Documenti di Didattica
Documenti di Professioni
Documenti di Cultura
ConfiguringSAMLwithSAPHANAandSAPBusiness...|SCN
GettingStarted Newsletters
Hi,Guest
LogOn
JoinUs
Store
SearchtheCommunity
Products
Services&Support
AboutSCN
Downloads
Industries
Training&Education
Partnership
DeveloperCenter
Activity
LinesofBusiness
UniversityAlliances
Events&Webinars
Innovation
Browse
Communications
Actions
SAPHANAandInMemoryComputing
ConfiguringSAMLwithSAPHANAandSAP
BusinessObjects4.1Part1
PostedbyVishalDhirinSAPHANAandInMemoryComputingonAug1,20136:39:01PM
Share
Tweet
Like
SAPBusinessObjects4.0(BI)allowedforSingleSignOn(SSO)toSAPHANA(HANA)configuredviaKerberos.Now,
inBI4.1wecansetupSSOtoHANAviatheSecurityAssertionMarkupLanguage(SAML).SowhatisSAML?SAML
isanXMLstandardthatallowsparties(inourcaseBIandHANA)toexchangeauthenticationandauthorizationdata.
WithSAMLwehaveaServiceProvider(SP)thatcancontactanIdentityProvider(IdP)toauthenticateuserstryingto
accesssecurecontent.Inoursetupwehave,
AclientForexampleBILaunchpad
AIdPBI4.1
ASPHANA
Insimplifiedterms,afterauserhasbeenAuthenticatedbytheBIserver,itwillgenerateaSAMLassertionfortheuser
andpassittoHANAforSSO.
InPart1wewillcovertheconfigurationstepsrequiredforHANAandBI4.1.InPart2,theendtoendSSO
configurationstepsrequiredforBI4.1.
Prerequisites
AuserthatcanlogintoBIusinganytypeoflogin(ActiveDirectory,LDAP,SAP,orEnterprise)
AuserthatcanlogintoSAPHANA
SSLhasconfiguredforHANA
ItishighlyrecommendedtohaveSSLsetupinHANAasweareessentiallycreatingatrustisbeingcreatedbetween
theBIserverandHANAserver,thusthisconnectionstreamshouldbeencryptedtopreventpacketsniffing.To
configureSSLforHANArefertomyblog,
SSLwithHANAandBI4FeaturePack3
ToconfirmSSLhasbeensetupyouwillneedtoclickonthe"ConnectusingSSL"optioninthepropertiesofthe
connection.
Oncedone,alockwillappearintheconnectioninHANAStudio,
InBI4.1
BI4.1nowcomeswithanewapplicationcalled"HANAAuthentication".It'sfoundintheCMC,underApplications.
ThepurposeofthisapplicationistocreateacertificatethatwecaninstallontheHANAserver,meaningthatHANAwill
trustBItodotheauthentication.ThisapplicationwillalsoallowustotesttheSAMLconfiguration.
http://scn.sap.com/community/hanainmemory/blog/2013/08/01/configuringsamlwithsaphanaandsapbusinessobjects41part1
1/6
2/3/2016
ConfiguringSAMLwithSAPHANAandSAPBusiness...|SCN
YouwillneedtoknowyourHANAHostnameandPortforthistoworkcorrectly.The"UniqueIdentityProviderID"can
becalledanything.ThiswillbecometheCommonName(CN)intheDistinguishedName(DN),whichyouwillcreate
below.Anexamplesetupis,
Intheprerequisites,SSLwasrecommended.IfyouhavesetupSSL,youwillhaveatrust.pemfilelocatedhere(orin
anotherfolder),
/usr/sap/<HANAInstanceName>/home/.ssl
Inthistrust.pemfile,wewillappendthecertificatethat'sbeencreatedbyBI.Beforewecandothat,weneedtoconvert
thecertificatetothecorrectformat.
1)Gotothecertificatedecodersite,forthepurposesofthisblogwewillusehttp://certlogik.com/decoder/
2)CopyandpastethecertificatefromCMCtothedecoderandhitDecode
http://scn.sap.com/community/hanainmemory/blog/2013/08/01/configuringsamlwithsaphanaandsapbusinessobjects41part1
2/6
2/3/2016
ConfiguringSAMLwithSAPHANAandSAPBusiness...|SCN
4)Copythedecodedcertificateandpasteitunderthecurrentcertificateinthetrust.pemfile(aftertheEND
CERTIFICATEline,pastethenewcertificate).Likeso,
4.SavethefileandrestartHANA
InHANA
InHANAtheSAMLproviderneedstobeconfiguredandaHANAuserneedstohaveanidentityaddedforSAML.The
stepsare,
1.CreatetheSAMLprovider
GotothecertificatedecoderwebsiteandscrolldownuntilyoufindIssuerandSubjectunderProperties
ThecreateSAMLprovidersyntaxis,
CREATESAMLPROVIDER<PROVIDERNAME>WITHSUBJECT'<SubjectDN>'ISSUER'<IssuerDN>'
Inthisexample,itwouldbe,
CREATESAMLPROVIDERHANA_BI_PROVIDER WITHSUBJECT'C=CA,ST=BC,O=SAP,OU=BOE,
CN=BI4SAML'ISSUER'C=CA,ST=BC,O=SAP,OU=BOE,CN=BI4SAML'
Note:InourcaseheretheDNisnotinthenormalCN,OU,DCorder,itneedstobeintheexactsameorderasthe
certificateshownabove.
