AppToAppSSO between SAP Cloud Platform and SAP HANA DB
HTML5 or Java based application deployed in SAP Cloud Platform fetch data from backend source, display it in application. There are different methods to establish connection between two applications in SCP. One such method is using destination which is a service offered by SAP Cloud platform.
Using Destination in SCP you can connect Application hosted on SCP with other application or DB using HTTP, LDA, MAIL & RFC.
Destination service offers different types of authentication based on the connection type used to connect source system.
In this topic we are going to see how to establish AppToAppSSO authentication in destination, which connects application deployed in SAP Cloud Platform to HANA DB.
Application to Application SSO is an authentication mechanism available for an HTTP destination to propagate application user from SCP to SAP HANA. AppToAppSSO has a trust relationship setup in XS like other SAML-based IdP.
Here the propagated user information can contain more information than just the user’s login name. Additional user attributes are also forwarded with the SAML Assertion. Therefore, the SAP HANA instance must be properly setup for SAML-based authentication as one of the following prerequisites.
- You have access to SAP Cloud Platform with administration role or manage destination role in respective subaccount in which the destination is created.
- A HTML5 application or Java application is deployed in SAP Cloud platform NEO subaccount.
- Destination must be created in the same SCP subaccount where the application is deployed.
- HANA DB deployed in SAP Cloud Platform in NEO environment is the backend system from which application fetch and post data.
- Make sure your HANA DB user has required roles to access the XS Admin tool, add all roles in SAP HANA Studio containing “xs.admin” to the user.
STEP 1: Configure Trust Management settings in SAP Cloud platform.
1.1) Open the respective subaccount in SCP where the application is deployed, navigate to Security->Trust it takes to Trust Management screen.
1.2) In Local service provider tab change configuration type from Default to Custom & click Generate key pair and Save the settings.
1.3) Click Download metadata to download the metadata of subaccount in SAP Cloud Platform. Save this metadata on local desktop because this metadata will be used in next steps to establish trust in HANA XS.
1.4) By choosing Custom provider setting for SCP subaccount we need to define your own identity provider like Corporate IdP or SAP Cloud identity provider in Application Identity provider in trusted identity provider tab. If you plan to use SAP ID service as IdP then you must switch back Configuration type from Custom to Default and save the settings again. By Switching back to Default the custom changes made in step 1.2 is not lost and the downloaded metadata can be used for SAML authentication.
1.5) In this this example, I am using SAP Cloud Platform Identity provider, so I have updated the metadata downloaded from SAP Cloud Platform Identity provider and uploaded the same by clicking Add trusted Identity Provider in Application Identity provider tab. (Configuring external IdP for SAP Cloud platform is a separate topic which we will discuss in another thread).
STEP 2: Configure Trust management in HANA XS admin
2.1) Identity provider settings in HANA DB is configured in HANA XS admin. Make sure the HANA user id you use have access XS admin roles.
2.2) Login to HANA XS admin using the URL https://<HANA-SID><subaccount-technical-name>.hanatrial.ondemand.com/sap/hana/xs/admin/
2.3) From menu of XS admin navigate to SAML Service Provider, define name and Organization name details in Service Provider information. Here the name can be any name of your choice and it is used to identify this system during trust call.
2.4) In XS admin now navigate to SAML identity provider, Click + in SAML identity provider list and copy past the metadata of the system which HANA DB will use as IdP to authenticate. In our case add the metadata that you download in step 1.3, so the HANA DB will now trust the request from SAP sub-account based on SAML identity provider.
2.5) Click on Save to store your settings. This SAML IdP setting in HANA can be verified by running the sql command SELECT * FROM _SYS_XS.HTTP_DESTINATIONS in SAP HANA Studio.The view _SYS_XS.HTTP_DESTINATIONS shows the details of the newly added SAML identity provider.
STEP 3: Configure Destination in SAP Cloud Platform Subaccount
3.1) Open the subaccount in SAP Cloud Platform and navigate to Connectivity -> Destination and click New Destination
3.2) Specify a Name for destination, choose type as HTTP, authentication as AppToAppSSO, URL – define the URL to access HANA DB (eg: https://<HANA-SID><subaccount-technical-name>. hanatrial.ondemand.com)
3.3) The important additional property is saml2_audience, here you give the HANA service provider name that you defined in step 2.3 as value for saml2_audience and click SAVE to create destination in SCP.
3.4) Once the destination is created, this destination name will be called in application deployed in SAP Cloud platform to fetch data from backend HANA DB.
STEP 4: Configure SAML for HANA Package in XS admin
4.1) Now we define the SAML authentication for the package in HANA DB from which application in SCP fetch data using AppToAppSSO.
4.2) Login to HANA XS admin using the URL https://<HANA-SID><subaccount-technical-name>.hanatrial.ondemand.com/sap/hana/xs/admin/
4.3) In XS admin menu, navigate to XS Artifact Administration and select the HANA package which application use to fetch data. Select the SAML authentication check box and add the SAML identity provider added to HANA DB in step 2.4 and SAVE the changes.
STEP 5: Configure SAML for HANA DB user
5.1) We use AppToAppSSO between application deployed in SAP Cloud Platform and HANA DB, so the Identity Provider (Either SAP Default SAP ID service user or Custom Identity Provider user) user used to authenticate the application in SCP will be propagated through destination to authenticate at HANA DB, for HANA to recognize this IdP user we need to configure SAML for the respective HANA user.
5.2) Login to HANA DB user management https://<HANA-SID><subaccount-technical-name>.hanatrial.ondemand.com/sap/hana/IdP/security/
Make sure you have User Admin system privilege to the user used to login HANA DB.
5.3) Open the HANA DB user corresponding to the application user, select SAML check box, click add to add identity provider then define the User ID against it, SAVE the settings.
With this, configuration for AppToAppSSO is completed.
Now I will quickly summarize the above AppToAppSSO setup and how the authentication flows from Application in SCP to HANA DB.
I have deployed an application in a subaccount in SAP Cloud Platform, also I have defined SAP Cloud identity provider to the SCP subaccount for authenticating application users. I have configured AppToAppSSO in Destination of SCP subaccount, destination pointing to back-end DB & configured SAML trust relation between Destination in subaccount and HANA DB.
When the user tries to access the application, he is redirected to SAP Cloud IdP where he gets authenticated and login to application. When application user tries to fetch data in application, the xsjs service calls destination which points to DB, this request from destination is authenticated by backend DB using SAML authentication. Hence the application user able to successfully fetch data from backend HANA DB using AppToAppSSO.
Could you please list out the scenario of using this method or any example to understand the concept easily