SAP Analytics Cloud and On-Premise SAP HANA SSO Setup With Azure Identity Provider
Overview
This blog outlines the SAP Analytics Cloud to on-premise SAP HANA SAML SSO setup via the Azure identity provider.
SAP Analytics Cloud (SAC) and the backend systems should be connected via the same identity provider (IdP).
DISCLAIMER
The content of this blog post is provided “AS IS”. This information could contain technical inaccuracies, typographical errors, and out-of-date information. This document may be updated or changed without notice at any time. Use of the information is therefore at your own risk. In no event shall SAP be liable for special, indirect, incidental, or consequential damages resulting from or related to the use of this document.
Purpose
This document aims to include all Basis steps for an SAP SAC live data connection via SAML SSO.
SAP SAC Data Source HANA Live Connection via SAML SSO AZ IDP
Steps:
- Setup SAP SAC Authentication via AZURE IDP SAML SSO
- Setup Hana XS SSL (Enable HTTPS) for SAC CORS setup
- Setup HANA Live Connection via SAML SSO AZ IDP
Setup SAP SAC Authentication via AZURE IDP SAML SSO
I followed the blog below to set up SAP Analytics Cloud with Azure AD:
https://blogs.sap.com/2019/08/19/integrating-sap-analytics-cloud-with-azure-ad-saml/
Setup Hana XS SSL (Enable https) for SAC CORS setup
I followed the blog below for the SAC CORS setup
Setup SAP SAC HANA Live Connection via SAML SSO AZ IDP
- Azure AD SSO for SAP HANA
Follow these steps to enable Azure AD SSO in the Azure portal.
Go to Azure AD: Enterprise Application –> SAP HANA –> Set up single sign-on with SAML
Log in to the HANA XS admin URL (https://<HANA Host name>:<https port>/sap/hana/xs/admin/) –> SAML Service Provider
Download the metadata below from the HANA XS admin URL
Provide the SAP HANA DB Basis SAML details, or upload the HANA metadata XML, on the Azure screen below
1. On the Basic SAML Configuration section, enter the values for the following fields: In the Reply URL text box, type a URL using the following pattern: https://<Customer-SAP-instance-url>/sap/hana/xs/saml/login.xscfunc
2. SAP HANA application expects the SAML assertions in a specific format. Configure the following claims for this application. You can manage the values of these attributes from the User Attributes section on the application integration page. On the Set up Single Sign-On with SAML page, click the Edit button to open User Attributes dialog.
3. In the User attributes section on the User Attributes & Claims dialog, perform the following steps:
   - Click the Edit icon to open the Manage user claims dialog.
   - From the Transformation list, select ExtractMailPrefix().
   - From the Parameter 1 list, select user.mail.
   - Click Save.
4. On the Set up Single Sign-On with SAML page, in the SAML Signing Certificate section, click Download to download the Federation Metadata XML from the given options as per your requirement and save it on your computer.
Assign the Azure AD user
Add (assign) users or groups on the screen below
Configure SAP HANA SSO with Azure IDP
- Log in to https://<HANA Host name>:<https port>/sap/hana/xs/admin/
Go to SAML Identity Provider and add (upload) the Azure federation metadata XML
Copy and paste the Azure IdP metadata into the screen below (from the downloaded Federation Metadata XML)
All the details below populate automatically after uploading the above XML
Enabled Dynamic User Creation
Copy and paste the base URL into singleLogout URL
- In HANA DB, the assertion_timeout parameter is changed from 10 sec to 120 sec.
- Enable SAML
In HANA XS Admin –> XS Artifact Administration
Go to sap -> bc -> ina -> service -> v2 to see the SAP Security Admin page
Enable SAML and add the Azure IdP on the ina, service, and v2 XS artifacts
CORS is already enabled; make sure the headers below are exposed
- Custom web content needed for SAC live data connection
- Log on to your SAP HANA server’s Web IDE –> https://<xs-host:port>/sap/hana/ide/editor with the system user credentials
- Navigate to sap.bc.ina.service.v2, right-click on v2 and create a new package named cors, and under it create a file named auth.html
Copy and paste the below code
Right-click on V2 and activate all
Create one more file under the cors package with the name .xsaccess, copy the syntax from the note below into it, and activate all.
2596646 – Failed to connect to System in SAP Analytics Cloud (SAC)
- User Mapping: map the HANA user to the Azure AD email ID or user
Enable the SAML configuration (you will see the Azure IdP when clicking Add) after adding the SAML IdP and providing the external identity user email
You can map multiple users to one HANA user ID
Note: Make sure the external identity email matches the Azure AD value letter for letter
- Make sure the roles below are assigned to the HANA user
sap.hana.xs.admin.roles::SAMLAdministrator
sap.hana.xs.admin.roles::TrustStoreAdministrator
sap.hana.xs.wdisp.admin::WebDispatcherAdmin
sap.hana.xs.admin.roles::RuntimeConfAdministrator
sap.bc.ina.service.v2.userRole::INA_USER
Create SAP SAC cloud Hana live data connection
- Login into SAC
Go to connections and click on +
Select SAP HANA
Provide Hana hostname and HTTPS port number with a direct connection
Click OK; a pop-up will appear and close automatically, and the connection is set up
Verify connection:
Go to Modeler –> live data model –> select SAP HANA and choose the connection name
Once you click on the data source you will see all backend Hana source
Reference SAP Notes:
https://learn.microsoft.com/en-us/azure/active-directory/saas-apps/saphana-tutorial
2821994 – SAML SSO to HANA fails due to missing user parameter mapping
2596646 – Failed to connect to System in SAP Analytics Cloud (SAC)
2935113 – Live HANA connection with SAML SSO enabled with Azure AD as Identity Provider (IdP) suddenly stops working with the following error in SAP Analytics Cloud (SAC)
2933072 – Error We couldn’t connect to your HANA system. Possible causes: Third-party cookies are blocked, or CORS is not configured correctly happens when creating live HANA connection in SAP Analytics Cloud (SAC)
Advantages:
After configuration and user mapping, the live data connection to SAP HANA is created using SAML SSO, without re-authenticating.
I hope this document will help you with the SAP Analytics Cloud and On-Premise SAP HANA SSO Setup With Azure Identity Provider.
Cheers!
Anikesh Jyotishi
Good Blog with all steps.
Do we need to have both SAC & SAP HANA on Azure cloud?
Thanks,
Anikesh Jyotishi