Setup SAML in SAP HANA with external Identity Provider

SAP HANA application and services are being consumed in different other applications such as sap analytics cloud, business objects, other reporting tools etc. To access these services seamlessly, SSO plays important role.

SAP HANA applications can use single sign-on (SSO) authentication with SAML assertions to confirm the logon credentials of a user calling an application service. For Eg, if SAP analytics cloud seeking data from SAP HANA, end user needs to put credential every time they pull the latest data. With SAML enabled users this can be avoided and same credentials from calling application can get authenticated.

Pre-requisite

1. Availability of SAML identity provider
2. Administrator access in SAP HANA SAML service provider system

• hana.xs.admin.roles::SAMLAdministrator

• sap.hana.xs.admin.roles::RuntimeConfAdministrator

Its better if SSL is setup for XS, in case if SSL is not being used that should be okay provided your SAML IDP allows support for the HTTP protocol.

In case you want to setup SSL for  XS, you can follow article with the link below

Steps

Login to below URL

https://<host_name>:<ssl_xs_port>/sap/hana/xs/admin

Click on the main menu and select SAML Service Provider

Under the Metadata section, copy the content and save it locally with serviceprovider_hana.xml

Share this content with Identity provider team and ask for metadata for  the SAML identity provider (IDP)

Your IDP team will share the metadata for  the SAML identity provider

Upload this metadata in HANA

Go to below URL

https://<host_name>:<ssl_xs_port>/sap/hana/xs/admin

and click on SAML Identity provider

Click on the + icon in the bottom left corner to import IdP metadata you received from IDP team

Validate the details of the metadata that you imported. With this, the name of IDP will be updated on the page, Save this config.

Enable the service with SAML property which application is going consume.

SAP SAC will consume V2 service with full package path as below

navigate to sap -> bc -> ina -> service -> v2

In the XS Admin Page of your SAP HANA System, select Main Menu -> XS Artifact Administration

Navigate to V2 service and edit from right side bottom corner of the screen

Select the SAML checkbox, choose a SAML IdP that you have added in above steps

Now enable the user and assign it to SAML IDP, run below command

You may use below command

ALTER USER <HANA USER> ADD IDENTITY ‘<SAML MAPPING>’ FOR SAML PROVIDER <IMPORTED IdP NAME>;

or do the same in HANA Studio go to Security à User in hana studio  and add IDP

To test the configuration, go to below URL and you should be able to login with your IDP credentials

https://FQDN:4300/sap/bc/ina/v2

Hope this article will help you setting up the SAP HANA XS with HTTPS.

Thanks!!!

Kindly share feedback or thoughts in a comment or ask questions if any.