Wednesday, February 3, 2016

2127658 - SAP HANA SP09: Overview of SAML Enhancements

Symptom
You use SAML 2.0 for Single Sign-On (SSO) with SAP HANA.


Other Terms
SAML, Single Sign On, SSO, Crypto, CommonCrypto, CommonCryptoLib, SAP HANA, Authorization, SAML2.0, XSEngine, Indexserver, HDB, HANA, Security


Reason and Prerequisites
You have upgraded your SAP HANA installation to SP09 (Revision 90) or higher.


Solution
The SAML 2.0 implementation in SAP HANA was enhanced. The changes are documented in the official SAP HANA Security Guide, see
http://help.sap.com/hana/SAP_HANA_Security_Guide_en.pdf
This SAP Note provides only a rough overview, divided into two parts: the core database (indexserver) and the extended application services (xsengine). SAML validation is performed in the indexserver; SAML message creation is done in the xsengine.
Note: The signature enhancements require CommonCryptoLib. The library is part of the HANA SP09 installation/upgrade and should be the default crypto provider; see also SAP Note 2093286.
The following SQL statement shows you the version information about your crypto provider:
SELECT * FROM  "SYS"."M_HOST_INFORMATION" WHERE KEY LIKE 'crypt%';
Authentication errors can be analyzed in the traces; for more details, see SAP Note 2083682.
SAP HANA DB
  1. entityID has been added as a new field in the SAML identity-provider configuration. The SQL statements CREATE SAML PROVIDER and ALTER SAML PROVIDER accept it as "ENTITY ID <string literal>". If the provider configuration contains the entityID, the SAML assertion may omit the <KeyInfo> node and the <X509Certificate> it carries: the indexserver identifies the signing provider by the assertion's Issuer (the entityID) and verifies the signature with the trusted certificate from the PSE that matches the provider's subject and issuer, rather than with a certificate embedded in the message.
  2. Assertion signature verification now also accepts SHA-256, both as digest algorithm and in the RSA-SHA256 signature method, in addition to SHA-1. Signatures that SAP HANA XS itself creates still default to SHA-1; see the "hash" parameter below.
  3. NameID mapping supports the format "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress". This requires that the SAP HANA user has an e-mail address configured. The e-mail address can be set in SAP HANA studio in the "Security" section of the "User Parameters" tab.
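The following statements put items 1 to 3 together for one identity provider. They are an added example, not part of the SAP Note: the provider name CORP_IDP, the distinguished names, the entityID URL and the user ALICE are constructed values. The crypto-provider check is the one the note gives above; the provider and user statements use the SP09 syntax the note refers to (CREATE/ALTER SAML PROVIDER with ENTITY ID, CREATE USER ... WITH IDENTITY ... FOR SAML PROVIDER), and SET PARAMETER EMAIL ADDRESS is assumed here to be the SQL equivalent of the studio setting mentioned in item 3.

```sql
-- 1. Confirm that CommonCryptoLib is the active crypto provider (check from the note above).
SELECT * FROM "SYS"."M_HOST_INFORMATION" WHERE KEY LIKE 'crypt%';

-- 2. Register the identity provider (constructed values).
--    SUBJECT/ISSUER are the DNs of the IdP signing certificate and must match the
--    certificate in the PSE string for string. ENTITY ID is the IdP's SAML entityID,
--    i.e. the value the IdP puts into <saml:Issuer>. With ENTITY ID configured the
--    indexserver can verify assertions that carry no <KeyInfo>/<X509Certificate>,
--    because it resolves the signer by Issuer instead of trusting an embedded cert.
CREATE SAML PROVIDER "CORP_IDP"
  WITH SUBJECT 'CN=idp.example.com, O=Example Corp, C=DE'
       ISSUER  'CN=Example Corp Issuing CA, O=Example Corp, C=DE'
       ENTITY ID 'https://idp.example.com/saml2/metadata';

-- A provider created before SP09 gets the entityID added afterwards (same DNs, new ENTITY ID).
ALTER SAML PROVIDER "CORP_IDP"
  WITH SUBJECT 'CN=idp.example.com, O=Example Corp, C=DE'
       ISSUER  'CN=Example Corp Issuing CA, O=Example Corp, C=DE'
       ENTITY ID 'https://idp.example.com/saml2/metadata';

-- 3. Map a database user to the identity the IdP asserts. Here the IdP sends the
--    NameID in format urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress, so the
--    user needs the address both as mapped SAML identity and as EMAIL ADDRESS parameter
--    (assumed SQL equivalent of the "User Parameters" tab in SAP HANA studio).
CREATE USER ALICE WITH IDENTITY 'alice@example.com' FOR SAML PROVIDER "CORP_IDP";
ALTER USER ALICE SET PARAMETER EMAIL ADDRESS = 'alice@example.com';

-- Verify: the provider row must show the entityID, the mapping row the external identity.
SELECT * FROM "SYS"."SAML_PROVIDERS"     WHERE SAML_PROVIDER_NAME = 'CORP_IDP';
SELECT * FROM "SYS"."SAML_USER_MAPPINGS" WHERE SAML_PROVIDER_NAME = 'CORP_IDP';
```

Whether the DNs match is the usual failure point: the subject and issuer strings must be byte-identical to what the indexserver derives from the certificate in sapsrv.pse, which is exactly why item 9 below moved the certificate parser into HANA itself. If a login fails, the traces named in SAP Note 2083682 show which of issuer, subject or entityID did not match.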
SAP HANA XS
  1. SAML bearer assertion creation has been added to the XS HTTP Destination service. Outbound calls from XS can thereby propagate the user's identity to external systems (SAML bearer assertion flow).
  2. IDP-initiated SSO is supported. When an IDP authenticates a user and redirects the request to the SAP HANA XS system, the IDP does not know the application path; the path to redirect to is defined in the INI configuration parameter "default_application_path".
  3. Authentication with a SAML bearer assertion in the Authorization header, see SAP Note 2043039.
  4. Standard support of the Single Logout (SLO) protocol. Logging off from a SAP HANA XS application that used SAML for authentication now triggers an SLO request to the corresponding ID provider.
  5. Signature support for the AuthnRequest and for the Single Logout request. For the AuthnRequest a new INI configuration parameter controls signing; the SLO request MUST be signed according to the SAML 2.0 specification and is therefore always signed.
  6. The parameter indexserver -> authentication -> saml_service_provider_name now has a default of the form <SYSTEMNAME><SYSNO>, for example HAN00. Note: for BI you have to implement SAP Note 2127582.
  7. New INI configuration parameters in indexserver.ini -> saml:
    1. sign_authn_request: specifies whether the AuthnRequest is signed. Allowed values: true, false. Default: true.
    2. hash: specifies the hash algorithm for the SAML signatures that SAP HANA creates. Allowed values: SHA1, SHA256. Default: SHA1. SHA256 is the setting to use; the IDP must then accept RSA-SHA256 signatures.
    3. add_key_info: specifies whether SAML messages are created with an additional KeyInfo/X509Certificate node. Allowed values: true, false. Default: true.
    4. default_application_path: specifies the redirect path after a successful IDP-initiated SSO. Allowed value: a relative path in the XS web tree. Default: /.
    5. add_assertionconsumer_url: adds AssertionConsumerServiceURL to the AuthnRequest. Available as of Rev. 97.01, see item 11 below. Allowed values: true, false. Default: false.
  8. The configuration tab "SAML Service Provider" in XS Admin was reworked. The SAP HANA XS metadata is now generated with the signer's keys (the signing certificate is included) and is pretty-printed. The SAML metadata can be retrieved from the URL endpoint /sap/hana/xs/saml/info.xscfunc.
  9. The configuration tab "SAML Identity Provider" in XS Admin was reworked. The metadata parser for IDP creation was improved; for example, the certificate key parser is now an XSJS parser running in HANA itself, so that the subject and issuer strings stored for the provider are identical to the ones the indexserver computes during verification. The field "Entity ID" was added to the UI.
  10. The configuration tab "Trust Manager" in XS Admin was enhanced. A default entry for SAML allows maintenance of the trust store (PSE) of the current SAML provider. The default PSE is sapsrv.pse.
  11. AssertionConsumerServiceURL in the AuthnRequest. This enhancement exists for SP09 Rev. 97.01 and higher. If the IDP receives a digitally signed AuthnRequest that contains AssertionConsumerServiceURL, it sends the SAML assertion back to that URL instead of to the URL from the metadata. This enables SSO with virtual host names, because AssertionConsumerServiceURL is taken from the host name of the current web request. The signature is what makes this safe: an unsigned request with an attacker-chosen AssertionConsumerServiceURL would deliver the assertion to the attacker's host, so keep sign_authn_request set to true when you enable this feature with the INI configuration parameter add_assertionconsumer_url.
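To apply the parameters from items 5 to 7 and 11 in one go, the following is an added example (not from the SAP Note) that shows the SP09 default beside the hardened setting, using ALTER SYSTEM ALTER CONFIGURATION at the SYSTEM layer. The parameter names and allowed values are the ones listed above; the service-provider name HAN00 is the note's own example; the application path /corp/portal/ is a constructed value.

```sql
-- SP09 defaults as the note documents them (for comparison only, not to be applied):
--   saml/hash                      = SHA1    -> SHA-1 for every signature XS creates
--   saml/sign_authn_request        = true
--   saml/add_key_info              = true
--   saml/default_application_path  = /
--   saml/add_assertionconsumer_url = false   -> Rev. 97.01 and higher only

-- Hardened configuration at the SYSTEM layer (all hosts):
ALTER SYSTEM ALTER CONFIGURATION ('indexserver.ini', 'SYSTEM')
  SET ('saml', 'hash')                      = 'SHA256',        -- SHA-256 instead of SHA-1; the IDP must accept RSA-SHA256
      ('saml', 'sign_authn_request')        = 'true',          -- keep signed: the IDP may only honour a request-supplied ACS URL from a signed request
      ('saml', 'add_key_info')              = 'true',          -- embed the signer certificate in outbound messages
      ('saml', 'default_application_path')  = '/corp/portal/', -- constructed landing path for IDP-initiated SSO
      ('saml', 'add_assertionconsumer_url') = 'true'           -- Rev. 97.01+: AuthnRequest carries the current host as AssertionConsumerServiceURL
  WITH RECONFIGURE;

-- Item 6: the service-provider name defaults to <SYSTEMNAME><SYSNO>; set it explicitly only if it must differ
-- from the entityID the IDP already has on file for this system.
ALTER SYSTEM ALTER CONFIGURATION ('indexserver.ini', 'SYSTEM')
  SET ('authentication', 'saml_service_provider_name') = 'HAN00'
  WITH RECONFIGURE;

-- Read back every layer, so a host-layer override or a default-layer value does not silently win.
SELECT LAYER_NAME, HOST, SECTION, KEY, VALUE
  FROM "SYS"."M_INIFILE_CONTENTS"
 WHERE FILE_NAME = 'indexserver.ini'
   AND ( SECTION = 'saml'
      OR ( SECTION = 'authentication' AND KEY = 'saml_service_provider_name' ) )
 ORDER BY SECTION, KEY, LAYER_NAME;
```

Two things to check before switching hash to SHA256: the IDP must verify RSA-SHA256 signatures on the AuthnRequest and LogoutRequest, and any system that consumes the bearer assertions created by the XS HTTP Destination service (item 1) must accept SHA-256 as well. Enabling add_assertionconsumer_url without a signed AuthnRequest has no security value; the IDP is expected to ignore the URL in that case.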



Header Data

Released On 22.12.2015 15:39:27
Release Status Released for Customer
Component HAN-DB-SEC SAP HANA Security & User Management
Other Components
HAN-AS-XS SAP HANA Extended Application Services
Priority Recommendations / Additional Info
Category Installation information
