Configure Single Sign-On with HANA using SAML2 and SAP Business Objects Analysis for Office.
Business requirements.
The objective of this blog is to provide step-by-step instructions on how to configure Single Sign-On (SSO) using Security Assertion Markup Language (SAML) between SAP Business Objects Analysis for Office (AO) and SAP HANA Database 2.0 SP05.
Advantage.
We can access the Web Intelligence/AO reports through Single Sign-On. There is no need to enter the backend HANA logins (for reports developed in HANA) every time the reports are accessed from BOBJ.
PREREQUISITES
Before proceeding with the configuration, you should have a basic knowledge of Business Objects and HANA administration, covering the points below.
SAP HANA Configuration Files such as indexserver.ini and global.ini
SAP HANA Studio
SAP BusinessObjects BI Platform Central Management Console
SAP BusinessObjects Analysis for Office
STEP-BY-STEP CONFIGURATION
There are some initial configuration steps:
Step No | Description
1 | Enable HANA http connections for the MDAS server
2 | Generate a certificate from BI Platform
3 | Import the certificate into the HANA Trust Store
4 | Import the certificate into the HANA Security
5 | Configure a SAML user with an external identity user
6 | Test the connection
Step # 1.
Enable HANA http connection for the Multi-Dimensional Analysis Service (MDAS).
Edit the mdas.properties file in Notepad and then change multidimensional.services.enable.hana.http.connections=false to true
Restart SAP BusinessObjects BI Platform for these changes to take effect
This section is now complete.
Step # 2 Generate a Certificate from BI Platform.
Generating a HANA certificate is performed through the BI Platform Central Management Console (CMC). This certificate will be specific to the HANA HTTP connection.
- Open a browser and go to http://<Web Application Server>:<Web Application Server Port>/BOE/CMC
Go to CMC Home > Applications > HANA Authentication.
Select the add icon to create a new connection
Input the HANA details:
Select Generate and then copy the entire certificate into the clipboard.
Select OK to save the connection
Create a new certificate file by pasting the certificate into a text editor.
Save the file as a .cer extension.
Step # 3.
Import the Certificate into the HANA Trust Store.
To find out which trust store is used by HANA, check the configuration setting global.ini > [communication] > ssltruststore.
By default, the value is sapsrv.pse. This means the trust store is located at $SECUDIR/sapsrv.pse.
There are two methods of importing the certificate into the trust store:
Using the internal Web Dispatcher Administration console.
The following steps will be performed using the Web Dispatcher Administration console.
Access the Web Dispatcher Administration page by going to this location:
http://<HANA System>:<WDisp Port>/sap/hana/xs/wdisp/admin/public/default.html
Select PSE Management on the left-hand side
From the Manage PSE drop-down menu, select sapsrv.pse. In the example screenshot, the sapsrv.pse already contains an existing certificate for the BI Platform system.
Select Import Certificate from the Trusted Certificates
Copy the certificate text from the certificate generated from the BI Platform CMC. Make sure to include the -----BEGIN CERTIFICATE----- and -----END CERTIFICATE-----
Select Import
The certificate should appear in the Trusted Certificates section
Restart the HANA system for these changes to take effect
This section is now complete.
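The paste-and-save handling in Step 2 and the BEGIN/END requirement in Step 3 can be checked before the import. The script below is an added example, not part of the original blog or of any SAP tool: it confirms that the saved .cer text holds exactly one complete PEM block and returns a SHA-256 fingerprint of the decoded bytes, so the text pasted into the Web Dispatcher and the file used later in HANA Studio can be compared. The function names and the sample data are assumptions made for illustration, and the check is structural only (it does not validate X.509 fields such as subject or validity).

```python
import base64, hashlib, pathlib, re, sys

PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)

def der_total_length(der: bytes) -> int:
    """Return the total size that the outer DER SEQUENCE header claims."""
    if len(der) < 2 or der[0] != 0x30:
        raise ValueError("decoded data is not a DER SEQUENCE")
    first = der[1]
    if first < 0x80:                       # short form: length fits in one byte
        return 2 + first
    n = first & 0x7F                       # long form: next n bytes hold the length
    if n == 0 or len(der) < 2 + n:
        raise ValueError("bad DER length header")
    return 2 + n + int.from_bytes(der[2:2 + n], "big")

def check_pasted_certificate(text: str) -> str:
    """Validate one pasted PEM certificate and return its SHA-256 fingerprint."""
    text = text.lstrip("\ufeff").replace("\r\n", "\n")   # editor BOM and CRLF
    blocks = PEM_RE.findall(text)
    if len(blocks) != 1:
        raise ValueError(
            f"expected 1 BEGIN/END CERTIFICATE block, found {len(blocks)}")
    body = "".join(blocks[0].split())      # drop line breaks and stray spaces
    try:
        der = base64.b64decode(body, validate=True)
    except ValueError as exc:              # binascii.Error is a ValueError
        raise ValueError(f"certificate body is not valid base64: {exc}") from None
    if der_total_length(der) != len(der):  # catches a clipboard copy cut short
        raise ValueError("certificate is truncated or has trailing data")
    digest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))

def make_pem(der: bytes) -> str:
    """Wrap DER bytes in PEM markers (used only to build the sample below)."""
    b64 = base64.b64encode(der).decode()
    return f"-----BEGIN CERTIFICATE-----\n{b64}\n-----END CERTIFICATE-----\n"

# Constructed stand-in: a 5-byte DER SEQUENCE, NOT a real X.509 certificate.
SAMPLE_DER = bytes.fromhex("3003020101")
SAMPLE_PEM = make_pem(SAMPLE_DER)

if __name__ == "__main__":
    # Pass the path of the saved .cer file; without one, the sample is checked.
    src = (pathlib.Path(sys.argv[1]).read_text(encoding="utf-8")
           if len(sys.argv) > 1 else SAMPLE_PEM)
    print(check_pasted_certificate(src))
```

Run it once against the .cer saved in Step 2 and once against a file holding the text pasted in Step 3; identical fingerprints mean the same certificate went into both places.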
Step # 4.
Import Certificate into HANA Security
The next step is to import the same certificate into HANA Security. This step is needed to create the SAML Identity Provider (IdP).
- Open HANA Studio and Login to the HANA System using the SYSTEM user (or an equivalent user)
- Expand Security Folder and then double click on Security
- Select SAML Identity Providers tab and then select the Import button
- Locate the certificate file that was created earlier
- Fill in the Identity Provider Name. This can be any name and does not have to match the CN name. The Entity ID is optional as well.
Assign the saml2 string to all the HANA users.
Step # 5
Go to OLAP test connection and change the authentication type from Predefined to SSO.
Then run the HANA-based reports in BOBJ for validation.