Multiple Identity Providers for END2END SSO with SAP Analytics Cloud and SAP HANA Database – Part 1

https://blogs.sap.com/2022/09/30/multiple-identity-providers-for-end2end-sso-with-sap-analytics-cloud-and-sap-hana-database-part-1/

Live Data Connection with SAML SSO using Multiple IdPs

In this scenario, we have two options to configure SAP HANA with SAML SSO

1. Using IdP proxy to Multiple IdP
2. Directly using IdP

1. Using ldP proxy to Multiple ldP

Similar to what we have configured for SAP Analytics Cloud, you can still make use of IdP proxy which is already configured with your Multiple IdP. The only configuration is to establish the trust between SAP HANA and IdP proxy and define the rule for employees to be authenticated via IdP.

1.1 SAP HANA to IdP proxy

a. Note the following roles needed for SAP HANA user to access XS Admin Page, for SAML configuration and for ide

b. Navigate to the XS Admin Page of your SAP HANA system using https://<SAP HANA SYSTEM>:   <Port>/sap/hana/xs/admin

Replace <SAP HANA SYSTEM> with the name of your SAP HANA System

c. Click on the main menu and select SAML Service Provider

d. Under Service Provider Information, enter the details of the SAML Service Provider

Ex – Name – H000

Organisation Name – SAP

Organisation Display Name – SAP Labs

Organisation URL – https://www.sap.com

e. Under metadata copy the xml content from textbox and save it as HANAMetadata.xml (note – we will be using this file, while configuring IdP proxy)

f. Click Save

g. In the XS Admin Page of your SAP HANA System, select Main Menu –> SAML Identity Provider

h. Click on the + icon in the bottom left corner to begin importing IdP proxy metadata

i. Open the downloaded metadata of IdP proxy, copy the content of the file and paste it to the       Metadata input area in the XS Admin Page of your HANA system

j. Verify the details like the name of the SAML IdP under General Tab etc and click on Save

Enabling SAML

1. In the XS Admin Page of your SAP HANA System, select Main Menu –> XS Artifact Administration
2. In the Packages, navigate to sap -> bc -> ina -> service -> v2
3. Make sure to have navigated to correct directory sap -> bc -> ina -> service -> v2 to see the SAP Security Admin page
4. Click on Edit in the bottom right corner
5. Select the SAML checkbox, if it is not already enabled
   Choose a SAML IdP in case it is not already selected, the name of the IdP should be the name, you noted down in step 20 and click on Save
6. Select sap -> bc -> ina -> service -> v2 and select CORS panel, and use the following instructions to edit your CORS configuration
   i . Select Enable Cross Origin Resource Sharing, if not already selected
   ii. Add the IdP host to Allowed Origins

Deploy the custom web content to your SAP HANA Server

To enable SSO when using a direct connection, you must some custom web content to your SAP HANA server. This web content is what will appear briefly to users once per session when they first create a live data connection to your SAP HANA system, or when they refresh charts or tables against that live data connection.

1. Log on to your SAP HANA server’s Web IDE athttps://<xs-host:port>/sap/hana/ide/editor with the system user credentials
2. Navigate to sap.bc.ina.service.v2
3. Right click the v2 package, and select New -> Package
4. In Package Name enter cors and click Create
5. Right-click the cors package and select New -> File
6. Enter auth.html and click Create
7. Open auth.html, and add the following code

   <html>
    <script type="text/javascript">
     open(location, '_self').close();
    </script>
   </html>

8. Save auth.html
9. Create another file under the cors package, and name it .xsaccess
10. Open .xsaccess, and add the following code

    {"cache_control" : "no-cache, no-store"}

11. Save .xsaccess
12. Right-click the cors package, and click Activate All
13. In a new browser tab, go to the following URL
    https://<xs-host:port>/sap/bc/ina/service/v2/cors/auth.htmlif the html page is configured correctly, the page will load and close automatically.

User Mapping

Map the HANA user to the IdP user

Add SAP HANA host system in Trusted Sites

Internet Options -> Security -> Trusted Sites, add your domain name, the select Enable Protected Mode

1.2 ldP proxy to SAP HANA

Switch to IdP proxy administration console and create an application user Applications and Resources menu.

Under Trust, set the below values

Type – SAML 2.0

SAML 2.0 Configuration – Upload the metadata from SAP HANA

User logon using Conditional Authentication

Similarly, like SAP Analytics Cloud, different users can logon SAP HANA via different identity providers, we need to use Conditional Authentication in IAS.

SAP HANA Database application – Conditional Authentication and set the following rules, based the user logged into SAP Analytics Cloud, a request to the respective IdP will be redirected

Create a Live connection to SAP HANA using Single Sign On, the SSO connection should be created to the HANA system using the TESTUSER

2. Directly using ldP

You can also configure SAP HANA as a Service Provider directly in your Corporate IdP. In this case, the employee will not go through IdP proxy, and the trust relationship will be established between SAP HANA and Corporate IdP.

For configuring directly using IdP, follow the Section – 3 from below blog, the configuration is mentioned with SAP HANA and Microsoft ADFS.

https://blogs.sap.com/2020/07/06/setting-up-end2end-saml-integration-between-sap-analytics-cloud-and-sap-hana-on-premise-using-adfs-identity-provider/

Learn More:

https://blogs.sap.com/2018/02/28/saml-integration-between-microsoft-azure-portal-and-sap-analytics-cloud/

https://blogs.sap.com/2017/12/19/sap-analytics-cloud-saml-sso-using-adfs-active-directory-federation-services-as-an-identity-provider/

https://blogs.sap.com/2018/02/22/adfs-with-sap-business-intelligence-platform/

https://blogs.sap.com/2018/03/01/saml-integration-between-microsoft-azure-portal-and-sap-business-intelligence-platform/