Configuring Federated SAML: Azure AD to the SAP HANA Cockpit Part III
We’re in the last part of Configuring Federated SAML: Azure AD to the SAP HANA Cockpit series.
To recap, here’s what we’ve covered so far:
- In Configuring Federated SAML: Azure AD to the SAP HANA Cockpit Part I we covered the facts and restrictions in HANA Cockpit, such as mapping IdP to local HANA users and the configuration areas you need not touch.
- In Configuring Federated SAML: Azure AD to the SAP HANA Cockpit Part II we covered these areas in detail:
  - Add SAP HANA Enterprise Application
  - Configure SAP HANA SAML in Azure Enterprise Application
  - Assign Users to Azure Security Groups and the SSO Assignment
  - Test SAP SAML Single Sign On on Azure
In this part we’ll make the configuration in the HANA XSA and fit the puzzle together:
- Import SAML Metadata from IdP
- Map IdP Security Group to XSA Role Collections
- Add a SAML Certificate with HANA Cockpit
- Assign Database Group
BASIC CONFIGURATION
Change the signature algorithm for SAML on XSA to SHA256
If you’re still using SHA-1 (the default value in older HANA versions), consider updating it, as SHA-1 is deprecated for SAML signatures.
Make sure you have XS RUNTIME 1 Patch Collection 37 (build 1.0.68 / PL 68) or higher.
- Execute the following statement in the database:
ALTER SYSTEM ALTER CONFIGURATION ('xsuaaserver.ini','SYSTEM') SET ('login.yml','login.saml.signatureAlgorithm')='sha256' WITH RECONFIGURE;
- Restart the XSUAA process via Eclipse/HANA Studio: go to the Landscape view, right-click xsuaaserver and stop it.
Change Service Provider Information
In XSA, we can’t provide as much Organization information as in its XS admin counterpart.
For example, we can’t define Organization Name, Organization Display Name or Organization URL.
The only detail we can customize is the Entity Name, and that is done via a SQL command:
alter system alter configuration ('xsuaaserver.ini','SYSTEM') set ('login.yml','login.entityid')='yourentityidname' with reconfigure;
Replace ‘yourentityidname’ with something meaningful and standard across your SAML implementation, for example: companyName:HANA-<HANA_SID>:saml2:idp
Restart the XSA:
XSA restart
Download the SAML metadata file from XSA
Once you’ve made the necessary changes to the signature algorithm and the service provider information, you can download the metadata from this URL:
https://<uaa-server>:Authorization-end-point/saml/metadata
Note: the authorization endpoint can be found by running the command xs -v on the command line and looking for the key authorizationEndpoint.
e.g: https://sapzzzweb.internal.com:39632/uaa-security/saml/metadata
Provide the downloaded file to your federation team; they will import it into the IdP.
In the case of Azure, we covered this in Configuring Federated SAML: Azure AD to the SAP HANA Cockpit Part II.
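Before handing the SP metadata to the federation team, it is worth confirming that the two ALTER SYSTEM changes above actually took effect. The following is an added example, not code from the original post: it parses the downloaded metadata and reports the entityID, the signature algorithm and the assertion consumer URLs. It assumes the metadata’s own ds:Signature uses the configured login.saml.signatureAlgorithm; the sample document and its entity ID are constructed.

```python
# Added example: sanity-check the SP metadata downloaded from
# https://<uaa-server>:<authorization-endpoint>/saml/metadata after changing
# login.saml.signatureAlgorithm and login.entityid. Assumption: the metadata
# document's own ds:Signature reflects the configured signature algorithm.
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
# Algorithm URIs that indicate the deprecated SHA-1 setting is still active
SHA1_ALGS = {
    "http://www.w3.org/2000/09/xmldsig#rsa-sha1",
    "http://www.w3.org/2000/09/xmldsig#dsa-sha1",
}

def check_sp_metadata(xml_text):
    """Return entityID, signature algorithm, SHA-1 flag and ACS URLs."""
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}EntityDescriptor" % NS["md"]:
        raise ValueError("not a SAML EntityDescriptor")
    sig = root.find("ds:Signature/ds:SignedInfo/ds:SignatureMethod", NS)
    alg = sig.get("Algorithm") if sig is not None else None
    sp = root.find("md:SPSSODescriptor", NS)
    acs = [] if sp is None else [
        a.get("Location") for a in sp.findall("md:AssertionConsumerService", NS)
    ]
    return {
        "entity_id": root.get("entityID"),
        "signature_algorithm": alg,
        "uses_sha1": alg in SHA1_ALGS,
        "acs_urls": acs,
    }

# Constructed sample: what the download looks like after the SHA-256 change
SAMPLE = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    entityID="companyName:HANA-XYZ:saml2:idp">
  <ds:Signature><ds:SignedInfo>
    <ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
  </ds:SignedInfo></ds:Signature>
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://sapzzzweb.internal.com:39632/uaa-security/saml/SSO" index="0"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""

if __name__ == "__main__":
    print(check_sp_metadata(SAMPLE))
```

A result with uses_sha1 set to True means the xsuaaserver change was not picked up; re-check the ALTER SYSTEM statement and restart XSUAA before sending the file on.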
CONFIGURATION ON XSA
Importing SAML Metadata from IdP
I assume you have downloaded the IdP metadata or had it provided to you by the IdP federation team; we covered this in the previous post.
- Access your XSA Cockpit page: https://<uaa-server>:3<sys-nr>30/go/xsa-cockpit
- Create a new Trust Configuration
Follow the sequence.
The metadata will be parsed automatically.
To give the SAML login link meaningful text, fill in the “Link Text” field. If it is left blank, HANA will use the Origin Key name.
Save it.
Map IdP Security Group to XSA Role Collections
While we’re on the Trust Configuration page, we may as well configure the mapping.
But before that, we need to know which roles are available, what functionality each covers, and how many job roles/functions should be defined based on that.
Standard Cockpit roles delivered by SAP:
| COCKPIT ROLE | XSA EQUIVALENT NAME | PERMITS ACCESS TO |
| --- | --- | --- |
| Cockpit Administrator | COCKPIT_ADMIN | The Cockpit Settings section of the Cockpit Manager, where they can configure cockpit settings. |
| Cockpit Database Administrator | COCKPIT_RESOURCE_ADMIN | The Registered Resource and Resource Groups sections of the Cockpit Manager, where they can register resources, create resource groups, and assign cockpit users and registered resources to resource groups. |
| Cockpit User Administrator | COCKPIT_USER_ADMIN | The Manage Users section of the Cockpit Manager, where they can create and manage cockpit users. |
| Cockpit User | COCKPIT_USER_ADMIN | The SAP HANA cockpit, where they can view the resources in the resource groups to which they have been granted access. |
| (role name not given in the original table) | COCKPIT_POWER_USER | Registers databases through the Cockpit Manager |
| System Configuration Template Administrator Role | COCKPIT_CONFIG_TEMPLATE_ADMIN | Creates, modifies and deletes system configuration templates |
| Cockpit Troubleshooting | COCKPIT_TROUBLESHOOTING | Views XSA logs in the Cockpit Manager |
To help with role mapping at a granular level, we’ll use this authorization matrix.
Here are the important things to know:
- Every Cockpit user needs the object ‘cockpit!i1.landscape_view’ to be able to log in successfully
- By default, only users with the COCKPIT_RESOURCE_ADMIN role assigned will be able to view all database resources/groups. This means only admin users will be able to view databases without further configuration
Based on the matrix, an administrator will need the following role collections to perform all HANA Cockpit operations:
- COCKPIT_ADMIN
- COCKPIT_RESOURCE_ADMIN
- COCKPIT_USER_ADMIN
- COCKPIT_CONFIG_TEMPLATE_ADMIN
Now that you have a clear understanding of the concept, let’s implement it.
Navigate to Role Collection Mappings and follow the sequence to define a new mapping.
*The value in point no. 4 is the AD security group we defined earlier.
Repeat steps 2-5 to define all mappings, both for admin and non-admin Cockpit users.
CONFIGURATION ON HANA COCKPIT
Adding a Certificate with HANA Cockpit
In our example, we’ll use HANA Cockpit; the other way is via SQL commands.
Prerequisites:
- You have downloaded the SAML certificate or received it from the IdP federation team. In the case of the Azure AD IdP, we covered this in Configuring Federated SAML: Azure AD to the SAP HANA Cockpit Part II of the series.
- You have added the SAP HANA Cockpit database to the Database Directory with SAP HANA Cockpit Admin
- You have the CATALOG READ, TRUST ADMIN, CERTIFICATE ADMIN, and USER ADMIN authorizations
Importing Certificate
- Access “Certificate Store” from “Security Related Links” section in Database Overview of your HANA Cockpit database.
- On Certificate Store page, import your certificates.
The imported certificate is highlighted in red.
Also ensure that the entire certificate chain of the X.509 certificate is available.
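The IdP metadata imported in the Trust Configuration step carries the IdP signing certificate as base64 DER inside md:KeyDescriptor, while the Certificate Store import above expects a PEM-encoded certificate. The following is an added example, not code from the original post: it extracts every signing certificate from the IdP metadata and re-wraps it as PEM, validating the base64 and the DER framing on the way. The sample metadata, its entity ID and its stand-in certificate bytes are constructed.

```python
# Added example: pull the IdP signing certificate(s) out of IdP metadata and
# produce PEM blocks for pasting into the HANA Cockpit Certificate Store.
# Assumption: the metadata uses the standard md:KeyDescriptor/ds:KeyInfo/
# ds:X509Data/ds:X509Certificate layout.
import base64
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

def to_pem(b64_text):
    """Re-wrap raw base64 DER into a PEM block, validating the encoding."""
    raw = "".join(b64_text.split())             # metadata often wraps the base64
    der = base64.b64decode(raw, validate=True)  # binascii.Error on non-base64 input
    if not der or der[0] != 0x30:               # a DER certificate starts with SEQUENCE
        raise ValueError("X509Certificate content is not a DER certificate")
    body = base64.b64encode(der).decode()
    lines = [body[i:i + 64] for i in range(0, len(body), 64)]
    return "-----BEGIN CERTIFICATE-----\n" + "\n".join(lines) + "\n-----END CERTIFICATE-----\n"

def extract_idp_signing_certs(xml_text):
    """Return a PEM string for every KeyDescriptor usable for signing."""
    root = ET.fromstring(xml_text)
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("no IDPSSODescriptor: this is not IdP metadata")
    pems = []
    for kd in idp.findall("md:KeyDescriptor", NS):
        if kd.get("use", "signing") != "signing":  # no 'use' attribute means both
            continue                               # skip encryption-only keys
        for cert in kd.findall("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS):
            pems.append(to_pem(cert.text))
    return pems

# Constructed sample: a minimal DER SEQUENCE stands in for a real certificate
FAKE_DER_B64 = base64.b64encode(b"\x30\x03\x02\x01\x01").decode()
SAMPLE = f"""<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="https://idp.example.com/saml">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>{FAKE_DER_B64}</ds:X509Certificate>
    </ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:KeyDescriptor use="encryption"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>{FAKE_DER_B64}</ds:X509Certificate>
    </ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""
```

Any intermediate or root CA certificates that the metadata does not carry must be imported separately to satisfy the chain requirement above.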
Assign Certificate to Certificate Collection
A certificate collection is equivalent to an internal personal security environment (PSE).
This is a secure location within an SAP HANA database where public and private key certificates are stored. By default, a standard installation creates a SAML PSE. We’ll import our certificate there.
- Access “Certificate Collections” from “Security Related Links” section in Database Overview of your HANA Cockpit database.
- On the Certificate Collections page, filter the purpose of the PSE to “SAML” and add the certificate
Add a SAML Identity Provider in SAP HANA Cockpit
- On the Database Overview page, with the Security and User Management or All view selected, navigate to Security Related Links and choose SAML Identity Providers.
- Choose “Add Identity Provider” and import your certificate from the certificate store
At this point, you should now have a working SSO.
TESTING THE SSO
- Go to your SAP HANA Cockpit login page.
To log in with SAML, click the SAML login link.
Remember that the login link text depends on your configuration.
- Sign in with your IdP account
- You’re now logged in and able to see the Cockpit launch page
ASSIGN DATABASE GROUP TO NON-ADMIN USER
If you recall from the first post of this series, there is no HANA user defined locally in the HANA Cockpit SAML setup. So how do we assign groups if no user exists in the first place?
In the HANA Cockpit SAML scenario, the system populates Cockpit users locally after their first successful login with IdP credentials. You cannot change anything on the user, but you can assign database groups to it.
To assign a group:
- Make sure the user has logged in at least once with SAML
- Make sure you have created database groups
- From SAP HANA Cockpit Admin User Details, assign group(s) to each individual user
AUTOMATIC LOGIN
To redirect users automatically without showing the login screen on the HANA Cockpit page:
- Delete the other IdP, if you have several configured
- Set parameter uaa.oidc.enableoidc = false in the xsuaaserver.ini configuration file. If the issue persists and you are on XSA 1.0.99, remove the parameter uaa.oidc.providerlinktext.
- Execute the following statement in the database
ALTER SYSTEM ALTER CONFIGURATION ('xsuaaserver.ini','SYSTEM') SET ('environment','saml_auto_redirect')='true';
- Restart XSA
Now every time you access the Cockpit Admin page, you will automatically use your SAML assertion token.
Hint: if you have the auto-redirect option enabled but would like to authenticate using the standard logon page with local HANA users, you can access the UAA login endpoint with the URL parameter origin=uaa: https://<uaa-server>:3<sys-nr>32/uaa-security/login?origin=uaa. This feature was delivered with XSA 1.0.88.
CONCLUSION
You should now have a basic understanding of how to set up SAML SSO for SAP HANA Cockpit in your organization. We used Azure AD as our example, but the overall configuration applies to other IdPs as well.
One more important point before we conclude the series: although we do not cover SSL configuration, it is highly recommended to implement it, as the token contains sensitive information about your organization.
Hi Bobby,
Thanks for a very detailed blog, it has been our goto guide. Looking forward to many more articles from you. Have a few questions:
3. Cockpit logs -
pc1adm@WEPG70PC1DB:/usr/sap/PC1/HDB00> xs logs --recent cockpit-web-app
Connected, dumping recent logs for app "cockpit-web-app"
9/11/20 2:44:24.959 PM [APP/4-0] SYS #
9/11/20 2:44:24.959 PM [APP/4-0] SYS #2.0#2020 09 11 14:44:24:955#+00:00#INFO#/server.js#####keycq96i##########keycq96i#PLAIN##
========================================
Registering application middleware (for persistency service)
========================================
#
9/11/20 2:44:24.959 PM [APP/4-0] SYS #2.0#2020 09 11 14:44:24:955#+00:00#INFO#/toggles.js#####keycq96i##########keycq96i#PLAIN##Send request for toggles to: https://sappc1db.unite.swissre.com:51011/v1/toggles#
9/11/20 2:44:25.235 PM [APP/4-0] SYS #2.0#2020 09 11 14:44:25:235#+00:00#INFO#/server.js#####keycq96i##########keycq96i#PLAIN##Toggles: {}#
9/11/20 2:44:25.242 PM [APP/4-0] ERR Fri, 11 Sep 2020 14:44:25 GMT body-parser deprecated bodyParser: use individual json/urlencoded middlewares at node_modules/@sap/site-entry/server.js:77:53
9/11/20 2:44:25.242 PM [APP/4-0] SYS #2.0#2020 09 11 14:44:25:235#+00:00#INFO#/server.js#####keycq96i##########keycq96i#PLAIN##bodyParser is set for personalization with the limit: 15MB#
9/11/20 2:44:25.256 PM [APP/4-0] ERR Fri, 11 Sep 2020 14:44:25 GMT body-parser deprecated undefined extended: provide extended option at node_modules/body-parser/index.js:105:29
9/11/20 2:44:25.258 PM [APP/4-0] SYS #2.0#2020 09 11 14:44:25:257#+00:00#INFO#/server.js#####keycq96i##########keycq96i#PLAIN##
========================================
Strating server ...
========================================
#
9/11/20 2:44:25.258 PM [APP/4-0] SYS #2.0#2020 09 11 14:44:25:257#+00:00#INFO#/server.js#####keycq96i##########keycq96i#PLAIN##Support independent app toggle: undefined#
9/11/20 2:44:25.280 PM [APP/4-0] SYS #2.0#2020 09 11 14:44:25:277#+00:00#INFO#/approuter#####keycq9fj##########keycq9fj#PLAIN##Application router version 6.7.2#
9/11/20 2:44:25.293 PM [APP/4-0] SYS #2.0#2020 09 11 14:44:25:293#+00:00#INFO#/Configuration#####keycq9fx##########keycq9fx#PLAIN##No COOKIES environment variable#
9/11/20 2:44:25.304 PM [APP/4-0] SYS #2.0#2020 09 11 14:44:25:304#+00:00#WARNING#/Configuration#####keycq9g8##########keycq9g8#PLAIN##Route with source /^(\\/v\\d+\\.\\d+\\.\\d+)?\\/sap\\/hana\\/cst\\/api\\/socket.io/ is vulnerable to ReDoS attacks#
9/11/20 2:44:25.304 PM [APP/4-0] SYS #2.0#2020 09 11 14:44:25:304#+00:00#WARNING#/Configuration#####keycq9g8##########keycq9g8#PLAIN##Route with source /^(\\/v\\d+\\.\\d+\\.\\d+)?\\/sap\\/hana\\/cst\\/api\\/(.*)$/ is vulnerable to ReDoS attacks#
9/11/20 2:44:25.304 PM [APP/4-0] SYS #2.0#2020 09 11 14:44:25:304#+00:00#WARNING#/Configuration#####keycq9g8##########keycq9g8#PLAIN##Route with source /^(\\/v\\d+\\.\\d+\\.\\d+)?\\/metadataapi\\/(.*)$/ is vulnerable to ReDoS attacks#
9/11/20 2:44:25.305 PM [APP/4-0] SYS #2.0#2020 09 11 14:44:25:304#+00:00#WARNING#/Configuration#####keycq9g8##########keycq9g8#PLAIN##Route with source /^\\/sap\\/hana\\/cst(\\/v\\d+\\.\\d+\\.\\d+)?\\/catalog\\/index.html/ is vulnerable to ReDoS attacks#
9/11/20 2:44:25.305 PM [APP/4-0] SYS #2.0#2020 09 11 14:44:25:305#+00:00#WARNING#/Configuration#####keycq9g8##########keycq9g8#PLAIN##Route with source /^\\/sap\\/hana\\/cst(\\/v\\d+\\.\\d+\\.\\d+)?\\/catalog\\/cockpit-index.html/ is vulnerable to ReDoS attacks#
9/11/20 2:44:25.313 PM [APP/4-0] SYS #2.0#2020 09 11 14:44:25:312#+00:00#INFO#/approuter#####keycq9fj##########keycq9fj#PLAIN##Application router is listening on port: 40323#
Hi Harika,
Thank you for commenting.
_Bobby
Hi Bobby,
You mention that .....
In HANA Cockpit SAML scenario, the system will populate Cockpit users locally after first time successful login with their IdP credentials.
I'm able to successfully log in with IdP credentials but I don't see my id in Cockpit Manager or even in the DB. Do you know what I am missing? Thanks.
Regards,
Noel.
Hi Mohamad,
In Cockpit Manager > Cockpit Users
Yours should be listed with "Authentication type" : Single Sign-On with SAML
_Bobby
Hello Bobby,
we are trying to set it up, and we managed to connect with AD users. However, role collection mapping does not work; we mapped all HANA Cockpit admin roles to the AD security group we created, HANA_COCKPIT_ADMIN.
So, we are connecting and getting this -> You're not authorized to open the SAP HANA Cockpit,
despite having mapped those roles to HANA_COCKPIT_ADMIN, and having assigned the AD user the AD sec group HANA_COCKPIT_ADMIN under the HANA application we created in Azure.
Can you please advise?
Thanks,
John K
Kostas,
As mentioned in the blog,
Please read the subsequent point and you'll be fine.
_bobby
Hi John,
The issue is with the role mapping: the HANA_COCKPIT_ADMIN role only gives access to manage HANA Cockpit itself. Try using another role mapping such as HANA_POWER_USER; it will work. You can try the HANA Cockpit admin manager URL 5<nr>28 instead of the cockpit resource manager 5<nr>26. Let me know if you have any issues.
Thanks
Harish
Hello Harish/Bobby,
Could you kindly specify how do I provide the authorization object cockpit!i1.landscape_view to users?
I am also facing the same issue.
Regards,
Denzil