Multiple IDPs for HANA XS Artifact – BusinessObjects Enterprise Platform Perspective
SAML has become a standardized way of authenticating and authorizing a Principal (user) between different parties, usually a Service Provider (SP) and an Identity Provider (IdP). The SP requests and obtains identity assertions from the IdP for the user requesting the service.
The SAP HANA platform provides different types of services to various entities, and thus, in this case, it acts as an SP. But today there is a limitation that:
– I can map only 1 IDP to a HANA XS artifact
– and, dynamically changing IDP at runtime is not possible.
This becomes a problem for me when I have various applications connecting to different IdPs, and at times some of the applications themselves can act as IdPs. So the question is how to handle the mapping of multiple IDPs to a single HANA XS artifact.
Consider a customer landscape that contains a standard cloud IDP provider such as SAP Cloud Identity or Microsoft Active Directory Federation Services (ADFS), amongst others, and cloud applications such as SAP Analytics Cloud or SAP Analytics Hub that can leverage the same cloud IDP.
On the other hand, on-premise applications such as SAP BusinessObjects Enterprise Platform themselves act as an IDP.
So, if I want to achieve SAML authentication (SSO) for the same HANA XS artifact through both kinds of applications, cloud and on-premise (SAP Analytics Cloud or Analysis Hub and BusinessObjects Enterprise Platform – Analysis Office etc.), there is a perception that the authentication cannot be achieved for both types of applications due to the limitations mentioned above.
In this post, I will try to provide a working solution to the problem mentioned above from an SAP BOE customer’s perspective.
Note: Please follow the official SAC documentation to set up SAML on SAC.
Note: For my testing I was concerned with the HANA XS artifact /sap/bc/ina/service/v2.1, but theoretically the behavior should be the same with other artifacts as well.
Here, steps 1-6 involve configuring the Cloud IDP in HANA, and steps 7-14 involve BOE platform related configuration.
Step 1: Configure IDP of my choice in HANA XS admin page by importing the IDP metadata xml. This IDP should be my Cloud IDP such as SAP Cloud IDP or ADFS.
This will look something like:
Step 2: Upload the certificate of your IDP in the HANA truststore in HANA Web Dispatcher Admin Page.
Step 3: Map the IDP and external identity (IDP user) with your HANA user in HANA Studio.
Step 4: Enable SAML authentication and map the HANA XS artifact with the IDP created above, by logging in to the HANA XS admin page and navigating to XS artifact administration.
Step 5: Do the required configuration on your IDP for the HANA XS SP.
Step 6: To check if the entire configuration is successfully done, access the below URL for HANA HTTP Connection:
On hitting the URL, I should be re-directed to my IDP logon screen, something like,
or if SSO is configured, it will directly log me in.
On successful authentication, it should display something like:
Step 7: Go to BOE -> CMC -> Applications -> HANA Authentication. Create a new HANA HTTP(s) connection by providing all the details and generating the certificate.
Note: The HTTP/HTTPS connection type, in addition to JDBC, for Test Connection from BOE Platform to HANA for SAML SSO was introduced in 4.2 SP04.
Step 8: Copy the certificate generated above and import it into the HANA truststore, similar to step 2.
Step 9: Open HANA Studio. Go to Security -> SAML Identity Providers tab and click on new entry. Provide the IDP details from the certificate generated in the BOE platform.
Step 10: Map this IDP and external identity (BOE user) with HANA user, like what was done in step 3 above.
Step 11: Do a Test Connection in BOE for the connection created in Step 5 above. The status should be Success.
Step 12: Create a new HANA HTTP OLAP connection by navigating to BOE -> CMC -> OLAP connection.
Step 13: Launch Analysis Office and connect to BOE platform. It will list the connection created in the step above.
Step 14: Double clicking the connection will log you in to HANA through SAML SSO, without prompting for user/password.
In case I want to configure more than 1 BOE landscape as an IDP for the HANA XS artifact, I can repeat from step 7 onwards.
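The provider entry and user mappings from steps 3, 9 and 10 can also be expressed and reviewed in HANA SQL. This is an added example, not part of the original post; the provider names, certificate DNs, user name and external identities are constructed placeholders.

```sql
-- Constructed placeholders throughout: CLOUD_IDP, BOE_IDP, REPORT_USER,
-- the certificate subject/issuer DNs and the external identities.

-- One SAML provider entry per IdP signing certificate (step 9 for BOE;
-- the cloud IdP entry is shown in the same form for comparison).
CREATE SAML PROVIDER CLOUD_IDP
  WITH SUBJECT 'CN=cloud-idp.example.com, O=Example, C=DE'
  ISSUER  'CN=Example Root CA, O=Example, C=DE';

CREATE SAML PROVIDER BOE_IDP
  WITH SUBJECT 'CN=boe.example.com, O=Example, C=DE'
  ISSUER  'CN=boe.example.com, O=Example, C=DE';

-- Steps 3 and 10: the same HANA user gets one external identity per IdP.
ALTER USER REPORT_USER ENABLE SAML;
ALTER USER REPORT_USER
  ADD IDENTITY 'report.user@example.com' FOR SAML PROVIDER CLOUD_IDP;
ALTER USER REPORT_USER
  ADD IDENTITY 'report_user' FOR SAML PROVIDER BOE_IDP;

-- Review: every (user, provider, external identity) triple that can log in,
-- with the certificate subject and issuer HANA will accept for it.
SELECT m.USER_NAME,
       m.SAML_PROVIDER_NAME,
       m.EXTERNAL_IDENTITY,
       p.SUBJECT_NAME,
       p.ISSUER_NAME
FROM   SYS.SAML_USER_MAPPINGS AS m
JOIN   SYS.SAML_PROVIDERS     AS p
       ON p.SAML_PROVIDER_NAME = m.SAML_PROVIDER_NAME
ORDER  BY m.USER_NAME, m.SAML_PROVIDER_NAME;

-- Review: HANA users reachable through more than one IdP.
SELECT USER_NAME, COUNT(DISTINCT SAML_PROVIDER_NAME) AS PROVIDER_COUNT
FROM   SYS.SAML_USER_MAPPINGS
GROUP  BY USER_NAME
HAVING COUNT(DISTINCT SAML_PROVIDER_NAME) > 1;
```

Each mapping lets that IdP assert the mapped HANA user, so the review queries are worth rerunning whenever another BOE landscape is added from step 7 onwards.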