Author: Jagdeesh Neelakantan

SSO Setup for SAP Analytics Cloud using okta as an Identity Provider

This blog post is intended to help customers using okta as an IDP to configure SAML SSO between SAP Analytics Cloud and SAP HANA.

The setup of SSO between SAP Analytics Cloud (SAC) and HANA is divided into two parts:

  1. Setup of SSO between the IDP and SAC using SAML
  2. Setup of Live Connection between SAC and SAP HANA on-premise

Part 1. Setup of SSO between the IDP and SAC.

a. Log in to the SAC application as an administrator and navigate to System -> Administration -> Security.

b. Click on Edit connection and choose SAML Single Sign-On.

c. Download the service provider metadata.

This process downloads a metadata file similar to this (host names and certificate redacted):

<ns3:EntityDescriptor
    xmlns:ns2="http://www.w3.org/2001/04/xmlenc#"
    xmlns="http://www.w3.org/2000/09/xmldsig#"
    xmlns:ns4="urn:oasis:names:tc:SAML:2.0:assertion"
    xmlns:ns3="urn:oasis:names:tc:SAML:2.0:metadata"
    ID="S9653fde0-4faa-4ab4-bf3b-08cf21cb7715" entityID="XXXX.XXXX.XXXX">
  <ns3:SPSSODescriptor AuthnRequestsSigned="true" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <ns3:KeyDescriptor use="signing">
      <KeyInfo>
        <KeyName>XXXX.XXXX.XXXX</KeyName>
        <X509Data>
          <X509Certificate>MIIC9DCCAdygAwIBAgIIQUUHCtq7+SwwDQYJKoZIhvcNAQELBQAwOjE4MDYGA1UEAxMvaHR0cHM6Ly9hY2NvdW50LnVzMS5oYW5hLm9uZGVtYW5kLmNvbS9iZThhMTM2YWYwHhcNMTYxMDIwMDA0ODE1WhcNMTcxMDIwMDA0ODE1WjA6MTgwNgYDVQQDEy9odHRwczovL2FjY291bnQudXMxLmhhbmEub25kZW1hbmQuY29tL2JlOGExMzZhZjCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAJj8+qGY4Y3ONYUpYOwMWyAG7t80DQnLh92ynfMtj8gZAvTijEdgZ896THWZxNg3P+xxxx.xxxx.xxxx+PECAwEAATANBgkqhkiG9w0BAQsFAAOCAQEALcIqrJ40yhqswKXsCnORSuQqmhwj7PKM0DBxSRq9JWMl31iEjsPc2J7Ywz4opgILQYiFgSb2HON0iyKD1QyZJaA9OR0apjOcc/XXX.XXPeO0OA/Db4vv+PV4EM3C0D+yFwnlKvTIT39jH2yxHGWKiQKcow==</X509Certificate>
        </X509Data>
      </KeyInfo>
    </ns3:KeyDescriptor>
    <ns3:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://xxxx.xxxx.xxxx"/>
    <ns3:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://xxxx.xxxx.xxxx"/>
    <ns3:AssertionConsumerService index="0" isDefault="true" Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://xxxx.xxxx.xxxx"/>
  </ns3:SPSSODescriptor>
</ns3:EntityDescriptor>

d. In your okta system, add a new application and enter the values requested by the okta application.

Ensure that you fill in the values based on the metadata.xml downloaded from the SAC application.

e. Create a .der file, e.g. SAC.der, and create a certificate like this:

-----BEGIN CERTIFICATE-----

<Include your certificate from the metadata file that was generated>

-----END CERTIFICATE-----

f. Upload the certificate in the SAML settings of the okta application.

g. Click on Next and Finish to create an application in okta.

h. Map the application to send either the email-id, the user-id, or a Custom SAML user Mapping. Your okta administrator should be able to take care of this part.

i. You should now be able to download a Metadata file from okta.

j. Upload this metadata file into your SAC application under the SAML SSO configuration.

k. Choose a user attribute to map to your identity provider.

l. Verify your account with the identity provider.

m. Once the account is verified Save the settings.

n. You should now be able to sign on to SAC via SSO with your okta credentials.
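Several of the comments below ask which parts of the SAC metadata go into which okta fields. The following added example (not code from the original post, nor from SAP or Okta) parses service-provider metadata of the shape shown in step c with Python's standard library, returns the entity ID, the HTTP-POST assertion consumer URL and the single-logout URLs, and wraps the embedded signing certificate in the BEGIN/END CERTIFICATE armour that step e asks for. The labels "Single sign on URL" and "Audience URI (SP Entity ID)" are the okta form fields mentioned in the comments; "Single Logout URL" is assumed to be the matching okta field when single logout is enabled. The sample document, the host name sac.example.invalid and the placeholder certificate body are constructed for illustration.

```python
"""Pull the okta-side values out of SAC service-provider metadata.

Added example, not code from the original blog post or from SAP/Okta.
It assumes the metadata has the shape shown in the post (SAML 2.0
metadata namespace, xmldsig KeyInfo); the sample document and the
host name sac.example.invalid are constructed for illustration.
"""
import base64
import binascii
import textwrap
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
HTTP_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
HTTP_REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"

# Constructed placeholder certificate body: valid base64, not a real X.509 cert.
SAMPLE_CERT_B64 = base64.b64encode(
    b"constructed placeholder bytes standing in for the SAC signing certificate"
).decode("ascii")

# Constructed sample with the same structure as the SAC metadata in the post.
SAMPLE_METADATA = f"""<ns3:EntityDescriptor xmlns="{NS['ds']}" xmlns:ns3="{NS['md']}"
    ID="S-constructed" entityID="sac.example.invalid">
  <ns3:SPSSODescriptor AuthnRequestsSigned="true"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <ns3:KeyDescriptor use="signing">
      <KeyInfo>
        <KeyName>sac.example.invalid</KeyName>
        <X509Data><X509Certificate>
          {SAMPLE_CERT_B64}
        </X509Certificate></X509Data>
      </KeyInfo>
    </ns3:KeyDescriptor>
    <ns3:SingleLogoutService Binding="{HTTP_POST}" Location="https://sac.example.invalid/saml/slo"/>
    <ns3:SingleLogoutService Binding="{HTTP_REDIRECT}" Location="https://sac.example.invalid/saml/slo"/>
    <ns3:AssertionConsumerService index="0" isDefault="true" Binding="{HTTP_POST}"
        Location="https://sac.example.invalid/saml/acs"/>
  </ns3:SPSSODescriptor>
</ns3:EntityDescriptor>"""


def parse_sp_metadata(xml_text: str) -> dict:
    """Return the values the IdP needs, taken from SAC's SP metadata."""
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{NS['md']}}}EntityDescriptor":
        raise ValueError("root element is not a SAML EntityDescriptor")
    sp = root.find("md:SPSSODescriptor", NS)
    if sp is None:
        raise ValueError("no SPSSODescriptor: this is not service-provider metadata")

    # okta posts the assertion to the HTTP-POST AssertionConsumerService;
    # prefer the one SAC flags as isDefault when several are listed.
    acs = [e for e in sp.findall("md:AssertionConsumerService", NS)
           if e.get("Binding") == HTTP_POST]
    acs.sort(key=lambda e: e.get("isDefault") != "true")
    if not acs:
        raise ValueError("no HTTP-POST AssertionConsumerService in metadata")

    slo = {e.get("Binding"): e.get("Location")
           for e in sp.findall("md:SingleLogoutService", NS)}

    cert = sp.find("md:KeyDescriptor[@use='signing']/ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS)
    if cert is None or not cert.text:
        raise ValueError("no signing certificate in metadata")

    return {
        "entity_id": root.get("entityID"),
        "acs_url": acs[0].get("Location"),
        "slo_url_post": slo.get(HTTP_POST),
        "slo_url_redirect": slo.get(HTTP_REDIRECT),
        # SAC signs its AuthnRequests, so the IdP must hold the SP certificate.
        "authn_requests_signed": sp.get("AuthnRequestsSigned") == "true",
        # The certificate may be line-wrapped inside the element; squash whitespace.
        "signing_cert_b64": "".join(cert.text.split()),
    }


def okta_fields(meta: dict) -> dict:
    """Map metadata values onto the okta SAML app fields named in the post's comments."""
    return {
        "Single sign on URL": meta["acs_url"],
        "Audience URI (SP Entity ID)": meta["entity_id"],
        # Assumed okta field label; only relevant if single logout is enabled on the app.
        "Single Logout URL": meta["slo_url_post"],
    }


def to_pem(cert_b64: str) -> str:
    """Wrap the base64 certificate from the metadata in PEM armour (step e).

    Strict base64 decoding rejects a metadata file whose certificate is
    still a redacted XXXX placeholder instead of producing a broken file.
    """
    try:
        raw = base64.b64decode(cert_b64, validate=True)
    except binascii.Error as exc:
        raise ValueError(f"certificate text is not valid base64: {exc}") from None
    lines = textwrap.wrap(base64.b64encode(raw).decode("ascii"), 64)
    return "-----BEGIN CERTIFICATE-----\n" + "\n".join(lines) + "\n-----END CERTIFICATE-----\n"


if __name__ == "__main__":
    meta = parse_sp_metadata(SAMPLE_METADATA)
    for field, value in okta_fields(meta).items():
        print(f"{field}: {value}")
    print(to_pem(meta["signing_cert_b64"]))
```

To use it on a real download, pass the file contents to parse_sp_metadata(open("metadata.xml").read()) and write the string returned by to_pem to the file you upload in step f. The post names that file SAC.der, but what step e describes (BEGIN/END CERTIFICATE markers around base64) is PEM text, and that is what this function produces regardless of the extension you choose.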

Part 2. Setup of Live Connection between SAC and SAP HANA on-premise

Follow the official SAP documentation to set up the live connection between SAC and SAP HANA using a direct connection: https://help.sap.com/viewer/00f68c2e08b941f081002fd3691d86a7/release/en-US/58c890e1c89d41e69b2cec31bac2d95f.html

You have now configured SSO between your SAC and HANA using the Okta IDP.

You can go ahead and create models based on the newly created HANA connection, as well as create stories and DiBO with this connection.

Additional helpful articles:

1. SAML authentication in SAP Analytics Cloud

https://blogs.sap.com/2017/07/13/saml-authentication-in-sap-analytics-cloud/

2. Multiple IDP’s for HANA XS Artifact – BusinessObjects Enterprise Platform Perspective

https://blogs.sap.com/2017/06/05/multiple-idps-for-hana-xs-artifact-businessobjects-enterprise-platform-perspective/

3. KBA 2487116 for AD FS configuration and KBA 2487567 with steps on troubleshooting SAML.

16 Comments

Henry Banks

      Great stuff Jagdeesh, thank you! Regards, H

Jagdeesh Neelakantan
Blog Post Author

      Thanks Henry!

Srikanth Madhunantuni

      Hi Jagdeesh,

I have done the SAML configuration for SAP HANA 2.0, but I am getting a 403 forbidden error. Can you please help: which URL should I mention in the single sign-on URL field and the audience URI field in okta, and for which package in XS administration should I enable SAML authentication?

Katy Carrillo

Do you have more details on which sections in the XML are used in each field on the OKTA side?

That would be very helpful! Thank you!

Koushik Maiti

A few notes for mapping AD groups to Teams/Roles when OKTA is used as IDP.

1. We need to have Groups=sac as a static user attribute, not under Group Attribute Statement.
2. The attributes 'custom1', 'custom2' etc. need to be under Group Attribute Statement, with the AD groups comparison.

Ivelina Kirilova

      Thank you for the nice article! It helped me a lot!

I have a few things to add:

1. First of all, it was a bit difficult to understand in which tag of the SAC XML file the information needed in a specific Okta field is. In the beginning we mixed up some of the fields.
2. I don't know how it was when this article was written, but now Okta has a Classic View and a Developer console, and you can only create apps like this in the Classic view.
3. I needed to set up SSO with SAP BW and I used the tutorials provided in SAC. I configured SAML 2.0 local and trusted providers, but the SAML 2.0 activation changed the default SOAP way of communication and our POS server stopped communicating with the BW PIPE. To fix the problem I changed the SOAP service setting to use SAML 1.1. Otherwise, BW always connects to Okta and pops up an error, because the sales server's user is not in the Okta users list and the machine isn't added as an app there.

Jagdeesh Neelakantan
Blog Post Author

      Thanks for your points, Ivelina. Yes, the blog was written nearly 4 years ago and I am sure that there are certain changes expected in the configuration mechanism.

      Regards,

      Jagdeesh

Abdus-Samad Peera

      Hi Jagdeesh

Just a little clarification on SSO. It sounds like the users have to be manually created/uploaded to SAC besides being created in Okta. In my previous experience with BOBJ, you didn't have to do that once the user was defined in Active Directory and SSO was set up. New users got imported into BOBJ whenever new users were added in AD (through a BOBJ background process). Could you please clarify that for me? Is there a way to automate this process (without manually creating users in SAC) once the SSO is set up?

      Thanks

      Abdul

Jagdeesh Neelakantan
Blog Post Author

      Hi Abdus-Samad,

      Kindly see the best practice section of this article where Matthew explains the Dynamic User Creation for automatic user creation in SAC - https://wiki.scn.sap.com/wiki/display/BOC/SAP+Analytics+Cloud+-+Managing+Licenses+with+Roles+and+Teams

      Cheers,

      Jagdeesh

Vi Tran

As Jagdeesh Neelakantan stated, Matthew's article helps in understanding the process for setting up users that are created automatically via Okta. One option you need to make sure is set: in Step 3 you have "Custom SAML user mapping" and check the "Dynamic User Creation" option to have users automatically created within SAC.

Karthick Balakrishnan

      Hi Jagdeesh,

I am trying to refer to the steps for , but the link is not currently available. Could you please help me by providing the document link for the OKTA IDP?

      Part 2. Setup of SSO between the IDP and HANA.

      a. Refer to the documentation available here to set up SAML SSO between IDP and HANA https://help.sap.com/http.svc/rc/00f68c2e08b941f081002fd3691d86a7/release/en-US/780842e11ee44dd6b5e7bd23cf393aff.html

Jagdeesh Neelakantan
Blog Post Author

      Hi Karthick,

      I have updated the blog to reflect the current official documentation and removed the link that wasn't working.

      -Jagdeesh

Joseph yeruva

      Hi Jagdeesh,

I am trying to refer to the steps for , but the link is not currently available. Could you please help me by providing the document link for OKTA IDP to HANA?

      Part 2. Setup of SSO between the IDP and HANA.

      Regards,

      Joseph

Jagdeesh Neelakantan
Blog Post Author

      Hi Joseph,

      Let me check with my HANA team for the updated link and edit the blog to include the new link.

      Regards,

      Jagdeesh

Jagdeesh Neelakantan
Blog Post Author

      New link updated in the blog.

Former Member

      Great post!

I am trying to set up SAC with OKTA but I cannot derive the URLs required for the OKTA application.

Can we get an example of the

Sign on URL

Entity ID

Sign out URL

required by the OKTA application?

How do we get them from the SAC metadata?

      Thanks