Multiple Identity Providers for END2END SSO with SAP Analytics Cloud and SAP HANA Database - Part 1
https://blogs.sap.com/2022/09/30/multiple-identity-providers-for-end2end-sso-with-sap-analytics-clou...
Live Data Connection with SAML SSO using Multiple IdPs
In this scenario, we have two options to configure SAP HANA with SAML SSO
- Using IdP proxy to Multiple IdP
- Directly using IdP
1. Using IdP proxy to Multiple IdP
Similar to what we have configured for SAP Analytics Cloud, you can still make use of the IdP proxy that is already configured with your multiple IdPs. The only configuration needed is to establish trust between SAP HANA and the IdP proxy and to define the rules that decide which IdP authenticates which employees.
1.1 SAP HANA to IdP proxy
a. Note the following roles needed for the SAP HANA user to access the XS Admin page, for SAML configuration and for the Web IDE

b. Navigate to the XS Admin Page of your SAP HANA system using
https://<SAP HANA SYSTEM>:<Port>/sap/hana/xs/admin
Replace <SAP HANA SYSTEM> with the name of your SAP HANA System
c. Click on the main menu and select SAML Service Provider

d. Under Service Provider Information, enter the details of the SAML Service Provider
Ex – Name – H000
Organisation Name – SAP
Organisation Display Name – SAP Labs
Organisation URL – https://www.sap.com

e. Under metadata copy the xml content from textbox and save it as
HANAMetadata.xml (note – we will be using this file, while configuring IdP proxy)

f. Click Save
g. In the XS Admin Page of your SAP HANA System, select Main Menu --> SAML Identity Provider

h. Click on the + icon in the bottom left corner to begin importing IdP proxy metadata
i. Open the downloaded metadata of IdP proxy, copy the content of the file and paste it to the Metadata input area in the XS Admin Page of your HANA system

j. Verify details such as the name of the SAML IdP under the General tab, and click Save
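Steps d-e export SAP HANA's own SP metadata (HANAMetadata.xml) and steps h-j import the IdP proxy's metadata into HANA; a frequent mistake is pasting the wrong document, or one that has expired or lacks a signing certificate. The following script is an added example (not SAP tooling, and not from the original post) that inspects a metadata document before it is pasted into XS Admin. The sample metadata is constructed, with a placeholder entityID, host and certificate value.

```python
"""Pre-import sanity check for the SAML metadata exchanged between SAP HANA XS
and an IdP proxy. Added example, not SAP tooling; the sample metadata below is
constructed, with placeholder hosts and a placeholder certificate value."""
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
ROLE_ELEMENT = {"idp": "md:IDPSSODescriptor", "sp": "md:SPSSODescriptor"}
ENDPOINT_ELEMENT = {"idp": "md:SingleSignOnService", "sp": "md:AssertionConsumerService"}

# Constructed IdP-proxy metadata (placeholder entityID, host and certificate).
SAMPLE_IDP_METADATA = """<?xml version="1.0"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    entityID="https://idp-proxy.example.invalid/saml2/metadata"
    validUntil="2030-01-01T00:00:00Z">
  <md:IDPSSODescriptor WantAuthnRequestsSigned="true"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data>
        <ds:X509Certificate>MIIB...PLACEHOLDER...</ds:X509Certificate>
      </ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://idp-proxy.example.invalid/saml2/idp/sso"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://idp-proxy.example.invalid/saml2/idp/sso"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>
"""
# Same document with a validUntil in the past, to exercise the expiry check.
SAMPLE_EXPIRED_METADATA = SAMPLE_IDP_METADATA.replace(
    'validUntil="2030-01-01T00:00:00Z"', 'validUntil="2020-01-01T00:00:00Z"')


def inspect_metadata(xml_text, expected_role, now=None):
    """Parse SAML metadata and return findings.

    expected_role is 'idp' (the proxy metadata you are about to trust in XS
    Admin) or 'sp' (the HANAMetadata.xml you export for the IdP proxy).
    'problems' lists every reason not to proceed with the import.
    """
    now = now or datetime.now(timezone.utc)
    findings = {"entity_id": None, "endpoints": [], "signing_certs": 0,
                "want_authn_requests_signed": None, "problems": []}
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as exc:
        findings["problems"].append(f"not well-formed XML: {exc}")
        return findings
    if root.tag != f"{{{NS['md']}}}EntityDescriptor":
        findings["problems"].append("root element is not md:EntityDescriptor")
        return findings

    findings["entity_id"] = root.get("entityID")
    if not findings["entity_id"]:
        findings["problems"].append("entityID missing")

    # validUntil is optional, but expired metadata must not be imported.
    valid_until = root.get("validUntil")
    if valid_until:
        expiry = datetime.fromisoformat(valid_until.replace("Z", "+00:00"))
        if expiry <= now:
            findings["problems"].append(f"metadata expired on {valid_until}")

    role = root.find(ROLE_ELEMENT[expected_role], NS)
    if role is None:
        other = "sp" if expected_role == "idp" else "idp"
        hint = (f"looks like {other.upper()} metadata"
                if root.find(ROLE_ELEMENT[other], NS) is not None else "no role descriptor")
        findings["problems"].append(f"no {ROLE_ELEMENT[expected_role]} ({hint})")
        return findings

    findings["want_authn_requests_signed"] = role.get("WantAuthnRequestsSigned")

    # Every endpoint the other side will redirect to must be HTTPS.
    for ep in role.findall(ENDPOINT_ELEMENT[expected_role], NS):
        binding = ep.get("Binding", "").rsplit(":", 1)[-1]
        location = ep.get("Location", "")
        findings["endpoints"].append((binding, location))
        if not location.startswith("https://"):
            findings["problems"].append(f"{binding} endpoint is not HTTPS: {location}")
    if not findings["endpoints"]:
        findings["problems"].append("no endpoints declared")

    # HANA verifies assertion signatures, so IdP metadata needs a signing cert;
    # SP metadata needs one only when AuthnRequests are to be signed.
    for kd in role.findall("md:KeyDescriptor", NS):
        has_cert = kd.find("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS) is not None
        if kd.get("use", "signing") == "signing" and has_cert:
            findings["signing_certs"] += 1
    if expected_role == "idp" and findings["signing_certs"] == 0:
        findings["problems"].append("IdP metadata carries no signing certificate")
    return findings


if __name__ == "__main__":
    for label, doc in (("proxy metadata", SAMPLE_IDP_METADATA),
                       ("expired copy", SAMPLE_EXPIRED_METADATA)):
        print(label, inspect_metadata(doc, "idp"))
```

Run it with expected_role="idp" on the file downloaded from the IdP proxy before step i, and with expected_role="sp" on HANAMetadata.xml before uploading it to the proxy; an empty problems list means the document is at least structurally what the other side expects.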

Enabling SAML
- In the XS Admin Page of your SAP HANA System, select Main Menu --> XS Artifact Administration

- In the Packages, navigate to sap -> bc -> ina -> service -> v2
- Make sure you have navigated to the correct directory sap -> bc -> ina -> service -> v2 so that the SAP Security Admin page is shown

- Click on Edit in the bottom right corner
- Select the SAML checkbox, if it is not already enabled
- Choose a SAML IdP if one is not already selected; the name of the IdP should be the name you noted down in step 20. Click Save
- Select sap -> bc -> ina -> service -> v2 and select CORS panel, and use the following instructions to edit your CORS configuration
i. Select Enable Cross Origin Resource Sharing, if not already selected
ii. Add the IdP host to Allowed Origins
Deploy the custom web content to your SAP HANA Server
To enable SSO when using a direct connection, you must deploy some custom web content to your SAP HANA server. This web content appears briefly to users once per session, when they first create a live data connection to your SAP HANA system or when they refresh charts or tables against that live data connection.
- Log on to your SAP HANA server's Web IDE at https://<xs-host:port>/sap/hana/ide/editor with the system user credentials
- Navigate to sap.bc.ina.service.v2
- Right click the v2 package, and select New -> Package
- In Package Name enter cors and click Create
- Right-click the cors package and select New -> File
- Enter auth.html and click Create
- Open auth.html, and add the following code
<!DOCTYPE html>
<html>
<script type="text/javascript">
// Re-open this page in the same window and close it immediately:
// the visit only has to complete the SAML login and set the session cookie.
open(location, '_self').close();
</script>
</html>
- Save auth.html
- Create another file under the cors package, and name it .xsaccess
- Open .xsaccess, and add the following code
{"cache_control" : "no-cache, no-store"}
- Save .xsaccess
- Right-click the cors package, and click Activate All
- In a new browser tab, go to the following URL
https://<xs-host:port>/sap/bc/ina/service/v2/cors/auth.html
If the HTML page is configured correctly, the page will load and close automatically.
User Mapping
Map the HANA user to the IdP user


Add SAP HANA host system in Trusted Sites
Internet Options -> Security -> Trusted Sites, add your domain name, then select Enable Protected Mode
1.2 IdP proxy to SAP HANA
Switch to the IdP proxy administration console and create an application under the Applications and Resources menu.

Under Trust, set the below values
Type – SAML 2.0
SAML 2.0 Configuration – Upload the metadata from SAP HANA
User logon using Conditional Authentication
As with SAP Analytics Cloud, different users can log on to SAP HANA via different identity providers; to achieve this, we use Conditional Authentication in IAS.
Open the SAP HANA Database application, choose Conditional Authentication and set the following rules. Based on the user logged into SAP Analytics Cloud, the request will be redirected to the respective IdP.

Create a live connection to SAP HANA using Single Sign On; the SSO connection should be created to the HANA system using the TESTUSER.
2. Directly using IdP
You can also configure SAP HANA as a Service Provider directly in your Corporate IdP. In this case, the employee will not go through the IdP proxy, and the trust relationship will be established between SAP HANA and the Corporate IdP.
For configuring directly with the IdP, follow Section 3 of the blog below, which describes the configuration with SAP HANA and Microsoft ADFS.
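The conditional-authentication rules decide, per application, which IdP a user is redirected to, and the SAP HANA Database application's rules have to send a user to the same IdP that SAP Analytics Cloud used, otherwise the live connection's SSO lands on a different identity. The script below is an added example, not SAP's code or a description of IAS internals: it models ordered rules with a default IdP, shows why the email domain must be compared exactly rather than as a suffix, and checks that both applications route a user consistently. Rule fields, IdP names, domains and users are all constructed.

```python
"""Model of ordered conditional-authentication rules choosing an IdP per
application, plus a consistency check across SAP Analytics Cloud and SAP HANA.
Added example: rule fields, IdP names, domains and users are constructed, and
the matching semantics are this script's own assumption, not IAS internals."""

# Rules are evaluated top to bottom; the first rule whose conditions all hold
# wins. A rule may carry any combination of: email_domain, user_type, group.
CORPORATE_RULES = [
    {"email_domain": "example.com", "idp": "corp-azure-ad"},
    {"email_domain": "partner.example", "user_type": "partner", "idp": "partner-adfs"},
    {"group": "contractors", "idp": "ias-local"},
]
DEFAULT_IDP = "ias-local"  # where anyone matching no rule ends up

# Per application: (rules, default IdP). Both applications share the same
# rule set so that the identity used in SAC is the one HANA sees on the
# live connection.
APPLICATIONS = {
    "SAP Analytics Cloud": (CORPORATE_RULES, DEFAULT_IDP),
    "SAP HANA Database": (CORPORATE_RULES, DEFAULT_IDP),
}


def email_domain(email):
    """Lower-cased domain part of an address, or None if there is no '@'."""
    if "@" not in email:
        return None
    return email.rsplit("@", 1)[1].lower()


def rule_matches(rule, user):
    """Every condition present on the rule must hold for the user.

    The domain is compared exactly, never as a suffix, so "example.com.evil"
    or "sub.example.com" does not satisfy a rule written for "example.com";
    a subdomain that should be routed the same way needs its own rule.
    """
    if "email_domain" in rule and email_domain(user.get("email", "")) != rule["email_domain"].lower():
        return False
    if "user_type" in rule and user.get("user_type") != rule["user_type"]:
        return False
    if "group" in rule and rule["group"] not in user.get("groups", ()):
        return False
    return True


def select_idp(rules, default_idp, user):
    """IdP name from the first matching rule, else the application default."""
    for rule in rules:
        if rule_matches(rule, user):
            return rule["idp"]
    return default_idp


def route_all(applications, user):
    """IdP chosen by each application for one user."""
    return {app: select_idp(rules, default, user)
            for app, (rules, default) in applications.items()}


def consistent_routing(applications, user):
    """True when every application sends this user to the same IdP."""
    return len(set(route_all(applications, user).values())) == 1


if __name__ == "__main__":
    # Constructed users covering each rule, the default and a look-alike domain.
    for user in (
        {"email": "anna@example.com", "user_type": "employee", "groups": []},
        {"email": "bob@partner.example", "user_type": "partner", "groups": []},
        {"email": "carl@freelance.example", "user_type": "employee", "groups": ["contractors"]},
        {"email": "mallory@example.com.evil", "user_type": "employee", "groups": []},
    ):
        print(user["email"], route_all(APPLICATIONS, user), consistent_routing(APPLICATIONS, user))
```

The last constructed user shows the point of exact domain matching: an address under example.com.evil falls through to the default IdP instead of being handed to the corporate IdP. Running consistent_routing against a copy of APPLICATIONS where the HANA entry has a different rule set or default is the quickest way to spot a configuration drift between the two applications.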
https://blogs.sap.com/2020/07/06/setting-up-end2end-saml-integration-between-sap-analytics-cloud-and...
Learn More:
https://blogs.sap.com/2018/02/28/saml-integration-between-microsoft-azure-portal-and-sap-analytics-c...
https://blogs.sap.com/2017/12/19/sap-analytics-cloud-saml-sso-using-adfs-active-directory-federation...
https://blogs.sap.com/2018/02/22/adfs-with-sap-business-intelligence-platform/
https://blogs.sap.com/2018/03/01/saml-integration-between-microsoft-azure-portal-and-sap-business-in...