
Dear all,

Find the latest how-to for setting up SSO using SAML between SAP HANA DB and SAP BI / SAP Analysis for Office attached to KBA 2593701, listed below.

More generally:

1900023  - How to setup SAML SSO to HANA from BI


We recommend using the in-database certificate store

2593701 - HOW-TO In-Memory Trust Store and HANA DB SSO SAML and BI Platform 4.2 / Analysis for Office 4.2

2743258 - How-To add a certificate into the HANA In-Memory Trust Store through SQL commands for SAML SSO


Beginning with HANA 1 SPS12, it is possible to use a certificate store within the HANA DB instead of the file-based one.

The advantages of the in-database certificate store are that:

– a change to a certificate takes effect immediately, without restarting the DB

– the certificates are part of the backup

– the certificates are available on a system replication secondary DB without copying the files

SAP HANA Security Guide for SAP HANA Platform > Certificate Management in SAP HANA

SAP Note 2175664 – Migration of file system based X.509 certificate stores to in-database certificate stores


The file-based certificate store is outdated and can lead to connectivity issues

We recommend using the in-database certificate store described above, since the file-based store will no longer be evaluated once you use the in-database one.

That will be the case as soon as you activate SAML SSO to HANA Cockpit 2:

2656666 - Migrate PSE to in-database store Before Enabling SSO in SAP HANA Cockpit 2

2743258 - How-To add a certificate into the HANA In-Memory Trust Store through SQL commands for SAML SSO

Outdated: 2374226 - SAP HANA DB: SAML Logon from BI Platform to SAP HANA Database is not working


SAP Notes describing possible issues

2880635 - SAML fails due to conflicting PSE's

2148434 - SAML authentication with BI failed with error in libxmlsec

2374226 - SAP HANA DB: SAML Logon from BI Platform to SAP HANA Database is not working

2127582 - SAML SSO between HANA SP09 and BI fails with error: Assertion is not intended for this service provider

2515049 - How to Configure BI Certificate Trusts for Connections Using SSL to HANA

2284620 – HOW-TO HANA DB SSO SAML and BI Platform 4.2 SP4 and higher / AO 2.2 

Additional information

Microsoft Blog: Single Sign-On SAML protocol 






16 Comments

  1. Great overview! Have a question though. Is SSL required for SAML SSO? It's not listed as a prerequisite?

    1. Hi,

      Thank you for your question.

      Great recommendation. I will add this into the prerequisites. SSL is very strongly recommended in any SSO configuration.

      Cheers,
      Jimmy

       

       

  2. Former Member

    Hi Jimmy,

    We have SAML configured as mentioned in your blog in our landscape with both BOBJ and HANA on premise. Currently we are evaluating moving HANA to SAP Cloud Platform with HANA DB as a service and leaving BOBJ in the on-premise landscape. Can you please advise if the above-mentioned SAML configuration works between BOBJ (Intranet Zone) and HANA (Internet Zone)?

    Thank you

    Ravi

    1. Hi Ravi,

      This should work as long as the network is set up so that the two systems can communicate.

      Cheers,
      Jimmy 

  3. Former Member

    Hi Jimmy,

    I was told by SAP support that this setup will not work if both systems are not on the same network. Is that a true statement?

    Thank you

    1. Private Message me your incident number I'll have a look. 

  4. Former Member

    163901/2017. I'm unable to find a way to private message you.

    1. Hi Ravi,

      I've taken a look at the incident and the statement may have been misinterpreted. I think what the engineer was stating was that if the BOBJ system cannot "talk" to the HCP system, then the authentication will not work.

      I have moved your incident to a team that specializes in cross system authentication questions. They should be able to assist you further and then get you to development if need be.

      Cheers,
      Jimmy

  5. Former Member

    Make sure the 'Disable ODBC/JDBC access' is UNCHECKED  when creating the SAML user or the test connection will not work!

     

    d14.png

    1. Great Catch. I didn't even realize I had that checked off.

      I'll update the picture.

  6. Hi,

    Great instructions, thank you!  

    This is the first document around this process that I have found that indicates a version prerequisite of HANA SPS10, and I would like to confirm that this is a "hard requirement". None of the other posts or OSS Notes that I have found on this subject mention this. Before we invest time in this process (we are on HANA 1.00.097), I am hoping that you can confirm.

    Thanks again for the detailed documentation.

    Rgds,

    Mel

    1. Hi Mel,

      I need to reword that section. That isn't so much a prerequisite, but just the version that this document is based on.

      Version 2 is in the works using the in-memory trust store so stay tuned.

      In the meantime, I'll update this document.

  7. sapsrv.pse → Default all tenant databases use the same trust store as the system database for SAML-based user authentication


    5.4 Import Certificate into HANA Security → For HANA MDC, it will be done in tenant DB level? right?


    1. Hi Nina,

      Yes this would be created on the tenants. 

      This wiki guide is a bit old. I think it's time to get it updated for 2.0! I'll work with some of my colleagues and get a new version out on this topic.

      Best Regards,

      Jimmy

  8. Hi Jimmy,

    I find the latest one:

    Note 2593701 - HOW-TO In-Memory Trust Store and HANA DB SSO SAML and BI Platform 4.2 / Analysis for Office 4.2

    Regards,

    Ning

    1. Yes, I created that white paper. I just haven't had the time to convert it into this wiki page.