Introduction

Although there is no standardized definition of the term “Principal Propagation”, it is commonly understood as the ability of a system to securely forward or propagate the authenticated user (principal) from a sender to a receiver in a way that the forwarded user information is kept confidential and – even more important – cannot be changed during transit. Based on a pre-established trust relationship to the sender, the receiver uses this information to logon the user without asking her again for the credentials.

 

Principal propagation plays an important role in many scenarios on SAP HANA Cloud Platform (HCP), e.g. when an application has to pass the logged-on user in the Cloud to an on-premise system via the SAP HANA Cloud Connector. More information on this scenario can be found here. The following picture illustrates another very common scenario for principal propagation, where an application on HCP consists of two components: The user interface (UI) is developed and deployed as an HTML5- or Java-application on HCP which consumes an API implemented as a RESTful service from an SAP HANA instance running on HCP. The API requires an authenticated user and exposes the user’s data via SAP HANA Extended Application Services (XS).

/wp-content/uploads/2016/03/figure1_910923.jpg

On HCP, the user usually authenticates against an identity provider (IdP) which is configured for the account where the application is deployed to. In HCP trial accounts for example, this is the SAP ID Service by default, which is a free-of-charge public identity provider from SAP, managing the SAP Community Network users, SAP Service Marketplace users and the users of several other SAP sites. To delegate user authentication to the IdP, HCP uses the SAML 2.0 protocol. Upon successful authentication at the IdP, the HTML5 application on HCP receives a SAML Response from the IdP, which is a message digitally signed by the IdP. It must contain at least the unique logon name of the user, and may also include additional information about the user, such as the user’s first and last name, e-mail address etc.

 

HTML5 applications usually rely on on-premise or on-demand RESTful services. When a RESTful service is called from an HTML5 application, a new connection is initiated by the central HTML5 dispatcher on HCP to the service that is defined in a corresponding HTTP destination. If this call requires the user to authenticate at the service, the HTML5 dispatcher should rather propagate the authenticated user or login context than prompting the user again for credentials to access the service.

/wp-content/uploads/2016/03/figure2_910960.jpg

There are two authentication mechanism available for an HTTP destination to propagate the logged-in user to a RESTful service running on SAP HANA XS: SAP Assertion SSO or Application-to-Application SSO (AppToAppSSO). The first one uses SAP Assertion Tickets to transfer the logged-on user information, the latter uses a SAML Assertion. Compared to SAP Assertion SSO, AppToAppSSO has the following advantages:

  • The propagated user information can contain more information than just the user’s login name. Additional user attributes are also forwarded with the SAML Assertion. SAP Assertion Tickets only forward the user’s login name.
  • SAP HANA XS can dynamically create a new DB user based on the forwarded information. This user is required to successfully log on the user on the SAP HANA instance. With SAP Assertion Tickets, this mechanism, sometimes referred to as “Just-in-time (user) provisioning”, is not supported, and the users have to be created in advance. However, this is sometimes not possible, e.g. if there is a large number of users accessing the service.

In this blog you will go step-by-step through a scenario using AppToAppSSO. Common for both mechanism is that the recipient (XS) must trust the sender (HTML5 dispatcher) to accept the propagated principal. For AppToAppSSO, this trust relationship is setup in XS similar to other SAML-based IdPs. Therefore, the SAP HANA instance must be properly setup for SAML-based authentication as one of the following prerequisites.

Note: Although an HTML5 application is used to implement the UI, a Java-based application could have been used as well for the scenario. AppToAppSSO works for both application runtimes to propagate the authenticated user to SAP HANA XS.

Prerequisites

The scenario in this blog is using an SAP HANA Multitenant Database Container (MDC) on the HCP trial landscape. Before getting started, please check that you meet the following prerequisites:

  • You have an HCP trial account, which can be created at no charge from here.
  • You have created a MDC in your trial account. Please follow Ekaterina Mitova‘s instructions in this blog to create one.
  • You have setup the SAML Service Provider in the MDC. Please follow the sections Creating Your Service Provider Certificate and Complete the Service Provider Settings in the blog “Play It Again, SAML” from Oliver Goetz.
  • You have installed Eclipse with the SAP HANA Cloud Platform Tools and SAP HANA Tools following the instructions on the SAP HANA Tools site
  • You have installed OpenSSL which will be used in first step to generate the signing key pair and certificate for your HTML5 SAML Service Provider

Step 1: Configuring the Local Service Provider for HTML5 apps

AppToAppSSO uses a SAML Assertion as the security token format to propagate the logged-on user. Therefore, your HCP (trial) account must be setup with a custom SAML Service Provider key pair which is used to digitally sign the SAML Assertion. Based on this signature, XS will verify that the user information has been propagated from a trustworthy system, i.e. your HTML5 application, or even more precisely, your account’s subscription to the central HTML5 dispatcher. Login to the Cloud Cockpit on the HCP trial landscape and open the Trust settings of your account. Click on the Edit button and switch the Configuration Type from “Default” to “Custom”.

