Monday, 6 July 2020

Setting up END2END SAML integration between SAP Analytics Cloud and SAP HANA on Premise using ADFS Identity Provider

This blog describes How to implement END2END SAML using same Identity Provider (IdP) for SAP Analytics Cloud and SAP HANA

SAP Analytics Cloud, SAP HANA, SAP HANA Live, SAP HANA Exam Prep

With this approach / configuration, users will have the advantage to use same IdP credentials only once while logging into SAP Analytics Cloud and don’t have to enter the credentials again while creating Live Connection to SAP HANA

The configuration of the trust relationship is necessary to link two user account to each other. This linkage provides access to data without exchanging user credentials. The identity provider (IdP) authenticates and authorizes the users. We will enable custom IdP (ADFS) for SAC. This IdP will be used for user authentication and authorization in our HANA system.

In our context, the SAML is used for exchanging data between the service providers (SAC and HANA) and the IdP (ADFS). SAML is an XML framework to describe and exchange security-related information.

In summary, the configuration provided in this document have been executed on the below mentioned platforms

◉ SAP HANA 2.0 Rev46 (SUSE Linux 12 SP3) a data source as Service Provider
◉ Microsoft ADFS (Windows Server 2012 R2) as Identity Provider
◉ SAP Analytics Cloud as Service Provider

We will divide the configuration into three sections.

1. Setting up SAML between ADFS and SAP Analytics Cloud
2. Setting up live data connection between SAP Analytics Cloud and SAP HANA
3. Setting up SAML between ADFS and SAP HANA

Section – 1
Setting up SAML between ADFS and SAP Analytics Cloud


Once the verification is completed successfully and is able to login into the SAP Analytics Cloud using SAML, proceed to Section 2.

Section – 2
Setting up live data connection between SAP Analytics Cloud and SAP HANA


SAP Analytics Cloud allows you to connect to live data in HANA databases.

Follow the below guided playlists to setup live data connection to SAP HANA on premise

https://www.sapanalytics.cloud/guided_playlists/sap-hana/

if the configuration is correct, SAP HANA live data connection should be created successfully using username and password method.

You must configure your on-premise SAP HANA system in order to support SSO for live data connections that use the direct connection type.

Section – 3
Setting up SAML between ADFS and SAP HANA


Setup of the Trust Relationship

Note the following roles needed for SAP HANA user to access XS Admin Page, for SAML configuration and for ide

SAP Analytics Cloud, SAP HANA, SAP HANA Live, SAP HANA Exam Prep

1. Navigate to the XS Admin Page of your SAP HANA system using https://<SAP HANA SYSTEM>:<Port>sap/hana/xs/admin

Replace <SAP HANA SYSTEM> with the name of your SAP HANA System

2. Click on the main menu and select SAML Service Provider

SAP Analytics Cloud, SAP HANA, SAP HANA Live, SAP HANA Exam Prep

3. Under Service Provider Configuration, copy the name of the SAML Service Provider

SAP Analytics Cloud, SAP HANA, SAP HANA Live, SAP HANA Exam Prep

4. Under metadata copy the xml content from textbox and save it as HANAMetadata.xml (note – we will be using this file, while configuring ADFS)

SAP Analytics Cloud, SAP HANA, SAP HANA Live, SAP HANA Exam Prep

5. Click Save

Configuring ADFS

1. Download ADFS metadata using below URL
https://<adfs-server>/FederationMetadata/2007-06/FederationMetadata.xml.

Replace adfs-server with your adfs server name

Note – FederationMetadata.xml file will be download and we will be importing IdP metadata into HANA System SAML configuration

2. Launch ADFS Management

3. Under Trust Relationships right click on Relying Party Trusts

SAP Analytics Cloud, SAP HANA, SAP HANA Live, SAP HANA Exam Prep

4. Click start

5. Select Import data about the relying party from a file and select file HANAMetadata.xml that we downloaded in step 4

SAP Analytics Cloud, SAP HANA, SAP HANA Live, SAP HANA Exam Prep

6. After importing file, click on next

7. Specify Display name and click next

SAP Analytics Cloud, SAP HANA, SAP HANA Live, SAP HANA Exam Prep

8. Select I do not want to configure multi-factor authentication settings for this relying party trust at this time and click next

