Skip to Content

SAML SSO for Analysis Office 2.x with BI Platform and HANA

This article describes the mandatory configuration steps for the setup of SAML SSO between BI Platform and SAP HANA with Analysis Office.

Step 1: Create OLAP Connection

  1. Open CMC and create a new OLAP connection of type “SAP HANA http”
  2. Enter the fully qualified HANA host name and HTTP port
  3. Select SSO as authentication
  4. Save the connection


Step 2: Create Certificate

  1. Open HANA XS Admin UI in the browser to find the name of the HANA service provider: http://<hana_host>:<hana_port>/sap/hana/xs/admin/#/samlSP (the user needs the role “sap.hana.xs.admin.roles::SAMLAdministrator”)
  2. In this example the name is S1222
  3. Go back to CMC and open “Applications -> HANA Authentication”
  4. Create new connection
  5. Enter the exact same host name and exact same port like in step 1.2
  6. Enter a name for the unique identity provider ID. You can choose a arbitrary name here. It should somehow reflect you BI Platform system.
  7. Enter the service provider name
  8. Click on the “Generate” button to generate a certificate
  9. Copy the certificate to a text file
  10. Click Ok

Step 3: Import Certificate

  1. Open the Web Dispatcher Administration UI (http://<hana_host>:<hana_port>/sap/hana/xs/wdisp/admin/public/default.html) in your browser. The user needs the role “sap.hana.xs.wdisp.admin::WebDispatcherAdmin”
  2. Go to “PSE Management”
  3. Select “sapsrv.pse” in the dropdown box
  4. Click on “Import Certificate” and paste the certificate content of step 2.9
  5. Click on “Import”
  6. After that you should see the certificate metadata
  7. Copy the content of the “Subject” field. In my example it is “C=CA, SP=BC, O=SAP, OU=BOE, CN=BIP_IDP”
  8. Restart the “webdispatcher” and “xsengine” service of your HANA server.

Step 4: Create Identity Provider

  1. Open the HANA XS Admin UI: http://<hana_host>:<hana_port>/sap/hana/xs/admin/#/samlIDP/0
  2. Create a new identity provider for your BI Platform system
  3. Enter the name of the identity provider from step 2.6
  4. Enter the subject from step 3.7 both for Subject and Issues
  5. For all other fields just enter “/”. For our use case the fields are not needed

Step 5: Assign identity provider to InA Service

  1. Navigate to http://<hana_host>:<hana_port>/sap/hana/xs/admin/#/package/sap.bc.ina.service.v2
  2. Enable SAML authentication and select your SAML Identity Provider. Important: please ensure that you only activate your SAML Identity Provider for the “sap.bc.ina.service.v2” package:

Step 6: Map the BI Platform user to your HANA user

  1. Go to HANA Studio
  2. Open your user and mark the “SAML” checkbox
  3. Click on “Configure” and Add a new mapping
  4. Select your Identity Provider
  5. Enter the name of your BI Platform user. You have to enter it case sensitive way. If your user is named “Smith” then you should enter it exactly this way. When you enter “smith” or “SMITH” it will not work later.

After all those steps the SSO procedure should work in Analysis Office. In case the SSO logon is not working the HANA “xsengine” trace contains valueable information about the root cause. In order to get all details in the trace you should set the trace level of all “authentication” components in the XSENGINE trace configuration to trace level DEBUG.

The used admin applications in CMC and HANA may look slightly different depending on your used versions.

You must be Logged on to comment or reply to a post.
  • Christian,

    Very helpful thank you. There could be a prerequisite to enable HANA http connections in on the BOBJ side.


    • Hi Alex,

      yes, that is correct. In the newer versions the HANA http connection is visible per default. That’s why I forgot this point.

      Best regards, Christian

  • Hi Christian,

    thanks for guide.

    I configurated the SSO between BI Platform 4.2 and AFO and all works well with a Admin user, or a user belonging to the Administrators group. Do you know what roles/privilegies we need to configure to a user in CMC Console to access to the hana connections?


    Best regards,



  • Hi Christian,


    Thanks a lot for this blog.  I have set up the SSO between AO and HANA with your help.  I noticed that after I did this, MY XS Engine stopped working. I am not able to see the Login screen for XSEngine.


    Chinmay Vyas

  • Hi Christian,

    I’m here again to ask your support.

    As I said I configurated the SSO between BI Platform 4.2 and AFO SP02 Patch 1 and all worked well. I have tried to upgrade the client to version 2.5 SP03 Patch0 and also to version 2.6 SP00 Patch0. After the upgrade SSO stops to work.

    Any clue?

    Thanks a lot,



  • Thanks for this guide. Very useful.

    I followed it step by step.
    However when I test it in analysis for office I get following error:

    “cannot handle redirect from http/https protocols to other dissimilar ones.

    Invalid url: the hostname could not be parsed”.

    Any idea what’s going wrong?

    When in CMC, Applications, HANA Authentication and when I test it for a specific user it’s working perfectly.

    It’s correct the mapped BO user to a user in HANA does not need to have the same username?