Saml Sso For Bi Platform To Hana V 1 0 0
Applicable Releases:
Topic Area:
Installation, Configuration, Security, Troubleshooting
Capability:
SAP HANA Database, Single Sign-On, SSO, SAML, IDP
Version 1.0.0
February 2016
HOW TO CONFIGURE SSO WITH SAP HANA SAML AND SAP BUSINESSOBJECTS BI PLATFORM 4.1
Document History
1.0.1 Updated Applicable Releases. The steps appear will work with
Typographical Conventions
Type Style Description
Example text File and directory names and their paths, messages,
names of variables and parameters, source text, and
names of installation, upgrade and database tools.
Example text User entry texts. These are words or characters that
you enter in the system exactly as they appear in the
documentation.
<Example text> Variable user entry. Angle brackets indicate that you
replace these words and characters with appropriate
entries to make entries in the system.
EXAMPLE TEXT Keys on the keyboard, for example, F2 or ENTER.
TABLE OF CONTENTS
1 BUSINESS SCENARIO
2 PREREQUISITES
3 BACKGROUND INFORMATION
3.1 Single Sign-On
3.2 Definitions
4 PREREQUISITES
4.1 Network Requirements
4.2 Software Requirements
5 STEP-BY-STEP CONFIGURATION
5.1 Overview
5.2 Generate a Certificate from BI Platform
5.3 Import the Certificate into the HANA Trust Store
5.4 Import Certificate into HANA Security
5.5 Create a HANA user with SAML
5.6 Validation
6 APPENDIX
6.1 Tracing and Troubleshooting
6.1.1 Debug Tracing
6.2 Common Errors
6.2.1 SAML Service Provider Name mismatch
6.2.2 Error 403 – Forbidden error
6.2.3 Test Connection fails in the CMC
6.2.4 IDT Test Connection fails
6.3 References and Notes
1 BUSINESS SCENARIO
The objective of this document is to provide step-by-step instructions on how to configure Single Sign-On (SSO)
using Security Assertion Markup Language (SAML) between SAP BusinessObjects BI Platform 4.1 (BI Platform)
and SAP HANA Database SPS10 (HANA).
2 PREREQUISITES
This guide is geared towards HANA Database Administrators or SAP BusinessObjects BI Platform
Administrators.
3 BACKGROUND INFORMATION
Single Sign-On (SSO) allows a user to log on once and gain access to multiple systems and services without
being asked to produce credentials again.
Security Assertion Markup Language (SAML) is one of many ways of realizing SSO (other examples
are Kerberos, SAP Logon Ticket or X.509 certificates).
Depending on how SSO has been set up, it could permit the user to log on to just a front-end application, or it can
enable SSO all the way down to the database in what is known as SSO to database
(SSO2DB).
Example
An example of SSO that is relevant to many office workers day-to-day is the use of Microsoft Outlook and the
absence of a login and password to access your email and address book. When a user logs into a workstation, they
enter a username and password. Shortly afterwards the desktop appears. If you start Outlook, you are not
prompted for the login and password you just entered. The mechanisms of this are described in detail later in this
document.
3.2 Definitions
There will be several references to specific HANA and BI Platform systems in the guide and also in the
screenshots. The following systems are used:
Instance: 00
System ID (SID): SL1
Revision: 102.4
Operating System: SUSE Linux 11.3
Web Dispatcher: Internal
Crypto Provider: CommonCrypto
This guide will reference the placeholders identified in the following table:
Placeholder Description
<Web Application Server> Hostname of the Web Application Server hosting the BI Platform
system.
<Web Application Server Port> Port number of the Web Application Server hosting the BI Platform
system.
4 PREREQUISITES
Hostname resolution must be possible between the HANA system and the BI Platform system (ping <BI
System> and ping <HANA System>).
5 STEP-BY-STEP CONFIGURATION
5.1 Overview
To set up SAML authentication, a trust must be established between the HANA and BI Platform System. At a
high level, the steps include:
After that trust has been established, the last step is to set up the security on the HANA system:
Generating a HANA certificate is performed through the BI Platform Central Management Console (CMC).
1. Open a browser and go to http://<Web Application Server>:<Web Application Server Port>/BOE/CMC
Example:
HANA Port SQL Port for the HANA indexserver. HANA Studio > Administration
Unique Identifier Provider ID: Unique Name of the certificate
Service Provider Name: Configuration setting (default is SpID).
Example:
The text “After the certificate is generated, copy it to your HANA deployment’s “trust.pem” file” is not
applicable in this case because CommonCrypto is used. A trust.pem is used for OpenSSL.
5. Select Generate and copy the entire certificate to the clipboard.
6. Select OK to save the connection.
7. Create a new certificate file by pasting the certificate into a text editor.
8. Save the file with a .cer extension.
Example:
To find out which trust store is used by HANA, check the configuration setting global.ini > [communication] >
ssltruststore.
By default, the value is sapsrv.pse. This means the trust store is located at $SECUDIR/sapsrv.pse.
There are two methods of importing the certificate into the trust store:
1. On the HANA O/S directly using sapgenpse commands.
2. Using the internal Web Dispatcher Administration console.
The following steps will be performed using the Web Dispatcher Administration console.
2. Log in with a HANA user (in this case, the SYSTEM user).
Example:
7. Select Import
8. The certificate should appear in the Trusted Certificates section
The next step is to import the same certificate into HANA Security. This step is needed to create the SAML
Identity Provider (IdP).
1. Open HANA Studio and log in to the HANA System using the SYSTEM user (or an equivalent user).
2. Expand the Security folder and select Security.
3. Select the SAML Identity Providers tab and select the Import button.
5. Fill in the Identity Provider Name. This can be any name and does not have to match the CN name. The
Entity ID is optional as well.
The certificate has been generated and imported into the truststore and also into HANA Security. The next step
is to assign a HANA user to a BI Platform user.
1. Open HANA Studio and log in to the HANA System using the SYSTEM user (or an equivalent user).
2. Expand the Security folder, right-click Users and select New User.
3. Specify a username and a password.
4. Select the check box SAML and select Configure.
5. Select Add and there should be the SAML Identity Provider in the list.
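The HANA Studio steps for registering the identity provider and creating the SAML-enabled user can also be expressed in HANA SQL. The following is an added example, not part of the original guide: the provider name BIP_IDP, the user name BI_ADMIN, the password and the subject/issuer placeholders are assumptions, and 'Administrator' is the BI Platform user this guide uses in its validation step.

```sql
-- Added example: SQL equivalent of the HANA Studio steps above.
-- BIP_IDP and BI_ADMIN are hypothetical names; replace every <...> placeholder.

-- 1. Register the BI Platform certificate as a SAML identity provider.
--    Subject and issuer are the distinguished names of the certificate
--    generated in the CMC (HANA Studio reads them from the imported file).
CREATE SAML PROVIDER BIP_IDP
  WITH SUBJECT '<certificate subject DN>'
       ISSUER  '<certificate issuer DN>';

-- 2. Create the database user with a username and a password.
CREATE USER BI_ADMIN PASSWORD "<initial password>";

-- 3. Allow SAML as an authentication method for this user
--    (the SAML check box in HANA Studio).
ALTER USER BI_ADMIN ENABLE SAML;

-- 4. Map the BI Platform account to the database user (the External
--    Identity in HANA Studio). Write it in exactly the same case as the
--    BI Platform user name.
ALTER USER BI_ADMIN
  ADD IDENTITY 'Administrator' FOR SAML PROVIDER BIP_IDP;

-- 5. Confirm that the provider was stored with the expected subject and issuer.
SELECT SAML_PROVIDER_NAME, SUBJECT_NAME, ISSUER_NAME
  FROM SAML_PROVIDERS
 WHERE SAML_PROVIDER_NAME = 'BIP_IDP';
```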
5.6 Validation
The next section outlines the steps to validate that the SSO is working.
1. Open a browser and go to http://<Web Application Server>:<Web Application Server Port>/BOE/CMC
2. Go to CMC Home > Applications > HANA Authentication
This user must match the External Identity user that was configured earlier.
In this example, Administrator is used.
6. Expand SAP > SAP HANA Database 1.0 > JDBC Drivers
7. Select Use Single Sign On from the Authentication Mode drop-down list. This will grey out the username and
password.
8. Specify the hostname of the HANA system and the instance number.
9. Select Test connection. If the test is successful, the following popup will appear
6 APPENDIX
Debug tracing can be enabled to get more information on potential errors. Use this if there is an error not
mentioned in this guide.
3. Reproduce the error and disable the trace by running the command:
6. Open the indexserver trace file and search for the line:
During the step of creating a HANA certificate from the CMC, the value entered for Service Provider Name is not the
same as the saml_service_provider_name configured in HANA.
Solution: These two Service Provider names need to match. Change the saml_service_provider_name to match
the certificate.
For example:
After logging into the Web Dispatcher Administration console, a 403 Forbidden error appears.
For example:
Solution: Grant the sap.hana.xs.wdisp.admin::WebDispatcherAdmin role to the user trying to log in.
When testing the HANA Authentication connection in the CMC > Applications > HANA Authentication, an error
occurs.
Connection Failed: The test of the HANA SSO ticket used to log onto the HANA DB has failed due to: [10]:
authentication failed. (FWM 02133)
Solution:
Make sure the case of the “External Identity” matches the case of the BI Platform user name exactly.
Make sure the HANA system was restarted after the certificate was imported from SAP Web Dispatcher.
Ensure that the Service Provider Name matches the saml_service_provider_name. See section 6.2.1, SAML
Service Provider Name mismatch.
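The service provider name and the case of the external identity can be checked with queries against HANA system views. This is an added example, not part of the original guide; 'Administrator' is the BI Platform user used in this guide, and the result column name IDENTITY_CHECK is an assumption.

```sql
-- Added example: checks for "[10]: authentication failed" in the CMC test.

-- 1. Service provider name as configured in HANA. One row is returned per
--    configuration layer; a SYSTEM or HOST row overrides the DEFAULT row.
--    Compare VALUE with the Service Provider Name entered in the CMC.
SELECT FILE_NAME, LAYER_NAME, SECTION, KEY, VALUE
  FROM M_INIFILE_CONTENTS
 WHERE KEY = 'saml_service_provider_name';

-- 2. SAML mapping for the BI Platform user, compared case-insensitively so
--    that a mapping stored in the wrong case still shows up and is flagged.
--    No rows returned means no mapping exists for this BI Platform user.
SELECT m.USER_NAME,
       m.SAML_PROVIDER_NAME,
       m.EXTERNAL_IDENTITY,
       CASE WHEN m.EXTERNAL_IDENTITY = 'Administrator'
            THEN 'exact match'
            ELSE 'differs only by case'
       END AS IDENTITY_CHECK,
       u.IS_SAML_ENABLED,     -- must be TRUE for SAML logon
       u.USER_DEACTIVATED     -- must be FALSE
  FROM SAML_USER_MAPPINGS m
  JOIN USERS u
    ON u.USER_NAME = m.USER_NAME
 WHERE UPPER(m.EXTERNAL_IDENTITY) = UPPER('Administrator');
```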
Connection Failed: The test of the HANA SSO ticket used to log onto the HANA DB has failed due to: SAP
DBTech JDBC: Cannot connect to jdbc:sap://LSLES11SP3x64:30011/ [Cannot connect to host
LSLES11SP3x64:30011 [Connection refused: connect], -813.].. (FWM 02133)
Solution: The BI Platform system cannot reach the HANA system. Make sure to check the following:
Check if the firewall is blocking the connectivity between the BI Platform and the SAP HANA system.
Make sure the HANA port is the correct port. This is especially important when configuring SAML with a
multi-tenant HANA system.
Fail to create an instance of Job : Cannot cast class java.util.ArrayList to class java.lang.String
Solution: The connection test has failed. Most likely, this error appears when the CMC connection test also fails.
See section 6.2.3, Test Connection fails in the CMC.
1718944 - SAP HANA DB: Securing External SQL Communication (CommonCryptoLib)
    Setup SSL on a HANA system.
2087537 - How to Configure SAML SSO Between HANA DB and Business Intelligence using CommonCrypto
    Configuration Steps of HANA and BI
1900023 - How to setup SAML SSO to HANA from BI
    Known issues and setup guide for HANA and BI with SAML SSO