
With the release of Analysis Office 2.x, SAP now supports single sign-on from AO to HANA via the SAML security protocol. In earlier releases (AO 1.4 and HANA SP08) you could create a local data source connection to HANA and do single sign-on via the HANA client ODBC driver, i.e. by creating a DSN or by maintaining the database username/password in the BOBJ user maintenance screen. Analysis Office 2.x supports the SAML SSO method and the username/password method via OLAP connections, and supports the username/password, X.509 and Kerberos/SPNEGO client certificate SSO methods as local connections. With AO 2.x and HANA SP9 the authentication happens via the HANA XS engine/Web Dispatcher, whereas in AO 1.4 and HANA SP08 or lower the authentication happened through the ODBC/JDBC interface.

For setting up SAML SSO between Analysis Office 2.x to HANA SP9 the following needs to be setup

  1. Setup SSL in HANA using SAP Cryptolib or CommonCrypto.
  2. Setup SAP HANA HTTPS OLAP connection with SSO option on the BI platform OLAP Connections application
  3. Setup an entry in the HANA authentication application in BOBJ CMC of the HANA database server details with https port.
  4. Add the BOBJ IDP Base64 Certificate to HANA & WebDispatcher PSE
  5. Create a SAML Identity Provider in HANA XS Engine
  6. Create a SAML Identity Service Provider in HANA XS Engine
  7. Activate SAML authentication for the ‘sap’ XS application package
  8. Setup User for authentication via SAML.
  9. Test the SAML SSO Login from AO to HANA

1. Setup SSL in HANA using SAP Cryptolib or CommonCrypto


You will need to set up SSL in HANA so that HTTPS connection calls to HANA work. If you have set up SSL using the OpenSSL library you will need to dismantle it and set it up again using SAP Cryptolib or CommonCrypto. With HANA Rev 90 and above, SAP CommonCrypto is installed with HANA by default. There are many blogs already published regarding this topic; you can follow the section “Turn on SSL using SAP Crypto Library” in this blog.


2. Setup SAP HANA HTTPS OLAP connection with SSO option on the BI platform OLAP Connections application

Create a HANA HTTP OLAP connection in BOBJ CMC. Before you can create a HANA HTTP connection you will need to activate this new connection type in BOBJ and assign the appropriate roles. You can follow the section “Configuration for SAP HANA” in this excellent blog on the activation of the HTTP connection type and the assignment of roles.

For setting up the HANA HTTP OLAP connection, go to OLAP Connections in BOBJ CMC and click “Create new OLAP connection”. Remember to use https and port 43xx, where xx is your HANA instance number. Set the authentication to SSO.

3. Setup an entry in the HANA authentication application in BOBJ CMC of the HANA database server details with https port


Go to the HANA Authentication app in CMC and create a connection to the HANA database using port 43xx. Provide a unique Identity Provider ID (in our case it is named HANASAML) and copy the Base64 certificate.


4. Add the BOBJ IDP Base64 Certificate to HANA & WebDispatcher PSE


You need to add the BOBJ IDP Base64 certificate to the HANA and Web Dispatcher PSE. Log in to the URL http://<hanahost>:8000/sap/hana/xs/wdisp/admin/ and go to PSE Management. Import the BOBJ IDP Base64 certificate into sapsrv.pse and SAPSSLS.pse.


Note** The HANA user will need the role “sap.hana.xs.wdisp.admin::WebDispatcherAdmin” in order to access the WebDispatcher Admin UI in HANA XS


You will see the BOBJ IDP certificate added to the trusted certificate list. Note down the Subject and Issuer details from the trusted certificate; they are needed when defining the SAML identity provider in the next step.


5. Create a SAML Identity Provider in HANA XS Engine


Add a SAML identity provider in the HANA XS engine. Log in to the URL http://<HANAHOST>:8000/sap/hana/xs/admin


Ensure that the SAML Identity Provider name is the same as the one you provided in the HANA Authentication app in BOBJ CMC. In our case the name is HANASAML. You do not need the BOBJ IDP metadata XML; directly enter the Name, Subject and Issuer details from the step above. For the other mandatory fields on the screen, simply enter a ‘/’.


Note** For steps 5 and 6 the HANA user will need the role “sap.hana.xs.admin.roles::SAMLAdministrator” in order to access the SAML configuration in the XS Admin UI


6. Create a SAML Identity Service Provider in HANA XS Engine


You will need to create a SAML service provider in HANA. Currently there is a restriction that the service provider name has to be “spId” (capital I). For the remaining fields, such as organization name, display name and URL, you can enter sap, sap and sap.com, or your own company’s details.


Note** The restriction regarding the “spId” naming is caused by the BI platform and not by HANA. It will be resolved in a BOBJ 4.1 SP5 patch.


7. Activate SAML authentication for the ‘sap’ XS application package


You will need to set SAML as the authentication method for the sap package and its sub-packages in the XS engine.


8. Setup User for authentication via SAML.


Add the SAML identity provider HANASAML to the HANA database user. In HANA Studio, open the user, enable SAML and add the IDP to the user. Enter the BOBJ user name as the external identity. Generally the BOBJ user name and the HANA database user name are the same for a person.
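The identity-provider definition from step 5 and the user mapping from step 8 can also be done from the SQL console in HANA Studio instead of the XS Admin and user editor UIs. The following is an added example and not code from the original post; the HANA user JDOE and the Subject/Issuer strings are placeholders that you replace with the values noted from the imported BOBJ IDP certificate in step 4.

```sql
-- Added example, not from the original post.
-- Step 5 equivalent: define the SAML identity provider. The name must match the
-- Identity Provider ID entered in the BOBJ CMC HANA Authentication app (HANASAML).
-- Subject and Issuer are placeholders; use the DN values from the BOBJ IDP certificate.
CREATE SAML PROVIDER HANASAML
  WITH SUBJECT 'CN=<bobj-idp-subject-placeholder>'
       ISSUER  'CN=<bobj-idp-issuer-placeholder>';

-- Step 8 equivalent: map the BOBJ user name (external identity) to the HANA user
-- and allow SAML logon for that user. JDOE is a placeholder user.
ALTER USER JDOE ADD IDENTITY 'JDOE' FOR SAML PROVIDER HANASAML;
ALTER USER JDOE ENABLE SAML;

-- Verify the provider and the mapping in the system views.
SELECT SAML_PROVIDER_NAME, SUBJECT_NAME, ISSUER_NAME
  FROM SAML_PROVIDERS
 WHERE SAML_PROVIDER_NAME = 'HANASAML';

SELECT USER_NAME, SAML_PROVIDER_NAME, EXTERNAL_IDENTITY
  FROM SAML_USER_MAPPINGS
 WHERE USER_NAME = 'JDOE';
```

The external identity is the NameID that the BOBJ IDP places in the assertion, so it has to match the BOBJ user name exactly; the second SELECT is the quickest way to confirm that the mapping HANA will consult at logon is the one you expect.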


9. Test the SAML SSO Login from AO to HANA


To test the SAML SSO from AO to HANA, open AO in Excel and first log in to BOBJ. You will be presented with a list of data sources. Select the OLAP HTTPS SSO connection that you created in BOBJ (in step 2).


Double-clicking or selecting the HTTPS SSO connection should take you directly to HANA without a further logon prompt.

In case the SSO login is not working, the xsengine trace contains valuable information about the root cause. In order to get all the details in the trace, set the trace level of all “authentication” components in the XSENGINE trace configuration to DEBUG.
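As an added example that is not part of the original post, the same trace level can be set from the SQL console rather than the HANA Studio trace configuration dialog. It assumes the XS engine trace component is named authentication and that the executing user holds the privilege to alter the system configuration.

```sql
-- Added example, not from the original post.
-- Raise the authentication trace component of the XS engine to DEBUG at SYSTEM layer
-- and apply it immediately. Assumes the component name is 'authentication'.
ALTER SYSTEM ALTER CONFIGURATION ('xsengine.ini', 'SYSTEM')
  SET ('trace', 'authentication') = 'debug' WITH RECONFIGURE;

-- Confirm the effective trace setting.
SELECT FILE_NAME, LAYER_NAME, SECTION, KEY, VALUE
  FROM M_INIFILE_CONTENTS
 WHERE FILE_NAME = 'xsengine.ini' AND SECTION = 'trace';

-- Locate the xsengine trace files to read after reproducing the failed SSO logon.
SELECT HOST, FILE_NAME, FILE_SIZE, FILE_MTIME
  FROM M_TRACEFILES
 WHERE FILE_NAME LIKE 'xsengine%'
 ORDER BY FILE_MTIME DESC;

-- Revert to the default level once the root cause is found; DEBUG tracing of
-- authentication writes assertion and certificate details into the trace files.
ALTER SYSTEM ALTER CONFIGURATION ('xsengine.ini', 'SYSTEM')
  UNSET ('trace', 'authentication') WITH RECONFIGURE;
```

Revert the level as soon as the analysis is done: DEBUG authentication traces are verbose and contain material (assertion contents, subject and issuer names) that should not sit in world-readable trace files longer than necessary.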

This brings us to the end of this blog on SAML SSO configuration. Feel free to provide your valuable feedback.


8 Comments


  1. Christian Schmitz

    Hi Jyotish,

    thanks for this extremely helpful post. After our call I intended to do the same but obviously you were faster 😉

    I have some additional comments, maybe you can adjust/extend the details in your post:

    • Step 4: the HANA user needs the role “sap.hana.xs.wdisp.admin::WebDispatcherAdmin” assigned in order to access the WebDispatcher Admin UI in HANA XS
    • Step 5+6: the HANA user needs the role “sap.hana.xs.admin.roles::SAMLAdministrator” assigned in order to access the SAML configuration in XS Admin UI
    • Step 6: the restriction regarding the “spId” naming is caused by BI Platform and not by HANA. It will be resolved in a 4.1 SP 5 patch.
    • Step 7: I would prefer to only activate SAML for package “sap.bc.ina.service.v2” instead of global “sap” package and all sub packages. If this does not work then the HANA colleagues should have a look at it. At least in my local configuration it was sufficient to activate SAML for the “sap.bc.ina.service.v2” package only.
    • Step 9: in case the SSO logon is not working the xsengine trace contains valuable information about the root cause. In order to get all details in the trace you should set the trace level of all “authentication” components in the XSENGINE trace configuration to trace level DEBUG.

    Best regards,
    Christian

    (0) 
  2. Harald Anton Mueller

    Hi!

    We have set up HANA Auth and SSO for use with Design Studio on a BI Platform using openSSL and SAP Hana Olap connection on the BIP as described e.g. here:

    http://scn.sap.com/community/businessobjects-design-studio/blog/2013/07/12/businessobjects-design-studio-11–setting-up-an-sso-connection-to-sap-hana

    In your article it says “…if you have used openSSL dismantle it.”. What do I need to do, to enable SSO for both Hana and Hana http connections?

    Do I need to setup two Hana Auth Systems (as they are using different ports)? Do I need to change the existing setup to SAP CommonCrypto / CryptoLib?

    Thanks for clarification.

    Regards,

    Harald

    (0) 
  3. Daniel Wu

    Hi,

    Are there any tricks to configure AO 2.3 to HANA SP10 multi-tenant database? I talked to SAP support, looks like AO 2.3 is not supported for HANA SP10 multi-tenant database. Is there a way to establish the SSO HTTP connection from AO to HANA SP10 multi-tenant database?

    thanks
    Daniel

    (0) 
    1. M. van Foeken

      Hi Daniel,

      Any update on this? We are trying to connect AO 2.2 to HANA SPS12 and I’m running into an issue: Exception when retrieving GetSAMLAssertionTicket

      With kind regards,

      Martijn van Foeken | Interdobs

      (0) 
