This post is a step-by-step guide to configuring Active Directory Federation Services (AD FS) 2.0 as the SAML identity provider for SAP HANA Cloud Platform (HCP).

Overview

The following steps are required to enable AD FS as the SAML Identity Provider for an HCP account:

  1. In HCP: Establish trust to AD FS by configuring AD FS as a Trusted Identity Provider for your HCP account
  2. In AD FS: Establish trust to HCP by configuring HCP as a Relying Party in your AD FS

Note: When adding the Identity Provider or Service Provider metadata, you need to select SHA-1 as the Signature Algorithm (Secure hash algorithm).

In HCP: Establish Trust to AD FS

Step 1: Export SAML Identity Provider (AD FS) Federation Metadata

We need the AD FS 2.0 federation metadata, which is accessible at the following URL:

https://<ADFS2.0 Server Host>/FederationMetadata/2007-06/FederationMetadata.xml

(In some cases you need to be on the AD FS 2.0 server host itself to access the federation metadata.)

The browser will display the content of the XML file.
Save the file (Ctrl + S or File -> Save) as XML.

Step 2: Import the AD FS Federation Metadata into your HCP account

Open your HCP account at https://account.hana.ondemand.com/, then:

  1. From the left list menu, navigate to Trust
  2. In the center of the page, navigate to Trusted Identity Provider
  3. Then click on Add Trusted Identity Provider:

[Screenshot: HCP, Add Trusted Identity Provider]

  4. Upload the federation metadata: click Browse and select the FederationMetadata.xml file downloaded in Step 1.
  Once the file is selected, all required fields are filled in automatically.

Step 3: Create a Default Group Assignment

  5. Then go to the Groups tab at the top, where we add a default group that is assigned to every user authenticated via AD FS (this makes sure AD FS users can access the applications).

[Screenshot: HCP, Trusted Identity Provider metadata uploaded, Groups tab]

As the predefined HCP group “Everyone” holds the basic permissions needed for the applications we want to access, we assign it as the default group for users authenticated via AD FS:

  6. Click Add Default Group.

  7. From the dropdown, select the default group “Everyone”.

  8. Press Save in the bottom right corner to save the Trusted Identity Provider.

[Screenshot: HCP, “Everyone” added as default group, Save]

In AD FS: Establish Trust to HCP

Step 1: Export Service Provider (HCP account) Metadata

  1. Go to your HCP account and navigate to Trust
  2. Select Local Service Provider in the center of the page (usually it is selected by default)
  3. Click Get Metadata and download the XML file. Some browsers download the file automatically when you click the link.

[Screenshot: HCP, Local Service Provider, Get Metadata]

Step 2: Import the Service Provider (HCP account) Metadata into your AD FS

  1. Open AD FS 2.0 Management and in the left menu navigate to AD FS 2.0
  2. Then Trust Relationships
  3. Then Relying Party Trusts
  4. In the Actions column on the right, click Add Relying Party Trust…

[Screenshot: AD FS 2.0 Management, Add Relying Party Trust]

The “Add Relying Party Trust” wizard guides you through the process:

Click Start, and on the second screen (Select Data Source):

  1. Select Import data about the relying party from a file,
  2. then press Browse to select the HCP metadata file downloaded in Step 1,
  3. then Next.

[Screenshot: AD FS wizard, Select Data Source, import from file]

  4. On the next dialog, “Specify Display Name”, enter a name for the Relying Party Trust (it is only the name shown in the list), then Next.

  5. On Choose Issuance Authorization Rules, select Permit all users to access this relying party, then Next -> Next -> Close.

Step 3: Create a Claim Rule to define the mapping of the user ID from AD to HCP

When you close the “Add Relying Party Trust” wizard, the “Edit Claim Rules” wizard opens.

If not, right-click the Relying Party Trust -> Edit Claim Rules to start it.

  1. In the “Edit Claim Rules” window, go to the “Issuance Transform Rules” tab at the top
  2. Then click Add Rule…

[Screenshot: AD FS, Edit Claim Rules, Add Rule]

To define the rule type in the “Add Transform Claim Rule” wizard, select Send LDAP Attributes as Claims from the Claim rule template dropdown, then Next.

Then, to specify the rule:

  1. Enter the Claim rule name (e.g. “SAN to NameID”),
  2. for Attribute store select Active Directory from the dropdown,
  3. then map the LDAP Attribute SAM-Account-Name
  4. to the Outgoing Claim Type Name ID,
  5. and press Finish.

[Screenshot: AD FS, claim rule definition, SAM-Account-Name to Name ID]

Step 4: Change the Secure hash algorithm

To change the Secure hash algorithm, right-click the Relying Party Trust -> Properties, then:

  1. Go to the Advanced tab
  2. Change the Secure hash algorithm to SHA-1
  3. Click OK

[Screenshot: AD FS, Relying Party Trust Properties, Advanced tab, Secure hash algorithm]

Now you should be able to log in with your AD FS users.


11 Comments


        1. Mihail Kyosev Post author

          Deep,

          I have checked different scenarios and Add Trusted Identity Provider is on the right place.

          To make sure you are on the right place:

          1. From the left list menu, navigate to Trust
          2. In the center of the page, navigate to Trusted Identity Provider
          3. Then click on Add Trusted Identity Provider

          Please make sure you clicked on the Trusted Identity Provider tab in the centre of the page.

          Regards,

          Mihail

  1. Nidhideep Bhandari

    Hi Mihail,

    I was able to create a trust between HCP and IdP. It works fine. I created

    so we created a destination with Authentication type Principal

    Propagation. But when we are trying to access any application it gives us the

    following error:

    GET

    dispatcher.us1.hana.ondemand.com/destinations/EH1/sap/opu/odata/IWFND/CATALOGSERVICE/$metadata 403 (Forbidden)

    We connected our HCP account with cloud connector to expose odata service from GW system.

  2. Srikar Vankadaru

    Hi Mihail

    We are getting “StatusCode in ResponseMessage != OK; please refer to the database trace for more information”. Can you please advise? And sometimes when we play with Relying Party Trusts we get the error “No assertion found in body of request”.

  3. Frank Clement

    Hello Mihail,

    I am trying to follow the same procedure with a trial account, but experiencing trouble after authentication occurs in ADFS.

    Can you tell me if this feature is available on the HCP trial edition?

    Thank you for your post

    Frank

  4. Hans Verreydt

    When configuring SSO with ADFS, we have the following problem:

    HTTP Status 400 – Service Provider endpoint saml2/sp/acs could not redirect to original application URL because it has not received RelayState

    What steps do we need to take to solve this?

    Thx!

    Regards,

    Hans

  5. Parag Jain

    Hello Mihail,
    Thank you very much for the blog. Will the same steps work for ADFS 3.0 as well?
    Also, in “Step 1: Export Service Provider (HCP account) Metadata”, is it mandatory for “Principal Propagation” to be disabled?

    Regards,
    Parag.
