Setting up SAML SSO between Analysis Office 2.x to HANA SP9
With the release of Analysis Office 2.x, SAP now supports Single Sign-On from AO to HANA via the SAML security protocol. In earlier releases (AO 1.4 & HANA SP08) you could create a local data source connection to HANA and do a single sign-on via the HANA client ODBC driver, i.e. by creating a DSN or by maintaining the database username/password in the BOBJ user maintenance screen. Analysis Office 2.x supports the SAML SSO method and the username/password method via OLAP connections, and supports the username/password method, X.509 client certificate and Kerberos/SPNEGO SSO methods as local connections. With AO 2.x & HANA SP9 the authentication happens via the HANA XS engine / Web Dispatcher, whereas in AO 1.4 & HANA SP08 or lower the authentication used to happen through the ODBC/JDBC interface.
For setting up SAML SSO between Analysis Office 2.x and HANA SP9 the following needs to be set up:
- Setup SSL in HANA using SAP Cryptolib or CommonCrypto.
- Setup SAP HANA HTTPS OLAP connection with SSO option on the BI platform OLAP Connections application
- Setup an entry in the HANA authentication application in BOBJ CMC of the HANA database server details with https port.
- Add the BOBJ IDP Base64 Certificate to HANA & WebDispatcher PSE
- Create a SAML Identity Provider in HANA XS Engine
- Create a SAML Identity Service Provider in HANA XS Engine
- Activate SAML authentication for the ‘SAP’ XS application package
- Setup User for authentication via SAML.
- Test the SAML SSO Login from AO to HANA
1. Setup SSL in HANA using SAP Cryptolib or CommonCrypto
You will need to set up SSL in HANA so that HTTPS connection calls to HANA work. If you have set up SSL using the OpenSSL library you will need to dismantle it and set it up using SAP Cryptolib or CommonCrypto. With HANA Rev 90 and above SAP CommonCrypto is installed with HANA by default. There are many blogs already published regarding this topic. You can follow the section “Turn on SSL using SAP Crypto Library” of this blog here.
2. Setup SAP HANA HTTPS OLAP connection with SSO option on the BI platform OLAP Connections application
Create a HANA HTTP OLAP Connection in BOBJ CMC. Before you can create a HANA HTTP connection you will need to activate this new connection type in BOBJ and assign the appropriate roles. You can follow the section “Configuration for SAP HANA” in this excellent blog on the activation of the HTTP connection type and the assignment of roles.
For setting up the HANA HTTP OLAP connection go to OLAP Connections in BOBJ CMC and click Create New OLAP Connection. Remember to use https and port 43xx, where xx is your HANA instance number. Set the authentication to SSO.
3. Setup an entry in the HANA authentication application in BOBJ CMC of the HANA database server details with https port
Go to the HANA Authentication app in CMC and create a connection to the HANA database using port 43xx. Provide a unique Identity Provider ID (in our case it is named HANASAML) and copy the Base64 certificate.
4. Add the BOBJ IDP Base64 Certificate to HANA & WebDispatcher PSE
You need to add the BOBJ IDP Base64 certificate to the HANA & WebDispatcher PSE. Log in to the URL http://<hanahost>:8000/sap/hana/xs/wdisp/admin/ and go to PSE Management. Import the BOBJ IDP Base64 certificate into sapsrv.pse and SAPSSLS.pse.
Note** The HANA user will need the role “sap.hana.xs.wdisp.admin::WebDispatcherAdmin” in order to access the WebDispatcher Admin UI in HANA XS
You will see the BOBJ IDP certificate added to the trusted certificate list. Note down the Subject & Issuer details from the trusted certificate; they are needed in the next step.
5. Create a SAML Identity Provider in HANA XS Engine
Add a SAML Identity Provider in the HANA XS engine. Log in to the URL http://<HANAHOST>:8000/sap/hana/xs/admin
Ensure that the SAML Identity Provider name is the same as the one you provided in the HANA Authentication app in BOBJ CMC. In our case the name is HANASAML. You do not need the BOBJ IDP metadata XML. Directly enter the Name, Subject & Issuer details from the above step. For the other mandatory fields on the screen simply enter a ‘/’.
Note** For steps 5+6 the HANA user will need the role “sap.hana.xs.admin.roles::SAMLAdministrator” in order to access the SAML configuration in the XS Admin UI
6. Create a SAML Identity Service Provider in HANA XS Engine
You will need to create a SAML Service Provider in HANA. Currently there is a restriction that the Service Provider name has to be ‘spId’ (with a capital I). For the rest of the fields, such as organization name, display name and URL, you can enter sap, sap and sap.com, or your own company's name.
Note** The restriction regarding the ‘spId’ naming is caused by the BI platform and not by HANA. It will be resolved in BOBJ 4.1 SP5 Patch
7. Activate SAML authentication for the ‘SAP’ XS application package
You will need to enable SAML authentication for the sap package and its sub-packages in the XS engine.
8. Set up the user for authentication via SAML.
Add the SAML Identity Provider HANASAML to the HANA database user. Go to HANA Studio, enable SAML for the user and add the IDP to the user. Enter the BOBJ user name as the external identity. Generally the BOBJ username and the HANA database user name are the same for a person.
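The blog does steps 5 and 8 through the XS Admin UI and HANA Studio. The same configuration can be done, and more importantly verified, in SQL. The statements below are an added example, not part of the original blog: the provider name HANASAML is the one used in the blog, the user name JDOE and the SUBJECT/ISSUER strings are placeholders to be replaced with your user and with the exact values read from the imported BOBJ IDP certificate, and the system view column names are given as I recall them from the HANA SQL reference and should be checked against your revision.

```sql
-- Added example (not from the original blog): SQL equivalents of steps 5 and 8.
-- Run as a user with the USER ADMIN privilege, e.g. in the HANA Studio SQL console.
-- HANASAML is the provider name used in the blog; the SUBJECT/ISSUER values and
-- the user JDOE are placeholders.

-- Step 5 equivalent: register the BOBJ IDP as a SAML provider in the database.
-- The name must match the Identity Provider ID entered in the CMC HANA Authentication app,
-- and SUBJECT/ISSUER must match the imported certificate character for character.
CREATE SAML PROVIDER HANASAML
  WITH SUBJECT 'CN=<bobj-idp-subject-placeholder>'
       ISSUER  'CN=<bobj-idp-issuer-placeholder>';

-- Step 8 equivalent: allow SAML logon for the database user and map the BOBJ account
-- name (the NameID carried in the assertion) to it. Mapping an explicit identity is
-- preferable to "ANY", because it keeps the IDP from logging on as arbitrary users.
ALTER USER JDOE ENABLE SAML;
ALTER USER JDOE ADD IDENTITY 'JDOE' FOR SAML PROVIDER HANASAML;

-- Checks to run before testing from AO: a typo in the provider name or a subject/issuer
-- mismatch shows up here rather than as an opaque logon failure.
SELECT SAML_PROVIDER_NAME, SUBJECT_NAME, ISSUER_NAME
  FROM SYS.SAML_PROVIDERS
 WHERE SAML_PROVIDER_NAME = 'HANASAML';

SELECT USER_NAME, SAML_PROVIDER_NAME, EXTERNAL_IDENTITY
  FROM SYS.SAML_USER_MAPPINGS
 WHERE USER_NAME = 'JDOE';
```

The second SELECT is the one to look at when a user reports that SSO fails only for them: if the EXTERNAL_IDENTITY does not exactly equal the BOBJ user name (case included), the assertion will be accepted by the provider but will not resolve to a database user.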
9. Test the SAML SSO Login from AO to HANA
To test the SAML SSO from AO to HANA, open AO in Excel and first log in to BOBJ. You will be presented with a list of data sources. Select the OLAP HTTPS SSO connection that you created in BOBJ (in Step 2).
Double-clicking or selecting the HTTPS SSO connection should take you directly to HANA.
In case the SSO login is not working, the xsengine trace contains valuable information about the root cause. To get all the details in the trace, set the trace level of all “authentication” components in the XSENGINE trace configuration to DEBUG.
This brings us to the end of this blog on SAML SSO configuration. Feel free to provide your valuable feedback.
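The trace level can also be set from SQL rather than through the HANA Studio trace configuration dialog, which is handy when you want to raise and lower it as part of a scripted test. The statements below are an added example and not part of the blog; they assume the trace component key is authentication, as shown in the XSENGINE trace configuration UI the blog refers to.

```sql
-- Added example (not part of the original blog): raise the xsengine authentication
-- trace to DEBUG from SQL. Assumes the trace component key is 'authentication'.
ALTER SYSTEM ALTER CONFIGURATION ('xsengine.ini', 'SYSTEM')
  SET ('trace', 'authentication') = 'debug' WITH RECONFIGURE;

-- Confirm the setting took effect on the SYSTEM layer.
SELECT FILE_NAME, LAYER_NAME, SECTION, KEY, VALUE
  FROM SYS.M_INIFILE_CONTENTS
 WHERE FILE_NAME = 'xsengine.ini'
   AND SECTION   = 'trace'
   AND KEY       = 'authentication';

-- Revert once the failed logon has been reproduced and the xsengine trace file read:
-- DEBUG level is noisy and records details of the assertion exchange that do not
-- belong in a trace file long term.
ALTER SYSTEM ALTER CONFIGURATION ('xsengine.ini', 'SYSTEM')
  UNSET ('trace', 'authentication') WITH RECONFIGURE;
```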
Hi Jyotish,
thanks for this extremely helpful post. After our call I intended to do the same but obviously you were faster 😉
I have some additional comments, maybe you can adjust/extend the details in your post:
Best regards,
Christian
Thanks Christian. I will update the blog with the above information
Regards,
Jyotish
Blog Updated with the inputs from Christian
The restriction regarding step 6 is resolved in BI platform, see SAP note 2169386 for details.
I wrote a follow-up article on this topic that concentrates on troubleshooting, see here: Troubleshooting SAML SSO for Analysis Office 2.x
Hi!
We have set up HANA Auth and SSO for use with Design Studio on a BI Platform using openSSL and the SAP HANA OLAP connection on the BIP as described e.g. here:
http://scn.sap.com/community/businessobjects-design-studio/blog/2013/07/12/businessobjects-design-studio-11--setting-up-an-sso-connection-to-sap-hana
In your article it says "...if you have used openSSL dismantle it.". What do I need to do, to enable SSO for both Hana and Hana http connections?
Do I need to setup two Hana Auth Systems (as they are using different ports)? Do I need to change the existing setup to SAP CommonCrypto / CryptoLib?
Thanks for clarification.
Regards,
Harald
Hi,
Are there any tricks to configure AO 2.3 to a HANA SP10 multi-tenant database? I talked to SAP support, looks like AO 2.3 is not supported for HANA SP10 multi-tenant database. Is there a way to establish the SSO HTTP connection from AO to a HANA SP10 multi-tenant database?
thanks
Daniel
Hi Daniel,
Any update on this? We are trying to connect AO 2.2 to HANA SPS12 and I’m running into an issue: Exception when retrieving GetSAMLAssertionTicket
With kind regards,
Martijn van Foeken | Interdobs
Hi Martijn,
was your issue resolved?
Regards,
Krishna Tangudu
Hi Martijn,
Was your issue resolved? Do you have any update?
Regards,
Krishna Tangudu
Have you tried this in multi-tenant database systems? is it working?
Regards,
Krishna Tangudu
Dear all,
find the latest How To Set Up SSO using SAML between SAP HANA DB and SAP BI / SAP Analysis for Office attached to the below KBA.
Use of in database certificate store (recommended)
2593701 - HOW-TO In-Memory Trust Store and HANA DB SSO SAML and BI Platform 4.2 / Analysis for Office 4.2
Beginning with HANA 1 SPS12 it is possible to use a certificate store within the HANA DB, instead of the file based.
The advantage of the in-database certificate store is, that
– a change in a certificate take effect immediately without restarting the DB
– the certificates will be part of the backup
– the certificates will be available on a system replication secondary DB without copying the files
SAP HANA Security Guide for SAP HANA Platform > Certificate Management in SAP HANA
SAP Note 2175664 – Migration of file system based X.509 certificate stores to in-database certificate stores
Use of file-based certificate store (outdated)
We recommend using the above described in-database certificate store, since the file based will no longer be evaluated when you use the in-database one. That will be the case as soon as you activate SAML SSO to HANA Cockpit 2.
For details refer to SAP Note 2656666 – Migrate PSE to in-database store before enabling SSO
2284620 – HOW-TO HANA DB SSO SAML and BI Platform 4.2 SP4 and higher / AO 2.2
Best regards
Axel Utz
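For readers on HANA 1 SPS12 or higher who want to follow the in-database trust store approach from Axel's comment rather than the sapsrv.pse / SAPSSLS.pse import in step 4 of the blog, the statements below show the SQL side of it. This is an added example, not part of the comment or of the SAP notes it references: the PSE name SAML_PSE, the comment text and the certificate id are placeholders, the PEM body has to be the Base64 certificate copied from the CMC, and the system view and column names are as I recall them from the HANA SQL reference and should be checked against your revision.

```sql
-- Added example (not from the comment or the SAP KBAs): import the BOBJ IDP certificate
-- into the in-database trust store and assign it the SAML purpose. Requires HANA 1 SPS12
-- or higher and the CERTIFICATE ADMIN and TRUST ADMIN privileges. SAML_PSE and the
-- certificate id 1 below are placeholders.

-- 1. Store the IDP certificate. The literal is the Base64 certificate copied from the
--    CMC HANA Authentication app, wrapped in the usual PEM markers.
CREATE CERTIFICATE FROM '-----BEGIN CERTIFICATE-----
<base64 body of the BOBJ IDP certificate goes here>
-----END CERTIFICATE-----' COMMENT 'BOBJ IDP HANASAML';

-- 2. Read back the generated id together with the subject and issuer. These two DNs are
--    exactly what step 5 of the blog asks you to type into the SAML provider definition,
--    so taking them from here avoids transcription errors.
SELECT CERTIFICATE_ID, SUBJECT_DISTINGUISHED_NAME, ISSUER_DISTINGUISHED_NAME, VALID_UNTIL
  FROM SYS.CERTIFICATES
 WHERE COMMENT = 'BOBJ IDP HANASAML';

-- 3. Create a PSE, add the certificate (replace 1 with the CERTIFICATE_ID from step 2)
--    and give the PSE the SAML purpose. Only one PSE can carry the SAML purpose, and
--    once it does the file-based PSEs are no longer consulted, as the comment notes.
CREATE PSE SAML_PSE;
ALTER PSE SAML_PSE ADD CERTIFICATE 1;
SET PSE SAML_PSE PURPOSE SAML;

-- 4. Verify which PSE serves SAML and which certificates it trusts. An expired or
--    wrong certificate here is the first thing to rule out when SSO stops working
--    after an IDP certificate rotation on the BI platform.
SELECT PSE_NAME, PURPOSE
  FROM SYS.PSE_PURPOSE_OBJECTS
 WHERE PURPOSE = 'SAML';

SELECT PSE_NAME, CERTIFICATE_ID
  FROM SYS.PSE_CERTIFICATES
 WHERE PSE_NAME = 'SAML_PSE';
```

Because the trusted certificates are now database objects, they are covered by backups and by system replication without any file copying, which is the advantage listed in the comment; the flip side is that a certificate rotation on the BOBJ side must be followed by a CREATE CERTIFICATE / ALTER PSE ... ADD CERTIFICATE on the HANA side, or SAML logons will start failing at the signature check.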