Ankit Arora

Setup SAML in SAP HANA with external Identity Provider

SAP HANA applications and services are consumed by other applications such as SAP Analytics Cloud, BusinessObjects and other reporting tools. Single sign-on (SSO) plays an important role in accessing these services seamlessly.

SAP HANA applications can use single sign-on (SSO) authentication with SAML assertions to confirm the logon credentials of a user calling an application service. For example, if SAP Analytics Cloud requests data from SAP HANA, the end user has to enter credentials every time they pull the latest data. With SAML-enabled users this can be avoided, and the credentials from the calling application are used to authenticate.

Prerequisites

  1. Availability of a SAML identity provider
  2. Administrator access in the SAP HANA SAML service provider system, with the roles:
  • sap.hana.xs.admin.roles::SAMLAdministrator
  • sap.hana.xs.admin.roles::RuntimeConfAdministrator

It is better if SSL is set up for XS, because without it SAML assertions cross the network unencrypted. If SSL is not being used, that should be okay provided your SAML IdP supports the HTTP protocol.

If you want to set up SSL for XS, follow the article linked below:

1. Setup SAP HANA XS with HTTPS.
https://blogs.sap.com/2022/05/04/setup-sap-hana-xs-with-https/

Steps

Log in at the URL below:

https://<host_name>:<ssl_xs_port>/sap/hana/xs/admin

Click on the main menu and select SAML Service Provider.

Under the Metadata section, copy the content and save it locally as serviceprovider_hana.xml.

Share this content with your identity provider team and ask them for the metadata of the SAML identity provider (IdP).

Your IdP team will share the metadata for the SAML identity provider.

Upload this metadata in HANA.

Go to the URL below

https://<host_name>:<ssl_xs_port>/sap/hana/xs/admin

and click on SAML Identity Provider.

Click on the + icon in the bottom-left corner to import the IdP metadata you received from the IdP team.

Validate the details of the metadata that you imported. The name of the IdP is then updated on the page. Save this configuration.

Enable SAML on the service that the application is going to consume.

SAP SAC consumes the V2 service, with the full package path as below:

Navigate to sap -> bc -> ina -> service -> v2

In the XS Admin page of your SAP HANA system, select Main Menu -> XS Artifact Administration.

Navigate to the V2 service and click Edit in the bottom-right corner of the screen.

Select the SAML checkbox and choose the SAML IdP that you added in the steps above.

Now enable the user and assign it to the SAML IdP by running the command below:

ALTER USER <HANA USER> ADD IDENTITY '<SAML MAPPING>' FOR SAML PROVIDER <IMPORTED IdP NAME>;

Alternatively, do the same in HANA Studio: go to Security -> User and add the IdP.

To test the configuration, go to the URL below; you should be able to log in with your IdP credentials.

https://FQDN:4300/sap/bc/ina/v2

I hope this article helps you set up SAP HANA XS with HTTPS.

Thanks!

Kindly share feedback or thoughts in a comment, or ask questions if you have any.

      5 Comments
      Ben Carter

      Check this out, it might help: https://help.sap.com/docs/SAP_HANA_PLATFORM/6b94445c94ae495c83a19646e7c3fd56/8ccc7fb52a704881a4a2b2e2c927b6f8.html?version=2.0.04/EmployeeConnection.net Insite

      Ankit Arora
      Blog Post Author

      Thanks for sharing the link, Ben. The actual purpose of this blog post is covered in the blog below:

      https://blogs.sap.com/2022/05/10/sap-analytics-cloud-and-on-premise-sap-hana-sso-setup-with-external-identity-provider/

      Senthil Murugan Jeya Pandi

      Thanks for the blog, it is useful. Can you please let me know where to get the values for <SAML MAPPING>?

      Also, our scenario is that we have to enable SSO from SAC to the HANA database (on-prem). Our SAC is authenticated with IAS (to our IdP), so in our case, which metadata do we need to import: from SAC, IAS or the IdP?

      Ankit Arora
      Blog Post Author

      You need to import the metadata of the IdP which is used to authenticate your SAC.

      For end-to-end SSO from SAC to on-prem HANA, you need to use the same identity provider. Multiple IdPs are not supported in this scenario.

      For complete details, follow the link:

      https://blogs.sap.com/2022/05/10/sap-analytics-cloud-and-on-premise-sap-hana-sso-setup-with-external-identity-provider/

      Lalitha Lakshmi Janakiram

      Hi! This is super useful. Would provisioning via JIT be possible along with this configuration as well? If yes, is there any documentation around how this can be done?