Martin Raepple

Principal Propagation between HTML5- or Java-based applications and SAP HANA XS on SAP HANA Cloud Platform

Introduction

Although there is no standardized definition of the term “Principal Propagation”, it is commonly understood as the ability of a system to securely forward or propagate the authenticated user (principal) from a sender to a receiver in a way that the forwarded user information is kept confidential and, even more importantly, cannot be changed in transit. Based on a pre-established trust relationship with the sender, the receiver uses this information to log the user on without asking her again for credentials.


Principal propagation plays an important role in many scenarios on SAP HANA Cloud Platform (HCP), e.g. when an application has to pass the logged-on user in the Cloud to an on-premise system via the SAP HANA Cloud Connector. More information on this scenario can be found here. The following picture illustrates another very common scenario for principal propagation, where an application on HCP consists of two components: the user interface (UI) is developed and deployed as an HTML5 or Java application on HCP and consumes an API implemented as a RESTful service on an SAP HANA instance running on HCP. The API requires an authenticated user and exposes the user’s data via SAP HANA Extended Application Services (XS).

[Figure 1]

On HCP, the user usually authenticates against an identity provider (IdP) which is configured for the account where the application is deployed. In HCP trial accounts, for example, this is the SAP ID Service by default, a free-of-charge public identity provider from SAP that manages the SAP Community Network users, SAP Service Marketplace users and the users of several other SAP sites. To delegate user authentication to the IdP, HCP uses the SAML 2.0 protocol. Upon successful authentication at the IdP, the HTML5 application on HCP receives a SAML Response from the IdP, which is a message digitally signed by the IdP. It must contain at least the unique logon name of the user, and may also include additional information about the user, such as the user’s first and last name, e-mail address etc.


HTML5 applications usually rely on on-premise or on-demand RESTful services. When a RESTful service is called from an HTML5 application, a new connection is initiated by the central HTML5 dispatcher on HCP to the service that is defined in a corresponding HTTP destination. If this call requires the user to authenticate at the service, the HTML5 dispatcher should propagate the authenticated user or login context rather than prompting the user again for credentials to access the service.

[Figure 2]

There are two authentication mechanisms available for an HTTP destination to propagate the logged-in user to a RESTful service running on SAP HANA XS: SAP Assertion SSO or Application-to-Application SSO (AppToAppSSO). The first uses SAP Assertion Tickets to transfer the logged-on user information, the latter uses a SAML Assertion. Compared to SAP Assertion SSO, AppToAppSSO has the following advantages:

  • The propagated user information can contain more information than just the user’s login name. Additional user attributes are also forwarded with the SAML Assertion. SAP Assertion Tickets only forward the user’s login name.
  • SAP HANA XS can dynamically create a new DB user based on the forwarded information. This DB user is required to log the user on to the SAP HANA instance. With SAP Assertion Tickets, this mechanism, sometimes referred to as “Just-in-time (user) provisioning”, is not supported, and the users have to be created in advance. However, this is sometimes not possible, e.g. if there is a large number of users accessing the service.

In this blog you will go step-by-step through a scenario using AppToAppSSO. Common to both mechanisms is that the recipient (XS) must trust the sender (HTML5 dispatcher) in order to accept the propagated principal. For AppToAppSSO, this trust relationship is set up in XS in the same way as for other SAML-based IdPs. Therefore, the SAP HANA instance must be properly set up for SAML-based authentication, which is one of the following prerequisites.

Note: Although an HTML5 application is used to implement the UI, a Java-based application could have been used as well for the scenario. AppToAppSSO works for both application runtimes to propagate the authenticated user to SAP HANA XS.

Prerequisites

The scenario in this blog uses an SAP HANA Multitenant Database Container (MDC) on the HCP trial landscape. Before getting started, please check that you meet the following prerequisites:

  • You have an HCP trial account, which can be created at no charge from here.
  • You have created an MDC in your trial account. Please follow Ekaterina Mitova‘s instructions in this blog to create one.
  • You have set up the SAML Service Provider in the MDC. Please follow the sections Creating Your Service Provider Certificate and Complete the Service Provider Settings in the blog “Play It Again, SAML” from Oliver Goetz.
  • You have installed Eclipse with the SAP HANA Cloud Platform Tools and SAP HANA Tools following the instructions on the SAP HANA Tools site.
  • You have installed OpenSSL, which will be used in the first step to generate the signing key pair and certificate for your HTML5 SAML Service Provider.

Step 1: Configuring the Local Service Provider for HTML5 apps

AppToAppSSO uses a SAML Assertion as the security token format to propagate the logged-on user. Therefore, your HCP (trial) account must be set up with a custom SAML Service Provider key pair which is used to digitally sign the SAML Assertion. Based on this signature, XS will verify that the user information has been propagated from a trustworthy system, i.e. your HTML5 application, or even more precisely, your account’s subscription to the central HTML5 dispatcher. Log in to the Cloud Cockpit on the HCP trial landscape and open the Trust settings of your account. Click on the Edit button and switch the Configuration Type from “Default” to “Custom”.

[Figure 3]

If you have never done this before, you will see empty text fields for the Signing Key and Signing Certificate. Those need to be filled in this step, as they identify your HTML5 application to the service running on XS. For development purposes, you can use the “Generate Key Pair” button in this scenario to generate a key pair with a self-signed certificate. For a productive scenario, it is recommended to use a certificate issued by a well-known and trusted Certificate Authority (CA). After clicking on Save you should get a message that you can proceed with configuring your trusted identity provider settings, and see a Local Service Provider configuration as shown in the following screenshot:

[Figure 4]

Click on the Get Metadata link to export the Local Service Provider configuration in a standardized metadata format, which will be used in the next step to import the trust settings into XS.

With the Configuration Type “Custom” you are now able to configure your own trusted identity providers, e.g. a corporate IdP. For the scenario in this blog you will continue to use SAP ID Service as the IdP to authenticate the users. Therefore you have to switch back to Configuration Type “Default” by clicking on the Edit button and reverting Configuration Type “Custom” back to “Default”. Click on Save.

Note: By switching back to “Default”, your “Custom” settings are not lost, and will be used for signing the SAML Assertion sent by the HTTP destination using AppToAppSSO principal propagation.

Step 2: Setup Trust in XS to the HTML5 Local Service Provider

Open the SAML Identity Provider list of your trial MDC with the XS Admin tool using your account-specific URL https://<mdcname><account name>.hanatrial.ondemand.com/sap/hana/xs/admin, and log in with the SYSTEM user. If the SYSTEM user does not yet have the roles required to access the XS Admin tool, add all roles in SAP HANA Studio containing “xs.admin” in the name, as shown in the following screenshot:

[Figure 5]

On the SAML Identity Provider list, click on Add (“+”) to create a new trust relationship to your HCP account’s Local Service Provider which has been configured in the previous step. In the Metadata field, copy and paste the content of the SAML Metadata file you exported from the Cloud Cockpit using the Get Metadata link.

[Figure 6]

When you click on Save, the fields in the form will be updated based on the values from the metadata file. The only fields left blank are “SingleSignOn URL (RedirectBinding)” and “SingleSignOn URL (PostBinding)”, because you have actually imported the metadata file of a service provider, not of an identity provider. Therefore add some dummy values, e.g. “/saml2/sso”. Also make sure that the checkbox “Dynamic User Creation” is activated. This ensures that a corresponding HANA user is created for new users. Click on Save again to store your settings.

Next, verify that the destination for the new IdP was stored in HANA by checking the _SYS_XS.HTTP_DESTINATIONS table in SAP HANA Studio using the command

SELECT * FROM _SYS_XS.HTTP_DESTINATIONS

You should see the destination in the result list:

[Figure 7]

Also verify that the certificate from your trial account metadata has been successfully stored, using the following SQL command:

SELECT * FROM SYS.CERTIFICATES

The certificate is shown at the end of the list:

[Figure 8]

This concludes the trust setup in HANA XS to your HTML5 application as a trustworthy system to propagate the authenticated user. Next you will configure the destination of your HTML5 application.

Step 3: Configure HTTP Destination for AppToAppSSO

The sample HTML5 application used in this blog is a project management application, which retrieves a user’s project data from a REST service running on XS. The complete code of the HTML5 application can be downloaded from here and can be imported into SAP WebIDE on HCP following these steps:

  • In Cloud Cockpit, go to Applications > HTML5 Applications. Click on Import from File.
  • Select the downloaded ZIP archive. For the version name, enter “initial”.
  • Select the new application “xproject” by clicking on its link.
  • Select Versioning from the left-hand navigation menu, then click on Versions > Initial > Activate.

Open the HANA Cloud Platform WebIDE from the Services Cockpit or open it directly with the link https://webide-<account_name>.dispatcher.hanatrial.ondemand.com/. In your WebIDE workspace, follow these steps:

  • Right-click on the Workspace and select Import > Application from SAP HANA Cloud Platform
  • Right-click on the xproject folder and select Deploy > Deploy to SAP HANA Cloud Platform. Enter something like 1.0 in the version field and click Deploy.

You should now be able to reach the application under its Application URL as shown in the Cloud Cockpit, e.g. https://xproject-<account_name>.dispatcher.hanatrial.ondemand.com/?hc_reset.

Let’s have a closer look at the HTML5 application. As a user, you log in to the application via the IdP, and then see a list of the projects to which you are assigned. Therefore the logged-on user must be propagated securely to XS, which uses the propagated user id to query the database for the projects where the user is assigned as the project lead. In addition, the user’s attributes such as first and last name are used to set the user’s name in the list of projects returned from XS to HTML5.

The actual invocation of the service in XS is done in Project.controller.js of the HTML5 application:

[Figure 9]

In the JSON model, the data is loaded from the URL /api/projects, which is mapped in the HTML5 application’s neo-app.json descriptor file to the HTTP destination with name “xsprojectdata” :

[Figure 10]

Let’s have a look at the destination configuration in the Cloud Cockpit. The two most important settings are highlighted in the following screenshot:

[Figure 11]

  • The Authentication method is set to AppToAppSSO
  • An additional property with the name “saml2_audience” and the value “I1700” is set for the destination

The property sets an important value in the SAML Assertion which is used to propagate the user. This value, the SAML audience,

“contain[s] the unique identifier URI from a SAML name identifier that describes a system entity” and “evaluates to Valid if and only if the SAML relying party is a member of one or more of the audiences specified.” (Assertions and Protocols for the OASIS Security Assertion Markup Language (SAML) V2.0, page 23)

In other words: XS rejects the SAML Assertion carrying the propagated user if the audience is not set to its own SAML name identifier. By default, an HTTP destination configured for AppToAppSSO sets the audience to the name of the SAML local service provider (aka “relying party”) configured in the Cloud Cockpit. For a trial account, this is “https://hanatrial.ondemand.com/<your account name>” if you haven’t changed it. However, your MDC container is configured with a different SAML service provider name. Mine has the name identifier “I1700”, which can be looked up in the XS Admin Tool under “SAML Service Provider”:

[Figure 12]

Last but not least, configure the URL of the destination according to your service location. To do so, follow these steps:

  • Create a new package “sample”, e.g. with SAP HANA Studio in the SAP HANA Systems view.
  • Create a new schema “xproject”, e.g. with the SAP HANA Studio SQL Console, using the command CREATE SCHEMA "xproject".
  • Download the XS service code from here, and import it into the new “sample” package, e.g. with the SAP HANA Web-based Development Workbench (https://<MDC_name><account_name>.hanatrial.ondemand.com/sap/hana/ide/editor/) using the context menu (Import – Archive).
  • Refresh the package after the archive has been imported successfully and open the newly created “xproject” sub-package. Right-click on each of the following imported files and select Activate: PROJECT.hdbdd, project.hdbsequence, projectmember.hdbrole.
  • Open the data/projects.csv file, and replace the two placeholders <your user id> in the file with your SAP ID Service user ID (e.g. P123456 or D987654). Save the changes. This file imports some sample data into the PROJECT table, which is used later for testing the scenario. Now right-click on the file project.hdbti and select Activate from the context menu.
  • Finally, right-click on the package “xproject” and select Activate All from the context menu.

As a result, the XS-based service is now accessible at the URL https://<MDC_name><account_name>.hanatrial.ondemand.com/sample/xproject/xproject.xsjs. Enter this URL in the destination’s URL field and save it.

Step 5: Configure the default role of dynamically created users in XS Service

The xproject.xsjs file implements the XS service that retrieves the propagated user’s projects from the database. The function getProject() retrieves the user’s unique logon name and queries the database for projects where the user is set as the project lead. The result is returned in JSON format. The PROJECT table can only be accessed by users with the role “projectmember”, which is defined in the file projectmember.hdbrole. Therefore, new HANA DB users created dynamically according to the new IdP’s settings should automatically be assigned this role. To set this default role, you first need to create a run-time role: open the Security folder of your system in the “Systems” view in SAP HANA Studio, right-click on the Roles element and select New Role from the context menu. For the Role Name, enter a value such as “DEFAULT_ROLE_FOR_PROJECT_MEMBERS”, and click on the “+” in the tab Granted Roles to add your design-time role “sample.xproject::projectmember” to it. Press Ctrl+S to save your new run-time role.

[Figure 16]

Next, double-click on your system in SAP HANA Studio to open the Administration. Select the Configuration tab and filter for “saml”. Right-click on the saml section in the search results and select Add Parameter from the context menu. The Add Parameter Wizard opens. Leave the default selection (“Database”) for the scope and click Next. For the key name, enter “defaultrole”, and for the value the name of the newly created run-time role (“DEFAULT_ROLE_FOR_PROJECT_MEMBERS”). Click Finish to save the new parameter.

[Figure 15]

Step 6: Configure SAML for the XS Service

Before you can test the scenario, the XS Service must also be protected with SAML. In the XS Admin Tool, select “XS Artifact Administration” from the menu. Go to package “sample.xproject” and click on Edit. In the Security & Authentication tab, activate SAML and select the newly created IdP in the dropdown box, starting with “HTTPS__HANATRIAL_…”. Deactivate any other authentication methods and click on Save.

[Figure 13]

Step 7: Testing the Scenario

Now it is time to test the scenario: Go back to Cloud Cockpit and open the Overview page of your xproject HTML5 application. Right-click on the Application URL and open the application in a new private/incognito browser window to obtain a new session.

[Figure 17]

You will see the landing page of the xproject application. Click on Login.

[Figure 18]

Based on your trial account’s trust settings, you will be redirected to SAP ID Service as the default IdP. Upon successful logon with your SAP ID Service credentials, your browser is redirected back to the application. The project overview page retrieves its data from the XS service, which uses the AppToAppSSO destination to propagate your user. Based on the configuration settings from the previous steps, only the projects for the currently logged-in user are retrieved by getting the username from the XS session object with

var username = $.session.getUsername();

in line 20 of the xproject.xsjs file, and appending it to the SQL statement which queries the application’s PROJECT table. In addition, the federated user attributes for the first and last name of the logged-in user are used to return the display name of the user. Those are accessed in XS under the same names as in HTML5 or Java. For SAP ID Service, they are available as firstname and lastname using the following API:

var displayName = $.session.samlUserInfo.firstname + " " + $.session.samlUserInfo.lastname;
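The following is an added example, not the blog’s own xproject.xsjs (which is only shown as a screenshot): it writes the service logic described above so that the propagated user name is bound as a prepared-statement parameter instead of being appended to the SQL string, and falls back to the logon name when the IdP did not forward firstname/lastname. The schema “xproject”, the table "sample.xproject::PROJECT" and its columns ID, NAME and LEAD are assumptions; the query and display-name logic take the session and connection as arguments so they can be exercised with stubs outside XS.

```javascript
// Added example of the XSJS service logic; not the blog's xproject.xsjs.
// Assumptions (not from the blog): the CDS entity is stored as table
// "xproject"."sample.xproject::PROJECT" with columns ID, NAME and LEAD,
// where LEAD holds the logon name of the project lead.

// The user name is a "?" placeholder: it is bound by the driver, never
// concatenated into the statement text, so it cannot alter the query.
var PROJECT_SQL =
  'SELECT "ID", "NAME" FROM "xproject"."sample.xproject::PROJECT" ' +
  'WHERE "LEAD" = ? ORDER BY "ID"';

// Display name from the federated SAML attributes ($.session.samlUserInfo);
// falls back to the logon name when firstname/lastname were not forwarded.
function displayName(session) {
  var info = session.samlUserInfo || {};
  if (info.firstname && info.lastname) {
    return info.firstname + " " + info.lastname;
  }
  return session.getUsername();
}

// Returns the projects led by the propagated user as plain objects.
// `session` is the XSJS $.session, `conn` a $.db connection (or stubs).
function getProjects(session, conn) {
  var username = session.getUsername();
  if (!username) {
    // SAML is the only enabled method, so an empty user means the
    // propagated assertion was not accepted; do not run the query.
    throw new Error("no authenticated user in session");
  }
  var pstmt = conn.prepareStatement(PROJECT_SQL);
  try {
    pstmt.setString(1, username);
    var rs = pstmt.executeQuery();
    var projects = [];
    while (rs.next()) {
      projects.push({
        id: rs.getInteger(1),
        name: rs.getString(2),
        lead: displayName(session)
      });
    }
    return projects;
  } finally {
    pstmt.close();
  }
}

// XSJS entry point, used only when deployed as an .xsjs file, where `$`
// (session, db, response, net) is provided by the XS runtime.
function handleRequest($) {
  var conn = $.db.getConnection();
  try {
    var body = getProjects($.session, conn);
    $.response.contentType = "application/json";
    $.response.setBody(JSON.stringify(body));
    $.response.status = $.net.http.OK;
  } finally {
    conn.close();
  }
}

if (typeof $ !== "undefined" && $.session) {
  handleRequest($);
}
```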

Depending on your table data and user name, the list may look like this in the web browser, only showing two out of three projects in total:

[Figure 19]

This step concludes the scenario and I hope this is of help if you are implementing a similar scenario on SAP HANA Cloud Platform.


      68 Comments
      Former Member

      Hi Raepple,

      Very nice blog, it's very helpful to me, thanks.

      Br,

      Jordan

      Former Member

      Hi Raepple,

      Thanks a lot.

      Very enlightening and helpful for the openSAP course about HCP essentials.

      Best regards

      Emmanuel

      JAGAN VUPPALA

      Thanks for the detailed steps. Helped a lot.

      Luca Manassero

      Hi Martin,

      thanks a lot for this blog post AND the units in week 2 of the openSAP course about the SAP HCP Essentials.

      Unfortunately the file including the whole xproject_xs application code (mentioned at the beginning of step 3) is not publicly available anymore: could you please check its availability? It's a very useful resource to complete the course.

      Thank you in advance,

      Luca

      Martin Raepple
      Blog Post Author

      Hi Luca,

      access to the source code should now be possible again.

      Best regards

      Martin

      Luca Manassero

      Thank you, Martin!

      Former Member

      Hi Martin,

      I recently started this course and tried to download the file that Luca mentions, but it is not available, because it expired. Is it possible to check its availability for download?

      Thanks

      Sven Kohlhaas

      Hi B,

      it's uploaded again.

      All the best,

      Sven

      Rouzbeh Nabatian

      Hi,

      I get the following error message:

      The following problem occurred: error - Dynamic user creation failed (username=S000...). Reason was: user name already exists: S000...: line 1 col 13 (at pos 12),500,Internal Server Error

      Any idea how to solve this issue?

      Kind regards

      Rouzbeh

      Alexander Karpinski

      Hi Rouzbeh,

      I'm having the exact same problem! On the first try it works fine and the user is created. In a new session, the existing DB user is not used, but I get the same error message from the database.

      Is there some kind of permission issue? Did you get it to work?

      After I delete the user and run it one more time, it works fine for this one time again.

      Kind regards,

      Alexander

      Abhijeet Gupta

      Hi Martin,

      I am currently going through the course 'Developing Java-Based Apps on SAP HANA Cloud Platform', but to complete that, 'SAP HANA Cloud Platform Essentials' is a prerequisite.

      But, to complete 'SAP HANA Cloud Platform Essentials', the XPROJECT_XS file is required, which is no longer available.

      Is there any way to get access to that file for download?

      Thanks in advance.

      Abhijeet

      Luca Manassero

      Hi Abhijeet,

      the file you're looking for IS still available.

      If you go to the Week 2 of "SAP HANA Essentials" and select the "Download" area (my link is https://open.sap.com/courses/hcp1/items/3Pn3FPA6SkPqLXlHOcgW4u), you should be able to download the file - Unit 2: SECHTMA_xproject.zip

      By the way, completing the course "SAP HANA Essentials" is NOT (as far as I understand) a "formal" prerequisite, but it definitely helps in understanding a lot of sections of 'Developing Java-Based Apps on SAP HANA Cloud Platform', especially the ones about security, explained in great detail by Martin Raepple.

      Hope it helps,

      Luca

      Abhijeet Gupta

      Hi Luca,

      Thanks a lot for the quick response.

      I have already downloaded the Unit 2: SECHTMA_xproject.zip file.

      However, it doesn't contain the *.xsjs file required to create destinations in SAP HCP.

      Kindly guide me if I am missing something.

      Thanks in advance.

      Abhijeet

      Luca Manassero

      Hi Abhijeet,

      you're right to say that the code originally made available by Martin Raepple for this post is not available anymore. Possibly Martin Raepple will read all our messages and make it available again.

      Please also note that, as far as I know, Destinations will NOT be created by an .xsjs file, but need to be manually configured in the Destinations section of your application configuration in the SAP HANA Cloud Platform Cockpit.

      Also please note that while the "Developing Java-Based Apps on SAP HANA Cloud Platform" openSAP course is making extensive use of the SAP HANA Studio on Eclipse, most of this post uses the SAP Web IDE (more info here): if you do not feel familiar enough with it, you should definitely visit the excellent Tutorials section here.

      Hope it helps,

      Luca

      Former Member

      The source code can be downloaded from:

      https://mdocs.sap.com/mcm/public/v1/open?shr=OHRxAQwPDk6ldH8RHv2mOtwsS0Gk-UjVlrMYqEXJbyw&obj=bTrpisCuOi2hokdLzy88QO7glO9WqN9FNDDvTvjFbq4

      Martin Raepple
      Blog Post Author

      Hi Abhijeet, Luca,

      access to the code should work again. Please give it a try and let me know if there are still issues.

      Best regards

      Martin

      Qing-hao Liang

      Hi Martin,

      If I want to access the backend XS service from an HTML5 application subscription, should I create the HTTP destination in the subscription account? This makes sense if your HTML app will be subscribed to by a lot of tenant accounts.

      thanks,

      Qing-hao Liang

      Klaus Brengel

      Hi Martin,

      could you please once more provide access to the application needed in week 2/unit 6?

      Many thanks in advance
      -klaus

      Sven Kohlhaas

      Hi Klaus,

      Martin made the code available again, you find it under this link: https://mdocs.sap.com/mcm/public/v1/open?shr=OHRxAQwPDk6ldH8RHv2mOtwsS0Gk-UjVlrMYqEXJbyw&obj=bTrpisCuOi2hokdLzy88QO7glO9WqN9FNDDvTvjFbq4

      All the best,

      Sven

      Former Member

      Hi Sven,

      I tried the link but got the error "Access to share has expired...". Would it be possible to re-activate it, or is there any other way to get the source code for the HANA XS application?

      Many thanks

      Juergen

      Sven Kohlhaas

      Hi Jürgen,

      I will give Martin a PM, he can then upload the code again.

      All the best,

      Sven

      Sven Kohlhaas

      Hi Jürgen,

      it works again now.

      All the best,

      Sven

      Former Member

      Hi Sven,

      thanks, great!!!

      Cheers,

      Juergen

      Former Member

      Hi Sven,

      The code for Week 2, Unit 6 is not available anymore, getting error “Access to share has expired…”. Could you please reactivate the share or otherwise make it available again?

      Thanks,

      Jason

      Sven Kohlhaas

      Hi Jason,

      I will give Martin a PM, he can then upload the code again.

      All the best,

      Sven

      Former Member

      Hi Sven,

      Please, would it be possible to get the share to xproject reactivated for me as well?

      I have tried the below links.

      https://mdocs.sap.com/mcm/public/v1/open?shr=OHRxAQwPDk6ldH8RHv2mOtwsS0Gk-UjVlrMYqEXJbyw&obj=aDtbR0k9cgPkCj6GYDKtitPViwib3_pV96276NkQ5Yo

      https://mdocs.sap.com/mcm/public/v1/open?shr=OHRxAQwPDk6ldH8RHv2mOtwsS0Gk-UjVlrMYqEXJbyw&obj=bTrpisCuOi2hokdLzy88QO7glO9WqN9FNDDvTvjFbq4

      Thanks in advance.

      Warm Regards,

      Titu

      Sven Kohlhaas

      Hi Titu,

      Martin is currently traveling, therefore it takes a bit longer, I've sent him another PM.

      All the best,

      Sven

      Sven Kohlhaas

      Hi Titu,

      it's uploaded again.

      All the best,

      Sven

      Former Member

      Thanks very much.

      Also, just wanted to mention that you guys are doing a fabulous job with the openSAP courses. Thanks a lot!

      Best Regards,
      Titu

      Sven Kohlhaas

      Hi Jason,

      it's uploaded again.

      All the best,

      Sven

      Former Member

      Thanks Sven!

      Vikas Madaan

      I am not able to execute the openssl command. I tried from various places but no success so far.
      Please help.

      Balaji Ganapathiraman

      Hi Vikas,

      Did you try downloading the openssl toolkit on your desktop/laptop? I think only after installing that, you would be able to execute the openssl commands mentioned in the blog.

      ~Balaji

      Former Member

      Hi Vikas,

      Please follow the steps mentioned in the below link and that should help you to run openssl on your desktop.

      https://www.youtube.com/watch?v=PYLTtABP1F4

      Balaji Ganapathiraman

      Hi Martin, Nice blog, highly detailed and very informative.

      One question...

      Can the SAPID identity provider be used for production use? If I have a SAPUI5 application and it is deployed to a non-trial/production HCP account, can I use SAPID as the identity provider for user authentication?

      If the answer to the above question is yes, will the same steps mentioned in this blog need to be done? Or are there any changes / additions required? Please advise.

      Thanks in advance for your response.

      Martin Raepple
      Blog Post Author

      Hi Balaji,

      SAP ID Service can be used for productive scenarios, but we do not recommend to do so, since you have very limited control on its settings (e.g. password policy, UI customization, strong two-factor-authentication etc.) and its underlying user base. You cannot delete or suspend user access to it, since SAP ID Service is owned and controlled by SAP. As an alternative, we recommend to use the SAP HANA Cloud Platform Identity Authentication Service (formerly known as SAP Cloud Identity), which is essentially the same as SAP ID Service, but under your full control.

      HTH and best regards

      Martin

      Venkata Narasimha Rao Sandu

      Hi Martin, Sven,

      after I did step 6, which is

      Step 6: Configure SAML for the XS Service

      I tried to test my xsjs service using the browser URL, and I get the following error message shown in the screenshot. How do I resolve this?

      This authn.hanatrial.ondemand.com page can’t be found

      G B

      Hello Martin

      The blog is a one stop place for everything I need on this scenario. Very useful!

      However, when a db user is dynamically created for an application user (HCP user), how can we ensure that this db user doesn’t directly access the database? Are the DB user credentials created dynamically the same as the application user credentials?

      Also does the same procedure apply when I register my UI5 app on Fiori launchpad?

      Binson Varikkasseril Abraham

      Hi Gowthami,

The newly created user can connect to the HANA DB only by using SAML authentication; other login options will be disabled.

      Former Member

      Hi Martin,

Can the complete code of the HTML5 application and the XS service code needed to complete step 3 be added to the Document Center again? It seems that the service has expired.

      Kind Regards,

      Steve

      Sven Kohlhaas

      Hi Steve,

It's uploaded again.

      All the best,

      Sven

      ketan malhotra

I don't see any data in the table project. Am I missing something?

When I try to activate xproject, it gives me the below error message.

      Error while activating /sample/xproject/PROJECT.hdbdd:
      [sample.xproject:PROJECT.hdbdd] Schema "xproject": used in Entity "sample.xproject::PROJECT", but does not exist

      Joni Liu

You should run the following script first in the SAP HANA Studio SQL Console (or Catalog view) before proceeding with activating PROJECT.hdbdd, project.hdbsequence, and projectmember.hdbrole:

      CREATE SCHEMA "xproject"
      Nicolai Hansen

Hi Martin / Sven,

I am trying to make the sample application work, but I am getting the following error:

      StatusCode in ResponseMessage != OK; please refer to the database trace for more information

      500 : Internal Server Error.

I am also missing the saml2_audience parameter in the destination. How do I get this additional parameter?

      Kind regards Nicolai

      Peter Hrebik

      Hi Nicolai,

I am having the same issue.

Hi Martin Raepple, thank you for the nice guide, however I am stuck on a SAML issue.

My xproject SAPUI5 app gives me the following error:

      The following problem occurred: error – StatusCode in ResponseMessage != OK; please refer to the database trace for more information,500,Internal Server Error

      In the db trace I can see the following message:

      XSSessionLifecycle.cpp(00333) : Assertion authentication for user failed with reason: Unable to verify XML signature(StatusCode: , StatusMessage: )

      Have you managed to solve it?

      Thanks

      Peter

      Former Member

      Hi Nicolai,

The Saml2_audience parameter value you can get from the HANA XS Admin tool. Actually, this is your DB instance name. Go to the tab SAML Service Provider and provide the same name.

But I think this will not solve your issue, as I have been facing the issue for the last 1 month and SAP is also not able to provide me any solution to it.

      Please let me know also if you find any solution.

      Regards,

      Ravi Shankar.

      Edgar Peña

Hi Ravi, did you find a solution to this? I'm also stuck here.
      Nicolai Hansen

      Hi Ravi,

Thanks for your quick reply. I am aware of where to find the value for the parameter, but I am not able to set the parameter due to the fact that it is not present in the list of parameters. My question is, how do I apply this setting?

      From the hana trial db I get the following error: " Assertion authentication for user failed with reason: Error during loading memory pse from PEM: No key found in supplied" which raises an exception.

      Former Member

      Hi Nicolai,

You will not get it in the selection list; just write it somewhere and paste it. It will take the value.

      Regards,

      Ravi.

      Olivier HUET

      Hi Martin, Sven,

Could you share again the code for the xsjs project?

Thanks

      Olivier

      Vikas Madaan

      Hi Sven, Martin,

      Sven Kohlhaas

      Please add XS code again. Which contains

      PROJECT.hdbdd, project.hdbsequence, projectmember.hdbrole, etc.

I am not able to download it from the below link:

      https://mdocs.sap.com/mcm/public/v1/open?shr=OHRxAQwPDk6ldH8RHv2mOtwsS0Gk-UjVlrMYqEXJbyw&obj=aDtbR0k9cgPkCj6GYDKtitPViwib3_pV96276NkQ5Yo

Also, is it possible to access SAML assertion attributes inside a HANA procedure?

I am trying to implement a scenario where a supplier can only see his purchase orders in a Fiori application. The supplier ID is maintained as an assertion attribute for the user.

At the XS application layer it is possible to get SAML assertion attributes, but is it possible at the DB layer also? Please help.

      Regards,

      Vikas Madaan

      Martin Raepple
      Blog Post Author

Hi Vikas,

The link to download the sample code should now work again.

      Best regards

      Martin

      Soichiro Nakanishi

      Hi Martin, Sven,

Thank you for the very nice blog.

At Unit 5 of Week 2 of "SAP HANA Essentials",

I executed the SQL command "alter pse saml2xs add certificate XXXXXX".

The following error occurred:

" Could not execute 'alter pse saml2xs add certificate XXXXXX'

SAP DBTech JDBC: [5639]: PSE could not be found "

Could you help?

      Regards,

      Soichiro

      Florian Preuß

      Hi Sven,

      I implemented everything so far and the login via IdP is working. Result when opening the application is a "HTTP Status 403 - Forbidden" at "....hana.ondemand.com/protected/xproject.html".

      Can you help me on this?

      Best Regards,

      Florian

      Peter Hrebik

Hi Martin Raepple, thank you for the nice guide, however I am stuck on a SAML issue.

My xproject SAPUI5 app gives me the following error:

      The following problem occurred: error - StatusCode in ResponseMessage != OK; please refer to the database trace for more information,500,Internal Server Error

      In the db trace I can see the following message:

      XSSessionLifecycle.cpp(00333) : Assertion authentication for user failed with reason: Unable to verify XML signature(StatusCode: , StatusMessage: )

      Any idea how can this be solved?

      Best Regards,

      Peter

      G B

Hi Peter,

      I am also facing the same issue. Please post your fix once you receive a breakthrough.

      G B

Hi Martin Raepple,

      Currently, we can only provide one default role in the SAML SP in HANA XS. In a case where multiple UI5 applications deployed to SCP need single sign-on, does giving all the apps a common role in HANA DB make sense?

      Each HCP user that would access these UI5 apps will be created as dynamic user with the same default role having privileges to the apps which he doesn't need as well.

Is giving UI5 application access to specific SCP users the only way through?

      Kindly suggest.

      Hock Lin Wong

      Hi Martin,

I am not able to download it from the below link:

      https://mdocs.sap.com/mcm/public/v1/open?shr=OHRxAQwPDk6ldH8RHv2mOtwsS0Gk-UjVlrMYqEXJbyw&obj=aDtbR0k9cgPkCj6GYDKtitPViwib3_pV96276NkQ5Yo

Can you please give the permission for download? Thanks.

      Regards

      Hock Lin

      Carlos Venturo

      Hello Experts,

I'm stuck at step 2, at

      Also verify that the certificate of your trial account metadata has been successfully stored using the following SQL command:

      SELECT * FROM SYS.CERTIFICATES

I don't get any records. Is there another way to upload the certificate?

      Aisurya Puhan

Please follow the below. It will definitely help you.

      https://blogs.sap.com/2019/05/30/generate-certificate-and-add-to-sap-hana-certificate-store/#

      j dubey

      Hi Martin,

I am not able to download the XS service code; it is showing that the link has expired.

Please add the XS service code again.

      Regards

      Jyoti

      Aisurya Puhan

      Thanks Martin. Very nice blog.

I have a doubt. Can we dynamically read a role value from a SAML attribute instead of assigning it in the configuration manually?

      Regards,

      Aisurya

      Wolfgang Röckelein

Hi Mr. Martin Raepple,

thanks for the helpful blog.

      One question: does the saml2 token created by the SCP for the app2appSSO time out? Will it be renewed automatically?

      Thanks,

      Wolfgang

      Aisurya Puhan

      Hi Wolfgang,

Yes, it is renewed automatically.

      Jose Maria Otero

      Hello

      @martin.raepple
      @sven.kohlhaas

      I know it's been a while, but could you please do a 2020 re-upload of the infamous xsjs project everyone is asking for?

      Newbies will be grateful !

      Many thanks!

      Cheers

      Eduardo Espinosa

      Great blog Martin! Thanks and Best Regards

      Kevin Li

I am not able to download the XS service code; it is showing that the link has expired.

Please add the XS service code again.

      Claudio Buiatti

      Hi Martin!

      Is there any "Cloud Foundry" version of this great blog?

      Thanks,

      Claudio.-