/wp-content/uploads/2016/03/figure3_911270.jpg

If you have never done this before, you will see empty text fields for the Signing Key and Signing Certificate. Those need to be filled in this step as they identify your HTML5 application to the service running on XS. For development purposes, you can use the “Generate Key Pair” button in this scenario to generate a key pair with a self-signed certificate. For a productive scenario, it is recommended to use a certificate issued by a well-known and trusted Certificate Authority (CA). After clicking on Save you should get a message that you can proceed with the configuring of your trusted identity provider settings, and see a Local Service Provider configuration like shown in the following screenshot:

/wp-content/uploads/2016/03/figure4_911457.jpg

Click on the Get Metadata link to export the Local Service Provider configuration in a standardized metadata format, which will be use in the next step to import the trust settings in XS.

With the Configuration Type “Custom” you are now able to configure your own trusted identity providers, e.g. a corporate IdP. For the scenario in this blog you will continue to use SAP ID Service as our IdP to authenticate the users. Therefore you have to switch back to Configuration Type “Default” by clicking on the Edit button and reverting Configuration Type “Custom” back to “Default”. Click on Save.

Note: By switching back to “Default”, your “Custom” settings are not lost, and will be used for signing the SAML Assertion sent by the HTTP destination using AppToAppSSO principal propagation.

Step 2: Setup Trust in XS to the HTML5 Local Service Provider

Open the SAML Identity Provider list of your trial MDC with the XS Admin tool using your account-specific URL https://<mdcname><account name>.hanatrial.ondemand.com/sap/hana/xs/admin, and login with the SYSTEM user. If the SYSTEM has not yet the required roles to access the XS Admin tool, add all roles in SAP HANA Studio containing “xs.admin” in the name as shown in the following screenshot:

/wp-content/uploads/2016/03/figure5_911516.jpg

On the SAML Identity Provider list, click on Add (“+”) to create a new trust relationship to your HCP account’s Local Service Provider which has been configured in the previous step. In the Metadata field, copy and paste the content of the SAML Metadata file you exported from the Cloud Cockpit using the Get Metadata link.

/wp-content/uploads/2016/03/figure6_914258.jpgWhen you click on Save, the fields in the form will be updated based on the values from the metadata file. The only fields left blank are “SingleSignOn URL (RedirectBinding)” and “SingleSignOn URL (PostBinding)”, because you’ve actually imported a metadata file of a service provider, and not of an identity provider. Therefore add some dummy values, e.g. “/saml2/sso”. Also make sure that the checkbox “Dynamic User Creation” is activated. This ensures that for new users a corresponding HANA user is created. Click on Save again to store your settings.

Next, verify that the destination for the new IdP was stored in HANA by checking in SAP HANA Studio the _SYS_XS.HTTP_DESTINATIONS table using the command

SELECT * FROM _SYS_XS.HTTP_DESTINATIONS

You should see the destination in the result list:

/wp-content/uploads/2016/03/figure7_911585.jpgAlso verify that the certificate of your trial account metadata has been successfully stored using the following SQL command:

SELECT * FROM SYS.CERTIFICATES

The certificate is shown at the end of the list:

/wp-content/uploads/2016/03/figure8_911606.jpg

 

This concludes the trust setup in HANA XS to your HTML5 application as a trustworthy system to propagate the authenticated user. Next you will configure the destination of your HTML5 application.

Step 3: Configure HTTP Destination for AppToAppSSO

The sample HTML5 application used in this blog is a project management application, which retrieves a user’s project data from an REST service running on XS. The complete code of the HTML5 application can be downloaded from here and can imported in SAP WebIDE on HCP following these steps:

  • In Cloud Cockpit, go to Applications > HTML5 Applications. Click on Import from File.
  • Select the downloaded ZIP archive. For the version name, enter “initial”
  • Select the new application “xproject” by clicking on its link
  • Select Versioning from the left-hand navigation menu, then click on Versions > Initial > Activate.

