This post is a step-by-step guide to configuring Active Directory Federation Services (AD FS) 2.0 as SAML Identity Provider for SAP HANA Cloud Platform (HCP).
The following steps are required to enable AD FS as SAML Identity Provider for an HCP account:
- In HCP: Establish trust to AD FS, configure AD FS as Trusted Identity Provider for your HCP account
- In AD FS: Establish trust to HCP, configure HCP as Relying Party in your AD FS
Note: When adding the Identity Provider / Service Provider metadata on either side, select SHA-1 as Signature Algorithm (Secure hash algorithm); in AD FS this is the Secure hash algorithm setting of the relying party trust (Step 4 of the AD FS section below). SHA-1 is used here only because this trust requires it; AD FS 2.0 defaults to SHA-256 for new trusts, and SHA-1 is a deprecated hash algorithm, so switch the trust to SHA-256 as soon as the service provider accepts it.
In HCP: Establish Trust to AD FS
Step 1: Export SAML Identity Provider (AD FS) Federation Metadata
We need the AD FS 2.0 federation metadata, which AD FS publishes at the following URL:
https://<ADFS2.0 Server Host>/FederationMetadata/2007-06/FederationMetadata.xml
(In some cases the metadata endpoint is only reachable from the AD FS 2.0 server host itself.)
The browser will display the content of the XML file.
Save the file (Ctrl+S or File -> Save) as .xml.
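As an added example (not part of the original post), the download of Step 1 done in PowerShell, together with a print-out of what HCP will import from the file: the entity ID, the signing certificate(s) and the single sign-on endpoints. The host name adfs.example.com and the output path are placeholders; when the script runs on the AD FS server itself, it also compares the published signing certificate with the live token-signing certificate.

```powershell
# Added example (not part of the original post): fetch the AD FS 2.0 federation
# metadata and print the values HCP imports from it (entityID, signing
# certificate, SSO endpoints) so they can be checked against the AD FS server.
# Placeholder: replace $adfsHost with your AD FS 2.0 server host name.
$adfsHost    = "adfs.example.com"
$metadataUrl = "https://$adfsHost/FederationMetadata/2007-06/FederationMetadata.xml"
$outFile     = Join-Path $env:USERPROFILE "Desktop\FederationMetadata.xml"

# WebClient is available on PowerShell 2.0 (Windows Server 2008 R2, where AD FS 2.0
# runs); Invoke-WebRequest would need PowerShell 3.0 or later.
$client = New-Object System.Net.WebClient
$client.DownloadFile($metadataUrl, $outFile)

$md = New-Object System.Xml.XmlDocument
$md.Load($outFile)
$ns = New-Object -TypeName System.Xml.XmlNamespaceManager -ArgumentList $md.NameTable
$ns.AddNamespace("md", "urn:oasis:names:tc:SAML:2.0:metadata")
$ns.AddNamespace("ds", "http://www.w3.org/2000/09/xmldsig#")

# The entityID becomes the IdP "Name" in the HCP trust configuration.
"IdP entityID: " + $md.DocumentElement.GetAttribute("entityID")

$idp = $md.SelectSingleNode("/md:EntityDescriptor/md:IDPSSODescriptor", $ns)

# Signing certificates published for the IdP role: HCP validates SAML
# responses against these, so note thumbprint and expiry.
$certNodes = $idp.SelectNodes("md:KeyDescriptor[@use='signing']/ds:KeyInfo/ds:X509Data/ds:X509Certificate", $ns)
foreach ($node in $certNodes) {
    $raw  = [Convert]::FromBase64String($node.InnerText)
    $cert = New-Object -TypeName System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList (,$raw)
    "Signing cert: $($cert.Subject)  thumbprint=$($cert.Thumbprint)  expires=$($cert.NotAfter)"
}

# SAML 2.0 single sign-on endpoints HCP will send the browser to.
foreach ($sso in $idp.SelectNodes("md:SingleSignOnService", $ns)) {
    "SSO endpoint: $($sso.GetAttribute('Binding'))  $($sso.GetAttribute('Location'))"
}

# When run on the AD FS server itself, cross-check against the live
# token-signing certificate; a mismatch means the file did not come from this IdP.
Add-PSSnapin Microsoft.Adfs.PowerShell -ErrorAction SilentlyContinue
if (Get-Command Get-ADFSCertificate -ErrorAction SilentlyContinue) {
    foreach ($c in Get-ADFSCertificate -CertificateType Token-Signing) {
        "Local token-signing cert: thumbprint=$($c.Thumbprint)  primary=$($c.IsPrimary)"
    }
}
```

The thumbprint printed here is the one to compare with the certificate HCP shows after the import in Step 2; the entity ID is what HCP displays as the Identity Provider name.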
Step 2: Import the AD FS Federation Metadata into your HCP account
Open your account in the HCP cockpit at https://account.hana.ondemand.com/, then:
- In the left menu, navigate to Trust
- In the center of the page, select the Trusted Identity Provider tab
- Click Add Trusted Identity Provider
- Click Browse and select the FederationMetadata.xml file downloaded in Step 1
Once the file is selected, all required fields (among them the Identity Provider name, i.e. its entity ID, and the signing certificate) are filled in automatically; check that they match the AD FS server you expect before saving.
Step 3: Create a Default Group Assignment
- Go to the Groups tab at the top. A default group is assigned to every user authenticated via this Identity Provider; we use it to make sure AD FS users can access the applications.
As the predefined HCP group “Everyone” holds the basic permissions required for the applications we want to access, we assign it as default group to users authenticated via AD FS (note that, combined with the “Permit all users” rule of the AD FS section, every AD account that can authenticate to AD FS then receives these permissions):
- Click Add Default Group
- From the dropdown, select the default group “Everyone”
- Press Save in the bottom right corner to save the Trusted Identity Provider
In AD FS: Establish Trust to HCP
Step 1: Export Service Provider (HCP account) Metadata
- Go to your HCP Account, navigate to Trust
- Select Local Service Provider in the center of the page. Usually it is selected by default.
- Click Get Metadata and download the xml file. Some browsers might download the file automatically when you click on the link.
Step 2: Import the Service Provider (HCP account) Metadata into your AD FS
- Open AD FS 2.0 Management and, in the left tree, expand AD FS 2.0
- Then Trust Relationships
- Then Relying Party Trusts
- In the Actions column on the right, click Add Relying Party Trust…
The “Add Relying Party Trust” wizard guides through the process:
Click Start, and on the second screen (Select Data Source):
- Select Import data about the relying party from a file,
- Press Browse and select the HCP metadata file (as downloaded in Step 1),
- Then Next.
- On the next dialog, “Specify Display Name”, enter a name for the Relying Party Trust; it is only the name shown in the list. Then Next.
- On Choose Issuance Authorization Rules, select Permit all users to access this relying party, then Next -> Next -> Close. This lets every account that can authenticate to AD FS obtain a token for HCP; to limit access to a subset of users, choose Deny all users here and later add a rule with the “Permit or Deny Users Based on an Incoming Claim” template (for example on a group membership claim).
Step 3: Create a claim rule that maps the AD user ID to the HCP user ID
When the “Add Relying Party Trust” wizard closes, the “Edit Claim Rules” dialog opens automatically.
If not, right-click the Relying Party Trust -> Edit Claim Rules… to open it.
- In the “Edit Claim Rules” window, go to the “Issuance Transform Rules” tab at the top
- Then Add Rule…
To define the rule type in the “Add Transform Claim Rule” wizard, select Send LDAP Attributes as Claims from the Claim rule template dropdown, then Next.
Then, to configure the rule:
- Enter the Claim rule name (e.g. “SAN to NameID”),
- for Attribute store, select Active Directory from the dropdown,
- map the LDAP Attribute SAM-Account-Name (sAMAccountName)
- to the Outgoing Claim Type Name ID,
- and press Finish.
The value issued as Name ID is the user ID HCP sees, so AD FS users appear in HCP under their sAMAccountName.
Step 4: Change the Secure hash algorithm
AD FS 2.0 signs tokens for a new relying party trust with SHA-256 by default. To change this, right-click the Relying Party Trust -> Properties and then:
- Navigate to the Advanced tab
- Change the Secure hash algorithm to SHA-1
- Then OK
Now you should be able to log in with your AD FS users.
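The AD FS side of this guide (Steps 2 to 4 above) can also be done with the AD FS 2.0 PowerShell snap-in instead of the wizard. The following script is an added example, not part of the original post: the metadata file path, the display name and the group SID in the optional authorization rule are placeholders, and the two claim rules are the ones the wizard templates “Send LDAP Attributes as Claims” and “Permit all users” generate.

```powershell
# Added example (not part of the original post): the AD FS side of this guide
# (Steps 2 to 4) as one script using the AD FS 2.0 PowerShell snap-in.
# Placeholders: $metadataFile (the file from "Get Metadata"), $rpName, and the
# group SID used by the optional tightened authorization rule.
Add-PSSnapin Microsoft.Adfs.PowerShell -ErrorAction SilentlyContinue

$metadataFile    = "C:\temp\hcp-sp-metadata.xml"
$rpName          = "SAP HANA Cloud Platform"
$restrictToGroup = $false   # $true: only members of one AD group may log in

# Step 3, "Send LDAP Attributes as Claims": sAMAccountName -> Name ID.
$transformRules = @'
@RuleTemplate = "LdapClaims"
@RuleName = "SAN to NameID"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier"), query = ";sAMAccountName;{0}", param = c.Value);
'@

# Step 2, "Permit all users to access this relying party": any account that can
# authenticate to AD FS gets a token for HCP.
$authzAll = @'
@RuleTemplate = "AllowAllAuthzRule"
 => issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");
'@

# Tighter alternative (not in the original guide), the "Permit or Deny Users
# Based on an Incoming Claim" template on a group SID. Placeholder SID: take the
# real value from the group's objectSid attribute.
$authzGroup = @'
@RuleTemplate = "Authorization"
@RuleName = "Permit HCP-Users group"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid", Value =~ "^(?i)S-1-5-21-1111111111-2222222222-3333333333-1234$"]
 => issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");
'@

if ($restrictToGroup) { $authzRules = $authzGroup } else { $authzRules = $authzAll }

# Steps 2 and 4 together: import the HCP metadata and set the secure hash
# algorithm to SHA-1 (AD FS 2.0 defaults new trusts to rsa-sha256).
Add-ADFSRelyingPartyTrust -Name $rpName `
    -MetadataFile $metadataFile `
    -IssuanceTransformRules $transformRules `
    -IssuanceAuthorizationRules $authzRules `
    -SignatureAlgorithm "http://www.w3.org/2000/09/xmldsig#rsa-sha1"

# Verify what was stored: identifier from the HCP metadata, signature algorithm,
# and the authorization rule actually in force.
Get-ADFSRelyingPartyTrust -Name $rpName |
    Select-Object Name, Identifier, SignatureAlgorithm, IssuanceAuthorizationRules
```

To move the trust back to SHA-256 later, run Set-ADFSRelyingPartyTrust -TargetName with the same display name and -SignatureAlgorithm "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"; the Identifier printed at the end must equal the entity ID of the HCP account's Local Service Provider metadata.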