Skip to Content
Technical Articles

Configuring Federated SAML: Azure AD to the SAP HANA Cockpit Part III

We’re in the last part of Configuring Federated SAML: Azure AD to the SAP HANA Cockpit series.
To recap, here’re what we’ve covered so far:

In this part we’ll make the configuration in the HANA XSA and fit the puzzle together:

  • Import SAML Metadata from IdP
  • Map IdP Security Group to XSA Role Collections
  • Add a SAML Certificate with HANA Cockpit
  • Assign Database Group

 

BASIC CONFIGURATION

Change the signature algorithm for SAML on XSA to SHA256

If you’re still using SHA1 (the default value in the older version of HANA), consider updating it as it is deprecated.
Make sure you have XS RUNTIME 1 Patch Collection 37 (build 1.0.68 / PL 68) or higher.

  1. Execute the following statement in the database:
    ALTER SYSTEM ALTER CONFIGURATION ('xsuaaserver.ini','SYSTEM') SET ('login.yml','login.saml.signatureAlgorithm')='sha256' WITH RECONFIGURE;​
  2. Restart the XSUAA process via Eclipse/HANA Studio
    Goto Landscape view and right click stop the xsuaaserver

Change Service Provider Information

in XSA, we can’t provide as much information on Organization as its XS admin counterpart.
For example, we can’t define Organization Name, Organization Display Name or Organization URL.
The only detail we can customize is the Entity Name, and it is via SQL command:

alter system alter configuration ('xsuaaserver.ini','SYSTEM') set ('login.yml','login.entityid')='yourentityidname' with reconfigure;

Replace ‘yourentityidname’ to something meaningful and standard across your SAML implementation, for example: companyName:HANA-<HANA_SID>:saml2:idp

Restart the XSA:

XSA restart

Download the SAML metadata file from XSA

Once you’ve made a necessary change on signature algorithm and the SPI, you can download the metadata with this URL:

https://<uaa-server>:Authorization-end-point/saml/metadata

Note: Authorization end-point can be found by executing the command xs -v on the command line and looking for the key authorizationEndpoint.

e.g: https://sapzzzweb.internal.com:39632/uaa-security/saml/metadata

Provide the downloaded file to your federation team. They will import it into the IdP.
In case of Azure, we covered it on Configuring Federated SAML: Azure AD to the SAP HANA Cockpit Part II.

 

CONFIGURATION ON XSA

Importing SAML Metadata from IdP

I assume you have downloaded the IdP metadata or provided by you by IdP federation team. We covered it in the previous blog.

  1. Access your XSA Cockpit page
    https://<uaa-server>:3<sys-nr>30/go/xsa-cockpit
  2. Create New Trust Configuration

    Follow the sequences.
    The metadata will be parsed automatically.
    To give meaningful text for SAML login link, fill in “Link Text” field. If left blank, HANA will use the Origin Key name.
    Save it.

Map IdP Security Group to XSA Role Collections

While we’re in the Trust Configuration page, we may as well configure the mapping.
But before that, we need to know what roles are available, what functionality it covers, and how many job roles / functions should be defined based on that.

Standard Cockpit roles delivered by SAP:

COCKPIT ROLE XSA EQUIVALENT NAME PERMIT ACCESS TO
Cockpit Administrator COCKPIT_ADMIN The Cockpit Settings section of the Cockpit Manager, where they can configure cockpit settings.
Cockpit Database Administrator COCKPIT_RESOURCE_ADMIN The Registered Resource and Resource Groups sections of the Cockpit Manager, where they can register resources, create resource groups, and assign cockpit users and registered resources to resource groups.
Cockpit User Administrator COCKPIT_USER_ADMIN The Manage Users section of the Cockpit Manager, where they can create and manage cockpit users.
Cockpit User COCKPIT_USER_ADMIN The SAP HANA cockpit, where they can view the resources in the resource groups to which they have been granted access.
Registers databases through the Cockpit Manager COCKPIT_POWER_USER System Configuration Template Administrator Role
System Configuration Template Administrator Role COCKPIT_CONFIG_TEMPLATE_ADMIN Creates, modifies and deletes system configuration templates
Cockpit Troubleshooting COCKPIT_TROUBLESHOOTING Views XSA logs in the Cockpit Manager

To help with role mapping in a granular detail, we’ll use this authorization matrix.

Here’re important things to know:

  • Every Cockpit user need object ‘cockpit!i1.landscape_view’ to be able to login successfully
  • By default, only user with COCKPIT_RESOURCE_ADMIN role assigned will be able to view all database resources / groups. This means only admin user will be able to view databases without further configuration

Based on the matrix, an administrator will need following role collections to do all HANA Cockpit operations:

  • COCKPIT_ADMIN
  • COCKPIT_RESOURCE_ADMIN
  • COCKPIT_USER_ADMIN
  • COCKPIT_CONFIG_TEMPLATE_ADMIN

Now that you have clear understanding on the concept, let’s implement it.

Navigate to Role Collection Mappings and follow the sequences to define new mapping.

