Technology Blogs by Members
Explore a vibrant mix of technical expertise, industry insights, and tech buzz in member blogs covering SAP products, technology, and events. Get in the mix!
Showing results for 
Search instead for 
Did you mean: 
Active Participant
0 Kudos
Configure Single Sign-On (SAML2) with HANA using SAML2 and SAP Business Objects Analysis Office.

Business requirements.

The objective of this blog is to provide step-by-step instructions on how to configure Single Sign-On (SSO) using Security Assertion Markup Language (SAML) between SAP Business Objects Analysis for Office (AO) and SAP HANA Database 2.0 SP05.


We can the access the Web intelligence /AO reports through Single Sign On. No need to enter backend HANA  (Reports which are developed in HANA ) logins every time while accessing the reports from BOBJ.


Before proceeding the configuration, we have a basic knowledge of Business Objects & HANA administration like below points.

SAP HANA Configuration Files such as indexserver.ini and global.ini


SAP BusinessObjects BI Platform Central Management Console

SAP BusinessObjects Analysis for Office


There are some initial configuration steps:


Step No  Description  
1 Enable HANA http connections for the MDAS server  
2 Generate a certificate from BI Platform  
3 Import the certificate into the HANA Trust Store  
4 Import the certificate into the HANA Security  
5 Configure a SAML user with an external identity user  
6 Test the connection  



Step # 1.

Enable HANA http connection for the Multi-Dimensional Analysis Service (MDAS).


Edit the file in Notepad and then change to true

Restart SAP BusinessObjects BI Platform for these changes to take effect

This section is now complete.

Step # 2 Generate a Certificate from BI Platform.


Generating a HANA certificate is performed through the BI Platform Central Management Console (CMC). This certificate will be specific to the HANA HTTP connection.

  1. Open a browser and go to http://<; Web Application Server >:< Web Application Server Port >/BOE/CMC


Go to CMC Home > Applications > HANA Authentication.


Select the add icon to create a new connection

Input the HANA details:


Select Generate and then copy the entire certificate into the clipboard.

Select OK to save the connection

Create a new certificate file by pasting the certificate into a text editor.

Save the file as a .cer extension.



Step # 3.

Import the Certificate into the HANA Trust Store.

To find out which trust store is used by HANA, check the configuration setting global.ini > [communication] > ssltruststore.


By default, the value is sapsrv.pse. This means the sapsrv.pse is located in the $SECUDIR/sapsrv.pse

There are two methods of importing the certificate into the trust store:

Using the internal Web Dispatcher Administration console.

The following steps will be performed using the Web Dispatcher Adminstration console

Access the Web Dispatcher Administration page by going to this location: http://<HANA System>:<WDisp Port>/sap/hana/xs/wdisp/admin/public/default.html


Select PSE Management on the left-hand side

From the Manage PSE drop down menu, select sapsrv.pse In the example screenshot, the sapsrv.pse already contains an existing certificate for the BI Platform system.


Select Import Certificate from the Trusted Certificates

Copy the certificate text from the certificate generated from the BI Platform CMC. Make sure to include the -----BEGIN CERTIFICATE----- and -----END CERTIFICATE-----


Select Import


The certificate should appear in the Trusted Certificates section

Restart the HANA system for these changes to take effect

This section is now complete.


Step # 4 .


Import Certificate into HANA Security


The next step is to import the same certificate into HANA Security. This step is needed to create the SAML Identity Provider (IdP).

  1. Open HANA Studio and Login to the HANA System using the SYSTEM user (or an equivalent user)

  2. Expand Security Folder and then double click on Security

3 Select SAML Identity Providers tab and then select the Import button

  1. Locate the certificate file that was created earlier

  2. Fill in the Identity Provider Name. This can be any name and does not have to match the CN name. The Entity ID is optional as well.


Assign the saml2 string into all the HANA users.

Step # 5

Go to OLAP test connection and change the authentication type from Predefined to SSO.

And then run the HANA based reports in the BOBJ for the validations .

Labels in this area