Dong Pan

What’s Changed – Setup Remote HANA Connection with SAML SSO in SAP Analytics Cloud

In my earlier blogs SAP BusinessObjects Cloud – Setup Connection to Remote HANA Systems via Apache Reverse Proxy (link) and SAP BusinessObjects Cloud – Setup SAML 2.0 Single Sign-On with Remote HANA Systems (link), I walked you through the end-to-end process of setting up an Apache reverse proxy for a live on-premise HANA connection in SAP Analytics Cloud (SAC) with SAML 2 Single Sign-On (SSO). In the last few releases of SAC, including the latest 2016.19 release, a few important architectural changes have been introduced that make additional configuration on the reverse proxy necessary.

Important Note: this article is about setting up reverse proxy for on-premise HANA connections. It does not apply to SAP Cloud Platform (SCP) HANA connections, as a reverse proxy is not necessary in that scenario.

One of the changes brought into the recent releases is the built-in SAP Cloud Identity service in SAC to handle authentication and user management. However, if you would like to configure SAML 2 SSO to your on-premise HANA system, you have to switch to your own dedicated SAML 2 Identity Provider (IdP), be it an on-premise IdP or a cloud-based IdP, including a dedicated SAP Cloud Identity (SCI) tenant. From release 2016.19, on SAC tenants that are using Simple URLs (see details below), a self-service UI is provided for customers to perform the switch. More details can be found here.

The other important change brought in release 2016.19 is Simple URLs. With Simple URLs, your BOC tenant URL follows this format: https://<YourCustomDomain>.<region>.sapanalytics.cloud; for example, https://customer.us1.sapanalytics.cloud. No need to remember a long URL like https://epmprodnnxxxxxxxxx.us1.hana.ondemand.com/sap/fpa/ui/tenant/nnn anymore. This sounds like a simple change to the URL naming convention, but a lot is happening behind the scenes that has implications for how your reverse proxy should be set up:

  1. The central SCP SAML Redirect Node is now used to provide the central Assertion Consumer Service (ACS) and Single Log-Out (SLO) service. In other words, the SAC tenant’s own ACS URL is no longer in use. The Central Redirect URL follows this format: https://authn.<region>.hana.ondemand.com/; for example, https://authn.us1.hana.ondemand.com.
  2. During the SAML 2 authentication flow, redirections happen between the IdP and the Central Redirect Node. As you probably still remember from my earlier blogs and how-to guide, we need to put the SAML 2 IdP behind the reverse proxy. This means that we now need to alter the redirection flow between the IdP and the Central Redirect Node, so that the redirection points toward the proxied IdP URL. In other words, we have to put the Central Redirect Node behind the reverse proxy as well and intercept/modify the redirection flow.
  3. Now that the Central Redirect Node sits behind the reverse proxy, we also have to ensure that the redirection from SAC to the Central Redirect Node points to its proxied URL.
  4. Typically, at least one of the redirection flows described above is done via auto-posting of an HTML form, so an HTML rewriter is needed in the reverse proxy to do the job. Reverse proxies such as Apache come with an HTML link rewriter, but SAP Web Dispatcher does not, so we recommend using Apache as the reverse proxy going forward.
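To make concrete why point 4 needs a rewriter that works on the HTML body and not just on headers, here is an added example written for this edit (it is not code from the blog and does not use Apache's own mod_proxy or mod_proxy_html implementation). It models in Python the rewriting layers the configuration below relies on: Location-header rewriting by ProxyPassReverse, body rewriting by ProxyHTMLURLMap, cookie-path rewriting by ProxyPassReverseCookiePath, and the JSESSIONID rename from the SAC rules. It then runs the blog's /saml2/ mappings over a constructed IdP auto-post form. The hostnames are the blog's placeholders; the ACS path /saml2/sp/acs, the cookie values and the www.example.com link are made up for the sample.

```python
"""Model of the rewriting layers an Apache reverse proxy applies to the SAML flow.

Constructed for illustration; this is not Apache code. Hostnames are the blog's
placeholders; the ACS path /saml2/sp/acs, cookie values and the example.com link
are made-up sample data.
"""
import re

# ProxyHTMLURLMap entries from the blog's <Location /saml2/> block:
# backend URL prefix -> path on the reverse proxy. Checked in order, first match wins.
URL_MAP = (
    ("https://authn.us1.hana.ondemand.com/", "/authn/"),
    ("https://authn.us1.hana.ondemand.com:443/", "/authn/"),
    ("https://righana2.yourcompany.corp:4300", "/righana2"),
)

# URL-bearing attributes rewritten here (a subset of what mod_proxy_html handles).
URL_ATTR_RE = re.compile(r'\b(action|href|src)="([^"]*)"')


def map_url(url, url_map=URL_MAP):
    """Apply the first matching prefix mapping; URLs outside the map are returned unchanged."""
    for backend, proxied in url_map:
        if url.startswith(backend):
            return proxied + url[len(backend):]
    return url


def rewrite_location(headers, url_map=URL_MAP):
    """ProxyPassReverse: rewrite the Location header of a backend redirect."""
    out = dict(headers)
    if "Location" in out:
        out["Location"] = map_url(out["Location"], url_map)
    return out


def rewrite_html(body, url_map=URL_MAP):
    """ProxyHTMLURLMap: rewrite URLs inside the HTML body.

    ProxyPassReverse only sees headers, so without this step the auto-posting
    SAML form's action would still point straight at the Central Redirect Node
    and the browser would leave the proxy (the blog's point 4).
    """
    return URL_ATTR_RE.sub(
        lambda m: f'{m.group(1)}="{map_url(m.group(2), url_map)}"', body)


def rewrite_cookie_path(set_cookie, internal, public):
    """ProxyPassReverseCookiePath internal public: if the cookie's Path starts
    with the backend path, replace that prefix with the proxied path."""
    def repl(m):
        path = m.group(2)
        if path.startswith(internal):
            path = public + path[len(internal):]
        return m.group(1) + path
    return re.sub(r"(;\s*[Pp]ath=)([^;]*)", repl, set_cookie)


def rename_sac_session_cookie(set_cookie):
    """Header edit Set-Cookie "^JSESSIONID=(.*)" "JSESSIONID_SAC=$1" (response side)."""
    return re.sub(r"^JSESSIONID=(.*)", r"JSESSIONID_SAC=\1", set_cookie)


def restore_sac_session_cookie(cookie_header):
    """RequestHeader edit Cookie JSESSIONID_SAC JSESSIONID (request side; 'edit'
    replaces the first match only, 'edit*' would replace all of them)."""
    return cookie_header.replace("JSESSIONID_SAC", "JSESSIONID", 1)


# Constructed sample: the IdP's SAML 2 HTTP-POST binding page, as served under /saml2/.
SAMPLE_IDP_RESPONSE = {
    "headers": {"Content-Type": "text/html",
                "Set-Cookie": "JSESSIONID=idp123; Path=/; Secure; HttpOnly"},
    "body": (
        '<html><body onload="document.forms[0].submit()">\n'
        '<form method="post" action="https://authn.us1.hana.ondemand.com/saml2/sp/acs">\n'
        '<input type="hidden" name="SAMLResponse" value="PHNhbWxwOlJlc3BvbnNlLi4u"/>\n'
        '<input type="hidden" name="RelayState" value="https://customer.us1.sapanalytics.cloud/"/>\n'
        '</form>\n'
        '<a href="https://www.example.com/help">help</a>\n'
        '</body></html>'
    ),
}


def proxy_saml2_response(response):
    """Run the IdP response through the layers the <Location /saml2/> block applies."""
    headers = rewrite_location(response["headers"])
    headers["Set-Cookie"] = rewrite_cookie_path(headers["Set-Cookie"], "/", "/saml2/")
    return {"headers": headers, "body": rewrite_html(response["body"])}


def form_action(body):
    """Return the action attribute of the first form in the body (helper for checks)."""
    m = re.search(r'<form[^>]*\baction="([^"]*)"', body)
    return m.group(1) if m else None


if __name__ == "__main__":
    proxied = proxy_saml2_response(SAMPLE_IDP_RESPONSE)
    print(proxied["headers"]["Set-Cookie"])
    print(form_action(proxied["body"]))
```

The hidden RelayState value is deliberately left alone: mod_proxy_html rewrites URL-bearing attributes such as action, href and src, not arbitrary input values, and the RelayState is consumed by SAC, not followed by the browser. The unmapped example.com link also survives unchanged, which is the behaviour you want from a prefix map.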

So here goes the new architecture:

Let me use a scenario similar to the one described in my previous blog SAP BusinessObjects Cloud – Setup SAML 2.0 Single Sign-On with Remote HANA Systems (link), i.e. using SAP NetWeaver SSO as the SAML 2 Identity Provider, and provide you with a sample Apache configuration snippet that works with the new architecture. For details about the NetWeaver SSO setup and the SAML 2 bindings used, refer to that blog.

#Load key modules for reverse proxy
LoadModule proxy_module modules/mod_proxy.so
LoadModule proxy_http_module modules/mod_proxy_http.so
LoadModule proxy_html_module modules/mod_proxy_html.so
LoadModule xml2enc_module modules/mod_xml2enc.so
LoadModule headers_module modules/mod_headers.so

# Configure mod_proxy_html to understand HTML4/XHTML1
<IfModule proxy_html_module>
  Include conf/extra/httpd-proxy-html.conf
</IfModule>

Listen 443 https

<VirtualHost _default_:443>
  SSLEngine on
  SSLProxyEngine on
  # The two directives below turn off the check that the backend certificate's
  # CN / subject alternative name matches the backend hostname. Together with the
  # default SSLProxyVerify none, the proxy does not authenticate the backends it
  # forwards to; re-enable the checks wherever the backend certificates allow it.
  SSLProxyCheckPeerCN off
  SSLProxyCheckPeerName off
  ServerName reverseproxy.customer.com:443
  SSLCertificateFile "${SRVROOT}/conf/ssl/reverseproxy.crt"
  SSLCertificateKeyFile "${SRVROOT}/conf/ssl/reverseproxy.key"
  DocumentRoot "${SRVROOT}/htdocs"
  # DocumentRoot access handled globally in httpd.conf
  CustomLog "${SRVROOT}/logs/ssl_request.log" \
            "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
  <Directory "${SRVROOT}/htdocs">
    Options Indexes Includes FollowSymLinks
    AllowOverride AuthConfig Limit FileInfo
    Require all granted
  </Directory>

  #Proxy rules for the Central Redirect Node (US1 data center in this example)
  ProxyPass /authn/ https://authn.us1.hana.ondemand.com/
  ProxyPassReverse /authn/ https://authn.us1.hana.ondemand.com/
  ProxyPassReverse /authn/ https://authn.us1.hana.ondemand.com:443/
  <Location /authn/>
    ProxyPassReverse /
    ProxyHTMLEnable on
    SetOutputFilter proxy-html
    ProxyHTMLCharsetOut *
    # The backend must not compress the response, or proxy-html cannot rewrite the body
    RequestHeader unset Accept-Encoding
    ProxyHTMLURLMap https://nwidp.yourcompany.corp:50001/ /
    ProxyHTMLURLMap https://customer.us1.sapanalytics.cloud/ /
    ProxyPassReverseCookiePath / /authn/
  </Location>

  #Proxy rules for remote on-premise HANA at https://righana2.yourcompany.corp:4300/
  ProxyPass /righana2/ https://righana2.yourcompany.corp:4300/
  ProxyPassReverse /righana2/ https://righana2.yourcompany.corp:4300/
  <Location /righana2/>
    ProxyPassReverse /
    ProxyPassReverseCookiePath / /righana2
    ProxyPassReverseCookiePath /sap/hana/xs/saml /righana2/sap/hana/xs/saml
  </Location>

  #Proxy rules for the SAML 2 Identity Provider at https://nwidp.yourcompany.corp:50001/saml2/
  ProxyPass /saml2/ https://nwidp.yourcompany.corp:50001/saml2/
  ProxyPassReverse /saml2/ https://nwidp.yourcompany.corp:50001/saml2/
  <Location /saml2/>
    ProxyPassReverse /saml2/
    ProxyPassReverseCookiePath "/" "/saml2/"
    ProxyHTMLEnable on
    SetOutputFilter proxy-html
    ProxyHTMLCharsetOut *
    RequestHeader unset Accept-Encoding
    ProxyHTMLURLMap https://authn.us1.hana.ondemand.com/ /authn/
    ProxyHTMLURLMap https://authn.us1.hana.ondemand.com:443/ /authn/
    ProxyHTMLURLMap https://righana2.yourcompany.corp:4300 /righana2
  </Location>
  ProxyPass /logon_ui_resources/ https://nwidp.yourcompany.corp:50001/logon_ui_resources/
  ProxyPassReverse /logon_ui_resources/ https://nwidp.yourcompany.corp:50001/logon_ui_resources/

  #Proxy rules for SAC (Simple URL) at https://customer.us1.sapanalytics.cloud/
  #Must stay after all other ProxyPass rules: the first matching rule wins (see note 4)
  ProxyPass / https://customer.us1.sapanalytics.cloud/
  ProxyPassReverse / https://customer.us1.sapanalytics.cloud/
  ProxyPassReverse / https://customer.us1.sapanalytics.cloud:443/
  <LocationMatch "^/$|^/sap/fpa/ui/tenants/.*|^/logout.*">
    ProxyHTMLEnable on
    # Required: the built-in XML parser does not handle the HTML 5 DOCTYPE by default (see note 2)
    ProxyHTMLDocType "<!DOCTYPE html>" XML
    SetOutputFilter proxy-html
    ProxyHTMLCharsetOut *
    RequestHeader unset Accept-Encoding
    ProxyHTMLURLMap https://authn.us1.hana.ondemand.com/ /authn/
    ProxyHTMLURLMap https://authn.us1.hana.ondemand.com:443/ /authn/
    # Store SAC's session cookie under a different name in the browser; the IdP and
    # the Central Redirect Node set their own JSESSIONID on this host as well
    Header edit Set-Cookie "^JSESSIONID=(.*)" "JSESSIONID_SAC=$1"
  </LocationMatch>

  <LocationMatch "^/$|^/sap/.*|^/t/.*|^/logout.*">
    # Restore the original cookie name on requests forwarded to SAC
    RequestHeader edit Cookie JSESSIONID_SAC JSESSIONID
  </LocationMatch>

</VirtualHost>

Note:

  1. Depending on the SAML 2 IdP bindings used, the above configuration may need to be adjusted accordingly.
  2. In the proxy rules for SAC, it is critical to include the following line, as the built-in XML parser in Apache is not able to process the HTML 5 DOCTYPE properly by default:
     ProxyHTMLDocType "<!DOCTYPE html>" XML
  3. It is not recommended to turn on the ProxyPreserveHost directive (default=off). If for any reason you have to turn it on globally, add the following line to the proxy rules for SAC, so that it knows to which SAC tenant to forward the request:
     RequestHeader append X-Custom-Host <SAC_HOST>
  4. As the SAC URL is mapped to the root URL on the reverse proxy host, the ProxyPass rules for SAC must be placed after all the other ProxyPass rules to avoid conflicting proxy mappings to SAC, HANA, the SAML IdP and the Central Redirect Node.
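A check for note 4, as an added example that is not part of the blog and not an Apache tool: a small Python lint that lists the ProxyPass rules of a configuration in order and reports every rule that an earlier, shorter prefix would always match first, which is exactly what happens when the SAC catch-all is placed too early. The two sample configurations are constructed from the blog's paths; the first deliberately puts the catch-all first. Plain string-prefix matching is used here, which is exact for paths ending in "/" as in the blog; Apache's own matching additionally respects path-segment boundaries.

```python
"""Ordering check for ProxyPass rules (constructed example, not from the blog or Apache).

mod_proxy checks ProxyPass rules in configuration order and the first match wins,
so a catch-all such as "ProxyPass / ..." placed early shadows every rule after it.
Plain string-prefix matching is used, which is exact for paths ending in "/".
"""
import re

# Only plain ProxyPass lines; ProxyPassReverse, ProxyPassMatch and comments are skipped.
PROXYPASS_RE = re.compile(r"^\s*ProxyPass\s+(\S+)\s+(\S+)", re.IGNORECASE)


def proxy_pass_rules(config):
    """Return (path, backend) pairs in the order they appear in the configuration."""
    rules = []
    for line in config.splitlines():
        m = PROXYPASS_RE.match(line)
        if m:
            rules.append((m.group(1), m.group(2)))
    return rules


def shadowed_rules(config):
    """Return (path, backend, shadowing_path) for each rule an earlier rule always wins over."""
    rules = proxy_pass_rules(config)
    findings = []
    for i, (path, backend) in enumerate(rules):
        for earlier_path, _ in rules[:i]:
            if path.startswith(earlier_path):
                findings.append((path, backend, earlier_path))
                break
    return findings


def report(config):
    """Human-readable line per shadowed rule; an empty list means the order is fine."""
    return [f"ProxyPass {p} -> {b} is never reached: ProxyPass {s} matches first"
            for p, b, s in shadowed_rules(config)]


# Constructed: the SAC catch-all placed first, which the blog's note 4 warns against.
WRONG_ORDER = """
ProxyPass / https://customer.us1.sapanalytics.cloud/
ProxyPassReverse / https://customer.us1.sapanalytics.cloud/
ProxyPass /authn/ https://authn.us1.hana.ondemand.com/
ProxyPass /righana2/ https://righana2.yourcompany.corp:4300/
ProxyPass /saml2/ https://nwidp.yourcompany.corp:50001/saml2/
"""

# Constructed: the order used in the blog's configuration, catch-all last.
RIGHT_ORDER = """
ProxyPass /authn/ https://authn.us1.hana.ondemand.com/
ProxyPass /righana2/ https://righana2.yourcompany.corp:4300/
ProxyPass /saml2/ https://nwidp.yourcompany.corp:50001/saml2/
ProxyPass /logon_ui_resources/ https://nwidp.yourcompany.corp:50001/logon_ui_resources/
ProxyPass / https://customer.us1.sapanalytics.cloud/
"""

if __name__ == "__main__":
    for name, cfg in (("wrong order", WRONG_ORDER), ("blog order", RIGHT_ORDER)):
        print(name, report(cfg) or ["OK"])
```

Run it against your own httpd.conf by reading the file into a string and passing it to report(); note that ProxyPass directives placed inside <Location> blocks follow Location merging rather than this simple ordering, so the lint only covers the top-level rules the blog uses.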

[Update] For a sample setup based on SAP Cloud Identity as the SAML 2 Identity Provider, refer to my blog Single Sign-On from BusinessObject Cloud to HANA – Reverse Proxy Rules for SAP Cloud Identity.

Enjoy setting the remote HANA connection up with end-to-end SAML 2 SSO in the new architecture. Till next time!

6 Comments
      Matthew Shaw

      Wonderful content, thank you

      Henry Banks

      Thanks Don, much appreciated 

      James Longstaff

      Many thanks for the content Dong,

      Do you happen to know if this is the appropriate scenario for implementing a connection between Analytics Cloud and Hana Enterprise Cloud?

      I am weighing up the alternatives and it would save us a lot of trial and error if you could advise whether this type of connection is considered SAP ERP (data import) or if it is in fact a SAP HANA (live-data) connection.  Our client has the Business Suite on HEC and uses SAP GUI.

      Kind regards

      James Longstaff

      Swati Saxena

      Hello Dong,

      I'm trying to set up connectivity between SCP and BoC. I've done configurations as per this link:

      https://uacp2.hana.ondemand.com/doc/00f68c2e08b941f081002fd3691d86a7/release/en-US/a30b5127419a4fd0aeef7be91fdf9836.html

      But still Live Connection does not work.

      Any pointers will be a great help.

      Thanks,

      Swati


      Dong Pan
      Blog Post Author

      Check out this blog post: https://blogs.sap.com/2016/11/27/sap-businessobjects-cloud-live-data-connection-to-sap-hcp-with-sso-simple-urls/ 

      Denys van Kempen

      For those interested,

      here is a step-by-step blog with video tutorials which explains how you can configure Apache SSL reverse proxy for use with SAP Analytics Cloud for Live Connections using CORS to SAP HANA