*Value in point no. 4 is the AD security group we defined earlier.

Repeat step 2-5 to define all mappings, both for admin and non-admin Cockpit users.

 

CONFIGURATION ON HANA COCKPIT

Adding a Certificate with HANA Cockpit

In our example, we’ll use HANA Cockpit. Other way is by using SQL command.

Prerequisites:

  • You have downloaded SAML certificate / got it from IdP federation team.
    In case of Azure AD IdP, we covered it in Configuring Federated SAML: Azure AD to the SAP HANA Cockpit Part II of the series.
  • You have added SAP HANA Cockpit Database to Database Directory with SAP HANA Cockpit Admin
  • You have CATALOG READ, TRUST ADMIN, CERTIFICATE ADMIN, and USER ADMIN authorization

Importing Certificate

  • Access “Certificate Store” from “Security Related Links” section in Database Overview of your HANA Cockpit database.
  • On Certificate Store page, import your certificates.
    Highlighted red is the imported certificate.
    Also ensure that the entire certificate chain of the X.509 certificate is available.

Assign Certificate to Certificate Collection

A certificate collection is equivalent to internal personal security environment (PSE).
This is a secure location within a SAP HANA Database where public and private key certificates are stored. By default, standard installation will create a SAML PSE. We’ll import our certificate there.

  • Access “Certificate Collections” from “Security Related Links” section in Database Overview of your HANA Cockpit database.
  • On Certificate Collections page, filter the purpose of the PSE to “SAML”, and add the certificate

 

Add a SAML Identity Provider in SAP HANA Cockpit

  • On the Database Overview page, with the Security and User Management or All view selected, navigate to Security Related Links and choose SAML Identity Providers.
  • Choose “Add Identity Provider” and import your certificate from the certificate store

At this point, you should now have a working SSO.

TESTING THE SSO

  • Goto your SAP HANA Cockpit login page.
    To login with SAML, click the SAML login link.
    Remember that the login link text depends on your configuration.
  • Provide your IdP account
  • You’re now logged in and able to see the Cockpit launch page

ASSIGN DATABASE GROUP TO NON-ADMIN USER

If you recall from our first blog series, there’s no HANA user defined locally in HANA Cockpit SAML setup. So how do we assign the groups if no user existed in the first place?

In HANA Cockpit SAML scenario, the system will populate Cockpit users locally after first time successful login with their IdP credentials. You cannot change anything on the user, but you can assign database groups to it.

To assign a group:

  • Make sure user has login at least once with SAML
  • Make sure you have created database groups
  • From SAP HANA Cockpit Admin User Details, assign group(s) to each individual user

 

AUTOMATIC LOGIN

To redirect user automatically without login screen in HANA Cockpit page:

  • Delete the other IdP, if you have several configured
  • Set parameter uaa.oidc.enableoidc = false in the xsuaaserver.ini configuration file. If the issue persists and you are on XSA 1.0.99, remove the parameter uaa.oidc.providerlinktext.
  • Execute the following statement in the database
    ALTER SYSTEM ALTER CONFIGURATION ('xsuaaserver.ini','SYSTEM') SET ('environment','saml_auto_redirect')='true';​
  • Restart XSA

Now everytime you access the COCKPIT Admin page, you will automatically use your SAML assertion token.

Hint: if you have the auto redirect option enabled, but you would like to authenticate using the standard logon page with local HANA users, you can access the login endpoint of UAA with the URL parameter origin=uaahttps://<uaa-server>:3<sys-nr>32/uaa-security/login?origin=uaa. This feature was delivered with XSA 1.0.88

 

CONCLUSION

You should now have a basic understanding on how to setup SAML SSO for SAP HANA Cockpit in your organization. We use Azure AD as our example, but the overall configuration will apply to other IdP as well.

Another important point before we conclude the series is, although we do not cover SSL configuration it is highly recommended to implement one, as the token contains sensitive information of your organization.

 

 

2 Comments
You must be Logged on to comment or reply to a post.
  • Hi Bobby,

     

    Thanks for a very detailed blog, it has been our goto guide. Looking forward to many more articles from you. Have a few questions:

    1. Replace ‘yourentityidname’ to something meaningful and standard across your SAML implementation, for example: companyName:HANA-<HANA_SID>:saml2:idp –> Can this entity ID be anything ? Is there a format ?
    2. I generated a metadata file with PC1 as the entity ID which is our SID for cockpit. I’m unable to parse it, it says invalid entry. Is this something you can help me with ? I’m attaching the metadata file, screenshot and the cockpit logs.

