This blog post is intended to help customers using Okta as an IDP to configure SAML SSO between SAP Analytics Cloud and SAP HANA.
The setup of SSO between SAP Analytics Cloud (SAC) and HANA is divided into two parts:
- Setup of SSO between the IDP and SAC using SAML
- Setup of a Live Connection between SAC and SAP HANA on-premise
Part 1. Setup of SSO between the IDP and SAC.
a. Log in to the SAC application as an administrator and navigate to System -> Administration -> Security.
b. Click Edit connection and choose SAML Single Sign-On.
c. Download the service provider metadata.
This downloads a metadata file similar to the following (tenant-specific values are masked with XXXX). The values Okta will need from it are the entityID, the AssertionConsumerService Location, the SingleLogoutService Locations and the signing certificate; AuthnRequestsSigned="true" means SAC signs its authentication requests with that certificate:
<ns3:EntityDescriptor xmlns:ns2="http://www.w3.org/2001/04/xmlenc#" xmlns="http://www.w3.org/2000/09/xmldsig#" xmlns:ns4="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:ns3="urn:oasis:names:tc:SAML:2.0:metadata" ID="S9653fde0-4faa-4ab4-bf3b-08cf21cb7715" entityID="XXXX.XXXX.XXXX">
  <ns3:SPSSODescriptor AuthnRequestsSigned="true" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <ns3:KeyDescriptor use="signing">
      <KeyInfo>
        <KeyName>XXXX.XXXX.XXXX</KeyName>
        <X509Data>
          <X509Certificate>MIIC9DCCAdygAwIBAgIIQUUHCtq7+SwwDQYJKoZIhvcNAQELBQAwOjE4MDYGA1UEAxMvaHR0cHM6Ly9hY2NvdW50LnVzMS5oYW5hLm9uZGVtYW5kLmNvbS9iZThhMTM2YWYwHhcNMTYxMDIwMDA0ODE1WhcNMTcxMDIwMDA0ODE1WjA6MTgwNgYDVQQDEy9odHRwczovL2FjY291bnQudXMxLmhhbmEub25kZW1hbmQuY29tL2JlOGExMzZhZjCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAJj8+qGY4Y3ONYUpYOwMWyAG7t80DQnLh92ynfMtj8gZAvTijEdgZ896THWZxNg3P+xxxx.xxxx.xxxx+PECAwEAATANBgkqhkiG9w0BAQsFAAOCAQEALcIqrJ40yhqswKXsCnORSuQqmhwj7PKM0DBxSRq9JWMl31iEjsPc2J7Ywz4opgILQYiFgSb2HON0iyKD1QyZJaA9OR0apjOcc
/XXX.XXPeO0OA/Db4vv+PV4EM3C0D+yFwnlKvTIT39jH2yxHGWKiQKcow==</X509Certificate>
        </X509Data>
      </KeyInfo>
    </ns3:KeyDescriptor>
    <ns3:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://xxxx.xxxx.xxxx"/>
    <ns3:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://xxxx.xxxx.xxxx"/>
    <ns3:AssertionConsumerService index="0" isDefault="true" Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://xxxx.xxxx.xxxx"/>
  </ns3:SPSSODescriptor>
</ns3:EntityDescriptor>
d. In your Okta system, add a new SAML application and enter the values it asks for.
Take the values from the metadata.xml downloaded from SAC: the entityID is the SP entity ID (audience), the AssertionConsumerService Location is the single sign-on (ACS) URL, and the SingleLogoutService Locations are the logout URLs.
e. Save the SP signing certificate from the metadata to a file, e.g. SAC.der, in this form:
-----BEGIN CERTIFICATE-----
<the X509Certificate value from the metadata file that was generated>
-----END CERTIFICATE-----
Note that a file with BEGIN/END CERTIFICATE markers around Base64 is PEM-encoded, whatever its extension; the contents are what matter. Check the validity period with openssl x509 -in SAC.der -noout -dates, because the SP certificate expires and steps c to f have to be repeated when SAC issues a new one.
f. Upload the certificate in the SAML settings of the Okta application. Okta uses it to verify the authentication requests that SAC signs (AuthnRequestsSigned="true" in the metadata).
g. Click Next and Finish to create the application in Okta.
h. Map the application to send either the email address, the user ID, or a Custom SAML User Mapping value as the subject NameID. Your Okta administrator should be able to take care of this part.
i. Download the identity provider metadata file from Okta.
j. Upload this metadata file into your SAC application under the SAML SSO configuration.
k. Choose the user attribute to map to your identity provider; it must be the same attribute Okta sends as the NameID in step h.
l. Verify your account with the identity provider.
m. Once the account is verified, save the settings.
n. You should now be able to sign in to SAC with SSO using your Okta credentials.
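The following script is an added example for steps c to f and k to l, not code from SAP, Okta or the original post. It parses SAC's service provider metadata to extract the values the Okta SAML application asks for, converts the embedded Base64 DER certificate into the PEM file uploaded in step f, and decodes a SAMLResponse captured from the browser during step l so that the NameID, its format and the Audience can be compared with the SAC user-attribute mapping. The metadata, response, tenant name, URLs and certificate blob are constructed placeholders, and the Okta field labels in the comments are the ones I know from the SAML app wizard and may differ in your tenant.

```python
"""Added example (not SAP's or Okta's code): pull the values the Okta SAML app
wizard asks for out of SAC's SP metadata, write the SP signing certificate as
PEM, and inspect the SAMLResponse Okta returns so the NameID can be checked
against the SAC user-attribute mapping. Names and URLs are placeholders."""
import base64
import textwrap
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
}

# Constructed SP metadata shaped like the SAC download (SAC's ns3: prefix is
# irrelevant to a namespace-aware parser). The certificate is a stand-in blob.
SAMPLE_CERT_DER = b"stand-in bytes where the DER-encoded SAC certificate would be"
SAMPLE_SP_METADATA = f"""<ns3:EntityDescriptor xmlns:ns3="{NS['md']}" xmlns="{NS['ds']}"
    entityID="sac.example.invalid">
  <ns3:SPSSODescriptor AuthnRequestsSigned="true"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <ns3:KeyDescriptor use="signing"><KeyInfo><X509Data>
      <X509Certificate>{base64.b64encode(SAMPLE_CERT_DER).decode()}</X509Certificate>
    </X509Data></KeyInfo></ns3:KeyDescriptor>
    <ns3:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://sac.example.invalid/saml/slo"/>
    <ns3:AssertionConsumerService index="0" isDefault="true"
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://sac.example.invalid/saml/acs"/>
  </ns3:SPSSODescriptor>
</ns3:EntityDescriptor>"""

# Constructed SAMLResponse of the kind Okta POSTs to the ACS URL (signature
# elements omitted; placeholder issuer and user).
SAMPLE_RESPONSE_B64 = base64.b64encode(f"""<samlp:Response xmlns:samlp="{NS['samlp']}"
    xmlns:saml="{NS['saml']}" ID="_r1" Version="2.0">
  <saml:Assertion ID="_a1" Version="2.0">
    <saml:Issuer>http://www.okta.com/exk0placeholder</saml:Issuer>
    <saml:Subject><saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
      >jane.doe@example.invalid</saml:NameID></saml:Subject>
    <saml:Conditions><saml:AudienceRestriction><saml:Audience>sac.example.invalid</saml:Audience
      ></saml:AudienceRestriction></saml:Conditions>
    <saml:AttributeStatement><saml:Attribute Name="email">
      <saml:AttributeValue>jane.doe@example.invalid</saml:AttributeValue>
    </saml:Attribute></saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>""".encode()).decode()


def der_b64_to_pem(b64_text):
    """Step e: the metadata carries the certificate as Base64 DER; the file
    to upload is PEM (BEGIN/END markers around 64-column Base64)."""
    der = base64.b64decode("".join(b64_text.split()), validate=True)
    body = "\n".join(textwrap.wrap(base64.b64encode(der).decode(), 64))
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"


def okta_values_from_sp_metadata(xml_text):
    """Step d: the SAC values that go into the Okta SAML app settings."""
    root = ET.fromstring(xml_text)
    sp = root.find("md:SPSSODescriptor", NS)
    acs = sp.findall("md:AssertionConsumerService", NS)
    default_acs = next((a for a in acs if a.get("isDefault") == "true"), acs[0])
    certs = sp.findall("md:KeyDescriptor[@use='signing']/ds:KeyInfo/"
                       "ds:X509Data/ds:X509Certificate", NS)
    return {
        "audience_uri": root.get("entityID"),       # Okta: Audience URI (SP Entity ID)
        "sso_url": default_acs.get("Location"),     # Okta: Single sign-on URL
        # True means SAC signs its AuthnRequests, so Okta needs the SP cert (step f)
        "authn_requests_signed": sp.get("AuthnRequestsSigned") == "true",
        "signing_certs_pem": [der_b64_to_pem(c.text) for c in certs],
        "slo_urls": {s.get("Binding").rsplit(":", 1)[1]: s.get("Location")
                     for s in sp.findall("md:SingleLogoutService", NS)},
    }


def inspect_saml_response(saml_response_b64):
    """Steps k-l: the fields SAC matches against its user-attribute mapping.
    Read-only troubleshooting aid; SAC, not this code, verifies the signature."""
    root = ET.fromstring(base64.b64decode(saml_response_b64))
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        # With assertion encryption enabled only saml:EncryptedAssertion is present.
        raise ValueError("no plaintext saml:Assertion in the response")
    name_id = assertion.find("saml:Subject/saml:NameID", NS)
    attrs = assertion.findall("saml:AttributeStatement/saml:Attribute", NS)
    return {
        "issuer": assertion.findtext("saml:Issuer", namespaces=NS),
        "name_id": name_id.text,                    # what SAC compares to the chosen attribute
        "name_id_format": name_id.get("Format"),
        # must equal SAC's entityID, otherwise SAC rejects the login before any mapping
        "audience": assertion.findtext(
            "saml:Conditions/saml:AudienceRestriction/saml:Audience", namespaces=NS),
        "attributes": {a.get("Name"): [v.text for v in a.findall("saml:AttributeValue", NS)]
                       for a in attrs},
    }
```

To use it against a real tenant, replace SAMPLE_SP_METADATA with the contents of the file downloaded in step c, write each entry of signing_certs_pem to the file used in step e, and replace SAMPLE_RESPONSE_B64 with the SAMLResponse form field captured in the browser's network trace during step l; if name_id does not equal the attribute value SAC holds for the user, or audience does not equal audience_uri, that is the mismatch to fix before retrying the verification.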
Part 2. Setup of Live Connection between SAC and SAP HANA on-premise
Follow the official SAP documentation to set up the live connection between SAC and SAP HANA using a direct connection:
https://help.sap.com/viewer/00f68c2e08b941f081002fd3691d86a7/release/en-US/58c890e1c89d41e69b2cec31b...
You have now configured SSO between your SAC and HANA using Okta as the IDP.
You can go ahead and create models on the newly created HANA connection, as well as stories and Digital Boardroom (DiBO) content based on it.
Additional helpful articles:
1. SAML authentication in SAP Analytics Cloud: https://blogs.sap.com/2017/07/13/saml-authentication-in-sap-analytics-cloud/
2. Multiple IDP’s for HANA XS Artifact – BusinessObjects Enterprise Platform Perspective: https://blogs.sap.com/2017/06/05/multiple-idps-for-hana-xs-artifact-businessobjects-enterprise-platf...
3. KBA 2487116 for AD FS configuration, and KBA 2487567 with steps on troubleshooting SAML.