Wednesday, 25 December 2019

AppToAppSSO between SAP Cloud Platform and SAP HANA DB

Introduction


HTML5 or Java based applications deployed in SAP Cloud Platform fetch data from a backend source and display it in the application. There are different ways to connect two applications in SCP; one of them is a destination, which is a service offered by SAP Cloud Platform.

Using a destination in SCP you can connect an application hosted on SCP with another application or a database over HTTP, LDAP, MAIL or RFC.

The destination service offers different authentication types depending on the connection type used to reach the target system.

In this topic we are going to see how to establish AppToAppSSO authentication in destination, which connects application deployed in SAP Cloud Platform to HANA DB.

Application to Application SSO is an authentication mechanism available for an HTTP destination that propagates the application user from SCP to SAP HANA. The SCP subaccount acts as a SAML identity provider towards HANA, so AppToAppSSO requires a trust relationship in XS exactly like any other SAML-based IdP.

The propagated user information can contain more than just the user's login name: additional user attributes are forwarded in the SAML assertion as well. The SAP HANA instance must therefore be set up properly for SAML-based authentication, which is covered by the following prerequisites and steps.


Pre-requisite


1. You have access to SAP Cloud Platform with the administrator role, or the manage destination role, in the subaccount in which the destination is created.

2. An HTML5 application or Java application is deployed in a SAP Cloud Platform Neo subaccount.

3. The destination must be created in the same SCP subaccount where the application is deployed.

4. A HANA DB deployed in the SAP Cloud Platform Neo environment is the backend system from which the application fetches and to which it posts data.

5. Make sure your HANA DB user has the roles required to access the XS Admin tool; in SAP HANA Studio, grant the user all roles whose name contains "xs.admin".

STEP 1: Configure Trust Management settings in SAP Cloud platform.


1.1) Open the subaccount in SCP where the application is deployed and navigate to Security -> Trust, which takes you to the Trust Management screen.

1.2) In the Local Service Provider tab change the configuration type from Default to Custom, click Generate Key Pair and save the settings. This key pair is what the subaccount will use to sign the SAML assertions it sends to HANA, so HANA will later trust any assertion signed with it; treat it accordingly.


1.3) Click Download Metadata to download the SAML metadata of the subaccount. Save this file locally, because it is used in the next steps to establish trust in HANA XS.

1.4) With the Custom provider setting the subaccount has to define its own identity provider (a corporate IdP or SAP Cloud Platform Identity Authentication) under Application Identity Provider in the Trusted Identity Provider tab. If you plan to use the SAP ID service as IdP, switch the configuration type back from Custom to Default and save the settings again. Switching back to Default does not discard the key pair generated in step 1.2, and the downloaded metadata can still be used for SAML authentication.

1.5) In this example I am using SAP Cloud Platform Identity Authentication as the IdP, so I downloaded its metadata and uploaded it by clicking Add Trusted Identity Provider in the Application Identity Provider tab. (Configuring an external IdP for SAP Cloud Platform is a separate topic, which we will discuss in another post.)


STEP 2: Configure Trust management in HANA XS admin


2.1) The identity provider settings of the HANA DB are configured in the HANA XS Admin tool. Make sure the HANA user you log in with has the XS admin roles from prerequisite 5.


2.2) Login to HANA XS admin using the URL https://<HANA-SID><subaccount-technical-name>.hanatrial.ondemand.com/sap/hana/xs/admin/

2.3) From the XS Admin menu navigate to SAML Service Provider and fill in the name and organization details under Service Provider Information. The name can be anything you choose, but note it down: it is the entity ID by which HANA identifies itself as service provider, and the SAML assertions sent by SCP must carry exactly this value as their audience (step 3.3), otherwise HANA rejects them.


2.4) In XS Admin navigate to SAML Identity Provider, click + in the SAML identity provider list and paste the metadata of the system that HANA will trust as IdP. In our case this is the subaccount metadata downloaded in step 1.3; from it XS Admin takes the subaccount's entity ID and signing certificate, so HANA will from now on accept assertions issued and signed by that SCP subaccount.


2.5) Click Save to store the settings. The new SAML identity provider can be verified from SAP HANA Studio by querying the SAML_PROVIDERS system view, for example SELECT * FROM SAML_PROVIDERS. (The view _SYS_XS.HTTP_DESTINATIONS lists outbound HTTP destinations of XS, not SAML identity providers.)

STEP 3: Configure Destination in SAP Cloud Platform Subaccount


3.1) Open the subaccount in SAP Cloud Platform and navigate to Connectivity -> Destination and click New Destination


3.2) Specify a name for the destination, choose type HTTP and authentication AppToAppSSO, and set URL to the address of the HANA DB (e.g. https://<HANA-SID><subaccount-technical-name>.hanatrial.ondemand.com).

3.3) The important additional property is saml2_audience. Its value must be the HANA service provider name you defined in step 2.3, character for character, because HANA checks it against the audience restriction of the assertion. Click Save to create the destination in SCP.

3.4) Once the destination is created, the application deployed in SAP Cloud Platform refers to it by this name to fetch data from the backend HANA DB; the destination service then issues a SAML assertion for the logged-in user and sends it to HANA on the application's behalf.


STEP 4: Configure SAML for HANA Package in XS admin


4.1) Now we enable SAML authentication for the HANA package from which the SCP application fetches data using AppToAppSSO.

4.2) Login to HANA XS admin using the URL https://<HANA-SID><subaccount-technical-name>.hanatrial.ondemand.com/sap/hana/xs/admin/

4.3) In the XS Admin menu navigate to XS Artifact Administration and select the HANA package the application uses to fetch data. Select the SAML authentication check box, choose the SAML identity provider added in step 2.4, and save the changes.


STEP 5: Configure SAML for HANA DB user


5.1) With AppToAppSSO the identity provider user (either a SAP ID service user or a user of the custom identity provider) that authenticated to the application in SCP is propagated through the destination and authenticates at the HANA DB. For HANA to recognise that IdP user, SAML must be configured on the corresponding HANA DB user.

5.2) Log in to the HANA DB user management at https://<HANA-SID><subaccount-technical-name>.hanatrial.ondemand.com/sap/hana/ide/security/

Make sure the user you log in with holds the USER ADMIN system privilege.

5.3) Open the HANA DB user corresponding to the application user, select the SAML check box, click Add to add the identity provider from step 2.4, enter the external user ID against it (the login name as the IdP issues it in the assertion's NameID; it is matched literally, so case and domain must be identical) and save the settings. Give every propagated identity its own least-privileged DB user rather than mapping several IdP users to one shared or administrative account, since whoever authenticates at the IdP ends up with that DB user's privileges.
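Steps 2.4/2.5 and 5.3 above are done through the XS Admin and user-management UIs. The following SQL, an added example that is not part of the original post, shows the equivalent SQL objects and the verification queries a practitioner would run in SAP HANA Studio afterwards to confirm what the UIs wrote. It assumes a login with USER ADMIN; the admin user XSADMIN_USER, the provider name SCP_SUBACCOUNT_IDP, the DB user APP_USER_01, the external identity jane.doe@example.com and the certificate DNs are placeholders, not values from the post.

```sql
-- Added example: SQL equivalents and checks for the HANA-side trust (step 2)
-- and user mapping (step 5). All names and DNs below are placeholders.

-- Prerequisite 5: confirm the admin user holds the XS admin roles.
-- GRANTED_ROLES lists direct grants only; roles inherited through other
-- roles are visible in EFFECTIVE_ROLES.
SELECT GRANTEE, ROLE_NAME
  FROM GRANTED_ROLES
 WHERE GRANTEE = 'XSADMIN_USER'
   AND ROLE_NAME LIKE '%xs.admin%';

-- Step 2.4 equivalent: the XS Admin "SAML Identity Provider" entry is a SAML
-- provider whose SUBJECT and ISSUER are the DNs of the signing certificate
-- contained in the subaccount metadata from step 1.3. CREATE SAML PROVIDER
-- registers the DNs only; the XS Admin import also stores the certificate
-- so that assertion signatures can be validated.
CREATE SAML PROVIDER SCP_SUBACCOUNT_IDP
  WITH SUBJECT 'CN=placeholder-subaccount-signing-cert'
       ISSUER  'CN=placeholder-subaccount-signing-cert';

-- Step 2.5: this is the view that lists SAML identity providers
-- (_SYS_XS.HTTP_DESTINATIONS only holds outbound HTTP destinations).
SELECT SAML_PROVIDER_NAME, SUBJECT_NAME, ISSUER_NAME
  FROM SAML_PROVIDERS
 WHERE SAML_PROVIDER_NAME = 'SCP_SUBACCOUNT_IDP';

-- Step 5.3 equivalent: map the propagated identity (the NameID the SCP
-- subaccount places in the assertion, normally the IdP login name) to a
-- dedicated, least-privileged database user.
ALTER USER APP_USER_01
  ADD IDENTITY 'jane.doe@example.com' FOR SAML PROVIDER SCP_SUBACCOUNT_IDP;
ALTER USER APP_USER_01 ENABLE SAML;

-- Verify the mapping. EXTERNAL_IDENTITY is compared literally with the
-- NameID in the assertion, so a case or domain mismatch produces an
-- authentication failure rather than a match.
SELECT USER_NAME, SAML_PROVIDER_NAME, EXTERNAL_IDENTITY
  FROM SAML_USER_MAPPINGS
 WHERE SAML_PROVIDER_NAME = 'SCP_SUBACCOUNT_IDP';

-- Least-privilege check: no propagated identity should land on a DB user
-- that holds system privileges such as USER ADMIN. An empty result is the
-- expected outcome for application users.
SELECT m.USER_NAME, p.PRIVILEGE
  FROM SAML_USER_MAPPINGS m
  JOIN EFFECTIVE_PRIVILEGES p ON p.USER_NAME = m.USER_NAME
 WHERE m.SAML_PROVIDER_NAME = 'SCP_SUBACCOUNT_IDP'
   AND p.OBJECT_TYPE = 'SYSTEMPRIVILEGE';
```

Run the SELECT statements after saving in the UI to confirm the provider and mapping exist under the names you expect; if the audience or entity ID differs from what you put into saml2_audience in step 3.3, HANA will reject the assertion even though every other step looks complete.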


With this, the configuration for AppToAppSSO is complete.
