Symptom
After configuring SAML SSO from Business Objects (BO) to HANA, you receive the following error while testing the connection:
Connection Failed: The test of the HANA SSO ticket used to log onto theHANA DB has failed due to: [10]: invalid username or password: . (FWM 02133)
In the index server trace files you find the following entry:
2015-03-14 02:24:33.944069 i Authentication SAMLAuthenticator.cpp(00387) : SAML provider does not exist
Environment
SAML SSO;Business Objects;BO;HANA
Cause
Increase the Authentication trace to info by executing the following as the SYSTEM user:
ALTER SYSTEM ALTER CONFIGURATION ('indexserver.ini', 'SYSTEM') set ('trace', 'authentication') = 'info' with reconfigure;
Reproduce the failed logon attempt, then undo the configuration change:
ALTER SYSTEM ALTER CONFIGURATION ('indexserver.ini', 'SYSTEM') UNSET ('trace', 'authentication');
In the index server traces you find the following:
[62766]{-1}[-1/-1] 2015-03-14 02:24:33.943545 i Authentication SAMLAuthenticator.cpp(00749) : XML Signature - Certificate Subject: C=CA, ST=BC, O=SAP, OU=BOE, CN=SAPDGSAML
[62766]{-1}[-1/-1] 2015-03-14 02:24:33.943548 i Authentication SAMLAuthenticator.cpp(00754) : XML Signature - Certificate Issuer: C=CA, ST=BC, O=SAP, OU=BOE, CN=SAPDGSAML
Compared to the output of `select * from sys.saml_providers;`:
SAML_PROVIDER_NAME | SUBJECT_NAME | ISSUER_NAME |
HANA_BO_PROVIDER | C = CA,ST = BC,O = SAP,OU = BOE,CN = SAPDGSAML | C = CA,ST = BC,O = SAP,OU = BOE,CN = SAPDGSAML |
There is inconsistent whitespace in the Distinguished Names (DN) of the certificate provided by BO and of the SAML provider configured in HANA:
C=CA, ST=BC, O=SAP, OU=BOE, CN=SAPDGSAML
C = CA,ST = BC,O = SAP,OU = BOE,CN = SAPDGSAML
While the individual properties of the certificate match the configured provider, the entire DN string is compared to the DN strings of available SAML providers.
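The comparison described above can be reproduced offline to tell a whitespace-only mismatch apart from a genuinely different certificate. This is an added example, not SAP code: the function names are hypothetical, the sample input is constructed from the trace lines and provider row shown above, and `canonical` is a simplified normalisation that does not handle escaped commas or quoted values.

```python
import re

# Constructed sample input: trace lines in the format shown above, and one
# row as returned by sys.saml_providers (name, subject, issuer).
TRACE = """\
[62766]{-1}[-1/-1] 2015-03-14 02:24:33.943545 i Authentication SAMLAuthenticator.cpp(00749) : XML Signature - Certificate Subject: C=CA, ST=BC, O=SAP, OU=BOE, CN=SAPDGSAML
[62766]{-1}[-1/-1] 2015-03-14 02:24:33.943548 i Authentication SAMLAuthenticator.cpp(00754) : XML Signature - Certificate Issuer: C=CA, ST=BC, O=SAP, OU=BOE, CN=SAPDGSAML
"""
PROVIDERS = [("HANA_BO_PROVIDER",
              "C = CA,ST = BC,O = SAP,OU = BOE,CN = SAPDGSAML",
              "C = CA,ST = BC,O = SAP,OU = BOE,CN = SAPDGSAML")]

TRACE_DN = re.compile(r"XML Signature - Certificate (Subject|Issuer): (.+)$")

def dns_from_trace(text):
    """Return {'Subject': dn, 'Issuer': dn} from authentication trace lines."""
    found = {}
    for line in text.splitlines():
        m = TRACE_DN.search(line)
        if m:
            found[m.group(1)] = m.group(2).strip()
    return found

def canonical(dn):
    """Simplified normalisation (assumption): ignore whitespace around '=' and ','."""
    parts = []
    for rdn in dn.split(","):
        key, _, value = rdn.partition("=")
        parts.append((key.strip().upper(), value.strip()))
    return parts

def classify(cert_dn, configured_dn):
    if cert_dn == configured_dn:  # whole-string comparison, as the page describes
        return "match"
    if canonical(cert_dn) == canonical(configured_dn):
        return "whitespace-only mismatch"
    return "different DN"

def check(trace_text, providers):
    """Classify subject and issuer of every configured provider against the trace."""
    cert = dns_from_trace(trace_text)
    report = {}
    for name, subject, issuer in providers:
        report[name] = {"subject": classify(cert["Subject"], subject),
                        "issuer": classify(cert["Issuer"], issuer)}
    return report

if __name__ == "__main__":
    for name, result in check(TRACE, PROVIDERS).items():
        print(name, result)
```

A "whitespace-only mismatch" result corresponds to the situation in this note; "different DN" means the certificate presented by BO is not the one the provider was configured for.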
Resolution
Correct the inconsistent whitespace by changing the Subject and Issuer properties of the configured SAML provider in HANA.
C = CA,ST = BC,O = SAP,OU = BOE,CN = SAPDGSAML
->
C=CA, ST=BC, O=SAP, OU=BOE, CN=SAPDGSAML
See Also
Setup SAML SSO from BI to Hana using SAP crypto libraries
Configuring SAML with SAP Hana and SAP BusinessObjects 41 Part 1
SAP Note 1900023 How to setup SAML SSO to HANA from BI
SAP Note 2083682 How to Enhance Tracing for SAP HANA SSO Login Issues
Keywords
SAML;SSO;HANA;BO;provider;authentication