Configuring Federated SAML: Azure AD to the SAP HANA Cockpit Part II
In Configuring Federated SAML: Azure AD to the SAP HANA Cockpit Part I we covered the short background of SAML. Please read it if you haven’t so, as it covered some important aspects and restrictions of implementation in SAP HANA Cockpit.
In this part, we will walk through configuration in AD, including:
- Add SAP HANA Enterprise Application
- Configure SAP HANA SAML in Azure Enteprise Application
- Assign Users to Azure Security Groups and the SSO Assignment
- Test SAP SAML Single Sign On on Azure
Configure Azure AD
- An Azure AD subscription. If you don’t have an Azure AD environment, you can get one-month trial here
- SAP HANA single sign-on enabled subscription
Add SAP HANA Enterprise Application
From Home Portal, select Azure Active Directory
Select Create Enterprise Applications
Search “HANA” and select “SAP HANA”, give it a name and Add.
Choose “Set up single sign on”
Configure SAP HANA SAML
Now, we’ll upload the metadata from our Service Provider, which is our SAP HANA.
We cover metadata generation in part III.
Azure will parse the data and automatically filled the required field.
The XSA system needs the SAML Attribute Groups for role mapping. Currently, this is the only attribute allowed. Azure does not provide it by default. We will create it. Click edit.
Choose the attributes which should be returned in the claim (Security groups).
Give the name as “Groups” (capital G), and remove namespace. Save.
Download the certificate and and IdP metadata xml.
Assign Users to Groups and SSO Assignment
In this last part, we will create the AD users, assigning it to Groups and give it access to our SAML application. If you already have AD users, you can skip part A.
We do it in from Azure Active Directory service.
A. Create New User
Choose Manage Users
B. Create Groups
Groups are essential because it controls user authorization.
Without group assignment, your user will be able to login to HANA Cockpit but will not have authorization. Goto Manage Groups.
Select New Group.
Create your groups. Group name could be anything meaningful. We’ll map this group to XSA role collections later.
At this point, you should have already defined what your SoD / role position in your organization would look like. For example, mine would look like this:
Users who will have authority to assign groups, create template, adding database resource, etc
These users will be able to access particular database group assigned to them and monitor the resource
SAP provides up to five roles you could use.
C. Assign Users to Groups
We can assign groups from User or Group view.
In this example, we assign it from Group view.
Navigate to Manage –> Members
Add users that will part of this Admin group, for example HANA_COCKPIT_ADMIN user we created earlier.
Repeat the step to assign user to other group.
D. Assign Users to SAP HANA Application
Finally, we’ll assign our user to the SAP HANA Enterprise Application.
Select all users that will be part of SSO.
Test to see if single sign-on is working
Go to your SAP HANA Enterprise Applications, and click Test.
You should now be able to configure SAML 2.0 SSO in Azure Active Directory as Identity Provider for SAP HANA Cockpit.
In the next part of our series, we’ll touch configuration from SAP HANA perspective:
Configuring Federated SAML: Azure AD to the SAP HANA Cockpit Part III