
Setting up END2END SAML integration between SAP Analytics Cloud and SAP HANA on Premise using ADFS Identity Provider

This blog describes how to implement end-to-end SAML single sign-on (SSO) using the same Identity Provider (IdP) for SAP Analytics Cloud (SAC) and SAP HANA.

With this configuration, users enter their IdP credentials only once, when logging in to SAP Analytics Cloud, and do not have to enter them again when creating a live connection to SAP HANA.

The trust relationship links the SAC user account and the SAP HANA user account to the same IdP identity. With the link in place, SAP HANA grants access to data on the strength of a signed SAML assertion from the IdP instead of a password, so no user credentials are exchanged between the two service providers. The IdP authenticates the users; authorization in SAP HANA still comes from the roles and privileges of the mapped HANA user. We will enable a custom IdP (ADFS) for SAC and use the same IdP for user authentication in our HANA system.

In this setup SAML carries authentication statements between the service providers (SAC and HANA) and the IdP (ADFS). SAML is an XML-based standard for describing and exchanging security assertions.

The configuration in this document was carried out on the following platforms:

  • SAP HANA 2.0 Rev 46 (SUSE Linux 12 SP3) as the data source and SAML service provider
  • Microsoft ADFS (Windows Server 2012 R2) as the identity provider
  • SAP Analytics Cloud as a SAML service provider

We will divide the configuration into three sections.

  1. Setting up SAML between ADFS and SAP Analytics Cloud
  2. Setting up live data connection between SAP Analytics Cloud and SAP HANA
  3. Setting up SAML between ADFS and SAP HANA

Section – 1

Setting up SAML between ADFS and SAP Analytics Cloud

This configuration is covered in one of my previous posts; follow the blog below.

https://blogs.sap.com/2017/12/19/sap-analytics-cloud-saml-sso-using-adfs-active-directory-federation-services-as-an-identity-provider/

Once verification completes successfully and you are able to log in to SAP Analytics Cloud using SAML, proceed to Section 2.

Section – 2

Setting up live data connection between SAP Analytics Cloud and SAP HANA

SAP Analytics Cloud allows you to connect to live data in HANA databases.

Follow the guided playlist below to set up a live data connection to SAP HANA on premise:

https://www.sapanalytics.cloud/guided_playlists/sap-hana/

If the configuration is correct, the SAP HANA live data connection is created successfully using the user name and password authentication method.

To support SSO for live data connections that use the Direct connection type, you must also configure your on-premise SAP HANA system; that is covered in Section 3.

Section – 3

Setting up SAML between ADFS and SAP HANA

Setup of the Trust Relationship

The SAP HANA user performing these steps needs the roles for the XS Admin tool, for SAML configuration and for the Web IDE.

  1. Navigate to the XS Admin page of your SAP HANA system at https://<SAP HANA SYSTEM>:<Port>/sap/hana/xs/admin

Replace <SAP HANA SYSTEM> with the host name of your SAP HANA system and <Port> with its XS HTTPS port.

  2. Click on the main menu and select SAML Service Provider
  3. Under Service Provider Configuration, copy the name of the SAML Service Provider; this name is the service provider's SAML entityID, and ADFS shows it as the relying party identifier after the import
  4. Under Metadata, copy the XML content from the text box and save it as HANAMetadata.xml (we will use this file while configuring ADFS)
  5. Click Save

Configuring ADFS

  1. Download the ADFS metadata using the URL below

https://<adfs-server>/FederationMetadata/2007-06/FederationMetadata.xml

Replace <adfs-server> with the host name of your ADFS server.

Note: the file FederationMetadata.xml is downloaded; we will import this IdP metadata into the HANA SAML configuration later.

  2. Launch ADFS Management
  3. Under Trust Relationships, right-click Relying Party Trusts and select Add Relying Party Trust
  4. Click Start
  5. Select Import data about the relying party from a file and select the file HANAMetadata.xml that we saved in step 4 of Setup of the Trust Relationship
  6. After the file is imported, click Next
  7. Specify a Display name and click Next
  8. Select I do not want to configure multi-factor authentication settings for this relying party trust at this time and click Next
  9. Under Issuance Authorization Rules, select Permit all users to access this relying party, click Next and then Finish. Note that this lets every account ADFS can authenticate obtain an assertion for HANA; access to data still depends on a matching HANA user and its privileges, and the rule can be restricted to an AD group later
  10. Add a claim rule for the SAP HANA system: select the template Send LDAP Attributes as Claims and click Next
  11. Enter the claim rule name SAM-AccountName
  12. Select the attribute store Active Directory and map the LDAP attribute SAM-Account-Name to the outgoing claim type Name ID. SAP HANA reads the user identity from the NameID of the assertion, so this value must match the identity configured for the HANA user

Configuring SAP HANA

  1. In the XS Admin page of your SAP HANA system, select Main Menu -> SAML Identity Provider
  2. Click the + icon in the bottom left corner to begin importing the ADFS IdP metadata
  3. Open the FederationMetadata.xml file that you downloaded in step 1 of Configuring ADFS, copy the content of the file and paste it into the Metadata input area in the XS Admin page of your HANA system
  4. Verify the details, such as the name of the SAML IdP under the General tab, and click Save
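Before importing either file it is worth checking that the exchange is the right way round and complete. The Python script below is an added example, not code from the original post or from SAP or Microsoft: it parses the two metadata documents, confirms that the file going to ADFS is service provider metadata with an entityID and an AssertionConsumerService, confirms that the file going to HANA is identity provider metadata with a signing certificate and a SingleSignOnService endpoint, reports any endpoint that is not HTTPS, and computes the SHA-256 fingerprint of the IdP signing certificate so it can be compared with the token-signing certificate on the ADFS server. The embedded HANA_SP_METADATA and ADFS_IDP_METADATA strings are constructed samples; their host names, entityIDs, endpoint paths and certificate bytes are placeholders, not values from any real system. Replace them with the contents of HANAMetadata.xml and FederationMetadata.xml.

```python
"""Check a SAML metadata exchange between SAP HANA XS (service provider) and
ADFS (identity provider) before importing either file.
Added example, not from the original post and not an SAP or Microsoft tool.
Hosts, entityIDs, endpoints and certificate bytes are constructed placeholders."""
import base64
import hashlib
import xml.etree.ElementTree as ET

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
DS = "http://www.w3.org/2000/09/xmldsig#"
NS = {"md": MD, "ds": DS}

# Placeholder bytes; a real file carries the DER-encoded X.509 certificate here.
FAKE_CERT_B64 = base64.b64encode(b"placeholder, not a real X.509 certificate").decode()

# Shape of the text XS Admin shows under SAML Service Provider -> Metadata (constructed).
HANA_SP_METADATA = f"""<md:EntityDescriptor xmlns:md="{MD}" xmlns:ds="{DS}" entityID="hana.example.com:4300">
  <md:SPSSODescriptor AuthnRequestsSigned="true" WantAssertionsSigned="true"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>{FAKE_CERT_B64}</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
      Location="https://hana.example.com:4300/sap/hana/xs/saml/login.xscfunc" index="0"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""

# Shape of ADFS FederationMetadata.xml reduced to its SAML 2.0 IdP role (constructed).
ADFS_IDP_METADATA = f"""<EntityDescriptor xmlns="{MD}" xmlns:ds="{DS}"
    entityID="http://adfs.example.com/adfs/services/trust">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>{FAKE_CERT_B64}</ds:X509Certificate></ds:X509Data></ds:KeyInfo></KeyDescriptor>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
      Location="https://adfs.example.com/adfs/ls/"/>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
      Location="https://adfs.example.com/adfs/ls/"/>
  </IDPSSODescriptor>
</EntityDescriptor>"""


def _signing_fingerprints(role):
    """SHA-256 of each signing-capable certificate in a role descriptor.
    A KeyDescriptor with no 'use' attribute may be used for signing too."""
    prints = []
    for kd in role.findall("md:KeyDescriptor", NS):
        if kd.get("use", "signing") != "signing":
            continue
        for cert in kd.findall("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS):
            der = base64.b64decode("".join(cert.text.split()))
            prints.append(hashlib.sha256(der).hexdigest())
    return prints


def _endpoints(role, tag):
    """Map binding short name (HTTP-POST, HTTP-Redirect) to its Location."""
    return {e.get("Binding", "").rsplit(":", 1)[-1]: e.get("Location", "")
            for e in role.findall(f"md:{tag}", NS)}


def describe_sp(xml_text):
    root = ET.fromstring(xml_text)
    sp = root.find("md:SPSSODescriptor", NS)
    if sp is None:
        raise ValueError("no SPSSODescriptor, this is not service provider metadata")
    return {"entity_id": root.get("entityID", ""),
            "acs": _endpoints(sp, "AssertionConsumerService"),
            "signing_fingerprints": _signing_fingerprints(sp)}


def describe_idp(xml_text):
    root = ET.fromstring(xml_text)
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("no IDPSSODescriptor, this is not identity provider metadata")
    return {"entity_id": root.get("entityID", ""),
            "sso": _endpoints(idp, "SingleSignOnService"),
            "signing_fingerprints": _signing_fingerprints(idp)}


def check_exchange(sp_xml, idp_xml):
    """Problems found in the pair; an empty list means both files are ready to import."""
    try:
        sp, idp = describe_sp(sp_xml), describe_idp(idp_xml)
    except ValueError as err:
        return [str(err)]
    issues = []
    if not sp["entity_id"]:
        issues.append("SP metadata has no entityID; ADFS needs it as the relying party identifier")
    if not sp["acs"]:
        issues.append("SP metadata has no AssertionConsumerService; ADFS would have nowhere to POST")
    if not idp["sso"]:
        issues.append("IdP metadata has no SingleSignOnService endpoint")
    if not idp["signing_fingerprints"]:
        issues.append("IdP metadata has no signing certificate; HANA could not verify assertions")
    endpoints = [("SP ACS", u) for u in sp["acs"].values()] + [("IdP SSO", u) for u in idp["sso"].values()]
    for label, url in endpoints:
        if not url.lower().startswith("https://"):
            issues.append(f"{label} endpoint is not https: {url}")
    return issues


if __name__ == "__main__":
    print("relying party identifier:", describe_sp(HANA_SP_METADATA)["entity_id"])
    print("IdP signing cert sha256:", describe_idp(ADFS_IDP_METADATA)["signing_fingerprints"])
    print("issues:", check_exchange(HANA_SP_METADATA, ADFS_IDP_METADATA) or "none")
```

Real ADFS metadata is larger (it also carries WS-Federation role descriptors and an XML signature); the script ignores everything except the IDPSSODescriptor. Passing the files the wrong way round is reported as a single issue rather than silently accepted. Because the HANA import stores a static copy of the ADFS signing certificate, re-run the check and re-import the metadata whenever ADFS renews its token-signing certificate; a fingerprint that no longer matches is the usual reason assertions start being rejected after a rollover.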

Enabling SAML

  1. In the XS Admin page of your SAP HANA system, select Main Menu -> XS Artifact Administration
  2. Under Packages, navigate to sap -> bc -> ina -> service -> v2
  3. Make sure you have navigated to the correct package, sap -> bc -> ina -> service -> v2; the SAP Security Admin panel for it appears
  4. Click Edit in the bottom right corner
  5. Select the SAML checkbox if it is not already enabled. Choose a SAML IdP if one is not already selected; the name should be the IdP name you verified in step 4 of Configuring SAP HANA. Click Save
  6. With sap -> bc -> ina -> service -> v2 still selected, open the CORS panel and edit the CORS configuration as follows
    i. Select Enable Cross Origin Resource Sharing, if not already selected
    ii. Add the IdP host to Allowed Origins. The browser sends its Origin header with every cross-site call to the InA service, so the origin of the page that makes those calls, your SAP Analytics Cloud tenant URL, must be in Allowed Origins as well; list exact https origins rather than a wildcard

Deploy the custom web content to your SAP HANA Server

To enable SSO when using a direct connection, you must deploy some custom web content to your SAP HANA server. This web content appears briefly to users once per session when they first create a live data connection to your SAP HANA system, or when they refresh charts or tables against that live data connection.

  1. Log on to your SAP HANA server's Web IDE at https://<xs-host:port>/sap/hana/ide/editor with the system user credentials (or, better, with a dedicated user that holds the developer role rather than SYSTEM)
  2. Navigate to sap.bc.ina.service.v2
  3. Right-click the v2 package and select New -> Package
  4. In Package Name enter cors and click Create
  5. Right-click the cors package and select New -> File
  6. Enter auth.html and click Create
  7. Open auth.html and add the following code
    <html>
     <!-- reached only after the SAML logon to HANA has completed; re-opening
          the page in its own window lets the script close the pop-up -->
     <script type="text/javascript">
      open(location, '_self').close();
     </script>
    </html>
  8. Save auth.html
  9. Create another file under the cors package and name it .xsaccess
  10. Open .xsaccess and add the following code, so the authentication page is never cached
    {"cache_control" : "no-cache, no-store"}
  11. Save .xsaccess
  12. Right-click the cors package and click Activate All
  13. In a new browser tab, go to the following URL
    https://<xs-host:port>/sap/bc/ina/service/v2/cors/auth.html
    If the HTML page is configured correctly, the page loads and closes itself automatically.

User Mapping

To reach your HANA database from SAC without re-authenticating (that is, with SSO), each HANA user must carry, for the SAML provider created when the ADFS metadata was imported, an external identity equal to the value ADFS sends in the SAML NameID (the sAMAccountName from the claim rule above). HANA matches the assertion to a user by this identity, so a user without it is rejected even though ADFS accepted the logon. If you are using the same IdP for SAP HANA and SAC, the SAC connection can map all existing users automatically.
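The HANA side of the mapping is plain SQL, and for more than a handful of users it is easier to generate than to type. The Python script below is an added example, not code from the original post or an SAP tool: it emits ALTER USER ... ADD IDENTITY ... FOR SAML PROVIDER statements (or CREATE USER ... WITH IDENTITY statements for users that do not exist yet), quotes identifiers and string literals so that an account name containing a quote cannot break the statement, and refuses to produce output when one AD account would be mapped to several HANA users. It assumes that the ADFS claim rule issues the sAMAccountName as the NameID and that the SAML provider created by the XS Admin import is named ADFS_IDP; both are assumptions, so substitute the provider name XS Admin shows for your system. The sample mappings in the script are constructed.

```python
"""Generate the SQL that gives SAP HANA users the external identity ADFS sends
in the SAML NameID, so HANA can match an assertion to a database user.
Added example, not from the original post and not an SAP tool.
Assumed (not stated in the post): ADFS issues sAMAccountName as the NameID and
the SAML provider created by the XS Admin import is called ADFS_IDP."""

SAML_PROVIDER = "ADFS_IDP"  # assumed name; use the one XS Admin shows


def sql_identifier(name):
    """HANA delimited identifier: double quotes, embedded quote doubled.
    Delimited identifiers are case-sensitive, so pass the user name exactly
    as it appears in SYS.USERS."""
    if not name:
        raise ValueError("empty identifier")
    return '"' + name.replace('"', '""') + '"'


def sql_string(value):
    """HANA string literal: single quotes, embedded quote doubled."""
    return "'" + value.replace("'", "''") + "'"


def identity_collisions(mappings):
    """(identity, [users]) pairs where one AD account would land on several
    HANA users. AD account names are case-insensitive, so compare case-folded."""
    by_identity = {}
    for hana_user, sam in mappings:
        by_identity.setdefault(sam.strip().lower(), []).append(hana_user)
    return [(ident, users) for ident, users in by_identity.items()
            if len(set(users)) > 1]


def mapping_statements(mappings, provider=SAML_PROVIDER, create_missing=False):
    """mappings: iterable of (hana_user, sam_account_name) pairs.
    Returns ALTER USER ... ADD IDENTITY statements for existing users, or
    CREATE USER ... WITH IDENTITY statements when create_missing is True."""
    mappings = list(mappings)
    clashes = identity_collisions(mappings)
    if clashes:
        raise ValueError(f"one identity would map to several users: {clashes}")
    stmts = []
    for hana_user, sam in mappings:
        sam = sam.strip()
        if not sam:
            raise ValueError(f"no identity given for {hana_user}")
        # Keep the value exactly as ADFS will send it: HANA compares the NameID
        # string with the stored identity, so spelling and case must match.
        user, ident, prov = sql_identifier(hana_user), sql_string(sam), sql_identifier(provider)
        if create_missing:
            stmts.append(f"CREATE USER {user} WITH IDENTITY {ident} FOR SAML PROVIDER {prov};")
        else:
            stmts.append(f"ALTER USER {user} ADD IDENTITY {ident} FOR SAML PROVIDER {prov};")
    return stmts


if __name__ == "__main__":
    # Constructed sample: HANA user name on the left, AD sAMAccountName on the right.
    sample = [("JDOE", "jdoe"), ("ANALYST_OBRIEN", "o'brien"), ("SMITH", "smith")]
    for stmt in mapping_statements(sample):
        print(stmt)
```

Run the generated statements with a user that holds the USER ADMIN system privilege. The collision check matters because ADFS will happily issue the same NameID for one account every time; if that identity is attached to two HANA users, the mapping is ambiguous and should be resolved before the first SSO attempt rather than debugged from a rejected assertion.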

Add SAP HANA host system in Trusted Sites

In Internet Explorer, open Internet Options -> Security -> Trusted Sites, add the domain name of your SAP HANA host, then select Enable Protected Mode.

Verification

Users will now be able to sign in to SAP Analytics Cloud with their ADFS credentials and create a live data connection to the SAP HANA system without re-authenticating; SSO takes care of it.

  1. Log in to SAP Analytics Cloud (enter the SAC URL in the browser)
  2. It redirects to the IdP authentication page; enter the domain credentials of a user mapped to a SAC user account
  3. After successfully logging in to SAC, create the connection
  4. Go to Main Menu -> Connection -> Add Connection
    The Select a datasource dialog appears
  5. Expand Connect to Live Data and select SAP HANA
  6. In the dialog, enter a name and description for your connection
  7. Set the connection type to Direct
  8. Add your SAP HANA host name and HTTPS port
  9. (Optional) Choose a Default Language from the list
  10. Under Authentication Method select SAML Single Sign On
  11. Select OK
    If all configuration and user mapping is correct, the live data connection to SAP HANA is created without re-authentication, via SAML SSO. If it fails, confirm that the HANA user for the account you logged in with carries the SAML identity ADFS sends, and that the SAC origin is allowed in the CORS configuration of sap.bc.ina.service.v2.

Learn More:

https://blogs.sap.com/2018/02/28/saml-integration-between-microsoft-azure-portal-and-sap-analytics-cloud/

https://blogs.sap.com/2017/12/19/sap-analytics-cloud-saml-sso-using-adfs-active-directory-federation-services-as-an-identity-provider/

https://blogs.sap.com/2018/02/22/adfs-with-sap-business-intelligence-platform/

https://blogs.sap.com/2018/03/01/saml-integration-between-microsoft-azure-portal-and-sap-business-intelligence-platform/

3 Comments
  • Hi Mohammed Ashraf,

    Thanks for sharing, we are trying to establish SAP HANA to ADFS SSO integration only.

    I had a read on the Section – 3, do we need to perform both the below:

    1. Under metadata copy the xml content from textbox and save it as HANAMetadata.xml (note – we will be using this file, while configuring ADFS).
    2. Open the FederationMetadata.xml file that you have downloaded in step 1 of Configuring ADFS, copy the content of the file and paste it to the Metadata input area in the XS Admin Page of your HANA system

    Thanks.

    Kind regards,

    Ian

    • Hi Ian,

      Yes, it is an exchange of metadata (information) between applications, so we have to perform both the steps.

      Thanks
      Ashraf

  • Hi Mohammed,

    Could we integrate SAP BO with WS Federation (not SAMLP2)? I wonder if this is possible or not.

    Thanks!