     

     

    3. Cockpit logs –

     

    pc1adm@WEPG70PC1DB:/usr/sap/PC1/HDB00> xs logs –recent cockpit-web-app

    Connected, dumping recent logs for app “cockpit-web-app”
    9/11/20 2:44:24.959 PM [APP/4-0] SYS #
    9/11/20 2:44:24.959 PM [APP/4-0] SYS #2.0#2020 09 11 14:44:24:955#+00:00#INFO#/server.js#####keycq96i##########keycq96i#PLAIN##
    ========================================
    Registering application middleware (for persistency service)
    ========================================
    #
    9/11/20 2:44:24.959 PM [APP/4-0] SYS #2.0#2020 09 11 14:44:24:955#+00:00#INFO#/toggles.js#####keycq96i##########keycq96i#PLAIN##Send request for toggles to: https://sappc1db.unite.swissre.com:51011/v1/toggles#
    9/11/20 2:44:25.235 PM [APP/4-0] SYS #2.0#2020 09 11 14:44:25:235#+00:00#INFO#/server.js#####keycq96i##########keycq96i#PLAIN##Toggles: {}#
    9/11/20 2:44:25.242 PM [APP/4-0] ERR Fri, 11 Sep 2020 14:44:25 GMT body-parser deprecated bodyParser: use individual json/urlencoded middlewares at node_modules/@sap/site-entry/server.js:77:53
    9/11/20 2:44:25.242 PM [APP/4-0] SYS #2.0#2020 09 11 14:44:25:235#+00:00#INFO#/server.js#####keycq96i##########keycq96i#PLAIN##bodyParser is set for personalization with the limit: 15MB#
    9/11/20 2:44:25.256 PM [APP/4-0] ERR Fri, 11 Sep 2020 14:44:25 GMT body-parser deprecated undefined extended: provide extended option at node_modules/body-parser/index.js:105:29
    9/11/20 2:44:25.258 PM [APP/4-0] SYS #2.0#2020 09 11 14:44:25:257#+00:00#INFO#/server.js#####keycq96i##########keycq96i#PLAIN##
    ========================================
    Strating server …
    ========================================
    #
    9/11/20 2:44:25.258 PM [APP/4-0] SYS #2.0#2020 09 11 14:44:25:257#+00:00#INFO#/server.js#####keycq96i##########keycq96i#PLAIN##Support independent app toggle: undefined#
    9/11/20 2:44:25.280 PM [APP/4-0] SYS #2.0#2020 09 11 14:44:25:277#+00:00#INFO#/approuter#####keycq9fj##########keycq9fj#PLAIN##Application router version 6.7.2#
    9/11/20 2:44:25.293 PM [APP/4-0] SYS #2.0#2020 09 11 14:44:25:293#+00:00#INFO#/Configuration#####keycq9fx##########keycq9fx#PLAIN##No COOKIES environment variable#
    9/11/20 2:44:25.304 PM [APP/4-0] SYS #2.0#2020 09 11 14:44:25:304#+00:00#WARNING#/Configuration#####keycq9g8##########keycq9g8#PLAIN##Route with source /^(\\/v\\d+\\.\\d+\\.\\d+)?\\/sap\\/hana\\/cst\\/api\\/socket.io/ is vulnerable to ReDoS attacks#
    9/11/20 2:44:25.304 PM [APP/4-0] SYS #2.0#2020 09 11 14:44:25:304#+00:00#WARNING#/Configuration#####keycq9g8##########keycq9g8#PLAIN##Route with source /^(\\/v\\d+\\.\\d+\\.\\d+)?\\/sap\\/hana\\/cst\\/api\\/(.*)$/ is vulnerable to ReDoS attacks#
    9/11/20 2:44:25.304 PM [APP/4-0] SYS #2.0#2020 09 11 14:44:25:304#+00:00#WARNING#/Configuration#####keycq9g8##########keycq9g8#PLAIN##Route with source /^(\\/v\\d+\\.\\d+\\.\\d+)?\\/metadataapi\\/(.*)$/ is vulnerable to ReDoS attacks#
    9/11/20 2:44:25.305 PM [APP/4-0] SYS #2.0#2020 09 11 14:44:25:304#+00:00#WARNING#/Configuration#####keycq9g8##########keycq9g8#PLAIN##Route with source /^\\/sap\\/hana\\/cst(\\/v\\d+\\.\\d+\\.\\d+)?\\/catalog\\/index.html/ is vulnerable to ReDoS attacks#
    9/11/20 2:44:25.305 PM [APP/4-0] SYS #2.0#2020 09 11 14:44:25:305#+00:00#WARNING#/Configuration#####keycq9g8##########keycq9g8#PLAIN##Route with source /^\\/sap\\/hana\\/cst(\\/v\\d+\\.\\d+\\.\\d+)?\\/catalog\\/cockpit-index.html/ is vulnerable to ReDoS attacks#
    9/11/20 2:44:25.313 PM [APP/4-0] SYS #2.0#2020 09 11 14:44:25:312#+00:00#INFO#/approuter#####keycq9fj##########keycq9fj#PLAIN##Application router is listening on port: 40323#

     

    /
    • Hi Harika,

      Thank you for commenting.

      1. It can be anything, there’s no specific format to follow
      2. You need to send SAML metadata to Federation team, then they’ll give you another metadata for you to import (exchanging metadata), as mentioned in section “Download the SAML metadata file from XSA”. The reason you’re getting the error is because you tried to import HANA own metadata, which won’t work.

      _Bobby