anikesh_jyotishi2
Overview

In this blog post, I outline the SAML SSO setup from SAP Analytics Cloud (SAC) to on-premise SAP HANA, with Azure AD as the identity provider (IdP).

SAP Analytics Cloud and the backend systems should be connected to the same identity provider.

 


DISCLAIMER

The content of this blog post is provided “AS IS”. This information could contain technical inaccuracies, typographical errors, and out-of-date information. This document may be updated or changed without notice at any time. Use of the information is therefore at your own risk. In no event shall SAP be liable for special, indirect, incidental, or consequential damages resulting from or related to the use of this document.

Purpose

This document aims to cover all Basis steps for an SAP SAC live data connection via SAML SSO.

 

SAP SAC Data Source HANA Live Connection via SAML SSO AZ IDP

Steps:

  • Setup SAP SAC Authentication via AZURE IDP SAML SSO

  • Setup Hana XS SSL (Enable HTTPS) for SAC CORS setup

  • Setup HANA Live Connection via SAML SSO AZ IDP


 

Setup SAP SAC Authentication via AZURE IDP SAML SSO

Follow the blog post below to set up SAP Analytics Cloud with Azure AD:


https://blogs.sap.com/2019/08/19/integrating-sap-analytics-cloud-with-azure-ad-saml/

Setup Hana XS SSL (Enable https) for SAC CORS setup

Follow the blog post below for the SAC CORS setup:


https://blogs.sap.com/2018/01/30/establishing-the-live-hana-on-premise-connection-from-sap-analytics...

Setup SAP SAC HANA Live Connection via SAML SSO AZ IDP

  • Azure AD SSO for SAP HANA


Follow these steps to enable Azure AD SSO in the Azure portal.

In Azure AD, go to Enterprise Application --> SAP HANA --> Set up single sign-on with SAML.


Log in to the HANA XS admin URL (https://<HANA Host name>:<https port>/sap/hana/xs/admin/) --> SAML Service Provider


Download the service provider metadata from the HANA XS admin URL.


Enter the SAP HANA DB SAML details provided by Basis, or upload the HANA metadata XML, on the Azure screen.




  1. On the Basic SAML Configuration section, enter the values for the following fields: In the Reply URL text box, type a URL using the following pattern: https://<Customer-SAP-instance-url>/sap/hana/xs/saml/login.xscfunc

  2. SAP HANA application expects the SAML assertions in a specific format. Configure the following claims for this application. You can manage the values of these attributes from the User Attributes section on the application integration page. On the Set up Single Sign-On with SAML page, click the Edit button to open User Attributes dialog.


  3. In the User attributes section on the User Attributes & Claims dialog, perform the following steps:

  • Click the Edit icon to open the Manage user claims dialog.

  • From the Transformation list, select ExtractMailPrefix().

  • From the Parameter 1 list, select user.mail.

  • Click Save.


   


  4. On the Set up Single Sign-On with SAML page, in the SAML Signing Certificate section, click Download to download the Federation Metadata XML from the given options as per your requirement and save it on your computer.



Assign the Azure AD user


Add (assign) users or groups on the Users and groups screen.


Configure SAP HANA SSO with Azure IDP



  • Log in to https://<HANA Host name>:<https port>/sap/hana/xs/admin/


Go to SAML Identity Provider and add (upload) the Azure federation metadata XML.


Copy and paste the Azure IdP metadata (from the downloaded Federation Metadata XML) into the metadata field.


All the remaining details are populated automatically after the XML is uploaded.
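
As an added example (not part of the original post), the Python check below reads the Federation Metadata XML before it is uploaded, extracts the values the HANA form will populate, and compares the signing certificate with a thumbprint obtained separately from the Azure administrator. The sample metadata, the all-zero tenant GUID and the function names are constructed for illustration, and the thumbprint is assumed to be the SHA-1 hex digest of the DER certificate.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
# Constructed sample, not real tenant data; the certificate is placeholder bytes.
SAMPLE_DER = b"constructed placeholder, not a real X.509 certificate"
IDP_BASE = "https://login.microsoftonline.com/00000000-0000-0000-0000-000000000000"
SAMPLE_METADATA = f"""<EntityDescriptor xmlns="{NS['md']}" entityID="{IDP_BASE}/">
 <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
  <KeyDescriptor use="signing"><KeyInfo xmlns="{NS['ds']}"><X509Data>
   <X509Certificate>{base64.b64encode(SAMPLE_DER).decode()}</X509Certificate>
  </X509Data></KeyInfo></KeyDescriptor>
  <SingleSignOnService Binding="{REDIRECT}" Location="{IDP_BASE}/saml2"/>
 </IDPSSODescriptor>
</EntityDescriptor>"""

def thumbprint(der):  # assumption: thumbprint = SHA-1 hex of the DER bytes
    return hashlib.sha1(der).hexdigest().upper()

def summarize_idp_metadata(xml_text):
    """Extract the values HANA's SAML Identity Provider form takes from the XML."""
    if "<!DOCTYPE" in xml_text or "<!ENTITY" in xml_text:
        raise ValueError("DTD or entity declaration found; refusing to parse")
    root = ET.fromstring(xml_text)
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("no IDPSSODescriptor element: this is not IdP metadata")
    sso = next((e.get("Location") for e in idp.findall("md:SingleSignOnService", NS)
                if e.get("Binding") == REDIRECT), None)
    prints = []
    for kd in idp.findall("md:KeyDescriptor", NS):
        cert = kd.find(".//ds:X509Certificate", NS)
        if kd.get("use") in (None, "signing") and cert is not None and cert.text:
            prints.append(thumbprint(base64.b64decode("".join(cert.text.split()))))
    return {"entity_id": root.get("entityID"), "sso_url": sso,
            "signing_thumbprints": prints}

def review(summary, expected_thumbprint):
    """Reasons to stop before uploading to HANA; an empty list means none found."""
    issues = []
    if not (summary["sso_url"] or "").startswith("https://"):
        issues.append("single sign-on URL is missing or not HTTPS")
    wanted = expected_thumbprint.replace(":", "").replace(" ", "").upper()
    if wanted not in summary["signing_thumbprints"]:
        issues.append("no signing certificate matches the expected thumbprint")
    return issues
```

Run `summarize_idp_metadata()` on the text of the downloaded file and pass the result to `review()` together with the thumbprint you were given; upload the XML only when the returned list is empty.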


Enabled Dynamic User Creation


Copy and paste the base URL into singleLogout URL

  • In the HANA DB, the assertion_timeout parameter is changed from 10 sec to 120 sec.





  • Enable SAML


In the HANA XS admin tool, go to XS Artifact Administration.

       


Go to sap -> bc -> ina -> service -> v2 to see the SAP Security Admin page

Enable SAML and add the Azure IdP on the ina, service, and v2 XS artifacts.


 

CORS is already enabled; make sure the required headers are exposed.





  • Custom web content needed for SAC live data connection



  1. Log on to your SAP HANA server’s Web IDE --> https://<xs-host:port>/sap/hana/ide/editor with the system user credentials

  2. Navigate to sap.bc.ina.service.v2, right-click v2, and create a new package named cors. Under that package, create a file named auth.html.


     


Copy and paste the code into auth.html.


Right-click v2 and activate all.


Create one more file under the cors package named .xsaccess, copy the syntax from the SAP Note below into it, and activate all.

2596646 - Failed to connect to System in SAP Analytics Cloud (SAC)

  • User mapping: map the HANA user to the Azure AD email ID or user


Enable the SAML configuration (you will see the Azure IdP when you click Add). After adding the SAML IdP, provide the user's email as the external identity.

You can map multiple users to one HANA user ID.

Note: Make sure the external identity email matches the one in Azure AD letter for letter.




  • Make sure the roles below are assigned to the HANA user


sap.hana.xs.admin.roles::SAMLAdministrator

sap.hana.xs.admin.roles::TrustStoreAdministrator

sap.hana.xs.wdisp.admin::WebDispatcherAdmin

sap.hana.xs.admin.roles::RuntimeConfAdministrator

sap.bc.ina.service.v2.userRole::INA_USER

 

Create SAP SAC cloud Hana live data connection  

  • Login into SAC



Go to connections and click on +


Select SAP HANA


 

Provide the HANA hostname and HTTPS port number, with a direct connection.



Click OK; a pop-up appears and closes automatically, and the connection is set up.


Verify the connection:

Go to Modeler --> live data model --> select SAP HANA and choose the connection name.

Once you click on the data source, you will see all the backend HANA sources.




 


Reference SAP Notes:


https://learn.microsoft.com/en-us/azure/active-directory/saas-apps/saphana-tutorial

2821994 - SAML SSO to HANA fails due to missing user parameter mapping

2596646 - Failed to connect to System in SAP Analytics Cloud (SAC)

2935113 - Live HANA connection with SAML SSO enabled with Azure AD as Identity Provider (IdP) suddenly stops working with the following error in SAP Analytics Cloud (SAC)

2933072 - Error We couldn't connect to your HANA system. Possible causes: Third-party cookies are blocked, or CORS is not configured correctly happens when creating live HANA connection in SAP Analytics Cloud (SAC)

Advantages:


After configuration and user mapping, the live data connection to SAP HANA is established through SAML SSO, without re-authenticating.

 

I hope this document will help you with the SAP Analytics Cloud and On-Premise SAP HANA SSO Setup With Azure Identity Provider.

 

Cheers!

Anikesh Jyotishi

 