ADFS 2.0 Configuration for SAP HANA Cloud Platform
This post contains a step-by-step guide on how to configure Active Directory Federation Services (AD FS) 2.0 with SAP HANA Cloud Platform (HCP).
The following steps are required to enable AD FS as a SAML Identity Provider for an HCP account:
- In HCP: Establish trust to AD FS, configure AD FS as Trusted Identity Provider for your HCP account
- In AD FS: Establish trust to HCP, configure HCP as Relying Party in your AD FS
Note: When adding the metadata of the Identity/Service Provider, you need to select SHA-1 as the Signature Algorithm (Secure hash algorithm).
In HCP: Establish Trust to AD FS
Step 1: Export SAML Identity Provider (AD FS) Federation Metadata
We need to get the AD FS 2.0 federation metadata, which is accessible at the following URL:
https://<ADFS2.0 Server Host>/FederationMetadata/2007-06/FederationMetadata.xml
(In some cases you need to be on the AD FS 2.0 server host to access the federation metadata.)
This page lists the content of the XML file.
Download the file (Ctrl + S or File -> Save) as XML.
Step 2: Import the AD FS Federation Metadata into your HCP account
Open it from https://account.hana.ondemand.com/, then:
1. From the left menu, navigate to Trust
2. In the center of the page, navigate to Trusted Identity Provider
3. Then click on Add Trusted Identity Provider
4. Here we upload the Federation Metadata by clicking Browse and navigating to the FederationMetadata.xml file on our host (as downloaded in Step 1).
Once we select the file, all required fields are filled in automatically.
Step 3: Create a Default Group Assignment
5. Then go to the Groups tab on top, where we add a default group that will be assigned to each and every user (we use this to make sure AD FS users can access the applications).
As the predefined HCP group “Everyone” holds the basic permissions required for the applications we would like to access, we assign it as the default group to the users authenticated via AD FS:
6. Click Add Default Group to add a default group.
7. From the dropdown, select the default group “Everyone”
8. Press Save in the bottom right corner to finally save the Trusted Identity Provider.
In AD FS: Establish Trust to HCP
Step 1: Export Service Provider (HCP account) Metadata
- Go to your HCP Account, navigate to Trust
- Select Local Service Provider in the center of the page. Usually it is selected by default.
- Click Get Metadata and download the XML file. Some browsers might download the file automatically when you click on the link.
Step 2: Import the Service Provider (HCP account) Metadata into your AD FS
- Open AD FS 2.0 Management and in the left menu navigate to AD FS 2.0
- Then Trust Relationships
- Then Relying Party Trusts
- On the right actions column menu, press Add Relying Party Trust…
The “Add Relying Party Trust” wizard will guide you through the process:
Begin with the Start button and on the second screen (Select Data Source):
1. Select Import data about the relying party from a file,
2. Then press Browse to select the HCP Metadata file (as downloaded in Step 1),
3. Then Next.
4. On the next dialog “Specify Display Name”, enter the name of the Relying Party Trust (it is just the name shown in the list), then Next.
5. On Choose Issuance Authorization Rules, select Permit all users to access this relying party, then Next -> Next -> Close.
Step 3: Create Claim Rule to define the mapping of user ID from AD to HCP
When closing the “Add Relying Party Trust” wizard, the “Edit claim rules” wizard will be opened.
If not, you can right-click on the Relying Party Trust -> Edit claim rules to start it.
- In the “Edit Claim Rules” window, go to the “Issuance Transform Rules” tab on top
- Then Add Rule…
To define the rule type in the “Add Transform Claim Rule” Wizard, from the dropdown Claim rule template, select Send LDAP Attributes as Claims, then Next.
Then, to specify the rule:
- Add the Claim rule name (e.g. “SAN to NameID”),
- for Attribute store select Active Directory from the dropdown,
- then map LDAP Attribute SAM-Account-Name
- to Outgoing Claim Type Name ID,
- and press Finish.
Step 4: Change Secure hash algorithm
To change the Secure hash algorithm, right-click on the Relying Party Trust -> Properties and then:
- Navigate to Advanced tab
- Then change the Secure hash algorithm to SHA-1
- Then OK
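The AD FS side of the configuration above (Steps 2 to 4) can also be done from the AD FS 2.0 PowerShell snap-in instead of the wizards. This is an added example, not code from the original post; the trust name and the path to the HCP metadata file from Step 1 are assumptions, and it assumes you run it on the AD FS 2.0 server.

```powershell
# Added example: AD FS 2.0 Relying Party Trust for HCP via PowerShell.
# Trust name and metadata path are assumptions; adjust them for your setup.
Add-PSSnapin Microsoft.Adfs.PowerShell -ErrorAction SilentlyContinue

$trustName    = "SAP HANA Cloud Platform"        # assumed display name (Step 2, dialog 4)
$metadataFile = "C:\temp\hcp-sp-metadata.xml"    # assumed path of the file from Step 1

# Step 3: "Send LDAP Attributes as Claims" rule, SAM-Account-Name -> Name ID
$transformRules = @'
@RuleTemplate = "LdapClaims"
@RuleName = "SAN to NameID"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier"), query = ";sAMAccountName;{0}", param = c.Value);
'@

# Step 2, dialog 5: "Permit all users to access this relying party"
$authzRules = @'
@RuleTemplate = "AllowAllAuthzRule"
 => issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");
'@

# Step 2: import the HCP Service Provider metadata as a Relying Party Trust
Add-ADFSRelyingPartyTrust -Name $trustName `
    -MetadataFile $metadataFile `
    -IssuanceTransformRules $transformRules `
    -IssuanceAuthorizationRules $authzRules

# Step 4: set the Secure hash algorithm of this trust to SHA-1, as the post requires
Set-ADFSRelyingPartyTrust -TargetName $trustName `
    -SignatureAlgorithm "http://www.w3.org/2000/09/xmldsig#rsa-sha1"

# Check what was written before testing the login from HCP
Get-ADFSRelyingPartyTrust -Name $trustName |
    Select-Object Name, Identifier, SignatureAlgorithm, IssuanceTransformRules
```

The last command shows the identifier taken from the HCP metadata and the active signature algorithm, which is the first thing to compare against the HCP Trust settings when the login fails.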
Now you should be able to log in using your AD FS users.
When I am clicking on the Trust, I am not getting "Add trusted Identity Provider".
Do I need some more access?
What roles are assigned to your account?
You can check under Members menu.
I have Administrator, Developer, Support User, Application User Admin roles assigned to me.
I have checked different scenarios and Add Trusted Identity Provider is in the right place.
To make sure you are in the right place:
Please make sure you clicked on the Trusted Identity Provider tab in the centre of the page.
I was able to create a trust between HCP and IdP. It works fine. I created
so we created a destination with Authentication type Principal Propagation. But when we are trying to access any application it gives us
dispatcher.us1.hana.ondemand.com/destinations/EH1/sap/opu/odata/IWFND/CATALOGSERVICE/$metadata 403 (Forbidden)
We connected our HCP account with cloud connector to expose odata service from GW system.
Unfortunately I cannot help you with this error related to the Principal Propagation setup.
We are getting "StatusCode in ResponseMessage != OK; please refer to the database trace for more information". Can you please advise? And sometimes when we play with Relying Party Trusts we get the error "No assertion found in body of request".
I am trying to follow the same procedure with a trial account, but experiencing trouble after authentication occurs in AD FS.
Can you tell me if this feature is available on the HCP trial edition?
Thank you for your post
When configuring SSO with ADFS, we've following problem:
HTTP Status 400 - Service Provider endpoint saml2/sp/acs could not redirect to original application URL because it has not received RelayState
What steps do we need to take to solve this?
When I try to add the default group, the dropdown is empty. Any tips on what I'm doing wrong?
Thank you very much for the blog. Will the same steps work for AD FS 3.0 as well?
Also, in "Step 1: Export Service Provider (HCP account) Metadata", is it mandatory for "Principal Propagation" to be disabled?