
Configuring Federated SAML: Azure AD to the SAP HANA Cockpit Part II

In Configuring Federated SAML: Azure AD to the SAP HANA Cockpit Part I we covered a short background of SAML. Please read it if you haven’t done so, as it covers important aspects and restrictions of the SAML implementation in the SAP HANA Cockpit.

In this part, we will walk through configuration in AD, including:

  • Add SAP HANA Enterprise Application
  • Configure SAP HANA SAML in the Azure Enterprise Application
  • Assign Users to Azure Security Groups and to the SSO application
  • Test SAP SAML single sign-on from Azure

Configure Azure AD

Prerequisites:

  • An Azure AD subscription. If you don’t have an Azure AD environment, a one-month trial is available
  • A SAP HANA (XSA) system with single sign-on enabled

Add SAP HANA Enterprise Application

From the Home Portal, select Azure Active Directory.

Select Create Enterprise Applications.

Search for “HANA”, select “SAP HANA”, give it a name and click Add. Remember the name: it is the display name you will look the application up by later.

Choose “Set up single sign on”.

Select SAML.

Configure SAP HANA SAML

Now we upload the metadata from our Service Provider, which is our SAP HANA (XSA) system. Metadata generation is covered in part III.

Azure parses the file and fills in the required fields of the Basic SAML Configuration (Identifier / Entity ID and Reply URL / Assertion Consumer Service URL) automatically. Check that both values point at the XSA host name that users’ browsers can actually reach, because that is where Azure will POST the assertion.

The XSA system needs a SAML attribute named Groups for role-collection mapping; currently this is the only attribute it uses for that purpose. Azure does not send it by default, so we create it. Click Edit in the User Attributes & Claims section.

Add a group claim and choose which groups should be returned in the claim (Security groups). Name the claim exactly “Groups” (capital G) and remove the namespace: XSA matches the attribute Name literally, so the default namespaced claim name (http://schemas.microsoft.com/ws/2008/06/identity/claims/groups) is not recognized. Save.

Two things to know about this claim. Azure AD emits the group object ID (a GUID) as the value unless the claim is configured to use group names, so the XSA role-collection mapping must use the same form that appears in the assertion. And a SAML token carries at most 150 groups; above that Azure sends an overage indicator instead of the list, which is why returning only the groups assigned to the application is the safer option when it is available.

Download the signing certificate (Base64) and the Federation Metadata XML. Note the certificate expiry date: Azure AD SAML signing certificates expire (three years by default) and must be rolled into XSA before then, or assertion signature validation fails.
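The following PowerShell is an added example, not code from the original article or from SAP: it checks the two artifacts downloaded from Azure AD before they go into XSA (issuer, SSO endpoints and signing-certificate validity from the Federation Metadata XML) and decodes a SAMLResponse to confirm that the attribute is really named Groups, what values it carries, and whether those values are object IDs. It also serves the test step later in this article, where a login that succeeds but grants nothing is usually this attribute. Everything marked CONSTRUCTED (the self-signed certificate, the all-zero tenant ID, the group ID and the user name) is a stand-in for a real download; function and variable names are my own.

```powershell
# Added example, not code from the original article. Requires PowerShell 7
# (the .NET CertificateRequest API). Inputs marked CONSTRUCTED are stand-ins
# for the real Federation Metadata XML and a real captured SAMLResponse.

function Get-IdpMetadataSummary {
    # What XSA needs from the Federation Metadata XML: issuer (entityID), SSO
    # endpoints, and the signing certificate with its validity window.
    param([Parameter(Mandatory)][string]$MetadataXml)
    $xml = [xml]$MetadataXml
    $ns  = New-Object System.Xml.XmlNamespaceManager($xml.NameTable)
    $ns.AddNamespace('md', 'urn:oasis:names:tc:SAML:2.0:metadata')
    $ns.AddNamespace('ds', 'http://www.w3.org/2000/09/xmldsig#')
    $idp = $xml.SelectSingleNode('/md:EntityDescriptor/md:IDPSSODescriptor', $ns)
    $b64 = $idp.SelectSingleNode(
        "md:KeyDescriptor[not(@use) or @use='signing']/ds:KeyInfo/ds:X509Data/ds:X509Certificate", $ns
    ).InnerText -replace '\s', ''
    $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new([Convert]::FromBase64String($b64))
    [pscustomobject]@{
        EntityId     = $xml.DocumentElement.GetAttribute('entityID')
        SsoEndpoints = @($idp.SelectNodes('md:SingleSignOnService', $ns) | ForEach-Object {
                           '{0} {1}' -f $_.GetAttribute('Binding').Split(':')[-1], $_.GetAttribute('Location') })
        Thumbprint   = $cert.Thumbprint
        NotAfter     = $cert.NotAfter
        CertValidNow = ($cert.NotBefore -le (Get-Date)) -and ((Get-Date) -lt $cert.NotAfter)
    }
}

function Test-GroupsAttribute {
    # Decode a SAMLResponse (the base64 form posted to the ACS) and report the
    # attribute XSA reads for role-collection mapping. A namespaced claim name or
    # an empty value list is exactly the "login works, no authorization" case.
    param([Parameter(Mandatory)][string]$SamlResponseBase64, [string]$ExpectedName = 'Groups')
    $xml = [xml]([Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($SamlResponseBase64)))
    $ns  = New-Object System.Xml.XmlNamespaceManager($xml.NameTable)
    $ns.AddNamespace('saml', 'urn:oasis:names:tc:SAML:2.0:assertion')
    $names  = @($xml.SelectNodes('//saml:AttributeStatement/saml:Attribute', $ns) | ForEach-Object { $_.GetAttribute('Name') })
    $attr   = $xml.SelectSingleNode("//saml:AttributeStatement/saml:Attribute[@Name='$ExpectedName']", $ns)
    $values = if ($attr) { @($attr.SelectNodes('saml:AttributeValue', $ns) | ForEach-Object { $_.InnerText }) } else { @() }
    $guidRe = '^[0-9a-f]{8}-([0-9a-f]{4}-){3}[0-9a-f]{12}$'
    $verdict = if (-not $attr)              { "no attribute named '$ExpectedName'; assertion carries: $($names -join ', ')" }
               elseif ($values.Count -eq 0) { 'attribute present but empty: user is in no group that Azure AD emitted' }
               else                         { 'ok' }
    [pscustomobject]@{
        NameId         = $xml.SelectSingleNode('//saml:Subject/saml:NameID', $ns).InnerText
        AttributeNames = $names
        GroupValues    = $values
        # Azure AD sends group object IDs unless the claim is switched to names;
        # the XSA role-collection mapping must use the same form.
        ValuesAreObjectIds = ($values.Count -gt 0) -and (@($values | Where-Object { $_ -match $guidRe }).Count -eq $values.Count)
        Verdict        = $verdict
    }
}

# --- CONSTRUCTED inputs: a throw-away self-signed signing certificate and a
# --- metadata document / response in the shape Azure AD produces.
$rsa = [System.Security.Cryptography.RSA]::Create(2048)
$req = [System.Security.Cryptography.X509Certificates.CertificateRequest]::new(
    'CN=constructed-idp-signing', $rsa,
    [System.Security.Cryptography.HashAlgorithmName]::SHA256,
    [System.Security.Cryptography.RSASignaturePadding]::Pkcs1)
$cert    = $req.CreateSelfSigned([DateTimeOffset]::Now.AddDays(-1), [DateTimeOffset]::Now.AddYears(3))
$certB64 = [Convert]::ToBase64String($cert.RawData)
$tenant  = '00000000-0000-0000-0000-000000000000'   # CONSTRUCTED tenant ID
$metadata = @"
<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata" entityID="https://sts.windows.net/$tenant/">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor use="signing"><KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
      <X509Data><X509Certificate>$certB64</X509Certificate></X509Data></KeyInfo></KeyDescriptor>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://login.microsoftonline.com/$tenant/saml2"/>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://login.microsoftonline.com/$tenant/saml2"/>
  </IDPSSODescriptor>
</EntityDescriptor>
"@
$response = @"
<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0">
  <saml:Assertion ID="_a1" Version="2.0"><saml:Subject><saml:NameID>hana.admin@contoso.example</saml:NameID></saml:Subject>
    <saml:AttributeStatement><saml:Attribute Name="Groups">
      <saml:AttributeValue>11111111-2222-3333-4444-555555555555</saml:AttributeValue>
    </saml:Attribute></saml:AttributeStatement></saml:Assertion>
</samlp:Response>
"@
$responseB64 = [Convert]::ToBase64String([Text.Encoding]::UTF8.GetBytes($response))

Get-IdpMetadataSummary -MetadataXml $metadata | Format-List
Test-GroupsAttribute -SamlResponseBase64 $responseB64 | Format-List
# Real files: Get-IdpMetadataSummary (Get-Content .\FederationMetadata.xml -Raw), and
# the SAMLResponse form field captured from the browser's developer tools.
```

Run against a real assertion, the Verdict line tells you which of the three failure modes you are in: the claim still carries the Microsoft namespace, the user is in no emitted group, or the values are GUIDs while the XSA mapping expects names (or the reverse). The metadata summary's Thumbprint and NotAfter are the two values to record when you import the IdP into XSA in part III.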

 

Assign Users to Groups and to the SSO Application

In this section we create the AD users, assign them to groups and give them access to our SAML application. If you already have AD users, you can skip part A.

We do this from the Azure Active Directory service.

A. Create New User

Choose Manage Users and create the new user.

B. Create Groups

Groups are essential because they control user authorization.
Without a group assignment your user can log in to HANA Cockpit but has no authorization there. Go to Manage Groups.

Select New Group.

Create your groups. The group name can be anything meaningful; we map these groups to XSA role collections later.

At this point you should already have defined what your segregation of duties (SoD) and role model looks like. For example, mine looks like this:

  • HANA_COCKPIT_ADMIN
    Users who have authority to assign groups, create templates, add database resources, etc.
  • HANA_COCKPIT_USER
    Users who can access the particular database groups assigned to them and monitor those resources

SAP provides up to five predefined roles you can map these groups to.

C. Assign Users to Groups

We can assign membership from either the User or the Group view.
In this example we do it from the Group view: navigate to Manage –> Members.

Add the users that will be part of this Admin group, for example the HANA_COCKPIT_ADMIN user we created earlier.

Repeat the step for the other group.

D. Assign Users to SAP HANA Application

Finally, we assign our users to the SAP HANA Enterprise Application. Group membership alone is not enough: where the application requires assignment, Azure AD only issues an assertion for users (or groups) assigned here.

Go to the SAP HANA | Single sign-on application directory and select Manage –> Users and groups.

Select all users that will be part of SSO.
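Steps A to D above as one repeatable script, using the Microsoft Graph PowerShell SDK. This is an added example, not the article’s or SAP’s code: the tenant domain, user and group names, the enterprise application’s display name and the bootstrap-password scheme are assumptions to adjust for your tenant. It assigns users rather than groups to the application, exactly as the click-through steps do, so it does not depend on Azure AD Premium.

```powershell
# Added example, not the article's or SAP's code: steps A-D as a repeatable script
# using the Microsoft Graph PowerShell SDK (Install-Module Microsoft.Graph).
# ASSUMPTIONS: tenant domain, user and group names, the enterprise application's
# display name, and the bootstrap-password scheme; adjust them for your tenant.
Connect-MgGraph -Scopes 'User.ReadWrite.All', 'Group.ReadWrite.All', 'Application.Read.All', 'AppRoleAssignment.ReadWrite.All'

$tenantDomain   = 'contoso.example'   # assumption
$appDisplayName = 'SAP HANA'          # the name given when the enterprise application was added

# B. Security groups; their object IDs are what the Groups attribute will carry.
$groups = @{}
foreach ($name in 'HANA_COCKPIT_ADMIN', 'HANA_COCKPIT_USER') {
    $g = Get-MgGroup -Filter "displayName eq '$name'"
    if (-not $g) { $g = New-MgGroup -DisplayName $name -MailNickname $name -MailEnabled:$false -SecurityEnabled }
    $groups[$name] = $g
}

# D (lookup). The enterprise application's service principal and an app role to assign.
$sp = Get-MgServicePrincipal -Filter "displayName eq '$appDisplayName'"
if (-not $sp) { throw "Enterprise application '$appDisplayName' not found" }
$roleId = ($sp.AppRoles | Where-Object IsEnabled | Select-Object -First 1).Id
if (-not $roleId) { $roleId = '00000000-0000-0000-0000-000000000000' }   # default role when the app defines none

# A, C, D per user: create if missing, add to its group, assign to the application.
$userToGroup = @{ 'hana.admin' = 'HANA_COCKPIT_ADMIN'; 'hana.user' = 'HANA_COCKPIT_USER' }
foreach ($entry in $userToGroup.GetEnumerator()) {
    $upn = "$($entry.Key)@$tenantDomain"
    $u = Get-MgUser -Filter "userPrincipalName eq '$upn'"
    if (-not $u) {
        # One-time bootstrap password; the user is forced to change it at first sign-in.
        $pw = @{ Password = (New-Guid).Guid + 'Aa1!'; ForceChangePasswordNextSignIn = $true }
        $u = New-MgUser -DisplayName $entry.Key -UserPrincipalName $upn -MailNickname $entry.Key -AccountEnabled -PasswordProfile $pw
    }
    # C. Group membership: this is what drives authorization inside the cockpit.
    $gid = $groups[$entry.Value].Id
    if (-not (Get-MgGroupMember -GroupId $gid -All | Where-Object Id -eq $u.Id)) {
        New-MgGroupMember -GroupId $gid -DirectoryObjectId $u.Id
    }
    # D. Assignment to the enterprise application: this is what allows SSO at all.
    if (-not (Get-MgServicePrincipalAppRoleAssignedTo -ServicePrincipalId $sp.Id -All | Where-Object PrincipalId -eq $u.Id)) {
        New-MgServicePrincipalAppRoleAssignedTo -ServicePrincipalId $sp.Id -PrincipalId $u.Id -ResourceId $sp.Id -AppRoleId $roleId | Out-Null
    }
}
```

The script is idempotent, so it can be re-run after adding a user to the table. With Azure AD Premium you can assign the two groups themselves to the application instead of each user, by passing the group’s Id as -PrincipalId in the last call; the group membership step stays the same either way, because that is what feeds the Groups attribute.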

 

Test to see if single sign-on is working

Go to the SAP HANA enterprise application’s single sign-on page and click Test.

We test with the user we created: provide the AD username and password.
If everything is configured correctly, the user is authenticated and lands on the HANA Cockpit page. If authentication succeeds but the cockpit offers nothing to do, SSO itself is fine and the problem is authorization: the user is not in a group, the group was not emitted in the Groups attribute, or the group is not mapped to a role collection in XSA (covered in part III).

Conclusion

You should now be able to configure SAML 2.0 SSO in Azure Active Directory as Identity Provider for SAP HANA Cockpit.

In the next part of the series we cover the configuration from the SAP HANA side:
Configuring Federated SAML: Azure AD to the SAP HANA Cockpit Part III

Additional Reference

https://docs.microsoft.com/en-us/azure/active-directory/saas-apps/saphana-tutorial#configure-azure-ad-single-sign-on
