Technical Articles
SAP BI PLATFORM SAML SSO TO HANA DATABASE
Prerequisites:
HANA XS up and running with SSL configured
BI Platform up and running with SSL configured
We use a HANA database 1.0 without a tenant base and the xs classic webserver, on BI PLATFORM side we are on 4.2 SP 7
Configuration:
This section describes the configuration, first I describe the configuration of the BI Platform afterwards I describe the configuration of your HANA database.
Configure BI Platform
Logon to CMC using https://host:sslport/BOE/CMC
Navigate to Applications > HANA Authentication
Create Identity Provider for HDBC Connection to HANA
- Select the connection type
SAP HANA for native HANA connection, SAP HANA HTTP for HTTP and HTTPS connections - Enter the hostname of your HANA
- HANA Port
this should be the port your indexserver is running on - HANA Instance Number
I always provided just the port - HANA Tenant Database
As we are running on HANA 1.0 we don’t have tenant databases - Unique Identity Provider ID
An ID of your choice my best practice is HANA_SIDBIP_SIDSAML_HDBC - Service Provider Name
this must match the name of your HANA service provider, please see later in this post where to find the name on HANA side - Identity Provider Base64 Certificate
the certificate is shown after you click oon the button Generate (9), this certificate needs to be imported in your HANA database to trust the identity provider we are creating - Generate
By clicking on the button the Identity Provider Base64 Certificate gets generated, when you edit the hostname or port the certificate needs to be regenerated
Create Identity Provider for HTTPS Connection to HANA
I just explain the additional points, for the other points please see above
- HANA Port
here you have to provide the port your xs engine is running on - Secure Connection
if you use https you have to select Secure Connection - Test Connection
the user you provide for testing the connection must be configured for SAML and must have a mapping for the created identity provider, I describe the creation of the saml mapping later in this blog
Configure HANA database
First we have to import the certificate we generated on the BI Platform, afterwards we need to create an identity provider. There are several ways to do this. Here I will describe the steps using the SAP HANA Cockpit and the steps using the xs admin cockpit. Please be careful, if you are using file based certificates (pse files) you have to follow the steps I described here “certificate import using file based certificates” in this blog.
using the SAP HANA Cockpit
First we open the SAP HANA Cockpit and navigate to the HANA database we want to configure the SAML SSO for.
by clicking on the resource name you can open the System Overview of the database
now we search for saml and navigate to the certificate store
In the certificate store we click on Import to import the certificate we created on the BI Platform
Copy the certificate content on the BI Platform and paste it here, click on ok afterwards
The imported certificate is shown in the certificate list
Now we need to add the certificate to our saml certificate collection, therefore we search for saml on the system overview page again and click on certificate collections
Select your saml certificate collection, if you don’t have a saml certificate collection yet you can create a new one here, important is to set the purpose of the collection to saml
cilck on add certificate to add the imported certificate to your saml certificate collection
select the imported certificate from the list and click OK
Now we need to add an SAML identity provider from the system overview page we click on SAML Identity Provider
We wan’t to add a new identity provider
enter your identity provider name > this should be the same name as the one given on the BI Platform
the added identity provider should be shown in the list now
using xs admin
logon to your xs engine
check the name of the HANA SAML Service Provider
Go to trust manager > saml and selct import certificate
create your saml identity provider
certificate import using file based certificates
if your are using file based certificates (.pse files on the file system) in your hana database you need to import the certificates in the system PSE of your hana database. This can be done usind wdisp admin
select sapsrv.pse > Import certificate
select the certificate from BI Platform and paste it here then click on import
the successfull import is shown
create SAML Mapping
the saml mapping can be created using HANA studio or HANA cockpit
from the system overview page serch for user and navigate to User Management
I created a test user in the hana database and mapped it to the Administrator user of the BI Platform
configure the INA Service for SAML (required for HTTP and HTTPS connections)
you have to enable saml for the ina service, this is used to sign on using HTTP or HTTPS connections to your hana database. Select one of your identity providers here, it will work for all other identity providers on your hana too
test your connection
log on to the cmc of your BI Platform again, then navigate to Applications > HANA Authentication
click on test connection > the connection test should be successfull now
Hi Nico,
Are you familiar with the guided answer and KBA on the topic? If so, it is always good to mention SAP documentation and resources as reference.
(with step-by-step guide SAML SSO for BI Platform to HANA V 1.0.2.pdf attached)
Out of curiosity, has anything changed? Is there any information missing in the official resources?
Thx
Hi Denys van Kempen ,
The wiki is not available anymore despite the SAP Note still refers to it. Could you please forward the need to maintain the SAP guidance up to date ?
Thanks
Yann
Hi Yann,
I have requested the processor (Jimmy Yang) to update the note. Thanks for alerting us to this issue.
https://launchpad.support.sap.com/#/notes/0002284620
In case other applications are using the in database certificate store SAML and SSO from BoBj or AO fail, please read SAP note
2880635 - SAML fails due to conflicting PSE's
Best regards
Axel
I think the "Unique Identity Provider ID" corresponds to the "Entity ID" in the SAML RFC.
This is described as being a URI, in the format of a URL. So something like https://someuniqueid.here/idp but it doesn't need to be resolvable. HANA doesn't use this ID anyway, it's just looking up the CN (subject) of the certificate that has been sent.
Dear all,
find the latest How To Set up SSO using SAML between SAP HANA DB and SAP BI / SAP Analysis for Office attached to the below KBA.
Use of in database certificate store (recommended)
2593701 - HOW-TO In-Memory Trust Store and HANA DB SSO SAML and BI Platform 4.2 / Analysis for Office 4.2
Beginning with HANA 1 SPS12 it is possible to use a certificate store within the HANA DB, instead of the file based.
The advantage of the in-database certificate store is, that
– a change in a certificate take effect immediately without restarting the DB
– the certificates will be part of the backup
– the certificates will be available on a system replication secondary DB without copying the files
SAP HANA Security Guide for SAP HANA Platform > Certificate Management in SAP HANA
SAP Note 2175664 – Migration of file system based X.509 certificate stores to in-database certificate stores
Use of file-based certificate store (outdated)
We recommend using the above described in-database certificate store, since the file based will no longer be evaluated when you use the in-database one. That will be the case as soon as you use activate SAML SSO to HANA Cockpit 2.
For details refer to SAP Note 2656666 – Migrate PSE to in-database store before enabling SSO
2284620 – HOW-TO HANA DB SSO SAML and BI Platform 4.2 SP4 and higher / AO 2.2
Best regards
Axel Utz