This article describes the mandatory configuration steps for the setup of SAML SSO between BI Platform and SAP HANA with Analysis Office.

Step 1: Create OLAP Connection



  1. Open CMC and create a new OLAP connection of type "SAP HANA http"

  2. Enter the fully qualified HANA host name and HTTP port

  3. Select SSO as authentication

  4. Save the connection




 

Step 2: Create Certificate



  1. Open HANA XS Admin UI in the browser to find the name of the HANA service provider: http://<hana_host>:<hana_port>/sap/hana/xs/admin/#/samlSP (the user needs the role "sap.hana.xs.admin.roles::SAMLAdministrator")

  2. In this example the name is S1222

  3. Go back to CMC and open "Applications -> HANA Authentication"

  4. Create new connection

  5. Enter exactly the same host name and port as in step 1.2

  6. Enter a name for the unique identity provider ID. You can choose an arbitrary name here; it should reflect your BI Platform system.

  7. Enter the service provider name

  8. Click on the "Generate" button to generate a certificate

  9. Copy the certificate to a text file

  10. Click Ok


Step 3: Import Certificate



  1. Open the Web Dispatcher Administration UI (http://<hana_host>:<hana_port>/sap/hana/xs/wdisp/admin/public/default.html) in your browser. The user needs the role "sap.hana.xs.wdisp.admin::WebDispatcherAdmin"

  2. Go to "PSE Management"

  3. Select "sapsrv.pse" in the dropdown box

  4. Click on "Import Certificate" and paste the certificate content of step 2.9

  5. Click on "Import"

  6. After that you should see the certificate metadata

  7. Copy the content of the "Subject" field. In my example it is "C=CA, SP=BC, O=SAP, OU=BOE, CN=BIP_IDP"

  8. Restart the "webdispatcher" and "xsengine" service of your HANA server.



Step 4: Create Identity Provider



  1. Open the HANA XS Admin UI: http://<hana_host>:<hana_port>/sap/hana/xs/admin/#/samlIDP/0

  2. Create a new identity provider for your BI Platform system

  3. Enter the name of the identity provider from step 2.6

  4. Enter the subject from step 3.7 for both Subject and Issuer

  5. For all other fields just enter "/". For our use case the fields are not needed


Step 5: Assign identity provider to InA Service



  1. Navigate to http://<hana_host>:<hana_port>/sap/hana/xs/admin/#/package/sap.bc.ina.service.v2

  2. Enable SAML authentication and select your SAML Identity Provider. Important: please ensure that you only activate your SAML Identity Provider for the "sap.bc.ina.service.v2" package.


Step 6: Map the BI Platform user to your HANA user



  1. Go to HANA Studio

  2. Open your user and mark the "SAML" checkbox

  3. Click on "Configure" and add a new mapping

  4. Select your Identity Provider

  5. Enter the name of your BI Platform user. The name is case sensitive: if your user is named "Smith", enter it exactly this way. If you enter "smith" or "SMITH", it will not work later.
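
The mapping from step 6 can also be created and reviewed in SQL, which makes it easier to audit which HANA users the BI Platform identity provider can log on as. This is an added example, not part of the original post; the provider name BIP_IDP and the HANA user HANA_SMITH are assumed names, and 'Smith' is the BI Platform user from step 6.5.

```sql
-- Added example (not from the original post).
-- Assumed names: identity provider BIP_IDP (the name chosen in step 2.6),
-- HANA user HANA_SMITH, BI Platform user "Smith".
-- If the provider was created with a mixed-case name, quote it: "Bip_Idp".

-- Step 6.2: allow SAML logon for the HANA user.
ALTER USER HANA_SMITH ENABLE SAML;

-- Steps 6.3 to 6.5: map the BI Platform account to the HANA user.
-- The external identity must match the BI Platform user name exactly,
-- including upper and lower case.
ALTER USER HANA_SMITH ADD IDENTITY 'Smith' FOR SAML PROVIDER BIP_IDP;

-- Check 1: the provider from step 4 should show the certificate subject
-- from step 3.7 as both subject and issuer.
SELECT SAML_PROVIDER_NAME, SUBJECT_NAME, ISSUER_NAME
  FROM SYS.SAML_PROVIDERS
 WHERE SAML_PROVIDER_NAME = 'BIP_IDP';

-- Check 2: every HANA user reachable through this provider. Review the
-- list for privileged users that should not be reachable via SSO.
SELECT USER_NAME, EXTERNAL_IDENTITY
  FROM SYS.SAML_USER_MAPPINGS
 WHERE SAML_PROVIDER_NAME = 'BIP_IDP'
 ORDER BY USER_NAME;

-- Check 3: users that have SAML logon enabled at all.
SELECT USER_NAME
  FROM SYS.USERS
 WHERE IS_SAML_ENABLED = 'TRUE';

-- To withdraw a mapping again:
-- ALTER USER HANA_SMITH DROP IDENTITY FOR SAML PROVIDER BIP_IDP;
```
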


After all these steps, SSO should work in Analysis Office. If the SSO logon does not work, the HANA "xsengine" trace contains valuable information about the root cause. To get all details in the trace, set the trace level of all “authentication” components in the XSENGINE trace configuration to DEBUG.

The admin applications in CMC and HANA may look slightly different depending on the versions you use.
19 Comments
Henry_Banks
Product and Topic Expert
0 Kudos
very helpful, thank you Christian!
former_member110741
Product and Topic Expert
0 Kudos
Nice one christian 🙂
alex_smith
Explorer
0 Kudos
Christian,

Very helpful thank you. There could be a prerequisite to enable HANA http connections in mdas.properties on the BOBJ side.

Thanks
0 Kudos
Hi Christian,

thanks for guide.

I configured the SSO between BI Platform 4.2 and AFO and all works well with an Admin user, or a user belonging to the Administrators group. Do you know what roles/privileges we need to configure for a user in the CMC Console to access the HANA connections?

 

Best regards,

Denis.

 
chini_dar
Discoverer
0 Kudos
Hi Christian,

 

Thanks a lot for this blog. I have set up the SSO between AO and HANA with your help. I noticed that after I did this, my XS Engine stopped working. I am not able to see the login screen for XSEngine.

 

Regards,
Chinmay Vyas
0 Kudos
Hi Chinmay,

it is important that you enable SAML only for package 'sap.bc.ina.service.v2' and not for the root package 'sap' (see step 5).

Best regards, Christian
0 Kudos
Hi Alex,

yes, that is correct. In the newer versions the HANA http connection is visible per default. That's why I forgot this point.

Best regards, Christian
0 Kudos
Hi Denis,

I'm sorry but I do not know this in detail. The BI Platform Administrator guide should give you answers here.

Best regards, Christian
0 Kudos
Hi Christian,

I'm here again to ask your support.

As I said, I configured the SSO between BI Platform 4.2 and AFO SP02 Patch 1 and all worked well. I have tried to upgrade the client to version 2.5 SP03 Patch0 and also to version 2.6 SP00 Patch0. After the upgrade SSO stops working.

Any clue?

Thanks a lot,

Denis.

 
0 Kudos
Hi,

unfortunately this is a regression in 2.5 SP03 and 2.6 SP00. It will be fixed with a patch for both SPs. As soon as I have more details I will post it here.

Best regards, Christian
0 Kudos
Ok Christian,

thank you very much for your support.

 

Best regards,
Denis.

 
0 Kudos
FYI: 2.5 SP03 Patch 1 is now available on SMP. This version will fix the regression and SSO is possible again.

Best regards, Christian
chini_dar
Discoverer
0 Kudos
Thanks Christian,  You are right, that was the issue.  I resolved it by setting the SAML for service.v2.

Thanks.

Chinmay Vyas
arne_vanhoof2
Explorer
Thanks for this guide. Very useful.

I followed it step by step.
However when I test it in analysis for office I get following error:

"cannot handle redirect from http/https protocols to other dissimilar ones.

Invalid url: the hostname could not be parsed".

Any idea what's going wrong?

When in CMC, Applications, HANA Authentication and when I test it for a specific user it's working perfectly.

Is it correct that the mapped BO user does not need to have the same username as the user in HANA?
0 Kudos
Hi Arne,

do you still have this issue or has it been solved in the meantime?

Best regards, Christian
former_member594870
Discoverer
0 Kudos
Hi Christian,

 

Would this method be applicable to my scenario? We have S4 hana 1709 with BI embedded.

I have SSO for GUI running using SNC, it is authenticating against our Solman java system to work with Okta.

Have you worked on this scenario by any chance?

 
0 Kudos
Hi Curtis,

to be honest I did not get your described scenario.

Kind regards, Christian
koushik_maiti
Explorer
0 Kudos
This guide is very helpful. In case someone needs to set up both A-Office and SAC or multiple BOBJ systems, the guide below helped me to achieve this without setting up SAML for ‘sap.bc.ina.service.v2’.

https://blogs.sap.com/2017/06/05/multiple-idps-for-hana-xs-artifact-businessobjects-enterprise-platf...
DayaG
Explorer
0 Kudos
Hi Arne,

Can you please post how was this resolved for you?  I'm getting this same error "Cannot handle redirect from HTTP/HTTPS protocols to other dissimilar ones. Invalid URI: The hostname could not be parsed."

Thanks,

Daya