“Play It Again, SAML” – How to Set Up SAML Authentication For Your SAP HANA Cloud Platform Trial Instance
The new SAP HANA Multitenant Database Containers (MDC) feature, which was introduced last week in the Free Developer Edition of the SAP HANA Cloud Platform not only gives you a development experience much closer to a productive HANA instance, it also allows for much more freedom in configuring your HANA than the old HANA trial instances based on shared databases.
In the old HANA trial offering, the servers were preconfigured to use SAML authentication with the SAP Identity Provider for your HANA XS applications, and there was no option to change that. With the new MDC trial systems, you now have a choice between form-based authentication and SAML support using an identity provider of your choice (including On-Premise IDPs).
When you configure your XS application to use SAML, authentication is handled by an Identity Provider (IDP) service instead of by user management in the HANA system. The IDP authenticates the user either by username and password or by certificate. This enables single sign-on (SSO) scenarios and greatly improves the user experience.
To make this scenario possible, a trust relationship between your HANA database and the IDP needs to be set up: you register your HANA instance as a Service Provider in the IDP, and you register the IDP in your HANA instance.
Once this is done you can configure the applications running on your HANA instance to use SAML authentication: if you open the UI for such an XS application in your browser, the request is redirected to the IDP, which will take care of the user authentication. Once the user’s identity is verified, the IDP sends the request back to the HANA application – including the information about the user. The application can then perform the authorization check based on the verified information about who was sending the request and decide if the user is allowed to perform the requested operation.
Note: the described procedure is specifically tailored to HANA SPS10 (tested with revision 102.3, which is currently used for the HANA MDC trial systems). There are a few places which look and feel like a workaround (feel free to apply the duck test to this statement). This will become easier in the future, and hopefully once SPS11 becomes available I will be able to replace these steps with something simpler.
But now, without further ado, let’s jump right into the nitty gritty belly of the beast…
What You Need
There are a few things you need before we start:
- A Web browser (I was using Google Chrome).
- A tenant database on a SAP HANA Multitenant Database Containers system. You can get one following the instructions in the blog by Ekaterina Mitova.
- SAP HANA Studio (Eclipse + SAP HANA Tools): follow the instructions on the SAP HANA Tools site.
- The SAP HANA Cloud Platform Tools plugin for the HANA Studio.
- A tool to generate the certificate for your Service Provider. I will use OpenSSL in this blog. (If you are using a Mac or Linux system, chances are that it is already installed.)
- A tenant in an IDP Service with privileges to register service providers and manage users. I will use a tenant from an SAP test IDP in this blog.
Preparing Your HANA Tenant Database
After you have created the Trial instance following Ekaterina’s blog, you need to assign some privileges to an administration user in the HANA system. To keep it simple for this blog, we are using the SYSTEM user for that – something you should not do in a productive system!
In the database overview of the SAP HANA Cloud Platform Cockpit click on the SAP HANA Cockpit link:
In the SAP HANA Cockpit UI click on Manage Roles and Users:
In the security management UI select the SYSTEM user from the user list and assign these roles:
Note: in case you want to create a new user for the administration of certificates, you also need to grant the system privilege CERTIFICATE ADMIN. The SYSTEM user already has this by default.
Creating a Hello World Application
Let’s first create the HANA XS application we want to protect with SAML authentication in this blog. This is pretty easy using the SAP HANA Web-based Development Workbench.
- Click on the SAP HANA Web-based Development Workbench link in the SAP HANA Cloud Platform Cockpit. A new UI opens.
- In this new UI, click on Editor
- Create a new sub-package within the public package
- In the context menu for the new sub-package, select Create Application
- Select Template “HANA XS Hello World” and click on Create
You should now see something like this:
Testing the Hello World Application
Click on the activate and run button:
Now the Hello World application will start in a new browser tab.
Click on the “Call Backend” button: you should now see the message “Hello World from User SYSTEM”.
Since you were already logged on to the HANA instance with the SYSTEM user in this browser, the new browser tab was opened with the same identity. Try opening the application by copying the URL into a private browsing window or another browser. You should be prompted with the normal HANA logon screen.
Note down the application URL. We’ll want to use it later when we test the SAML authentication.
Creating Your Service Provider Certificate
The Service Provider certificate is the “passport” with which your HANA instance will authenticate itself to the IDP. For productive purposes you will want to get an official certificate, signed by a trusted certification authority. For this trial scenario we will just create a self-signed certificate ourselves.
Create the certificate with OpenSSL
OpenSSL is a command-line tool, and once it is installed you can create a self-signed certificate (with an unencrypted private key, hence -nodes) by calling it in a command shell like this (all in one line, with straight single quotes):
openssl req -x509 -sha256 -newkey rsa:2048 -keyout certificate.key -out certificate.crt -days 1024 -nodes -subj '/CN=trust.no.one'
Note: I didn’t check if the example domain name I used ‘trust.no.one’ is actually registered by anyone. You can use your domain instead.
This command will produce two files:
- certificate.key: the private key. Never share this with anyone for a productive use-case!
- certificate.crt: the public certificate for your service provider
Register the Certificate in Your HANA Instance
Connect to the Tenant DB via HANA Studio (add cloud system). Unfortunately, the SQL editor in the SAP HANA Web-based Development Workbench (aka Web IDE) does not seem to work for some of the multiline statements we are about to use.
Create a PSE Container
In an SQL editor execute the following command:
CREATE PSE TrustMe;
Assign the PSE Store For SAML Use
Execute this statement:
SET PSE TrustMe PURPOSE SAML;
Register the Service Provider Certificate
For the following statement use the values from the certificate.crt file (the part between the BEGIN/END CERTIFICATE tags) and from the certificate.key file (the part between the BEGIN/END RSA PRIVATE KEY tags), including the tags themselves. Use straight single quotes and exactly five dashes in each tag. You should end up with something like this:
ALTER PSE TrustMe SET OWN CERTIFICATE '-----BEGIN CERTIFICATE-----
<base64 content of certificate.crt>
-----END CERTIFICATE-----
-----BEGIN RSA PRIVATE KEY-----
<base64 content of certificate.key>
-----END RSA PRIVATE KEY-----';
You have now created a PSE store containing the “own” certificate with which your HANA instance will be registered in the IDP service.
Complete the Service Provider Settings
There are still a few properties of the metadata for your Service Provider which need to be set. This is done in the XS Admin Tool of your tenant DB. You can open this tool by appending “/sap/hana/xs/admin/#samlsp” to the URL of your HANA instance.
Service Provider Information
In the Service Provider Information tab, you should set your Organisation Name, Organisation Display Name and Organisation URL. To change the values, click on the Edit button in the lower right corner and click on Save once you’re done.
Service Provider Configuration
Not much to do here. Just set the Default Role to “PUBLIC”.
Making the IDP Trust Your HANA
In this step you will export the certificate of your HANA instance and register it as a Service Provider in the IDP.
Export HANA SAML Metadata
Now go to the Metadata tab of the SAML Service Provider UI in the XS Admin Tool. Select the complete XML content of the text field and copy and paste it into a local text file. Save that file with the extension .xml.
Register Your Service Provider Metadata in the IDP
My development team has a tenant in an SAP test instance of the SAP Cloud Identity Service, so I will use that to demonstrate the process in this blog. This should work similarly with other IDP service offerings.
- Log on to the SAP Cloud Identity Administration Console
- Go to Applications
- Click on + Add
- Enter a new name and click on Save
- Click on SAML 2.0 Configuration
- In the Define from Metadata section click on the Browse… button
- Select the xml metadata file for your Service Provider, which you created in the previous step
- Click on Save
You have now set up the IDP to trust your HANA instance.
Making Your HANA Trust the IDP
We still need to set up the trust relation in the other direction, because right now your HANA system doesn’t know anything about the IDP.
Export the IDP Metadata
Again, I’m using the SAP Cloud Identity Service to demonstrate this.
- Log on to the SAP Cloud Identity Administration Console
- Go to Tenant Settings -> SAML 2.0 Configuration
- Click on Download Metadata File at the very bottom of the window. This saves a metadata.xml file containing the IDP metadata to your local disk
- At the bottom of the screen (please scroll down to the end) you will find the Signing Certificate. Copy the cryptic string from the Insert as Text field and paste it to a local text file.
Import the IDP Metadata Into HANA
Now this is a bit tricky, because part of the information is still entered via the “old” XS Admin Tool, while other parts are now handled via SQL statements.
Create the HTTP Destinations
This is the part where you can still use the XS Admin Tool. There is probably a way to do all this by manually storing this information in the appropriate database tables in the HANA system, but this would require deeper knowledge of the internal table layout and semantics, so it’s easier to do it like this:
- Go to the XS Admin Tool in your tenant database (appending “/sap/hana/xs/admin/#samlsp” to the URL of your HANA instance)
- Go to SAML Identity Provider and click on +
- Open the metadata.xml file you downloaded from the IDP in a text editor and copy and paste it to the Metadata input area
- Click Save
Now the metadata is displayed in the General Data and Destination fields, but because of the new certificate handling introduced in HANA with SPS10 nothing was really stored. We now need a trick to get the General Data and Destination data actually stored in the appropriate HANA tables:
- Delete all the text in the Identity Provider Metadata input field
- Click on Save again (there will likely be an error displayed at this point, but don’t mind that)
Verify that the destination was stored in HANA by going to the Catalog view (in the SAP HANA Web-based Development Workbench or SAP HANA Studio) and check the _SYS_XS.HTTP_DESTINATIONS table:
Add the Certificate
Because the XS Admin Tool cannot store the actual certificate anymore (the storage was moved from the file system to the database, and the tool wasn’t updated for this), we now have to store the certificate with a SQL statement.
Use the certificate string you got from the step where you exported the metadata from the IDP and embed it in a ‘CREATE CERTIFICATE’ statement. Make sure to have the BEGIN/END CERTIFICATE tags surrounding your string, with exactly five dashes on each side of the tags. Line breaks inside the certificate string should not matter here.
I found that I had to execute this statement in the HANA Studio as the Web-based Development Workbench gave me an error.
Now check the content of the SYS.CERTIFICATES view and look for the CERTIFICATE_ID of the IDP certificate you just created. You need this ID for the next step.
With this CERTIFICATE_ID you can now add the IDP certificate to the PSE used for the SAML authentication:
ALTER PSE TrustMe ADD CERTIFICATE 154178;
Check the view SYS.PSE_CERTIFICATES, it should now have two entries, one with CERTIFICATE_USAGE OWN and one with TRUST
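The statements from this section and from “Register the Service Provider Certificate” above, assembled by a small helper so that the quoting and the BEGIN/END tags are right by construction. This is an added example, not code from the blog or from SAP. It assumes the HANA SQL syntax shown on this page plus CREATE CERTIFICATE FROM '<pem>' for the IDP certificate; the PSE name TrustMe and the certificate id 154178 are the blog’s own values, and the PEM strings are constructed placeholders, not real key material.

```python
"""Build the HANA SQL from this blog (CREATE PSE, SET PSE ... PURPOSE SAML,
ALTER PSE ... SET OWN CERTIFICATE, CREATE CERTIFICATE, ALTER PSE ... ADD
CERTIFICATE) out of PEM text, so the quoting and the BEGIN/END tags are right
by construction. Added example, not code from the blog or from SAP."""
import base64
import re

# HANA wants exactly five dashes around the BEGIN/END tags; anything else
# (including the typographic dashes a blog engine substitutes) is rejected.
PEM_BLOCK = re.compile(
    r"-----BEGIN (?P<label>[A-Z ]+)-----(?P<body>.*?)-----END (?P=label)-----",
    re.DOTALL,
)
IDENTIFIER = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*$")


def normalise_pem(text: str, label: str) -> str:
    """Return a clean PEM block for `label`.

    Accepts a full PEM block or a bare base64 string (what the IDP's
    'Insert as Text' field gives you) and re-wraps the body at 64 columns,
    so line breaks in the source do not matter. Malformed input raises
    ValueError here instead of failing later inside HANA."""
    body = None
    for match in PEM_BLOCK.finditer(text):
        if match.group("label") == label:
            body = match.group("body")
            break
    if body is None:
        if "BEGIN" in text or "END" in text:
            raise ValueError(f"{label}: BEGIN/END tags present but malformed (check the dashes)")
        body = text  # bare base64 string without tags
    body = "".join(body.split())
    if not body:
        raise ValueError(f"{label}: empty body")
    try:
        base64.b64decode(body, validate=True)  # binascii.Error is a ValueError
    except ValueError as exc:
        raise ValueError(f"{label}: body is not valid base64") from exc
    lines = [body[i:i + 64] for i in range(0, len(body), 64)]
    return f"-----BEGIN {label}-----\n" + "\n".join(lines) + f"\n-----END {label}-----"


def sql_string(value: str) -> str:
    """Straight single quotes, embedded quotes doubled: the SQL literal form."""
    return "'" + value.replace("'", "''") + "'"


def check_identifier(name: str) -> str:
    """Only accept a plain identifier as PSE name (no injection via the name)."""
    if not IDENTIFIER.match(name):
        raise ValueError(f"invalid PSE name: {name!r}")
    return name


def find_quoting_problems(sql: str) -> list:
    """Explain why a copy-pasted statement fails with 'unterminated quoted
    string literal': non-ASCII quotes/dashes, or an odd number of quotes."""
    problems = [f"non-ASCII character U+{ord(ch):04X}" for ch in sorted(set(sql)) if ord(ch) > 127]
    if sql.count("'") % 2:
        problems.append("odd number of single quotes: unterminated string literal")
    return problems


def service_provider_script(pse: str, cert_pem: str, key_pem: str) -> str:
    """Statements of 'Register the Certificate in Your HANA Instance':
    certificate first, then the private key, in one string literal."""
    pse = check_identifier(pse)
    own = normalise_pem(cert_pem, "CERTIFICATE") + "\n" + normalise_pem(key_pem, "RSA PRIVATE KEY")
    return "\n".join([
        f"CREATE PSE {pse};",
        f"SET PSE {pse} PURPOSE SAML;",
        f"ALTER PSE {pse} SET OWN CERTIFICATE {sql_string(own)};",
    ])


def idp_certificate_statement(idp_cert: str) -> str:
    """'Add the Certificate': store the IDP signing certificate in HANA."""
    return f"CREATE CERTIFICATE FROM {sql_string(normalise_pem(idp_cert, 'CERTIFICATE'))};"


def add_certificate_statement(pse: str, certificate_id: int) -> str:
    """Last step, after looking up CERTIFICATE_ID in SYS.CERTIFICATES."""
    return f"ALTER PSE {check_identifier(pse)} ADD CERTIFICATE {int(certificate_id)};"


# Constructed placeholders: valid base64 but not a real certificate or key.
# Replace with the contents of your certificate.crt / certificate.key and
# the string from the IDP's 'Insert as Text' field.
SAMPLE_CERT = "-----BEGIN CERTIFICATE-----\nMIIBc2FtcGxl\nQ0VSVA==\n-----END CERTIFICATE-----\n"
SAMPLE_KEY = "-----BEGIN RSA PRIVATE KEY-----\nMIIEa2V5\n-----END RSA PRIVATE KEY-----\n"
SAMPLE_IDP_CERT_TEXT = "TUlJQklEUA=="

if __name__ == "__main__":
    print(service_provider_script("TrustMe", SAMPLE_CERT, SAMPLE_KEY))
    print(idp_certificate_statement(SAMPLE_IDP_CERT_TEXT))
    print(add_certificate_statement("TrustMe", 154178))  # id taken from the blog
```

The script deliberately does not connect to HANA: run it, then paste the printed statements into the HANA Studio SQL console one at a time. The CERTIFICATE_ID for the final ALTER PSE ... ADD CERTIFICATE statement is still looked up in SYS.CERTIFICATES as described above, and find_quoting_problems() can be pointed at a statement copied from anywhere to explain an “unterminated quoted string literal” error before it is sent to the database.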
You have now fully configured the trust relationship between your HANA instance and the IDP for the sake of SAML authentication!
Setting Up the Application For SAML Authentication
What is still left to do is to configure the Hello World application to use SAML authentication instead of basic authentication.
- Again, go to the XS Admin Tool in your tenant database (appending “/sap/hana/xs/admin/#” to the URL of your HANA instance)
- Select XS Artifact Administration
- Navigate to the package where you created your Hello World application
- Click on Edit
- In Authentication Methods tick the SAML checkbox and select the IDP configuration created in step 2
- Untick all other checkboxes
- Click Save
The configuration should now look like this:
Testing the Application
The User ID of my user in the IDP is “P000001”, as we can see in the user administration UI of the SAP Cloud Identity tenant:
We expect this ID to show up in the Hello World application once we log on using SAML authentication.
Remember the application URL from when we first tested it? Paste it in a private browsing window or even another browser (we want to avoid any caching problems).
Instead of the logon screen of your HANA system you should now see the logon screen of your IDP (assuming that you have not set up single sign-on, in which case you would be either directly redirected to the application, or asked by the browser to use a certificate for authentication).
Once you log in, the application UI is displayed. When you now click on the Call Backend button, instead of the SYSTEM user the user ID of the user from the Identity Provider should be displayed.
Note: if you did not tick the Dynamic User Creation checkbox in step 2 you need to create the user in the HANA instance manually, otherwise you will see an error message that the user does not exist.
I hope this blog is of help to anyone who wants to try such a scenario. The next step would be to try and add single sign-on.
Admittedly, the process to set up SAML authentication is not the smoothest. Especially the need to use the HANA Studio for multiline statements and the mismatch between the XS Admin Tool and the new certificate storage make it a bit of an adventure to configure this. I am certain that these points will be addressed in one of the next HANA versions.
I’d also like to give a big shout-out to my team-mate, architect and HANA whisperer Eduard Bartsch who guided me through some of the most tricky parts of this procedure.
With apologies that this comment is not about the obviously amazing technical content and value of this post, the title alone really makes my day!
I can't register the service provider certificate. Could you please advise?
Could not execute 'ALTER PSE TrustMe SET OWN CERTIFICATE '-----BEGIN CERTIFICATE----- ...'
Error: (dberror) 257 - sql syntax error: unterminated quoted string literal: line 1 col 38 (at pos 39)
Unless you are asking for clarification/correction of some part of the Document, please create a new Discussion marked as a Question. The Comments section of a Blog (or Document) is not the right vehicle for asking questions as the results are not easily searchable. Once your issue is solved, a Discussion with the solution (and marked with Correct Answer) makes the results visible to others experiencing a similar problem. If a blog or document is related, put in a link. Read the Getting Started documents (link at the top right) including the Rules of Engagement.
NOTE: Getting the link is easy enough for both the author and Blog. Simply MouseOver the item, Right Click, and select Copy Shortcut. Paste it into your Discussion. You can also click on the url after pasting. Click on the A to expand the options and select T (on the right) to Auto-Title the url.
Thanks, Mike (Moderator)
SAP Technology RIG
Thank you very much
Were you trying this statement in the Web IDE? This is the same error I got there. That was the reason for this statement in the blog:
I think so
People rarely use code blocks in blogs. Some of them even write blogs in text processors such as Word. The SQL statement has an error, you shouldn't blindly copy-paste it. You can take mine as an example, but put your own certificates obviously:
It worked well even in Web IDE.
Could you clarify, if one could also use the "SAP Identity Provider", since I can't change this provider?
sorry for the late reply.
In contrast to the (now retired) "shared" XS trial instances, the MDC trial instances are not preconfigured with any SAML/IDP configuration.
In order to register the HANA MDC Trial instance as a Service Provider in an IDP you would need to have the privilege for such a registration in the IDP itself.
So it's not possible for trial users to register their HANA MDC Trial instance in the central SAP IDP.
If you have your own tenant in the SAP Cloud Identity Service, you could use that.
ok, but if you are on trial, you normally have no tenant in the SAP Cloud Identity Service, or can one get a test tenant besides the one-time 90-day trial? IMHO a partner edge HCP developer account also does not include a tenant in the SAP Cloud Identity Service...
Currently, the SAP Cloud Identity service is not available as a trial offering in HCP.
The SAP Partner Edge Innovation Pack for the SAP HANA Cloud Platform however, does include a SCI tenant. So if you have booked this offering, you could use that tenant to test this.
Thank you for this great tutorial. Here is some feedback for further improvement:
As you recommended I haven't used the SYSTEM user to execute the steps. But in the "CREATE PSE" step I've faced an authorization problem. I've solved it by adding the "TRUST ADMIN" privilege to my user. Also "SET PSE" failed. It seems "USER ADMIN" is needed there. The help page SQL Statements and Authorization for In-Database Certificate Management came to my rescue.
You mention that the SQL Console of the HANA Studio has to be used to import the certificate. But that mention occurs at the second certificate we import. Please put it in front of the "ALTER PSE xxx SET OWN CERTIFICATE" section as it's needed here already.
Also it would be great if you could provide the path to the SAML IDP "/sap/hana/xs/admin/#/samlIDP/nodata" as you've done it for the admin pages too. It took me a while to figure out that I had to click the Hamburger Icon for the Menu :-).
As on HCP Trial SAP does not yet provide the SAP Cloud Identity service, I've tried to use the MS Azure Active Directory as my IDP. I've done that already for my ABAP stack, so I hoped this should go smoothly. Unfortunately I was proven wrong. When I tried to import the certificate from Microsoft I got the error "Certificate definition inconsistent". It seems that is a known problem in HANA 102.03 and fixed in 102.06 (see Note 2290067). But the HCP MDC is still 102.03. So I hope either for SCI or a HANA upgrade on HCP Trial.
Thank you for your detailed feedback. I will work it into the blog once I find some time to do it.
Regarding the problems you had with the Microsoft certificate, I saw a similar thing when I tried with SSOCircle as IDP. I'm sure that the trial servers will be updated at some point in time, but unfortunately, I don't know any timelines for this.
Since the MDC of the trial instances is now at 112.04 and you said there will be some changes with SP11 in this area, could you give us a hint what is really different from the procedure described in this blog?
When writing the blog for the 102.03 version I encountered a few bugs which forced me to jump through some hoops to get the scenario working. Those were:
Unfortunately, I did not have the time yet to test if all of these issues have been resolved by now. I'm sure that by now it should be much easier to make this work, and I still hope that I will get around to updating this blog.
I hope that these pointers were useful to you.
Thank you for this detailed blog entry.
We have followed all the steps in the blog and we have configured our Identity Provider with the Hana Cloud Platform Trial Instance. Our SP-initiated flow is working. But the IDP-initiated flow gives the following error, displayed in the browser with absolutely nothing in the trace files:
"No assertion found in body of request"
Can we request you to tell us what has gone wrong?
Thanks in advance.
@Former Member, I have the same problem. Did you find any solution?
The key words of this post are:
There is no trial SAP Cloud Identity provider that can be used even for tests.