Open the HANA Cloud Platform WebIDE from the Services Cockpit or open it directly with the link https://webide-<account_name>.dispatcher.hanatrial.ondemand.com/. In your WebIDE workspace, follow these steps:

  • Right-click on the Workspace and select Import > Application from SAP HANA Cloud Platform
  • Right-click on the xproject folder and select Deploy > Deploy to SAP HANA Cloud Platform. Enter something like 1.0 in the version field and click Deploy.

You should now be able to reach the application under its Application URL as shown in the Cloud Cockpit, e.g. https://xproject-<account_name>.dispatcher.hanatrial.ondemand.com/?hc_reset.

Let’s have a close look at the HTML5 application. As a user, you login to the application via the IdP, and then see a list of projects where you are assigned to. Therefore the logged-on user must be propagated securely to XS which will use the propagated user id to query the database for the projects where the user is assigned to as the project lead. In addition, the user’s attributes such as first- and last name are used to set the user’s name in the list of projects returned from XS to HTML5.

The actual invocation of the service in XS is done in Project.controller.js of the HTML5 application:

/wp-content/uploads/2016/03/figure9_911709.jpg

In the JSON model, the data is loaded from the URL /api/projects, which is mapped in the HTML5 application’s neo-app.json descriptor file to the HTTP destination with name “xsprojectdata” :

/wp-content/uploads/2016/03/figure10_911800.jpg

Let’s have a look at the destination configuration in the Cloud Cockpit. The two most important settings are highlighted in the following screenshot:

/wp-content/uploads/2016/03/figure11_911829.jpg

  • The Authentication method is set to AppToAppSSO
  • An additional property with the name “saml2_audience” and the value “I1700” is set for the destination

The property sets an important value in the SAML Assertion which is used to propagate the user. This value, the SAML audience,

“contain[s] the unique identifier URI from a SAML name identifier that describes a system entity” and “evaluates to Valid if and only if the SAML relying party is a member of one or more of the audiences specified.” (Assertions and Protocols for the OASIS Security Assertion Markup Language (SAML) V2.0, page 23)

In other words: XS would reject the SAML Assertion with the propagated user if the audience is not set correctly to its own SAML name identifier. By default, an HTTP destination configured for AppToAppSSO sets the audience to the name of the SAML local service provider (aka “relying party”) configured in the Cloud Cockpit. For a trial account, this would be “https://hanatrial.ondemand.com/<your account name>” if you haven’t changed it. However, your MDC container is configured to a different SAML service provider name. Mine got the name identifier “I1700” which can be looked up in the XS Admin Tool under “SAML Service Provider”:

/wp-content/uploads/2016/03/figure12_911830.jpg

Last but not least, configure the URL of the destination according to your service location. To do so, follow these steps:

  • Create a new package “sample”, e.g. with SAP HANA Studio in the SAP HANA Systems view
  • Create a new schema “xproject”, e.g. with SAP HANA Studio SQL Console, using the command CREATE SCHEMA “xproject”
  • Download the XS service code from here, and import it in the new “sample” package, e.g. with the SAP HANA Web-based Development Workbench (https://<MDC_name><account_name>.hanatrial.ondemand.com/sap/hana/ide/editor/) using the context menu (Import – Archive)

  • Refresh the package after successful import of the archive and open the newly created “xproject” sub-package. Right-click on the following imported files and select Activate: PROJECT.hdbdd, project.hdbsequence, projectmember.hdbrole,
  • Open the data/projects.csv file, and replace the two placeholders <your user id> in the file with your SAP ID Service user ID (e.g. P123456 or D987654). Save the changes. This file will import some sample data into the PROJECT table which is used later for testing the scenario. Now right-click on the file project.hdbti and select Activate from the context menu.
  • Finally, right-click on the package “xproject” and select Activate All from the context menu.

As a result, the XS-based service is now accessible at the URL  https://<MDC_name><account_name>.hanatrial.ondemand.com/sample/xproject/xproject.xsjs. Enter this URL in the destination’s URL field and save it.

Step 5: Configure the default role of dynamically created users in XS Service

The xproject.xsjs file implements the XS service to retrieve the propagated user’s projects from the database. The function getProject() retrieves the user’s unique logon name and queries the database for projects where the user set as the project lead. The result is returned in JSON format. The PROJECT table can only be accessed by users with the role “projectmember” which is defined by the file projectmember.hdbrole. Therefore, new HANA DB users created dynamically according to the new IdP’s setting should automatically be assigned to this role. To set this default role, you first need to create a run-time role by opening the Security folder of your system in the “Systems” view in SAP HANA Studio. There do a right-click on the Roles element and select New Role from the context menu. For the Role Name, enter a value such as “DEFAULT_ROLE_FOR_PROJECT_MEMBERS”, and click on the “+” in tab Granted Roles to add your design-time role “sample.xproject::projectmember” to it. Press Ctrl+S to save you new run-time role.

