Schanzenbaecher

        I just checked with a colleague about that issue.

        It’s a bug and it can be solved by mapping the database user using HANA Studio to the IDS. Normally this should be done automatically but occasionally it does not work and you need to do it manually.

        Best Regards,

        Jan

        (0) 
        1. Marcus Schiffer

          Hi,

          I am facing the same error, but did not understand what you did to fix it. Should I map the S00XXXX user to an IDS user? The IDS user should be created in the automatic process, so where do I get the ID?

          I would appreciate, if you could give me a bit of guidance.

          (0) 
          1. Jan Schanzenbaecher

            Hi Marcus

            I don’t know if it is still the same bug; if you're on an older release that might be the issue. However, if you experience the same problem, the only thing that you have to do is use HANA Studio to map the internal user to the external one. This is what should be done automatically; if it doesn’t happen, do it manually:

            Open the user you want to map, check “SAML” and click “Configure”:

            Then map it to the corresponding external user:

            I hope I could help you with that.

            Best Regards,

            Jan

            (0) 
            1. Marcus Schiffer

              Hi Jan,

              thanks a lot. Actually the error message on our system was a bit different from your problem. We solved it by setting the ID from E-Mail to ID; after that change the user was created without problems.

              (0) 
  8. Robert James Camangon

    Hi Mark,

    I followed your instructions but used an internal ID Provider instead. However, I get this error when accessing:

    Error in IE – StatusCode in ResponseMessage != OK; please refer to the database trace for more information

    Error in XS Trace – Assertion authentication failed with reason: Subject of assertion has to be provided using NameID


    According to our ADFS admin, it looks like we need to define a rule on the relying party trust in ADFS. Are you familiar with this error or what settings are needed on the ADFS side? I opened a support ticket with SAP on this but unfortunately, they told me it is a consulting issue and not a product issue, so any help will be more than appreciated. Thanks a lot

    (0) 
    1. Ann Zhang

      Hi,

      If you are talking about setting up SAML authentication between HANA XS and ADFS, I think you need to define a Claim Rule to define NameID, and also change the hash algorithm to SHA-1

      (0) 
      1. Robert James Camangon

        Thanks Ann, you are correct. We are looking at SAML authentication between HANA XS and ADFS.

        I already asked the ADFS admin to change the hash algorithm to SHA-1 but am still getting an error, since there is no claim rule defined in the relying party trust according to the ADFS admin. Do you know what the specific Claim Rule to be defined for this is? Do you have a sample rule that I can use to tell our ADFS admin what to define?

        Thanks a lot,

        Robert

        (0) 
        1. Ann Zhang

          Hi Robert,


          You can define a rule with template “Send LDAP Attributes as Claims”, and use Attribute store “Active Directory”, map LDAP attribute “SAM-Account-Name” to “Name ID” as outgoing Claim Type.


          Regards,

          Ann

          (0) 
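The two failure modes discussed in this thread and in Florian's and Henrik's exchange above (an assertion whose Subject carries no NameID, and an assertion that lacks the first_name/last_name/email attributes that $.session.samlUserInfo exposes) can be checked on the service-provider side before a login is accepted. The following is an added example written for this page, not code from the blog post or from SAP HANA's SAML service; the issuer, user and attribute values are constructed, and signature, audience and validity-window checks are deliberately left out so the NameID and attribute logic stands alone.

```python
# Added example (not from the blog post or from SAP HANA's own SAML service):
# inspect a SAML 2.0 assertion the way a service provider must before it
# accepts a login. Two things from the comments are checked: the Subject must
# carry a NameID (otherwise HANA reports "Subject of assertion has to be
# provided using NameID"), and the first_name / last_name / email attributes
# that $.session.samlUserInfo exposes are collected so a missing one is
# reported instead of silently read as undefined.
# Signature and condition checks (Issuer trust, Audience, NotOnOrAfter) are
# out of scope here; a real SP must do them before trusting any of this.
import xml.etree.ElementTree as ET

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
NS = {"saml": SAML_NS}
EXPECTED_ATTRIBUTES = ("first_name", "last_name", "email")

# Constructed sample assertions (unsigned, hypothetical issuer and user),
# not captured from any real IdP.
ASSERTION_WITH_NAMEID = f"""<saml:Assertion xmlns:saml="{SAML_NS}" ID="_id1" Version="2.0">
  <saml:Issuer>https://idp.example.test/adfs/services/trust</saml:Issuer>
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">jdoe</saml:NameID>
  </saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="first_name"><saml:AttributeValue>Jane</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="last_name"><saml:AttributeValue>Doe</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="email"><saml:AttributeValue>jdoe@example.test</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

# Same user, but the IdP sends the account name as an attribute only and no
# NameID in the Subject: the shape that produces the error quoted above.
ASSERTION_WITHOUT_NAMEID = f"""<saml:Assertion xmlns:saml="{SAML_NS}" ID="_id2" Version="2.0">
  <saml:Issuer>https://idp.example.test/adfs/services/trust</saml:Issuer>
  <saml:Subject/>
  <saml:AttributeStatement>
    <saml:Attribute Name="SAM-Account-Name"><saml:AttributeValue>jdoe</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="email"><saml:AttributeValue>jdoe@example.test</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def inspect_assertion(xml_text):
    """Return issuer, NameID (None if absent or empty), its Format, and the
    attribute values from the AttributeStatement as a dict."""
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{SAML_NS}}}Assertion":
        raise ValueError("not a SAML 2.0 Assertion element")
    issuer = root.findtext("saml:Issuer", default="", namespaces=NS).strip()
    name_id = root.find("saml:Subject/saml:NameID", NS)
    subject_name = None
    if name_id is not None and name_id.text and name_id.text.strip():
        subject_name = name_id.text.strip()
    attributes = {}
    for attr in root.findall("saml:AttributeStatement/saml:Attribute", NS):
        values = [(v.text or "").strip() for v in attr.findall("saml:AttributeValue", NS)]
        attributes[attr.get("Name")] = values[0] if len(values) == 1 else values
    return {
        "issuer": issuer,
        "name_id": subject_name,
        "name_id_format": name_id.get("Format") if name_id is not None else None,
        "attributes": attributes,
    }


def login_decision(xml_text):
    """SP-side decision: reject without a NameID, otherwise accept and list
    which of the expected user-info attributes the IdP did not send."""
    info = inspect_assertion(xml_text)
    if info["name_id"] is None:
        return {"accepted": False,
                "reason": "Subject of assertion has to be provided using NameID"}
    missing = [a for a in EXPECTED_ATTRIBUTES if a not in info["attributes"]]
    return {"accepted": True, "user": info["name_id"], "missing_attributes": missing}


if __name__ == "__main__":
    for label, doc in (("with NameID", ASSERTION_WITH_NAMEID),
                       ("without NameID", ASSERTION_WITHOUT_NAMEID)):
        print(label, "->", login_decision(doc))
```

In ADFS terms, the claim rule described above (LDAP attribute SAM-Account-Name issued as the Name ID outgoing claim type) is what moves the account name from an attribute into the Subject, turning the second sample into the first. The attribute names in `EXPECTED_ATTRIBUTES` are the ones Henrik reports reading from `$.session.samlUserInfo`; an XSJS handler that reads them without such a check gets undefined values when the IdP does not send them, which is the symptom Florian describes.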
            1. Robert James Camangon

              Hi Ann,

              Thanks for the help on this. The suggestion you gave worked, but now I get the error message “Dynamic user creation failed (username=xxx). Reason was: user name already exists: xxx: line 1 col 13 (at pos 12)”

              Do you have any idea on how to fix this? Deleting the user is not an option as of the moment.

              Thanks a lot.

              Robert

              (0) 
              1. Ann Zhang

                Hi Robert,

                You can go to HANA XS Admin Tool, and uncheck “Dynamic User Creation” of the SAML IdP. But if you do that, you need to manually map the user in HANA to the user in AD.

                Regards,

                Ann

                (0) 
                1. Robert James Camangon

                  Thanks for all the help Ann. That did the trick. I didn’t take out the Dynamic User Creation. What I did was to map the HANA user to the AD user and that did the trick. I assume I would need to do that for all already existing users while the system will take care of the new users. I would do more tests to see how it goes.

                  Again, thanks a lot for all the help.

                  (0) 
  9. Vladimir Kral

    Hi,

    thanks for this step-by-step tutorial. I would like to enable SSO using SAML on our internally used HANA DB system for XS applications. I had problems completing step 1b, because the link http://service.sap.com/trust is outdated and I found no replacement for requesting the SSL test certificate for our server. So I continued without enabling SSL; then I tried to use the SAP QA IDS system

    https://accounts400.sap.com/saml2/metadata/accounts.sap.com, but when trying to open saml.html I get an error: “Identity Provider could not process the authentication request received. Delete your browser cache and stored cookies, and restart your browser. If you continue to experience issues, send an e-mail to sso@sap.com”. I guess this may be caused by the fact that I am not using SSL, right?

    Thanks,

    Vladimir

    (0) 
    1. Vladimir Kral

      OK, so the new address to be used in step 1b is https://sapcerts.wdf.global.corp.sap/WebEnrollment.aspx. I can now use the HTTPS without warnings 🙂

      But still no luck with the SSO functionality, getting the same red error. I suppose it lies on the following action from step 3a:

      “Now you need to submit this file (or the endpoint URL) to the administrator of your IDP so that they can create an entry to recognize your Service Provider that you just configured. You may need to email the file or submit the contents via a web form. It depends on your company policy.”

      Who should I contact in case of using the SAP IDS service: https://accounts.sap.com/saml2/metadata/accounts.sap.com


      Thanks, Vladimir

      (0) 
        1. Vladimir Kral

          Hello Pranjal,

          – I wrote them, but no answer.

          – I emailed also to the sso@sap.com but the answer was:

          “Thank you for contacting SSO support. Unfortunately this support is for external users facing SSO issues. Can you please create an internal ITdirect ticket under the category IMIS_ACCSS_SSO as they will be able to assist you further.”

          – I also created a Single Sign On – Service Request IT Direct ticket, but received this response: “As previously stated, we do not support in configuring or setting up application for single sign on. The setup and configuration is purely done by the application owner. We only provide the certificates to be used for SSO.”

          – We tried it also through the HANA DB category, but no luck.

          It seems I am pretty close to getting it running but can’t do the last step 🙁 And as I am not an external customer, I can’t get support; you were the only one supporting me 🙂

          Thanks for that,

          Vladimir

          (0) 
          1. Pranjal Chugh

            Hi Vladimir,

            The process has changed; you have to send an onboarding request to the ID service team.

            Here is the component on which you need to create the IT direct ticket – SRAS_IDS

            Regards,

            Pranjal

            (0) 
          2. Ricardo Jurado Martinez

            Hi Vladimir,

            Ricardo here from the SAP Cloud Identity Team. You can find our whole onboarding process documented in our wiki space: https://wiki.wdf.sap.corp/wiki/x/hwHWRw
            (only accessible for SAP internals).

            Feel free to contact us via sapidservice@sap.com. I will make sure you receive a reply.

            Regards,

            Ricardo
            SAP Cloud Identity

            Add: The error message you are facing says that your Service Provider is unknown to the IdP.  You will get rid of it by integrating your application to the SAP Cloud Identity QA IdP.

            (0) 
            1. Vladimir Kral

              Thanks Pranjal and Ricardo, it was not easy to get to this onboarding wiki, I also contacted the SAP ID on April 22nd by email but received no response. Now I will follow the process.

              Regards,

              Vladimir

              (0) 
  10. Naresh Setty

    With SPS12, we started receiving sap/hana/xs/saml/login.xscfunc 504 (Gateway Timeout) when the IDP posts to login.xscfunc during single sign-on using SAML.

    Any advice would greatly be appreciated.

    Thanks

    (0) 
  11. Raja Prasad Gupta

    Hi Mark,

    I am working on setting up SSO for an HCP HANA using SAP Id Provider.


    In HCP, I have kept the default Trust settings.

    In HCP HANA admin tool, I have used default SAP ID Provider. I just changed the Service Provider Name to https://account.us1.hana.ondemand.com/b18b6bcc6. Which is https://account.us1.hana.ondemand.com/<account_id>

    Finally, I changed the package settings to SAML.

    But when I am accessing the application inside the test1 package, it is giving the error

    “Identity Provider could not process the authentication request received. Delete your browser cache and stored cookies, and restart your browser. If you continue to experience issues, send an e-mail to sso@sap.com”

    I have also sent a mail to sapidservice@sap.com.

    Could you please help me to resolve this issue. Thanks.

    Regards,

    Raja

    (0) 
    1. Pranjal Chugh

      Hi Raja,

      Have you completed the On Boarding request with SAP ID service?

      If not, then you need to onboard first. The procedure is explained by Ricardo in the comments above.

      Regards,

      Pranjal

      (0) 
  12. Fenil Doshi

    Hi Team,

    I tried configuring the HANA engine as Service Provider, but is there any possibility we can configure the Identity Federation context, which currently is email address in the existing SP Metadata? I need that to be Name ID.

    I have searched many online materials and also the standard HANA Security & Administration guide, but nowhere do we see any steps mentioned for configuring Identity Federation for the HANA XS engine.

    I have lost almost 3 days searching for this configuration and any help will be appreciated.

    Best Regards
    Fenil

    (0) 
  13. Robert James Camangon

    Hi,

    I was just wondering if there is a way to redirect a user to a logon screen if SAML SSO returns NULL for a user (the user has no access to ADFS). There is a new requirement for us to open our SAP HANA XS externally for our clients, and I was wondering if this is possible so there is no need to create external users in our AD, creating them only in HANA.

    I opened an incident with SAP and they said this is a consulting issue so just wanted to try my luck here in case anyone is familiar with how to make it work.

    Thanks,

    Robert

    (0) 
  14. M. van Foeken

    Hi Mark,

    In Step 2a we need to gather the IDP metadata from the IDP service. If I’m using the SAP BusinessObjects BI platform as an IDP, where can I gather this metadata?

    Thanks for your reply!

    With kind regards,

    Martijn van Foeken | Interdobs

    (0) 
  15. Arun Ghewarchand

    Hi

    We are trying to set up SAP BOBJ 4.2 as Identity Provider for a SAP HANA XS app. I am trying to find documentation or know-how on how to achieve it, as most of the forums speak about the IdP being SAP ID service or an organization-level IdP.

    We have a restriction that we need to use only SAP BOBJ as our IdP, and also we are currently using SAP BI to HANA SAML SSO for our users coming from the BI system to access HANA data.

    Please let me know how to configure SAP BI as IdP for SAP HANA XS apps.

    Thanks

    Arun

    (1) 
  16. Himanshu Pandey

    hi all,

    Is anyone able to solve the default redirect to the HANA login page after logout using the method mentioned in the blog? I tried using an AJAX call to logout.xscfunc, but it is giving me a CORS error.

    Please let me know if anyone knows how to prevent the auto redirect to the HANA login page.

    (0) 
