The SAP HANA platform provides different types of services to various entities, so in this case it acts as an SP. Today, however, there are two limitations:
- only 1 IdP can be mapped to a HANA XS artifact
- and the IdP cannot be changed dynamically at runtime.
This becomes a problem when you have various applications connecting to different IdPs, and at times some of the applications themselves act as IdPs. The question is how to handle the mapping of multiple IdPs to a single HANA XS artifact.
Consider a customer landscape that contains a standard cloud IdP such as SAP Cloud Identity or ADFS, among others, and cloud applications such as SAP Analytics Cloud or SAP AnalyticsHub that can use the same cloud IdP.
On the other hand, on-premise applications such as SAP BusinessObjects Enterprise Platform themselves act as an IdP.
So, when a customer wants SAML authentication (SSO) for the same HANA XS artifact from both cloud and on-premise applications (SAP Analytics Cloud or Analysis Hub, and BOE - Analysis Office etc.), there is a perception that this cannot be achieved for both types of applications because of the limitations mentioned above.
In this wiki, I will try to provide a working solution to the problem mentioned above from an SAP BOE customer's perspective.
Note: For our testing we focused on the HANA XS artifact /sap/bc/ina/service/v2.1, but theoretically other artifacts should behave the same way.
Before you start, make sure you have the necessary authorizations and privileges assigned in HANA. Refer to SAP Notes 2315536 and 2097965.
Here, steps 1-6 configure the cloud IdP in HANA, and steps 7-14 cover the BOE platform configuration.
Step 1: Configure the IdP of your choice on the HANA XS admin page by importing the IdP metadata XML. This IdP should be your cloud IdP, such as SAP Cloud IDP or ADFS.
This will look something like:
Step 2: Upload the certificate of your IdP to the HANA truststore on the HANA Web Dispatcher admin page.
Step 3: Map the IdP and external identity (IdP user) to your HANA user in HANA Studio.
Step 4: Enable SAML authentication and map the HANA XS artifact to the IdP created above, by logging in to the HANA XS admin page and navigating to XS artifact administration.
Step 5: Do the required configuration on your IDP for the HANA XS SP.
Step 6: To check that the entire configuration was done successfully, access the URL below for the HANA HTTP connection:
On opening the URL, you should be redirected to your IdP logon screen, something like,
or if SSO is configured, it will directly log you in.
On successful authentication, it should display something like:
Step 7: Go to BOE -> CMC -> Applications -> HANA Authentication. Create a new HANA HTTP(S) connection by providing all the details and generating the certificate.
Note: The HTTP/HTTPS connection type, in addition to JDBC, for Test Connection from the BOE platform to HANA for SAML SSO has been available since 4.2 SP04.
Step 8: Copy the certificate generated above and import it into the HANA truststore, as in step 2.
Step 9: Open HANA Studio. Go to Security -> SAML Identity Providers Tab and click on new entry. Provide the IDP details from the certificate generated in BOE platform.
Step 10: Map this IdP and external identity (BOE user) to the HANA user, as was done in step 3 above.
Step 11: Do a Test Connection in BOE for the connection created in Step 5 above. The status should be Success.
Step 12: Create a new HANA HTTP OLAP connection by navigating to BOE -> CMC -> OLAP connection.
Step 13: Launch Analysis Office and connect to BOE platform. It will list the connection created in the step above.
Step 14: Double-clicking the connection will log you in to HANA through SAML SSO, without prompting for a user name or password.
If you want to configure more than 1 BOE landscape as an IdP for the HANA XS artifact, repeat from step 7 onwards.
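The mappings from steps 3, 9 and 10 can also be expressed and audited in SQL rather than through HANA Studio. The following is an added example, not part of the original wiki: the provider names CLOUD_IDP and BOE_IDP, the user ANALYST01, the external identities and the DN placeholders are all assumptions to be replaced with your own values.

```sql
-- Added example; every name, identity and DN below is a constructed placeholder.
-- Assumption: the cloud IdP from steps 1-3 already exists as SAML provider CLOUD_IDP.

-- Step 9: register the BOE landscape as a second SAML provider.
-- SUBJECT and ISSUER must be copied from the certificate generated in CMC (step 7).
CREATE SAML PROVIDER BOE_IDP
  WITH SUBJECT '<subject DN of the BOE certificate>'
  ISSUER  '<issuer DN of the BOE certificate>';

-- Steps 3 and 10: one HANA user, one external identity per IdP.
ALTER USER ANALYST01 ENABLE SAML;
ALTER USER ANALYST01 ADD IDENTITY 'analyst01@example.com' FOR SAML PROVIDER CLOUD_IDP;
ALTER USER ANALYST01 ADD IDENTITY 'analyst01'             FOR SAML PROVIDER BOE_IDP;

-- Check 1: both providers are registered, and their DNs match the
-- certificates imported into the truststore in steps 2 and 8.
SELECT SAML_PROVIDER_NAME, SUBJECT_NAME, ISSUER_NAME
  FROM SYS.SAML_PROVIDERS
 WHERE SAML_PROVIDER_NAME IN ('CLOUD_IDP', 'BOE_IDP');

-- Check 2: which external identity each IdP may assert for the user.
-- Review this list whenever a provider is added: every row is a way in.
SELECT USER_NAME, SAML_PROVIDER_NAME, EXTERNAL_IDENTITY
  FROM SYS.SAML_USER_MAPPINGS
 WHERE USER_NAME = 'ANALYST01'
 ORDER BY SAML_PROVIDER_NAME;

-- Check 3: users mapped to only one of the two IdPs. They will get SSO
-- from one application type (cloud or BOE) and a logon failure from the other.
SELECT USER_NAME,
       COUNT(DISTINCT SAML_PROVIDER_NAME) AS MAPPED_PROVIDERS
  FROM SYS.SAML_USER_MAPPINGS
 WHERE SAML_PROVIDER_NAME IN ('CLOUD_IDP', 'BOE_IDP')
 GROUP BY USER_NAME
HAVING COUNT(DISTINCT SAML_PROVIDER_NAME) < 2;

-- Check 4: mappings that point at a provider that is no longer registered
-- (for example after a BOE landscape was decommissioned).
SELECT m.USER_NAME, m.SAML_PROVIDER_NAME, m.EXTERNAL_IDENTITY
  FROM SYS.SAML_USER_MAPPINGS m
  LEFT JOIN SYS.SAML_PROVIDERS p
    ON p.SAML_PROVIDER_NAME = m.SAML_PROVIDER_NAME
 WHERE p.SAML_PROVIDER_NAME IS NULL;
```

When you repeat from step 7 for a further BOE landscape, create one more provider entry and add its name to the IN lists in checks 1 and 3.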