In Configuring Federated SAML: Azure AD to the SAP HANA Cockpit Part I we covered a short background of SAML. Please read it if you haven't done so, as it covers some important aspects and restrictions of the implementation in SAP HANA Cockpit.

In this part, we will walk through the configuration in Azure AD, including:

  • Add SAP HANA Enterprise Application

  • Configure SAP HANA SAML in Azure Enterprise Application

  • Assign Users to Azure Security Groups and the SSO Assignment

  • Test SAP SAML Single Sign On on Azure

Configure Azure AD


  • An Azure AD subscription. If you don't have an Azure AD environment, you can get a one-month trial.

  • SAP HANA single sign-on enabled subscription

Add SAP HANA Enterprise Application

From Home Portal, select Azure Active Directory


Select Create Enterprise Applications


Search "HANA" and select "SAP HANA", give it a name and Add.

Choose "Set up single sign on"


Select SAML



Now, we'll upload the metadata from our Service Provider, which is our SAP HANA.
We cover metadata generation in part III.

Azure will parse the data and automatically fill in the required fields.

The XSA system needs the SAML attribute Groups for role mapping. Currently, this is the only attribute allowed. Azure does not provide it by default, so we will create it. Click edit.

Choose the groups which should be returned in the claim (Security groups).
Give the claim the name "Groups" (capital G), and remove the namespace. Save.

Download the certificate and the IdP metadata XML.


Assign Users to Groups and SSO Assignment

In this last part, we will create the AD users, assign them to groups and give them access to our SAML application. If you already have AD users, you can skip part A.

We do this from the Azure Active Directory service.

A. Create New User

Choose Manage Users



B. Create Groups

Groups are essential because they control user authorization.
Without a group assignment, your user will be able to log in to HANA Cockpit but will not have any authorization. Go to Manage Groups.


Select New Group.

Create your groups. The group name can be anything meaningful. We'll map these groups to XSA role collections later.


At this point, you should have already defined what the segregation of duties (SoD) and role positions in your organization will look like. For example, mine look like this:

    Users who will have authority to assign groups, create templates, add database resources, etc.

    These users will be able to access the particular database groups assigned to them and monitor the resources

SAP provides up to five roles you could use.


C. Assign Users to Groups

We can assign groups from either the User or the Group view.
In this example, we assign them from the Group view.
Navigate to Manage --> Members

Add the users that will be part of this Admin group, for example the HANA_COCKPIT_ADMIN user we created earlier.


Repeat the step to assign users to the other groups.


D. Assign Users to SAP HANA Application

Finally, we'll assign our user to the SAP HANA Enterprise Application.

Go to the SAP HANA | Single sign-on application directory.
Select Manage --> Users and groups.


Select all users that will be part of SSO.


Test to see if single sign-on is working

Go to your SAP HANA Enterprise Applications, and click Test.

We will test with the user we created.

Provide the AD username and password.

If everything is configured correctly, the user will be authenticated and able to access the HANA Cockpit page.
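If the user can sign in but has no authorization, the usual suspect is the Groups claim configured earlier. The following check is an added example, not part of the original post or of any SAP or Microsoft tooling: it inspects a base64 SAMLResponse form value captured from the test sign-in and reports whether the attribute is named exactly "Groups". It assumes the HTTP-POST binding and an unencrypted assertion; the helper names and sample values are constructed for illustration.

```python
import base64
import xml.etree.ElementTree as ET

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
# Name Azure AD gives the group claim when the namespace is left in place.
AZURE_DEFAULT_GROUPS = "http://schemas.microsoft.com/ws/2008/06/identity/claims/groups"


def check_groups_claim(saml_response_b64):
    """Return (ok, message, groups) for a base64-encoded SAMLResponse.

    Configuration check only: the signature is NOT verified, so never use
    the result to make a trust decision.
    """
    root = ET.fromstring(base64.b64decode(saml_response_b64))
    attrs = {
        a.get("Name"): [v.text or "" for v in a.findall("saml:AttributeValue", SAML_NS)]
        for a in root.iterfind(".//saml:AttributeStatement/saml:Attribute", SAML_NS)
    }
    if "Groups" in attrs:
        if not attrs["Groups"]:
            return False, "Groups attribute present but empty", []
        return True, "Groups attribute present", attrs["Groups"]
    if AZURE_DEFAULT_GROUPS in attrs:
        return False, "namespace not removed from the group claim", attrs[AZURE_DEFAULT_GROUPS]
    near = [n for n in attrs if n and n.lower() == "groups"]
    if near:
        return False, f"attribute is named {near[0]!r}, expected 'Groups'", attrs[near[0]]
    return False, "no group attribute in the assertion", []


def sample_response(attr_name, values):
    """Build a constructed, unsigned SAML response used only for the demo."""
    vals = "".join(f"<saml:AttributeValue>{v}</saml:AttributeValue>" for v in values)
    xml = (
        '<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
        'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"><saml:Assertion>'
        f'<saml:AttributeStatement><saml:Attribute Name="{attr_name}">{vals}'
        "</saml:Attribute></saml:AttributeStatement></saml:Assertion></samlp:Response>"
    )
    return base64.b64encode(xml.encode()).decode()


if __name__ == "__main__":
    # Constructed group value; a real assertion carries whatever Azure emits.
    for name in ("Groups", "groups", AZURE_DEFAULT_GROUPS):
        print(check_groups_claim(sample_response(name, ["constructed-group-id-1"])))
```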


You should now be able to configure SAML 2.0 SSO in Azure Active Directory as Identity Provider for SAP HANA Cockpit.

In the next part of our series, we’ll cover the configuration from the SAP HANA side:
Configuring Federated SAML: Azure AD to the SAP HANA Cockpit Part III


Additional Reference
