Thursday, February 4, 2016

2087537 - How to Configure SAML SSO Between HANA DB and Business Intelligence using CommonCrypto

Symptom
You would like to use SAML Single Sign On between BI and HANA


Other Terms
SSO, Single Sign On, SAML, BI, Business Intelligence, HANA, Crypto, SAPCrypto, Common Crypto


Reason and Prerequisites
Before using this guide, please ensure you have SSL enabled and configured on your HANA Appliance.
To use the certificate import functions of HANA Studio, please ensure you are using version 80+.
To use SAML, please ensure your BI version is 4.1 or greater.


Solution
Start Your Programs
Begin by opening the following programs:
  • Central Management Console ("CMC") in BI
  • Create an SSH Connection to your HANA Appliance
  • Start HANA Studio
Populate CMC with HANA Connection Details
In your CMC window, navigate to "Applications" -> "HANA Authentication"
You will see a screen with editable text boxes for "HANA Hostname", "HANA Port", "Unique Identity Provider ID"
  • HANA Hostname should contain the fully qualified domain name for your HANA Appliance that you used when generating the HANA SSL Certificate. 
  • HANA Port should be the JDBC port for the HANA Appliance. This is in the format 3<instance number>15
  • Unique Identity Provider ID should be a string that will be used to identify the SAML connection. 
After populating HANA Hostname, HANA Port, and Unique Identity Provider ID, press the generate button to create a Base64 Certificate.
Copy the full text of the Base64 Certificate to a text file called "bi.cer" and save it to $SECUDIR on your HANA Appliance and to a location on the machine that you have HANA Studio installed on.
Import Your Certificate to sapsrv.pse
Add the bi.cer to your sapsrv.pse by issuing the following command from $SECUDIR:
$DIR_SECURITY_LIB/sapgenpse maintain_pk -p sapsrv.pse -a bi.cer
Create a SAML Identity Provider
Next, please start HANA Studio and connect to your HANA Appliance.
In the tab "Systems" right click on your system name and select "Security" -> "Open Security Console"
Select the tab "SAML Identity Providers"
Select the radio button next to "SAP Cryptographic Library"
Click the blue arrow pointing down and left - the label is "Import SAML Identity Provider From Certificate File"
Select the bi.cer that we created earlier.
The fields "Issued To" and "Issued By" will become populated. Fill in the Identity Provider Name with the same value you entered in CMC as "Unique Identity Provider ID"
Once this is complete, press F8 to deploy the changes.
Once deployed, please restart the HANA Instance - Cryptography information is cached on startup.
Map a HANA User to a BI User
At this point, all the back end configuration is complete and all that remains to do is map a BI user to a HANA user and test the connection.
To make a HANA user called "saml_test_user" with the password ToughPassword1 mapped to the BI Username "Administrator" for the SAML Provider (Unique Identity Provider ID) SAMLPROVIDER, issue the following SQL command:
CREATE USER saml_test_user PASSWORD ToughPassword1 WITH IDENTITY 'Administrator' FOR SAML PROVIDER SAMLPROVIDER;
At this point, please switch back to the CMC window we used previously. At the bottom of the screen with the connection details you will see a text box populated with "Administrator" and a button to "Test Connection". Press the button "Test Connection" and you should see "Connection Successful". If any error occurs, you will get the error "The test of the HANA SSO ticket used to log onto the HANA DB has failed due to: [10]: invalid username or password" - this is a generic error message and so you should not assume there is an issue with the username and password.
Troubleshooting
If the "invalid username or password" error occurs, please perform the following steps:
Execute:
ALTER SYSTEM ALTER CONFIGURATION ('indexserver.ini', 'SYSTEM') set ('trace', 'crypto') = 'info' with reconfigure;
Execute:
ALTER SYSTEM ALTER CONFIGURATION ('indexserver.ini', 'SYSTEM') set ('trace', 'Authentication') = 'info' with reconfigure;
Press "Test Connection" again
Execute:
ALTER SYSTEM ALTER CONFIGURATION ('indexserver.ini', 'SYSTEM') UNSET ('trace', 'crypto') with reconfigure;
Execute:
ALTER SYSTEM ALTER CONFIGURATION ('indexserver.ini', 'SYSTEM') UNSET ('trace', 'Authentication') with reconfigure;
Your indexserver will now have a detailed error message as to why the connection failed.
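The user-mapping and trace steps above collected into one SQL script with verification queries, as an added example that is not part of the note. It assumes the SAML provider SAMLPROVIDER has already been created in the HANA Studio Security Console, and that the system views SAML_PROVIDERS, SAML_USER_MAPPINGS and M_INIFILE_CONTENTS are available on your HANA revision.

```sql
-- Added example, not part of the note. Assumes provider SAMLPROVIDER already
-- exists (created via HANA Studio) and that the SAML_PROVIDERS,
-- SAML_USER_MAPPINGS and M_INIFILE_CONTENTS system views exist on this revision.

-- 1. Confirm the provider is present and that its subject/issuer match the
--    bi.cer imported earlier. The name must equal the CMC "Unique Identity
--    Provider ID", otherwise the ticket from BI cannot be matched.
SELECT SAML_PROVIDER_NAME, SUBJECT_NAME, ISSUER_NAME
  FROM SYS.SAML_PROVIDERS
 WHERE SAML_PROVIDER_NAME = 'SAMLPROVIDER';

-- 2. Create the mapped user. The note also gives the user a password; if the
--    account will only ever log on through BI, leaving PASSWORD out means
--    there is no password to guess (assumed: an external identity alone is an
--    accepted authentication mechanism for CREATE USER).
CREATE USER saml_test_user
  WITH IDENTITY 'Administrator' FOR SAML PROVIDER SAMLPROVIDER;

-- 3. Verify the mapping: EXTERNAL_IDENTITY must be the BI user name exactly
--    as the CMC sends it, and the provider must be the one checked in step 1.
SELECT USER_NAME, SAML_PROVIDER_NAME, EXTERNAL_IDENTITY
  FROM SYS.SAML_USER_MAPPINGS
 WHERE SAML_PROVIDER_NAME = 'SAMLPROVIDER';

-- 4. Only when "Test Connection" fails: raise both trace levels in one
--    statement, confirm they are active, reproduce, then reset them.
ALTER SYSTEM ALTER CONFIGURATION ('indexserver.ini', 'SYSTEM')
  SET ('trace', 'crypto') = 'info',
      ('trace', 'Authentication') = 'info'
  WITH RECONFIGURE;

SELECT SECTION, KEY, VALUE
  FROM SYS.M_INIFILE_CONTENTS
 WHERE FILE_NAME = 'indexserver.ini'
   AND SECTION = 'trace'
   AND KEY IN ('crypto', 'Authentication');

-- ... press "Test Connection" again, read the indexserver trace, then reset
--     so the trace does not keep logging authentication detail:
ALTER SYSTEM ALTER CONFIGURATION ('indexserver.ini', 'SYSTEM')
  UNSET ('trace', 'crypto'),
        ('trace', 'Authentication')
  WITH RECONFIGURE;
```

Run the statements one at a time in the HANA Studio SQL console as a user with USER ADMIN and INIFILE ADMIN privileges; an empty result from step 1 or step 3 points at a provider-name or identity mismatch rather than at the password.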





Other Attributes
Connection Failed: The test of the HANA SSO ticket used to log onto the HAN


Header Data

Released On 12.11.2014 19:07:04
Release Status Released for Customer
Component HAN-DB-SEC SAP HANA Security & User Management
Priority Recommendations / Additional Info
Category Consulting
