This blog describes how to implement end-to-end SAML using the same Identity Provider (IdP) for SAP Analytics Cloud and SAP HANA.
With this configuration, users enter their IdP credentials only once, when logging into SAP Analytics Cloud, and do not have to enter them again when creating a Live Connection to SAP HANA.
Configuring the trust relationship is necessary to link the two user accounts to each other. This linkage provides access to data without exchanging user credentials. The identity provider (IdP) authenticates and authorizes the users. We will enable a custom IdP (ADFS) for SAC; the same IdP will be used for user authentication and authorization in our HANA system.
In our context, SAML is used for exchanging security assertions between the service providers (SAC and HANA) and the IdP (ADFS). SAML is an XML-based framework for describing and exchanging security-related information.
In summary, the configuration described in this document was executed on the following platforms:
◉ SAP HANA 2.0 Rev46 (SUSE Linux 12 SP3) as data source and Service Provider
◉ Microsoft ADFS (Windows Server 2012 R2) as Identity Provider
◉ SAP Analytics Cloud as Service Provider
We will divide the configuration into three sections.
1. Setting up SAML between ADFS and SAP Analytics Cloud
2. Setting up live data connection between SAP Analytics Cloud and SAP HANA
3. Setting up SAML between ADFS and SAP HANA
Section – 1
Setting up SAML between ADFS and SAP Analytics Cloud
Once the verification is completed successfully and you are able to log in to SAP Analytics Cloud using SAML, proceed to Section 2.
Section – 2
Setting up live data connection between SAP Analytics Cloud and SAP HANA
SAP Analytics Cloud allows you to connect to live data in HANA databases.
Follow the guided playlist below to set up a live data connection to SAP HANA on premise:
https://www.sapanalytics.cloud/guided_playlists/sap-hana/
If the configuration is correct, the SAP HANA live data connection should be created successfully using the username and password method.
You must configure your on-premise SAP HANA system in order to support SSO for live data connections that use the direct connection type.
Section – 3
Setting up SAML between ADFS and SAP HANA
Setup of the Trust Relationship
Note the following roles needed for the SAP HANA user to access the XS Admin page, for SAML configuration and for the Web IDE
1. Navigate to the XS Admin page of your SAP HANA system using https://<SAP HANA SYSTEM>:<Port>/sap/hana/xs/admin
Replace <SAP HANA SYSTEM> and <Port> with the host name and XS HTTPS port of your SAP HANA system
2. Click on the main menu and select SAML Service Provider
3. Under Service Provider Configuration, copy the name of the SAML Service Provider
4. Under Metadata, copy the XML content from the text box and save it as HANAMetadata.xml (note: we will use this file when configuring ADFS)
5. Click Save
Configuring ADFS
1. Download the ADFS metadata using the URL below:
https://<adfs-server>/FederationMetadata/2007-06/FederationMetadata.xml
Replace <adfs-server> with your ADFS server name
Note: the FederationMetadata.xml file will be downloaded; we will import this IdP metadata into the HANA system's SAML configuration
2. Launch ADFS Management
3. Under Trust Relationships right click on Relying Party Trusts
4. Click Start
5. Select Import data about the relying party from a file and select the file HANAMetadata.xml that we saved in step 4 of Setup of the Trust Relationship
6. After importing the file, click Next
7. Specify a Display name and click Next
8. Select I do not want to configure multi-factor authentication settings for this relying party trust at this time and click Next
9. Under Issuance Authorization Rules, select Permit all users to access this relying party, click Next and then Finish
10. Add a Claim Rule for the SAP HANA system
Select Send LDAP Attributes as Claims and click Next
11. Enter the Claim Rule name
SAM-AccountName
12. Select the attribute store Active Directory and configure the mapping of LDAP attributes
Configuring SAP HANA
1. In the XS Admin Page of your SAP HANA System, select Main Menu -> SAML Identity Provider
2. Click on the + icon in the bottom left corner to begin importing ADFS IdP metadata
3. Open the FederationMetadata.xml file that you downloaded in step 1 of Configuring ADFS, copy the content of the file and paste it into the Metadata input area in the XS Admin page of your HANA system
4. Verify the details, such as the name of the SAML IdP under the General tab, and click Save
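Both metadata documents exchanged above (the HANA SP metadata saved as HANAMetadata.xml and the ADFS FederationMetadata.xml pasted into the XS Admin page) are SAML 2.0 EntityDescriptors. The following added example, which is not part of the original post or of any SAP or Microsoft tooling, parses such a document and reports the entityID, the SSO or assertion-consumer endpoints per binding, and whether a signing certificate is present, so that a mis-copied or non-HTTPS metadata file is caught before it is saved. The sample metadata, host names and certificate blob are constructed for the example.

```python
# Added example (not from the original post): sanity-check SAML 2.0 metadata
# (ADFS FederationMetadata.xml or HANA SP metadata) before importing it.
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# Constructed sample resembling an ADFS IdP metadata document; host name and
# certificate value are placeholders, not real values.
SAMPLE_IDP_METADATA = """<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
  entityID="http://adfs.example.test/adfs/services/trust">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor use="signing">
      <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
        <X509Data><X509Certificate>MIIC-CONSTRUCTED-PLACEHOLDER</X509Certificate></X509Data>
      </KeyInfo>
    </KeyDescriptor>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
      Location="https://adfs.example.test/adfs/ls/"/>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
      Location="https://adfs.example.test/adfs/ls/"/>
  </IDPSSODescriptor>
</EntityDescriptor>"""


def inspect_metadata(xml_text):
    """Return entityID, role, endpoints per binding, signing-cert count and warnings."""
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}EntityDescriptor" % NS["md"]:
        raise ValueError("not a SAML EntityDescriptor")
    idp = root.find("md:IDPSSODescriptor", NS)
    sp = root.find("md:SPSSODescriptor", NS)
    if idp is None and sp is None:
        raise ValueError("no IDPSSODescriptor or SPSSODescriptor found")
    # An IdP publishes SingleSignOnService endpoints, an SP publishes AssertionConsumerService
    role, ep_tag, kind = (idp, "md:SingleSignOnService", "IdP") if idp is not None else (sp, "md:AssertionConsumerService", "SP")
    info = {"entity_id": root.get("entityID"), "role": kind, "endpoints": {}, "signing_certs": 0, "warnings": []}
    for ep in role.findall(ep_tag, NS):
        binding = ep.get("Binding", "").rsplit(":", 1)[-1]  # e.g. HTTP-POST
        loc = ep.get("Location", "")
        info["endpoints"][binding] = loc
        if not loc.lower().startswith("https://"):
            info["warnings"].append("endpoint %s is not HTTPS: %s" % (binding, loc))
    for kd in role.findall("md:KeyDescriptor", NS):
        # A KeyDescriptor without a 'use' attribute is valid for both signing and encryption
        if kd.get("use", "signing") == "signing" and kd.find(".//ds:X509Certificate", NS) is not None:
            info["signing_certs"] += 1
    if info["signing_certs"] == 0:
        info["warnings"].append("no signing certificate: assertions from this party cannot be verified")
    return info
```

Run it against the real FederationMetadata.xml (read the file into a string) and compare the reported entityID and signing-certificate count with what the XS Admin page shows after the import.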
Enabling SAML
1. In the XS Admin Page of your SAP HANA System, select Main Menu -> XS Artifact Administration
2. In the Packages, navigate to sap -> bc -> ina -> service -> v2
3. Make sure you have navigated to the correct directory, sap -> bc -> ina -> service -> v2, to see the SAP Security Admin page
4. Click on Edit in the bottom right corner
5. Select the SAML checkbox, if it is not already enabled
Choose a SAML IdP if one is not already selected; the name of the IdP should be the name you noted down in step 20. Click Save
6. Select sap -> bc -> ina -> service -> v2, select the CORS panel and edit your CORS configuration as follows:
i. Select Enable Cross Origin Resource Sharing, if not already selected
ii. Add the IdP host to Allowed Origins
Deploy the custom web content to your SAP HANA Server
To enable SSO when using a direct connection, you must deploy some custom web content to your SAP HANA server. This web content appears briefly to users once per session, when they first create a live data connection to your SAP HANA system or when they refresh charts or tables against that live data connection.
1. Log on to your SAP HANA server's Web IDE at https://<xs-host:port>/sap/hana/ide/editor with the system user credentials
2. Navigate to sap.bc.ina.service.v2
3. Right click the v2 package, and select New -> Package
4. In Package Name enter cors and click Create
5. Right-click the cors package and select New -> File
6. Enter auth.html and click Create
7. Open auth.html and add the following code
<html>
  <script type="text/javascript">
    <!-- The page only needs to load once to establish the SSO session, then closes itself -->
    open(location, '_self').close();
  </script>
</html>
8. Save auth.html
9. Create another file under the cors package, and name it .xsaccess
10. Open .xsaccess, and add the following code
{"cache_control" : "no-cache, no-store"}
11. Save .xsaccess
12. Right-click the cors package, and click Activate All
13. In a new browser tab, go to the following URL
https://<xs-host:port>/sap/bc/ina/service/v2/cors/auth.html
If the HTML page is configured correctly, the page will load and close automatically.
User Mapping
User mapping lets users access your HANA database from SAC without re-authenticating (i.e. via SSO). If you are using the same IdP for SAP HANA and SAC, you can automatically map all existing users to SAC.
Add SAP HANA host system in Trusted Sites
Internet Options -> Security -> Trusted Sites: add your domain name, then select Enable Protected Mode
Verification
Users will now be able to sign in to SAP Analytics Cloud with their IdP (ADFS) credentials and create a live data connection to the SAP HANA system without re-authenticating, since SSO is in place.
1. Log in to SAP Analytics Cloud (enter the SAC URL in the browser)
2. You are redirected to the IdP authentication page; enter the domain user credentials mapped to your SAC user account
3. After successfully logging in to SAC, create the connection
4. Go to Main Menu -> Connection -> Add Connection
5. The Select a datasource dialog will appear
6. Expand Connect to Live Data and select SAP HANA
7. In the dialog, enter a name and description for your connection
8. Set the connection type to Direct
9. Add your SAP HANA hostname, and HTTPS port
(Optional) Choose a Default Language from the list.
10. Under Authentication Method select SAML Single Sign On
11. Click OK
If all configuration and user mapping are correct, the live data connection to SAP HANA will be created via SAML SSO without re-authenticating.