Author: Christian Schmitz

SAML SSO for Analysis Office 2.x with BI Platform and HANA

This article describes the mandatory configuration steps for the setup of SAML SSO between BI Platform and SAP HANA with Analysis Office.

Step 1: Create OLAP Connection

  1. Open CMC and create a new OLAP connection of type “SAP HANA http”
  2. Enter the fully qualified HANA host name and HTTP port
  3. Select SSO as authentication
  4. Save the connection

 

Step 2: Create Certificate

  1. Open HANA XS Admin UI in the browser to find the name of the HANA service provider: http://<hana_host>:<hana_port>/sap/hana/xs/admin/#/samlSP (the user needs the role “sap.hana.xs.admin.roles::SAMLAdministrator”)
  2. In this example the name is S1222
  3. Go back to CMC and open “Applications -> HANA Authentication”
  4. Create new connection
  5. Enter exactly the same host name and port as in step 1.2
  6. Enter a name for the unique identity provider ID. You can choose an arbitrary name here, but it should reflect your BI Platform system.
  7. Enter the service provider name
  8. Click on the “Generate” button to generate a certificate
  9. Copy the certificate to a text file
  10. Click Ok

Step 3: Import Certificate

  1. Open the Web Dispatcher Administration UI (http://<hana_host>:<hana_port>/sap/hana/xs/wdisp/admin/public/default.html) in your browser. The user needs the role “sap.hana.xs.wdisp.admin::WebDispatcherAdmin”
  2. Go to “PSE Management”
  3. Select “sapsrv.pse” in the dropdown box
  4. Click on “Import Certificate” and paste the certificate content of step 2.9
  5. Click on “Import”
  6. After that you should see the certificate metadata
  7. Copy the content of the “Subject” field. In my example it is “C=CA, SP=BC, O=SAP, OU=BOE, CN=BIP_IDP”
  8. Restart the “webdispatcher” and “xsengine” service of your HANA server.

Step 4: Create Identity Provider

  1. Open the HANA XS Admin UI: http://<hana_host>:<hana_port>/sap/hana/xs/admin/#/samlIDP/0
  2. Create a new identity provider for your BI Platform system
  3. Enter the name of the identity provider from step 2.6
  4. Enter the subject from step 3.7 for both Subject and Issuer
  5. For all other fields just enter “/”. For our use case the fields are not needed

Step 5: Assign identity provider to InA Service

  1. Navigate to http://<hana_host>:<hana_port>/sap/hana/xs/admin/#/package/sap.bc.ina.service.v2
  2. Enable SAML authentication and select your SAML Identity Provider. Important: please ensure that you only activate your SAML Identity Provider for the “sap.bc.ina.service.v2” package.

Step 6: Map the BI Platform user to your HANA user

  1. Go to HANA Studio
  2. Open your user and mark the “SAML” checkbox
  3. Click on “Configure” and Add a new mapping
  4. Select your Identity Provider
  5. Enter the name of your BI Platform user. The name is case-sensitive: if your user is named “Smith”, enter it exactly that way. If you enter “smith” or “SMITH”, the logon will not work later.

After all those steps, the SSO procedure should work in Analysis Office. If the SSO logon is not working, the HANA “xsengine” trace contains valuable information about the root cause. To get all details in the trace, set the trace level of all “authentication” components in the XSENGINE trace configuration to DEBUG.
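If the logon fails, the values entered in steps 4 and 6 can also be checked directly in the HANA system views. The following SQL is an added example, not part of the original post; the provider name MY_BIP_IDP and the user MYHANAUSER are placeholders, and the views SYS.SAML_PROVIDERS, SYS.SAML_USER_MAPPINGS and SYS.USERS with the columns shown are assumed to be available in your HANA release.

```sql
-- Added example: read-only checks of the SAML setup from steps 4 and 6.
-- Assumed placeholder values (replace with your own):
--   'MY_BIP_IDP'  identity provider name chosen in step 2.6 (hypothetical)
--   'MYHANAUSER'  HANA user mapped in step 6 (hypothetical)
--   'Smith'       BI Platform user name, as in the article's example
-- The DN below is the example certificate subject from step 3.7.

-- 1. Subject and Issuer must both equal the certificate subject (step 4.4).
SELECT SAML_PROVIDER_NAME,
       SUBJECT_NAME,
       ISSUER_NAME,
       CASE
         WHEN SUBJECT_NAME = 'C=CA, SP=BC, O=SAP, OU=BOE, CN=BIP_IDP'
          AND ISSUER_NAME  = 'C=CA, SP=BC, O=SAP, OU=BOE, CN=BIP_IDP'
         THEN 'OK'
         ELSE 'MISMATCH'
       END AS DN_CHECK
  FROM SYS.SAML_PROVIDERS
 WHERE SAML_PROVIDER_NAME = 'MY_BIP_IDP';

-- 2. SAML logon must be enabled for the HANA user (step 6.2).
SELECT USER_NAME, IS_SAML_ENABLED
  FROM SYS.USERS
 WHERE USER_NAME = 'MYHANAUSER';

-- 3. The external identity must match the BI Platform user name exactly
--    (step 6.5). The WHERE clause ignores case so that near misses such as
--    'smith' or 'SMITH' are listed and flagged instead of being hidden.
SELECT USER_NAME,
       SAML_PROVIDER_NAME,
       EXTERNAL_IDENTITY,
       CASE WHEN EXTERNAL_IDENTITY = 'Smith'
            THEN 'OK' ELSE 'CASE MISMATCH' END AS NAME_CHECK
  FROM SYS.SAML_USER_MAPPINGS
 WHERE UPPER(EXTERNAL_IDENTITY) = UPPER('Smith');

-- 4. Audit: every HANA user that can log on through this identity provider.
SELECT m.USER_NAME, m.EXTERNAL_IDENTITY, u.IS_SAML_ENABLED
  FROM SYS.SAML_USER_MAPPINGS m
  JOIN SYS.USERS u ON u.USER_NAME = m.USER_NAME
 WHERE m.SAML_PROVIDER_NAME = 'MY_BIP_IDP'
 ORDER BY m.USER_NAME;
```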

The admin applications in CMC and HANA may look slightly different depending on the versions you use.

      19 Comments
      Henry Banks

      very helpful, thank you Christian!

      Venkata Subhash Medisetty

      Nice one Christian 🙂

      Alex Smith

      Christian,

      Very helpful thank you. There could be a prerequisite to enable HANA http connections in mdas.properties on the BOBJ side.

      Thanks

      Christian Schmitz
      Blog Post Author

      Hi Alex,

      yes, that is correct. In the newer versions the HANA http connection is visible by default. That's why I forgot this point.

      Best regards, Christian

      Utente Vimar Generico Utente Vimar Generico

      Hi Christian,

      thanks for the guide.

      I configured the SSO between BI Platform 4.2 and AFO and all works well with an Admin user, or a user belonging to the Administrators group. Do you know what roles/privileges we need to configure for a user in the CMC Console to access the HANA connections?

       

      Best regards,

      Denis.

       

      Christian Schmitz
      Blog Post Author

      Hi Denis,

      I'm sorry but I do not know this in detail. The BI Platform Administrator guide should give you answers here.

      Best regards, Christian

      Chinmay Vyas

      Hi Christian,

       

      Thanks a lot for this blog. I have set up the SSO between AO and HANA with your help. I noticed that after I did this, my XS Engine stopped working. I am not able to see the Login screen for XSEngine.

       

      Regards,
      Chinmay Vyas

      Christian Schmitz
      Blog Post Author

      Hi Chinmay,

      it is important that you enable SAML only for package 'sap.bc.ina.service.v2' and not for the root package 'sap' (see step 5).

      Best regards, Christian

      Chinmay Vyas

      Thanks Christian,  You are right, that was the issue.  I resolved it by setting the SAML for service.v2.

      Thanks.

      Chinmay Vyas

      Utente Vimar Generico Utente Vimar Generico

      Hi Christian,

      I'm here again to ask your support.

      As I said, I configured the SSO between BI Platform 4.2 and AFO SP02 Patch 1 and all worked well. I have tried to upgrade the client to version 2.5 SP03 Patch0 and also to version 2.6 SP00 Patch0. After the upgrade SSO stops working.

      Any clue?

      Thanks a lot,

      Denis.

       

      Christian Schmitz
      Blog Post Author

      Hi,

      unfortunately this is a regression in 2.5 SP03 and 2.6 SP00. It will be fixed with a patch for both SPs. As soon as I have more details I will post it here.

      Best regards, Christian

      Utente Vimar Generico Utente Vimar Generico

      Ok Christian,

      thank you very much for your support.

       

      Best regards,
      Denis.

       

      Christian Schmitz
      Blog Post Author

      FYI: 2.5 SP03 Patch 1 is now available on SMP. This version will fix the regression and SSO is possible again.

      Best regards, Christian

      Arne Vanhoof

      Thanks for this guide. Very useful.

      I followed it step by step.
      However, when I test it in Analysis for Office I get the following error:

      "cannot handle redirect from http/https protocols to other dissimilar ones.

      Invalid url: the hostname could not be parsed".

      Any idea what's going wrong?

      When in CMC, Applications, HANA Authentication and when I test it for a specific user it's working perfectly.

      Is it correct that the BO user mapped to a user in HANA does not need to have the same username?

      Christian Schmitz
      Blog Post Author

      Hi Arne,

      do you still have this issue or has it been solved in the meantime?

      Best regards, Christian

      Dayanand Gavas

      Hi Arne,

      Can you please post how this was resolved for you? I'm getting this same error "Cannot handle redirect from HTTP/HTTPS protocols to other dissimilar ones. Invalid URI: The hostname could not be parsed."

      Thanks,

      Daya

       

      Fincher Curtis

      Hi Christian,

       

      Would this method be applicable to my scenario? We have S4 hana 1709 with BI embedded.

      I have SSO for GUI running using SNC, it is authenticating against our Solman java system to work with Okta.

      Have you worked on this scenario by any chance?

       

      Christian Schmitz
      Blog Post Author

      Hi Curtis,

      to be honest I did not get your described scenario.

      Kind regards, Christian

      Koushik Maiti

      This guide is very helpful. In case someone needs to set up both A-Office and SAC or multiple BOBJ systems, the guide below helped me to achieve this without setting up SAML for ‘sap.bc.ina.service.v2’:

      https://blogs.sap.com/2017/06/05/multiple-idps-for-hana-xs-artifact-businessobjects-enterprise-platform-perspective/