/wp-content/uploads/2016/03/figure16_912557.jpgNext, double-click on your system in SAP HANA Studio to open the Administration. Select the Configuration tab and filter for “saml”. Right-click on the saml section in the search results and select Add Parameter from the context menu. The Add Parameter Wizard opens. Leave the default selection (“Database”) for the scope and click Next. For the key name, enter “defaultrole”, and for the value the name of the newly created run-time role (“DEFAULT_ROLE_FOR_PROJECT_MEMBERS”). Click Finish to save the new parameter.

/wp-content/uploads/2016/03/figure15_912550.jpg


Step 6: Configure SAML for the XS Service

Before you can test the scenario, the XS Service must also be protected with SAML. In the XS Admin Tool, select “XS Artifact Administration” from the menu. Go to package “sample.xproject” and click on Edit. In the Security & Authentication tab, activate SAML and select newly created IdP in the dropdown box, starting with “HTTPS__HANATRIAL_…”. Deactivate any other authentication methods and click on Save.

/wp-content/uploads/2016/03/figure13_911866.jpg

Step 7: Testing the Scenario

Now it is time to test the scenario: Go back to Cloud Cockpit and open the Overview page of your xproject HTML5 application. Right-click on the Application URL and open the application in a new private/incognito browser window to obtain a new session.

/wp-content/uploads/2016/03/figure17_912592.jpgYou will see the landing page of the xproject application. Click on Login.

/wp-content/uploads/2016/03/figure18_912602.jpg

Based on your trial account’s trust settings, you will be redirected to SAP ID Service as the default IdP. Upon successful logon with your SAP ID Service credentials, your browser is redirected back to the application. The project overview page retrieves its data from the XS service, which uses the AppToAppSSO destination to propagate your user. Based on the configuration settings from the previous steps, only the projects for the currently logged-in user are retrieved by getting the username from the XS session object with

var username = $.session.getUsername();

in line 20 of the xproject.xsjs file, and appending it to the SQL statement which queries the application’s PROJECT table. In addition, the federated user attributes for first- and last name of the logged-in user are used to return the display name of the user. Those are accessed in XS under the same name as in HTML5 or Java. For SAP ID Service, they are accessed using firstname and lastname using the following API:

var displayName = $.session.samlUserInfo.firstname + ” “ + $.session.samlUserInfo.lastname;

Depending on your table data and user name, the list may look like this in the web browser, only showing two out of three projects in total:

/wp-content/uploads/2016/03/figure19_912603.jpgThis step concludes the scenario and I hope this is of help if you are implementing a similar scenario on SAP HANA Cloud Platform.

To report this post you need to login first.

28 Comments

You must be Logged on to comment or reply to a post.

  1. Luca Manassero

    Hi Martin,

     

    thank a lot for this blog post AND the units in week 2 of the openSAP course about the SAP HCP Essentials.

     

    Unfortunately the file including the whole xproject_xs application code (mentioned at the beginning of step 3) is not publicly available anymore: could you please check its availability? It’s a very useful resource to complete the course.

     

    Thank you in advance,

     

    Luca

    (0) 
      1. B Malave

        Hi Martin,

         

        I recently started this course and try to download this file that mentions Luca, but is not available, because it expired. Is it possible to  check its availability for download?

         

        Thanks

        (0) 
  2. Rouzbeh Nabatian

    Hi,

     

    i get the following error message:

     

    The following problem occurred: error – Dynamic user creation failed (username=S000…). Reason was: user name already exists: S000…: line 1 col 13 (at pos 12),500,Internal Server Error

     

    Any idea how to solve this issue?

     

    Kind regards

    Rouzbeh

    (0) 
  3. Abhijeet Gupta

    Hi Martin,

     

    I am currently going through the course ‘Developing Java-Based Apps on SAP HANA Cloud Platform’ but to complete that ‘SAP HANA Cloud Platform Essentials’ is a prerequisite.

     

    But, to complete ‘SAP HANA Cloud Platform Essentials’ the XPROJECT_XS file is required which is no longer available.

     

    Is there any way to get access to that file for download.

     

    Thanks in advance.

