Author: Nico Luhr

SAP BI PLATFORM SAML SSO TO HANA DATABASE

Prerequisites:

HANA XS up and running with SSL configured

BI Platform up and running with SSL configured

We use a HANA 1.0 database without tenant databases and the XS classic web server; on the BI Platform side we are on 4.2 SP 7.

Configuration:

This section describes the configuration: first the BI Platform, then the HANA database.

Configure BI Platform

Log on to the CMC using https://host:sslport/BOE/CMC

Navigate to Applications > HANA Authentication

Create Identity Provider for HDBC Connection to HANA

  1. Select the connection type
    SAP HANA for a native HANA connection, SAP HANA HTTP for HTTP and HTTPS connections
  2. Enter the hostname of your HANA
  3. HANA Port
    This should be the port your indexserver is running on
  4. HANA Instance Number
    I always provided just the port
  5. HANA Tenant Database
    As we are running on HANA 1.0 we don’t have tenant databases
  6. Unique Identity Provider ID
    An ID of your choice; my best practice is HANA_SIDBIP_SIDSAML_HDBC
  7. Service Provider Name
    This must match the name of your HANA service provider; see later in this post for where to find the name on the HANA side
  8. Identity Provider Base64 Certificate
    The certificate is shown after you click the Generate button (9). It must be imported into your HANA database so that HANA trusts the identity provider we are creating
  9. Generate
    Clicking the button generates the Identity Provider Base64 Certificate. If you edit the hostname or port, the certificate needs to be regenerated

Create Identity Provider for HTTPS Connection to HANA

I only explain the additional points here; for the other points, see above.

  1. HANA Port
    Here you have to provide the port your XS engine is running on
  2. Secure Connection
    If you use HTTPS you have to select Secure Connection
  3. Test Connection
    The user you provide for testing the connection must be configured for SAML and must have a mapping for the created identity provider. I describe the creation of the SAML mapping later in this blog

Configure HANA database

First we have to import the certificate we generated on the BI Platform; afterwards we need to create an identity provider. There are several ways to do this. Here I describe the steps using the SAP HANA Cockpit and the steps using the XS admin cockpit. Be careful: if you are using file-based certificates (PSE files), you have to follow the steps described under “certificate import using file based certificates” in this blog.

Using the SAP HANA Cockpit

First we open the SAP HANA Cockpit and navigate to the HANA database we want to configure SAML SSO for.

Clicking on the resource name opens the System Overview of the database.

Now we search for "saml" and navigate to the certificate store.

In the certificate store we click on Import to import the certificate we created on the BI Platform.

Copy the certificate content on the BI Platform and paste it here, then click OK.

The imported certificate is shown in the certificate list.

Now we need to add the certificate to our SAML certificate collection. To do so, we search for "saml" on the System Overview page again and click on Certificate Collections.

Select your SAML certificate collection. If you don’t have a SAML certificate collection yet, you can create a new one here; it is important to set the purpose of the collection to SAML.

Click on Add Certificate to add the imported certificate to your SAML certificate collection.

Select the imported certificate from the list and click OK.

Now we need to add a SAML identity provider. From the System Overview page we click on SAML Identity Provider.

We want to add a new identity provider.

Enter your identity provider name; this should be the same name as the one given on the BI Platform.

The added identity provider should now be shown in the list.

Using XS admin

Log on to your XS engine.

Check the name of the HANA SAML Service Provider.

Go to Trust Manager > SAML and select Import Certificate.

Create your SAML identity provider.

Certificate import using file based certificates

If you are using file-based certificates (.pse files on the file system) in your HANA database, you need to import the certificates into the system PSE of your HANA database. This can be done using wdisp admin.

Select sapsrv.pse > Import certificate.

Select the certificate from the BI Platform, paste it here, then click on Import.

The successful import is shown.

Create SAML Mapping

The SAML mapping can be created using HANA Studio or the HANA Cockpit.

From the System Overview page, search for "user" and navigate to User Management.

I created a test user in the hana database and mapped it to the Administrator user of the BI Platform
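
The Cockpit steps above (certificate import, SAML certificate collection, identity provider, user mapping) can also be scripted in SQL against the in-database certificate store, which makes the resulting trust configuration easy to review. This is an added example, not part of the original post; the collection name SAML_BIP, the user TEST_USER and all values in angle brackets are placeholders, and the provider name reuses the naming example from the BI Platform section.

```sql
-- Added example: SQL equivalent of the Cockpit steps (placeholders in <...>).

-- 1. Import the certificate generated in the CMC into the certificate store.
CREATE CERTIFICATE FROM '-----BEGIN CERTIFICATE-----
<Base64 certificate copied from the CMC>
-----END CERTIFICATE-----' COMMENT 'BI Platform SAML IdP';

-- 2. Read back what was imported. Check subject, issuer and validity against
--    what the BI Platform generated before trusting the certificate, and note
--    the CERTIFICATE_ID for step 3.
SELECT CERTIFICATE_ID, SUBJECT_DISTINGUISHED_NAME,
       ISSUER_DISTINGUISHED_NAME, VALID_FROM, VALID_UNTIL
  FROM CERTIFICATES
 WHERE COMMENT = 'BI Platform SAML IdP';

-- 3. Certificate collection with purpose SAML.
--    Check first whether a collection with purpose SAML already exists;
--    if it does, skip CREATE/SET and only add the certificate to it.
SELECT NAME, PURPOSE FROM PSES;
CREATE PSE SAML_BIP;                              -- SAML_BIP: assumed name
ALTER PSE SAML_BIP ADD CERTIFICATE <certificate_id>;
SET PSE SAML_BIP PURPOSE SAML;

-- 4. SAML identity provider, named like the Unique Identity Provider ID
--    entered on the BI Platform. Subject and issuer come from step 2.
CREATE SAML PROVIDER HANA_SIDBIP_SIDSAML_HDBC
  WITH SUBJECT '<subject DN from step 2>'
       ISSUER  '<issuer DN from step 2>';

-- 5. Enable SAML for the database user and map it to the BI Platform user.
ALTER USER TEST_USER ENABLE SAML;                 -- TEST_USER: assumed name
ALTER USER TEST_USER ADD IDENTITY 'Administrator'
  FOR SAML PROVIDER HANA_SIDBIP_SIDSAML_HDBC;

-- 6. Review the result: which certificates are trusted for SAML, which
--    providers exist, and which external identities map to which users.
SELECT * FROM PSE_CERTIFICATES WHERE PSE_NAME = 'SAML_BIP';
SELECT * FROM SAML_PROVIDERS;
SELECT * FROM SAML_USER_MAPPINGS WHERE USER_NAME = 'TEST_USER';
```

The queries in step 6 are also useful later as a periodic check that no unexpected certificate or user mapping has been added to the SAML trust configuration.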

Configure the INA Service for SAML (required for HTTP and HTTPS connections)

You have to enable SAML for the INA service; it is used to sign on to your HANA database over HTTP or HTTPS connections. Select one of your identity providers here; it will work for all other identity providers on your HANA too.

Test your connection

Log on to the CMC of your BI Platform again, then navigate to Applications > HANA Authentication.

Click on Test Connection; the connection test should now be successful.

      6 Comments

      Denys van Kempen

      Hi Nico,

      Are you familiar with the guided answer and KBA on the topic? If so, it is always good to mention SAP documentation and resources as reference.

      Out of curiosity, has anything changed? Is there any information missing in the official resources?

      Thx

      Yann MIQUEL

      Hi Denys van Kempen ,

      The wiki is not available anymore, despite the SAP Note still referring to it. Could you please forward the need to maintain the SAP guidance up to date?

      Thanks

      Yann

      Denys van Kempen

      Hi Yann,

      I have requested the processor (Jimmy Yang) to update the note. Thanks for alerting us to this issue.

      https://launchpad.support.sap.com/#/notes/0002284620

      Axel Utz

      In case other applications are using the in database certificate store SAML and SSO from BoBj or AO fail, please read SAP note

      2880635 - SAML fails due to conflicting PSE's

      Best regards

      Axel

      Darryl Griffiths

      I think the "Unique Identity Provider ID" corresponds to the "Entity ID" in the SAML RFC.
      This is described as being a URI, in the format of a URL. So something like https://someuniqueid.here/idp but it doesn't need to be resolvable. HANA doesn't use this ID anyway, it's just looking up the CN (subject) of the certificate that has been sent.

      Axel Utz

      Dear all,

      find the latest How To Set up SSO using SAML between SAP HANA DB and SAP BI / SAP Analysis for Office attached to the below KBA.

      Use of in database certificate store (recommended)

      2593701 - HOW-TO In-Memory Trust Store and HANA DB SSO SAML and BI Platform 4.2 / Analysis for Office 4.2

      Beginning with HANA 1 SPS12 it is possible to use a certificate store within the HANA DB, instead of the file based.

      The advantage of the in-database certificate store is that

      – a change in a certificate takes effect immediately without restarting the DB

      – the certificates will be part of the backup

      – the certificates will be available on a system replication secondary DB without copying the files

      SAP HANA Security Guide for SAP HANA Platform > Certificate Management in SAP HANA

      SAP Note 2175664 – Migration of file system based X.509 certificate stores to in-database certificate stores

      Use of file-based certificate store (outdated)

      We recommend using the above described in-database certificate store, since the file based will no longer be evaluated when you use the in-database one. That will be the case as soon as you activate SAML SSO to HANA Cockpit 2.

      For details refer to SAP Note 2656666 – Migrate PSE to in-database store before enabling SSO

      2284620 – HOW-TO HANA DB SSO SAML and BI Platform 4.2 SP4 and higher / AO 2.2


      Best regards

      Axel Utz