Technical Articles
Setup SAML in SAP HANA with external Identity Provider
SAP HANA application and services are being consumed in different other applications such as sap analytics cloud, business objects, other reporting tools etc. To access these services seamlessly, SSO plays important role.
SAP HANA applications can use single sign-on (SSO) authentication with SAML assertions to confirm the logon credentials of a user calling an application service. For Eg, if SAP analytics cloud seeking data from SAP HANA, end user needs to put credential every time they pull the latest data. With SAML enabled users this can be avoided and same credentials from calling application can get authenticated.
Pre-requisite
- Availability of SAML identity provider
- Administrator access in SAP HANA SAML service provider system
- hana.xs.admin.roles::SAMLAdministrator
-
sap.hana.xs.admin.roles::RuntimeConfAdministrator
Its better if SSL is setup for XS, in case if SSL is not being used that should be okay provided your SAML IDP allows support for the HTTP protocol.
In case you want to setup SSL for XS, you can follow article with the link below
1. Setup SAP HANA XS with HTTPS. |
https://blogs.sap.com/2022/05/04/setup-sap-hana-xs-with-https/ |
Steps
Login to below URL
https://<host_name>:<ssl_xs_port>/sap/hana/xs/admin
Click on the main menu and select SAML Service Provider
Under the Metadata section, copy the content and save it locally with serviceprovider_hana.xml
Share this content with Identity provider team and ask for metadata for the SAML identity provider (IDP)
Your IDP team will share the metadata for the SAML identity provider
Upload this metadata in HANA
Go to below URL
https://<host_name>:<ssl_xs_port>/sap/hana/xs/admin
and click on SAML Identity provider
Click on the + icon in the bottom left corner to import IdP metadata you received from IDP team
Validate the details of the metadata that you imported. With this, the name of IDP will be updated on the page, Save this config.
Enable the service with SAML property which application is going consume.
SAP SAC will consume V2 service with full package path as below
navigate to sap -> bc -> ina -> service -> v2
In the XS Admin Page of your SAP HANA System, select Main Menu -> XS Artifact Administration
Navigate to V2 service and edit from right side bottom corner of the screen
Select the SAML checkbox, choose a SAML IdP that you have added in above steps
Now enable the user and assign it to SAML IDP, run below command
You may use below command
ALTER USER <HANA USER> ADD IDENTITY ‘<SAML MAPPING>’ FOR SAML PROVIDER <IMPORTED IdP NAME>;
or do the same in HANA Studio go to Security à User in hana studio and add IDP
To test the configuration, go to below URL and you should be able to login with your IDP credentials
https://FQDN:4300/sap/bc/ina/v2
Hope this article will help you setting up the SAP HANA XS with HTTPS.
Thanks!!!
Kindly share feedback or thoughts in a comment or ask questions if any.
Check out this, this might help : https://help.sap.com/docs/SAP_HANA_PLATFORM/6b94445c94ae495c83a19646e7c3fd56/8ccc7fb52a704881a4a2b2e2c927b6f8.html?version=2.0.04/EmployeeConnection.net Insite
Thanks for sharing the link Ben, the actual purpose of this blog post covered via below blog
https://blogs.sap.com/2022/05/10/sap-analytics-cloud-and-on-premise-sap-hana-sso-setup-with-external-identity-provider/
Thanks for the blog, useful. Can you please let me know from where to get the values for <SAML MAPPING>’
Also our scenario is we have to enable SSO from SAC to HANA database (onprem), our SAC is getting authenticated with IAS (to our IDP), so in our case, which metadata we need to import from SAC or IAS or IDP?
You need to Import metadata of IDP which is used to authenticate your SAC.
For End to END SSO from SAC to On-prem HANA you need to use same Identity provider. Multiple IDPs not supported in this scenario.
For complete details, follow the link
https://blogs.sap.com/2022/05/10/sap-analytics-cloud-and-on-premise-sap-hana-sso-setup-with-external-identity-provider/