2)CreateaHANAuser
CREATEUSERTESTSAMLPASSWORDAbcd1234
3)EnabletheuserforSAMLauthentication
ALTERUSERTESTENABLESAML
4)AddanidentitytotheHANAuserwhichistheBIuser
ALTERUSERTESTADDIDENTITY'Administrator'FORSAMLPROVIDERHANA_BI_PROVIDER
Toverifytheabovesteps,ifweopenthepropertiesoftheuseryouwillseethattheSAMLcheckboxisenabledand
clickingon"Configure"willshowtheSAMLproviderthatwecreatedabove,
http://scn.sap.com/community/hanainmemory/blog/2013/08/01/configuringsamlwithsaphanaandsapbusinessobjects41part1
3/6
2/3/2016
ConfiguringSAMLwithSAPHANAandSAPBusiness...|SCN
TestSAMLAuthentication
TotestifSAMLisworking,logintotheCMCandgotoApplications>HANAAuthentication.Onthisscreen,youwill
see"Testtheconnectionforthisuser".HerewewanttoentertheBIusername,rememberweaddedthisidentityto
ourHANAuserinstep4above.
Iftheconnectionissuccessful,youwillsee,
Ifnot,youwillsee,
Troubleshooting
Asscreenintheabovefailedlogin,theerrormessagereceivedisverygeneric.TotroubleshootSAMLissues,start
withthebasics,
1)DoyouhaveSSLsetupandworkinginHANA(meaning:doyouseethelockicononyourconnection?)
2)AfteraddingtheBIcertificatetothePEMfile,didyourestartHANA?
3)CheckthattheDNiscorrectandinthecorrectorderasmentionedabove
4)EnabletheauthenticationtraceintheINDEXSERVER
Oncethetracehasbeenenabled,youwillgetsomethingsimilartowhatyouseeinthelogbelow.Fromhereyoucan
determinewhaterrormessagesarebeingthrownaswellasverifytheCertificateSubjectandIssuer.Forthelog
below,youcanseethattheSAMLprovidercreatediswrong,thusadoesnotexisterrorisbeingthrownbyHANA.
http://scn.sap.com/community/hanainmemory/blog/2013/08/01/configuringsamlwithsaphanaandsapbusinessobjects41part1
4/6
2/3/2016
19723Views
ConfiguringSAMLwithSAPHANAandSAPBusiness...|SCN
Products:sap_hanaTags:bi,hana,business_intelligence_(businessobjects),analytics
AverageUserRating
(7ratings)
Share
Tweet
Like
6Comments
AbhikGuptaFeb6,20145:12AM
Verynicepost,Vishal!
Like(0)
SwaparnaKumarApr28,20147:47PM
HiVishal,
IfusershavesameidinBIandHana.Forexistingusersinthehanasystem,dowerunthe'ALTER
USERTESTENABLESAML'statementafterwehaveenabledSAMLSSO.Isthereaneedtochange
thepasswordonhanaorrunanyotherstatements.
Pleaseadvise.
Like(1)
KalyanYarlagaddaDec2,20149:25PM
Nicepost,
CanyousendpostthePart2alsoifpossible
Like(0)
VenkateswaraGupthaDec5,20144:44AM
ExcellentBlog.
CanyoupleaseprovidetheEndtoEndconfigurationsteps?Orthestepsprovidedaboveare
sufficientforEndtoEndSSO,pleaseclarify.
Like(0)
AbaniPattanayakFeb18,20153:29AM
Thanksforputtingthistogether.
Like(0)
BhargavMalsaniFeb18,20155:21PM
nicepost...canyouprovidethelinktopart2.
Like(0)
SiteIndex
ContactUs
SAPHelpPortal
http://scn.sap.com/community/hanainmemory/blog/2013/08/01/configuringsamlwithsaphanaandsapbusinessobjects41part1
5/6
2/3/2016
Privacy
ConfiguringSAMLwithSAPHANAandSAPBusiness...|SCN
TermsofUse
LegalDisclosure
Copyright
http://scn.sap.com/community/hanainmemory/blog/2013/08/01/configuringsamlwithsaphanaandsapbusinessobjects41part1
FollowSCN
6/6