     

    Abhijeet

    (0) 
    1. Luca Manassero

      Hi Abhijeet,

       

      the file you’re looking for IS still available.

       

      If you go to the Week 2 of “SAP HANA Essentials” and select the “Download” area (my link is https://open.sap.com/courses/hcp1/items/3Pn3FPA6SkPqLXlHOcgW4u), you should be able to download the file – Unit 2: SECHTMA_xproject.zip

       

      By the way, completing the course “SAP HANA Essentials” is NOT (as far as I understand) a “formal” prerequisite, but it definitely helps understanding a lot of sections of  ‘Developing Java-Based Apps on SAP HANA Cloud Platform’, especially the ones about security, explained in great detail by Martin Repple.

       

      Hope it helps,

       

      Luca

      (0) 
      1. Abhijeet Gupta

        Hi Luca,

         

        Thanks a lot for the quick response.

         

        I have already downloaded the Unit 2:SECHTMA_xproject.zip file.

        However, it doesn’t contain the *.xsjs file required to create destinations in SAP HCP.

         

        Kindly, guide me if I am missing something.

         

        Thanks in advance.

         

        Abhijeet

        (0) 
        1. Luca Manassero

          Hi Abjijeet,

           

          you’re right to say that the code originally made available by Martin Raepple for this post is not available anymore. Possibly Martin Raepple will erad all our messages and make it available again

          Please also note that, as far as I know, Destinations will NOT be created by an .xsjs file, but need to be manually configured in the Destinations section of your application configuration in the SAP HANA Cloud Platform Cockpit.

           

          Also please note that while the “Developing Java-Based Apps on SAP HANA Cloud Platform” openSAP course is making extensive use of the SAP HANA Studio on Eclipse, most of this post uses the SAP Web IDE (more info here): if you feel not enough familiar with it, you should definitely visit the excellent Tutorials section here.

           

          Hope it helps,

           

          Luca

          (0) 
  4. Qing-hao Liang

    Hi Martin,

     

    If I want to access the backend XS service from a HTML5 application subscription, should I create the HTTP destination in the subscription account? This makes sense if your HTML app will be subscribed by a lot tenant accounts.

     

    thanks,

    qing-hao Liang

    (0) 
      1. Jürgen Martinitz

        Hi Sven,

        I tried the link but got error “Access to share has expired…”.  Would it be possible to re-activate it  or is there any other way to get source code for HANA XS application ?

        Many thanks

        Juergen

        (0) 
    1. Balaji Ganapathiraman

      Hi Vikas,

      Did you try downloading the openssl toolkit on your desktop/laptop? I think only after installing that, you would be able to execute the openssl commands mentioned in the blog.

       

      ~Balaji

      (0) 
  5. Balaji Ganapathiraman

    Hi Martin, Nice blog, highly detailed and very informative.

     

    One question… 

    Can the SAPID identity provider be used for production use? If i have a SAPUI5 application and is deployed to a non-trial/production HCP account, can i use SAPID as the identity provider for user authentication?

    If the answer to the above question is yes, will the same steps mentioned in this blog needs to be done? or are there any changes / additions required? Please advice.

    Thanks in advance for your response.

    (0) 
    1. Martin Raepple Post author

      Hi Balaji,

      SAP ID Service can be used for productive scenarios, but we do not recommend to do so, since you have very limited control on its settings (e.g. password policy, UI customization, strong two-factor-authentication etc.) and its underlying user base. You cannot delete or suspend user access to it, since SAP ID Service is owned and controlled by SAP. As an alternative, we recommend to use the SAP HANA Cloud Platform Identity Authentication Service (formerly known as SAP Cloud Identity), which is essentialy the same as SAP ID Service, but under your full control.

      HTH and best regards

      Martin

      (0) 
  6. venkata Narasimha Rao

    Hi Martin, Sven,

    after i did the step 6 which is

    Step 6: Configure SAML for the XS Service

    i tried to test my xsjs service using the browser URL, i get the following shown error message in screenshot. how to resolve this ?

     

    This authn.hanatrial.ondemand.com page can’t be found

    
                                                
    (0) 
  7. Gowthami Bhogireddy

    Hello Martin

    The blog is a one stop place for everything I need on this scenario. Very useful!

    However, when a db user is dynamically created for an application user (HCP user), how can we ensure that this db user doesn’t directly access the database? Are the DB user credentials created dynamically same as the application user credentials?

    Also does the same procedure apply when I register my UI5 app on Fiori launchpad?

    (0) 

Leave a Reply