9. Issuance Authorization Rules, select Permit all users to access this relying party and click on next and finish

10. Add Claim Rule for SAP HANA System
Select Send LDAP Attribute as Claims and click on next

11. Enter Claim Rule name
SAM-AccountName

12. Select attribute store – Active Directory and mapping of LDAP attributes

SAP Analytics Cloud, SAP HANA, SAP HANA Live, SAP HANA Exam Prep

Configuring SAP HANA

1. In the XS Admin Page of your SAP HANA System, select Main Menu -> SAML Identity Provider

SAP Analytics Cloud, SAP HANA, SAP HANA Live, SAP HANA Exam Prep

2. Click on the + icon in the bottom left corner to begin importing ADFS IdP metadata

SAP Analytics Cloud, SAP HANA, SAP HANA Live, SAP HANA Exam Prep

3. Open the FederationMedata.xml file that you have downloaded in step 1 of Configuring ADFS, copy the content of the file and paste it to the Metadata input area in the XS Admin Page of your HANA system

SAP Analytics Cloud, SAP HANA, SAP HANA Live, SAP HANA Exam Prep

4. Verify the details like name of the SAML IdP under General Tab etc and click on Save

SAP Analytics Cloud, SAP HANA, SAP HANA Live, SAP HANA Exam Prep

Enabling SAML

1. In the XS Admin Page of your SAP HANA System, select Main Menu -> XS Artifact Administration

SAP Analytics Cloud, SAP HANA, SAP HANA Live, SAP HANA Exam Prep

2. In the Packages, navigate to sap -> bc -> ina -> service -> v2

3. Make sure to have navigated to correct directory sap -> bc -> ina -> service -> v2 to see the SAP Security Admin page

SAP Analytics Cloud, SAP HANA, SAP HANA Live, SAP HANA Exam Prep

4. Click on Edit in the bottom right corner

5. Select the SAML checkbox, if it is not already enabled
Choose a SAML IdP in case it is not already selected, the name of the IdP should be the name, you noted down in step 20 and click on Save

6. Select sap -> bc -> ina -> service -> v2 and select CORS panel, and use the following instructions to edit your CORS configuration
i . Select Enable Cross Origin Resource Sharing, if not already selected
ii. Add the IdP host to Allowed Origins

Deploy the custom web content to your SAP HANA Server

To enable SSO when using a direct connection, you must some custom web content to your SAP HANA server. This web content is what will appear briefly to users once per session when they first create a live data connection to your SAP HANA system, or when they refresh charts or tables against that live data connection.

1. Log on to your SAP HANA server’s Web IDE athttps://<xs-host:port>/sap/hana/ide/editor with the system user credentials

2. Navigate to sap.bc.ina.service.v2

3. Right click the v2 package, and select New -> Package

4. In Package Name enter cors and click Create

5. Right-click the cors package and select New -> File

6. Enter auth.html and click Create

7. Open auth.html, and add the following code
<html>
 <script type="text/javascript">
  open(location, '_self').close();
 </script>
</html>​

8. Save auth.html

9. Create another file under the cors package, and name it .xsaccess

10. Open .xsaccess, and add the following code
{"cache_control" : "no-cache, no-store"}​

11. Save .xsaccess

12. Right-click the cors package, and click Activate All

13. In a new browser tab, go to the following URL
https://<xs-host:port>/sap/bc/ina/service/v2/cors/auth.htmlif the html page is configured correctly, the page will load and close automatically.

User Mapping

User mapping to access your HANA database from SAC without re-authentication (ie – to use SSO). If you are using the same IdP for SAP HANA and SAC, you can automatically map all existing users to SAC.

Add SAP HANA host system in Trusted Sites

Internet Options -> Security -> Trusted Sites, add your domain name, the select Enable Protected Mode

Verification

Users will now be able to sign in to the SAP Analytics Cloud with the IdP ADFS server credentials and create a live data connection to the SAP HANA system without having to re-authenticate with SSO

1. Login into SAP Analytics Cloud (enter SAC URL in browser)
2. It redirects to IdP authentication page, enter your domain user details mapped with SAC user account

SAP Analytics Cloud, SAP HANA, SAP HANA Live, SAP HANA Exam Prep

3. After successfully logged into SAC, Create connection
4. Goto Main Menu -> Connection -> Add Connection
5. The Select a datasource dialog will appear
6. Expand Connect to Live Data and select SAP HANA
7. In the dialog, enter a name and description for your connection
8. Set the connection type to Direct
9. Add your SAP HANA hostname, and HTTPS port
(Optional) Choose a Default Language from the list.
10. Under Authentication Method select SAML Single Sign On
11. Select Ok

SAP Analytics Cloud, SAP HANA, SAP HANA Live, SAP HANA Exam Prep

If all configuration and user mapping is correct, live data connection to SAP HANA will be created without re-authenticating using SAML SSO.

No comments:

Post a Comment