SAP BI PLATFORM SAML SSO TO HANA DATABASE

Prerequisites:

HANA XS up and running with SSL configured

BI Platform up and running with SSL configured

We use a HANA 1.0 database without tenant databases and the XS classic web server; on the BI Platform side we are on 4.2 SP 7.

Configuration:

This section describes the configuration. First I describe the configuration of the BI Platform, then the configuration of your HANA database.

Configure BI Platform

Log on to the CMC using https://host:sslport/BOE/CMC

Navigate to Applications > HANA Authentication

Create Identity Provider for HDBC Connection to HANA

  1. Select the connection type
    SAP HANA for native HANA connection, SAP HANA HTTP for HTTP and HTTPS connections
  2. Enter the hostname of your HANA
  3. HANA Port
    this should be the port your indexserver is running on
  4. HANA Instance Number
    I always provided just the port
  5. HANA Tenant Database
    As we are running on HANA 1.0 we don’t have tenant databases
  6. Unique Identity Provider ID
    An ID of your choice; my best practice is HANA_SIDBIP_SIDSAML_HDBC
  7. Service Provider Name
    this must match the name of your HANA service provider; see later in this post for where to find the name on the HANA side
  8. Identity Provider Base64 Certificate
    the certificate is shown after you click on the Generate button (9); this certificate needs to be imported into your HANA database so that it trusts the identity provider we are creating
  9. Generate
    Clicking this button generates the Identity Provider Base64 Certificate; when you edit the hostname or port, the certificate needs to be regenerated

 

Create Identity Provider for HTTPS Connection to HANA

I explain only the additional points here; for the other points, please see above.

  1. HANA Port
    here you have to provide the port your xs engine is running on
  2. Secure Connection
    if you use https you have to select Secure Connection
  3. Test Connection
    the user you provide for testing the connection must be configured for SAML and must have a mapping for the created identity provider; I describe the creation of the SAML mapping later in this blog

 

Configure HANA database

First we have to import the certificate we generated on the BI Platform; afterwards we need to create an identity provider. There are several ways to do this. Here I describe the steps using the SAP HANA Cockpit and the steps using the XS admin cockpit. Please be careful: if you are using file-based certificates (PSE files), you have to follow the steps described under “certificate import using file based certificates” in this blog.

 

using the SAP HANA Cockpit

First we open the SAP HANA Cockpit and navigate to the HANA database we want to configure the SAML SSO for.

By clicking on the resource name you can open the System Overview of the database.

Now we search for SAML and navigate to the certificate store.

In the certificate store we click on Import to import the certificate we created on the BI Platform.

Copy the certificate content on the BI Platform and paste it here, then click on OK.

The imported certificate is shown in the certificate list.

Now we need to add the certificate to our SAML certificate collection. To do so, we search for SAML on the System Overview page again and click on Certificate Collections.

Select your SAML certificate collection. If you don’t have a SAML certificate collection yet, you can create a new one here; the important point is to set the purpose of the collection to SAML.

Click on Add Certificate to add the imported certificate to your SAML certificate collection.

Select the imported certificate from the list and click OK.

Now we need to add a SAML identity provider. From the System Overview page we click on SAML Identity Provider.

We want to add a new identity provider.

Enter your identity provider name; this should be the same name as the one given on the BI Platform.

The added identity provider should now be shown in the list.

using xs admin

Log on to your XS engine.

Check the name of the HANA SAML Service Provider.

Go to Trust Manager > SAML and select Import Certificate.

Create your SAML identity provider.

certificate import using file based certificates

If you are using file-based certificates (.pse files on the file system) in your HANA database, you need to import the certificates into the system PSE of your HANA database. This can be done using wdisp admin.

Select sapsrv.pse > Import certificate.

Select the certificate from the BI Platform, paste it here, then click on Import.

The successful import is shown.

create SAML Mapping

The SAML mapping can be created using HANA studio or HANA cockpit.

From the System Overview page, search for user and navigate to User Management.

I created a test user in the hana database and mapped it to the Administrator user of the BI Platform
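
The HANA-side steps above (certificate import, SAML certificate collection, identity provider, user mapping) can also be expressed as SQL, which makes the resulting trust configuration easy to review. This is an added example, not part of the original post; it assumes the in-database certificate store, and SAML_COLLECTION, DEMO_SAML_USER and everything in <...> are placeholders.

```sql
-- Added example, not from the original post.
-- SAML_COLLECTION and DEMO_SAML_USER are hypothetical names; <...> are placeholders.
-- Assumes the in-database certificate store, not file-based .pse files.

-- 1. Import the certificate generated in the CMC.
--    Paste the Base64 text between the PEM markers.
CREATE CERTIFICATE FROM '-----BEGIN CERTIFICATE-----
<Base64 certificate from CMC>
-----END CERTIFICATE-----' COMMENT 'BIP SAML IdP';

-- 2. Note the CERTIFICATE_ID and the exact subject/issuer strings
--    of the imported certificate; steps 3 and 4 need them.
SELECT CERTIFICATE_ID, SUBJECT_DISTINGUISHED_NAME,
       ISSUER_DISTINGUISHED_NAME, VALID_UNTIL
  FROM CERTIFICATES;

-- 3. Certificate collection with purpose SAML.
--    Skip CREATE PSE / SET PSE if a SAML collection already exists.
CREATE PSE SAML_COLLECTION;
ALTER PSE SAML_COLLECTION ADD CERTIFICATE <certificate_id>;
SET PSE SAML_COLLECTION PURPOSE SAML;

-- 4. Identity provider, named like the Unique Identity Provider ID in the CMC.
--    User creation stays disabled so only explicitly mapped users can log on.
CREATE SAML PROVIDER HANA_SIDBIP_SIDSAML_HDBC
  WITH SUBJECT '<subject DN from step 2>'
  ISSUER '<issuer DN from step 2>'
  DISABLE USER CREATION;

-- 5. Enable SAML for the HANA user and map it to the BI Platform user.
ALTER USER DEMO_SAML_USER ENABLE SAML;
ALTER USER DEMO_SAML_USER ADD IDENTITY 'Administrator'
  FOR SAML PROVIDER HANA_SIDBIP_SIDSAML_HDBC;

-- 6. Review the result: collection purpose, trusted certificates,
--    providers, and which external identity maps to which HANA user.
SELECT * FROM PSES;
SELECT * FROM PSE_CERTIFICATES;
SELECT * FROM SAML_PROVIDERS;
SELECT * FROM SAML_USER_MAPPINGS;
```

The queries in step 6 are also useful after a cockpit-based setup, to confirm that only the intended certificate is in the SAML collection and that each mapping points at the intended HANA user.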

configure the INA Service for SAML (required for HTTP and HTTPS connections)

You have to enable SAML for the INA service; this is used to sign on to your HANA database over HTTP or HTTPS connections. Select one of your identity providers here; it will work for all other identity providers on your HANA too.

 

test your connection

Log on to the CMC of your BI Platform again, then navigate to Applications > HANA Authentication.

Click on Test Connection; the connection test should now be successful.