
Introduction

When you run applications in a corporate environment, it is a common requirement that they are integrated with the company Identity Provider (IDP). The integration allows users to log in to all applications with the same credentials (user and password) regardless of where the applications are hosted. The common protocol for establishing single sign-on on the web is SAML 2.0. In this article we describe how to set up SAML single sign-on between SuccessFactors (acting as IDP) and SAP HANA XS applications (acting as Service Provider). The tutorial was tested using an SAP HANA MDC instance hosted on SAP HANA Cloud Platform, but it should also be valid for on-premise SAP HANA instances.

Note: The described tutorial is valid and tested on HANA SPS12 (version 112.03). At the moment of writing this article the SAP HANA MDC Free Developer Edition offered by SAP HANA Cloud Platform is SPS10 (102.03), on which this tutorial will not work. There is a dedicated article for configuring SAML single sign-on on trial SAP HANA MDC instances: “Play It Again, SAML” – How to Set Up SAML Authentication For Your SAP HANA Cloud Platform Trial Instance.

Prerequisites

These are the things you will need in order to complete the tutorial:

  • a web browser (we are using Google Chrome)
  • a tenant SAP HANA database hosted on SAP HANA Cloud Platform
  • SAP HANA Studio (Eclipse + SAP HANA Tools): follow the instructions on the SAP HANA Tools site
  • access to a SuccessFactors trial/demo tenant. You might already have one if you are a SuccessFactors customer, or as part of the SAP HANA Cloud Platform Innovation Package
  • (optional) provisioning access to the SuccessFactors trial/demo tenant

Besides what the default SYSTEM user already has, the following roles are required:

  • sap.hana.security.base.roles::HANACertificateAdmin
  • sap.hana.security.base.roles::HANACertificateView
  • sap.hana.security.cockpit.roles::DisplayCertificateStore
  • sap.hana.xs.lm.roles::Developer
  • sap.hana.ide.roles::Developer
  • sap.hana.xs.admin.roles::SAMLAdministrator
  • sap.hana.xs.admin.roles::RuntimeConfAdministrator
  • sap.hana.xs.admin.roles::TrustStoreViewer

Note: in case you want to create a dedicated user for the administration of certificates, you also need to grant it the system privileges CERTIFICATE ADMIN and TRUST ADMIN. The SYSTEM user has these by default.

Creating sample application

In order to demonstrate the scenario, we need a HANA XS application protected with SAML authentication. Such a simple demo application can easily be built using the SAP HANA Web-based Development Workbench.

It is accessible through the database overview page of the SAP HANA cloud cockpit:

/wp-content/uploads/2016/06/page1_986190.png

To open the web-based application development tool, click the Editor tile in the SAP HANA Web-based Development Workbench window.

Inside the editor, create a new empty application (with .xsaccess and .xsapp files).

/wp-content/uploads/2016/06/page2_986191.png

Choose the application package “com.sample.test”.

/wp-content/uploads/2016/06/page3_986216.png

In the “com.sample.test” package create a new file (right click – New > File) and name it loggedInUser.xsjs.

/wp-content/uploads/2016/06/page4_986218.png

After the file is created, insert the following code into loggedInUser.xsjs.


// True when the session was authenticated via SAML: the XS runtime only
// populates $.session.samlAttribute for SAML-authenticated sessions.
function isSAMLSSO() {
    return (!!$.session.samlAttribute);
}
// The database user the request runs as. With dynamic user creation this
// user is created by HANA on the first SAML login.
function getDatabaseUsername() {
    return $.session.getUsername();
}
// SAML attributes arrive as arrays of {value: ...}. Returning null instead of
// throwing when the IDP did not send an attribute keeps the service from
// failing with a 500 on an incomplete assertion.
function getSamlAttribute(name) {
    var attr = $.session.samlAttribute[name];
    return (attr && attr.length > 0) ? attr[0].value : null;
}
function getUsername() {
    return getSamlAttribute("loggedinuserid");
}
function getCompanyID() {
    return getSamlAttribute("companyid");
}
function getUserLocale() {
    return getSamlAttribute("locale");
}
function getCompanyUUID() {
    return getSamlAttribute("companyuuid");
}
var loggedInUser = {};
loggedInUser.databaseUser = getDatabaseUsername();
if (isSAMLSSO()) {
    loggedInUser.saml = true;
    loggedInUser.user = getUsername();
    loggedInUser.locale = getUserLocale();
    loggedInUser.companyID = getCompanyID();
    loggedInUser.companyUUID = getCompanyUUID();
} else {
    loggedInUser.saml = false;
}
$.response.contentType = "application/json";
$.response.setBody(JSON.stringify(loggedInUser));

This XS service returns the logged-in database user and, when the session was authenticated via SAML, the user attributes SuccessFactors sent in the assertion. Since in the beginning the package is not yet configured for SAML, the service first checks for the presence of $.session.samlAttribute and skips the SAML attributes when it is absent.

/wp-content/uploads/2016/06/page5_986225.png

Run the service (F8). A new window opens and shows the logged-in database user together with a flag indicating that SAML authentication is not used.

/wp-content/uploads/2016/06/page6_986227.png

The next step is to configure SuccessFactors as a trusted IDP in SAP HANA.

Configure SAP HANA trust to SuccessFactors IDP

As a first step, we need to obtain the SAML metadata from the SuccessFactors IDP. This can easily be fetched in a browser.

In order to construct the proper URL we need the SuccessFactors landscape host and the company ID.

The format is

  • https://<landscapeHost>/idp/samlmetadata?company=<companyID>

For example:

  • landscape host (salesdemo4.successfactors.com)
  • company id (I0024)

would produce the SAML metadata URL https://salesdemo4.successfactors.com/idp/samlmetadata?company=I0024

Opening the URL in the browser results in an immediate download of a file called “samlmetadata”.

It is advisable to save it (or rename it) as samlmetadata.xml.

/wp-content/uploads/2016/06/page7_986252.png

Open it with a text editor; it should look like the screenshot. This is an important step, since in the next step we need to copy its content from there.

Now we need to open the XS Admin Tool and import the SuccessFactors IDP settings.

  1. Go to the XS Admin Tool in your tenant database (append “/sap/hana/xs/admin/” to the URL of your HANA instance)
  2. Go to SAML Identity Provider and click on +
  3. Open the samlmetadata.xml file you downloaded from the IDP in a text editor and copy and paste its content into the Metadata input area
  4. Click away from the text area in order to trigger processing
  5. Name the IDP something descriptive like “saml2_company_<companyId>”
  6. Set the “Dynamic User Creation” flag to true. This is required in order to log in with IDP users that are not yet defined as database users. Note that with this flag HANA will create a database user for every identity the IDP asserts, so you are fully trusting the IDP's user base.
  7. There will be one empty field that prevents you from saving, SingleLogout URL (RedirectBinding). Copy the value of SingleLogout URL (PostBinding), ending in “/sf/idp/SAML2/slo/POST”, into that field
  8. Click Save.

/wp-content/uploads/2016/06/page10_986255.png

Important! The IDP metadata import might fail with “Certificate Import Error” when the import is done for the first time. To correct that, remove the IDP and repeat the operation.

/wp-content/uploads/2016/06/page11_986550.png

After the import, check that the SuccessFactors company certificate is present in the SAML Trust Store. This is the certificate HANA uses to verify the signature on the assertions it receives; if it is missing, every SAML login will be rejected.

Configure SuccessFactors IDP to trust SAP HANA SP

As a next step, we need to configure the SuccessFactors IDP to trust the SAP HANA Service Provider (SP).

/wp-content/uploads/2016/06/page12_986910.png

  1. In the XS Admin Tool go to the SAML Service Provider tab and click Edit
  2. Under the Service Provider Information tab, set “Name”, “Organisation Name”, “Organisation Display Name” and “Organisation URL” to the URL of the SAP HANA host, then save the settings. By default these values are not configured.
  3. From the Service Provider “Metadata” tab we need to extract three values from the XML. It does not matter which binding (HTTP-Redirect or HTTP-POST) you choose – the URLs are the same.
    • “Location” attribute of the AssertionConsumerService tag
    • “Location” attribute of the SingleLogoutService tag
    • “entityID” attribute of the EntityDescriptor tag
  4. Contact SuccessFactors to request enabling the Single Sign-On functionality for your company instance, giving them the values from above:
    • Assertion Consumer Service URL
    • Single Logout Service URL
    • Audience URL – this is the “entityID”
  5. In case you have Provisioning access to your SuccessFactors company, you can do it yourself
    • Go to Company Settings -> Service Provider Settings -> Authorized SP Assertion Consumer Service Settings

/wp-content/uploads/2016/06/page13_987008.png

    • Select “Add another Service Provider ACS” and add the values described above

/wp-content/uploads/2016/06/page14_989615.png
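The two metadata documents exchanged above (the IDP metadata downloaded from SuccessFactors, and the SP metadata taken from the XS Admin Tool) are both SAML 2.0 EntityDescriptor documents, and the values copied by hand in the steps above all sit in the same few elements. The following Node.js script, added here as an illustration and not taken from the article or from SAP, pulls those values out of both documents, derives the SingleLogout fallback used in step 7 of the IDP import and the three values step 4 hands to SuccessFactors, and runs two sanity checks a practitioner would want before importing: that the IDP publishes a signing certificate and that every endpoint is https. The metadata samples are constructed for this example; entity IDs, host names, paths and the certificate body are placeholders and not the real SuccessFactors or HANA values. Plain string matching is used so the script runs without an XML library; use a real XML parser for anything beyond a demo.

```javascript
"use strict";
// Added example, not from the article or SAP. Samples below are constructed:
// hosts, entity IDs, paths and the certificate body are placeholders.

// Shape of the IDP metadata from /idp/samlmetadata?company=<companyID>; only a
// HTTP-POST logout binding is published, as observed in step 7 of the import.
const SAMPLE_IDP_METADATA = `<?xml version="1.0" encoding="UTF-8"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" entityID="https://idp.example/I0024">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing"><ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
      <ds:X509Data><ds:X509Certificate>
        MIICplaceholderCertificateBody
      </ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://idp.example/sf/idp/SAML2/slo/POST"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://idp.example/sf/idp/SAML2/sso/POST"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://idp.example/sf/idp/SAML2/sso/Redirect"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>`;

// Shape of the HANA SP metadata: both logout bindings share one URL (placeholder paths).
const SAMPLE_SP_METADATA = `<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" entityID="https://hanahost.example/sp">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://hanahost.example/saml/slo"/>
    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://hanahost.example/saml/slo"/>
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://hanahost.example/saml/acs" index="0"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>`;

const BINDING_PREFIX = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-";

// Value of one attribute inside a single start tag, or null when absent.
function attrOf(tag, name) {
  const m = tag.match(new RegExp("\\s" + name + "=\"([^\"]*)\""));
  return m ? m[1] : null;
}

// Extract entityID, endpoints[service][binding] = Location, and signing certs.
function parseSamlMetadata(xml) {
  const entity = xml.match(/<(?:\w+:)?EntityDescriptor\b[^>]*>/);
  const entityID = entity && attrOf(entity[0], "entityID");
  if (!entityID) throw new Error("not a SAML EntityDescriptor with an entityID");

  const endpoints = {};
  const endpointRe = /<(?:\w+:)?(SingleSignOnService|SingleLogoutService|AssertionConsumerService)\b[^>]*>/g;
  for (const m of xml.matchAll(endpointRe)) {
    const binding = attrOf(m[0], "Binding");
    const location = attrOf(m[0], "Location");
    if (!binding || !location || !binding.startsWith(BINDING_PREFIX)) continue;
    const byBinding = endpoints[m[1]] || (endpoints[m[1]] = {});
    byBinding[binding.slice(BINDING_PREFIX.length)] = location; // "POST" or "Redirect"
  }

  // A KeyDescriptor without a "use" attribute is valid for signing and encryption.
  const signingCertificates = [];
  const keyRe = /<(?:\w+:)?KeyDescriptor\b([^>]*)>([\s\S]*?)<\/(?:\w+:)?KeyDescriptor>/g;
  for (const m of xml.matchAll(keyRe)) {
    const use = attrOf("<k" + m[1] + ">", "use");
    if (use && use !== "signing") continue;
    const cert = m[2].match(/<(?:\w+:)?X509Certificate>([\s\S]*?)<\/(?:\w+:)?X509Certificate>/);
    if (cert) signingCertificates.push(cert[1].replace(/\s+/g, ""));
  }
  return { entityID, endpoints, signingCertificates };
}

// The three values step 4 hands to SuccessFactors, read from the SP metadata.
function spRegistrationValues(sp) {
  const acs = sp.endpoints.AssertionConsumerService || {};
  const slo = sp.endpoints.SingleLogoutService || {};
  return {
    assertionConsumerServiceUrl: acs.POST || acs.Redirect || null,
    singleLogoutServiceUrl: slo.POST || slo.Redirect || null,
    audienceUrl: sp.entityID,
  };
}

// Value for the "SingleLogout URL (RedirectBinding)" field: the Redirect
// binding when the IDP publishes one, otherwise the POST URL as in step 7.
function idpSloRedirectUrl(idp) {
  const slo = idp.endpoints.SingleLogoutService || {};
  return slo.Redirect || slo.POST || null;
}

// Checks before importing: IDP metadata must carry a signing certificate (HANA
// verifies assertion signatures with it) and every endpoint must be https,
// otherwise the assertion would travel in clear text.
function metadataProblems(meta, { requireSigningCert = true } = {}) {
  const problems = [];
  if (requireSigningCert && meta.signingCertificates.length === 0) problems.push("no signing certificate");
  for (const [service, byBinding] of Object.entries(meta.endpoints)) {
    for (const [binding, url] of Object.entries(byBinding)) {
      if (!url.startsWith("https://")) problems.push(`${service} ${binding} is not https: ${url}`);
    }
  }
  return problems;
}

const demoIdp = parseSamlMetadata(SAMPLE_IDP_METADATA);
const demoSp = parseSamlMetadata(SAMPLE_SP_METADATA);
console.log("IDP", demoIdp.entityID, "SLO redirect field:", idpSloRedirectUrl(demoIdp), metadataProblems(demoIdp));
console.log("Hand to SuccessFactors:", spRegistrationValues(demoSp), metadataProblems(demoSp, { requireSigningCert: false }));
```

Run it with node; the two console lines show the import value for the SingleLogout field and the three registration values. The https check is the one to keep: a plain-http Location in either document means the browser would carry the signed assertion, and with it the user's session, over an unencrypted hop.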

XS Application configuration

We need to change the XS application configuration to use SAML authentication. This can be done using the XS Admin Tool.

/wp-content/uploads/2016/06/page16_989178.png

In the XS Admin Tool, select XS Artifact Administration and select the “com.sample.test” package. Click “Edit” and select SAML as the authentication mechanism. Pick the configured SuccessFactors IDP from the drop-down. You should also enable “Prevent Public Access For Sub-Packages” and disable Form Based and Basic authentication, so that a password login cannot bypass the SAML path. Save the changes and you are almost done.

Making it work

Opening our application in a new window greets us with the SuccessFactors login screen.

/wp-content/uploads/2016/06/page17_989179.png

However, after the login you get a blank screen and are not redirected back to the application.

/wp-content/uploads/2016/06/page18_989210.png

What is wrong? After some debugging, the cause turned out to be a missing AssertionConsumerServiceURL attribute in the SAML authentication request (AuthnRequest) sent by the HANA Service Provider.

As mentioned above, SuccessFactors matches this ACS URL against the Authorized SP Assertion Consumer Service Settings of the company. Without it, the IDP does not know where to post the response, and the login ends on the blank page.

Fortunately there is a configuration option on the HANA SP side that fixes this.

We have to use SAP HANA Studio to change this configuration. First add the cloud MDC instance in the Systems view.

/wp-content/uploads/2016/06/page19_989211.png

/wp-content/uploads/2016/06/page20_989212.png/wp-content/uploads/2016/06/page21_989231.png

Open the Configuration tab and type “saml” as the configuration filter. Change the value of the add_assertion_consumer_url parameter to “yes”.

/wp-content/uploads/2016/06/page22_989233.png

Increase the assertion timeout from the default value of 10 seconds to a more reasonable value: set the parameter assertion_timeout to 30 seconds or more. Keep in mind that this widens the window in which HANA accepts an assertion, so choose the smallest value that covers the clock difference between SuccessFactors and your HANA instance rather than an arbitrarily large one.

Change and save the settings. You might need to restart the HANA tenant database process so the changes take effect.
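To make concrete what the two values above control, the following Node.js snippet, added here as an illustration and not taken from the article or from SAP, applies the SAML 2.0 checks a Service Provider runs on the Conditions element of an incoming assertion: the validity window (NotBefore inclusive, NotOnOrAfter exclusive) with a clock-skew tolerance, and the AudienceRestriction, which must name the SP's own entityID (the value step 4 above calls the Audience URL). HANA performs its own checks inside the XS engine and the exact semantics of its assertion_timeout are not documented on this page; the tolerance argument here only plays that role to show the trade-off. The Conditions element, the SP entityID and the timestamps are constructed for this example.

```javascript
"use strict";
// Added example, not from the article or SAP. The SP entityID and the
// Conditions element below are constructed placeholders.

const SP_ENTITY_ID = "https://hanahost.example/sp"; // what was registered as Audience URL

// Constructed Conditions element in the shape an IDP puts into an assertion:
// five-minute validity, restricted to a single audience.
const SAMPLE_CONDITIONS = `<saml:Conditions xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    NotBefore="2016-06-01T10:00:00Z" NotOnOrAfter="2016-06-01T10:05:00Z">
  <saml:AudienceRestriction>
    <saml:Audience>https://hanahost.example/sp</saml:Audience>
  </saml:AudienceRestriction>
</saml:Conditions>`;

// Pull the two timestamps and every Audience value out of the element.
function parseConditions(xml) {
  const open = xml.match(/<(?:\w+:)?Conditions\b[^>]*>/);
  if (!open) throw new Error("assertion carries no Conditions element");
  const attr = (name) => {
    const m = open[0].match(new RegExp("\\s" + name + "=\"([^\"]*)\""));
    return m ? m[1] : null;
  };
  const audiences = [...xml.matchAll(/<(?:\w+:)?Audience>\s*([^<\s]+)\s*<\/(?:\w+:)?Audience>/g)].map((m) => m[1]);
  return { notBefore: attr("NotBefore"), notOnOrAfter: attr("NotOnOrAfter"), audiences };
}

// Returns the reasons to reject; an empty list means the conditions hold.
// skewSeconds is the tolerated clock drift between IDP and SP. Every second of
// tolerance is also a second longer that a captured assertion stays usable,
// which is the trade-off behind raising any assertion timeout.
function checkConditions(cond, spEntityId, nowMs, skewSeconds) {
  const problems = [];
  const skew = skewSeconds * 1000;
  if (cond.notBefore !== null) {
    const nb = Date.parse(cond.notBefore);
    if (Number.isNaN(nb)) problems.push("NotBefore is not a timestamp");
    else if (nowMs + skew < nb) problems.push("assertion is not yet valid");
  }
  if (cond.notOnOrAfter !== null) {
    const na = Date.parse(cond.notOnOrAfter);
    if (Number.isNaN(na)) problems.push("NotOnOrAfter is not a timestamp");
    else if (nowMs - skew >= na) problems.push("assertion has expired");
  }
  // Without an audience check, an assertion issued for another SP of the same
  // IDP could be replayed against this one.
  if (cond.audiences.length === 0) problems.push("no AudienceRestriction");
  else if (!cond.audiences.includes(spEntityId)) problems.push("audience does not match our entityID");
  return problems;
}

// Demo: the same assertion evaluated at three points in time.
const cond = parseConditions(SAMPLE_CONDITIONS);
for (const [label, t, skew] of [
  ["inside window, 10 s skew", "2016-06-01T10:02:00Z", 10],
  ["20 s after expiry, 10 s skew", "2016-06-01T10:05:20Z", 10],
  ["20 s after expiry, 30 s skew", "2016-06-01T10:05:20Z", 30],
]) {
  console.log(label + ":", checkConditions(cond, SP_ENTITY_ID, Date.parse(t), skew));
}
```

The third demo line is the point: with a 30 second tolerance the same assertion that was rejected at 10 seconds is accepted 20 seconds past its NotOnOrAfter. That is acceptable when it covers genuine clock drift between the IDP and HANA, and nothing more.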

Re-open your simple application:

https://<hanahost>.hana.ondemand.com/com/sample/test/loggedInUser.xsjs

/wp-content/uploads/2016/06/page23_989426.png

Congratulations! You have set up SAML single sign-on between your HANA XS application and the SuccessFactors IDP. Below is the JSON response of the service.

{
  "databaseUser" : "DEV165USER001",
  "saml" : true,
  "user" : "dev165user001",
  "locale" : "en_US",
  "companyID" : "I0024",
  "companyUUID" : "1b1f94fd_b6bf_4c29_a635_9afcea251be3"
}

Inspecting the XS service code and the response, you can see the SAML attributes provided by SuccessFactors. The real logged-in user ID is taken from the SAML attributes (loggedinuserid), not from the database user name. For additional user information you can query the SuccessFactors API. More information on the SuccessFactors APIs can be found here: SuccessFactors HCM Suite APIs.

Conclusion

We have set up SAML single sign-on between a HANA XS application and the SuccessFactors IDP and demonstrated the identity propagation with a sample application. We hope that this information helps you take better advantage of HANA in the context of SuccessFactors.
