SAP HANA On-Premise SAML Single Sign-On (SSO)
SAP HANA is an in-memory data platform that can be deployed as an on-premise appliance or in the cloud. It is a real-time data platform with the SAP HANA database at its core and a layer called Extended Application Services (XS). XS is a small-footprint application server, web server, and the basis for an application development platform.
This guide provides the configuration steps to integrate on-premise applications developed with SAP HANA XS with CyberArk Identity. If you are looking for configuration information about SAP HANA deployed in the cloud, see the CyberArk application configuration document for SAP HANA Cloud Platform SAML Single Sign-On (SSO).
The following is an overview of the steps required to configure SAP HANA On-Premise for single sign-on (SSO) via SAML. SAP HANA On-Premise offers both IdP-initiated SAML SSO (for SSO access through the user portal or CyberArk mobile applications) and SP-initiated SAML SSO (for SSO access directly through the SAP HANA On-Premise web application). You can configure SAP HANA On-Premise for either or both types of SSO.
-
Prepare SAP HANA On-Premise for single sign-on (see SAP HANA On-Premise requirements for SSO).
-
In the Identity Administration portal, add the application and start configuring application settings.
Once the application settings are configured, complete the user account mapping and assign the application to one or more roles. For details, see Configure SAP HANA On-Premise in the Identity Administration portal (Part 1).
-
Configure an identity provider in SAP HANA On-Premise.
For details, see Configure a new SAP HANA On-Premise identity provider.
-
Configure the local service provider for SAP HANA On-Premise.
For details, see Configure a service provider.
-
Finish configuring application settings in the Identity Administration portal.
Finish configuring the application settings. For details, see Configure SAP HANA On-Premise in the Identity Administration portal (Part 2).
-
Configure single sign-out.
Add code to the HTML page of your SAP HANA XS application to trigger the logout. For details, see Configure single sign-out.
SAP HANA On-Premise requirements for SSO
Before you configure the SAP HANA On-Premise for SSO, you need the following:
-
SAP HANA Platform Edition installed with XS components.
-
An active SAP HANA On-Premise account with administrator rights for your organization.
-
For configuring SAML, SSL, and working with Trust stores, you will need to define the following roles:
sap.hana.xs.admin.roles::SAMLAdministrator
sap.hana.xs.admin.roles::TrustStoreAdministrator
sap.hana.xs.wdisp.admin::WebDispatcherAdmin
sap.hana.xs.admin.roles::RuntimeConfAdministrator
-
The instructions for Configure a new SAP HANA On-Premise identity provider and Configure a service provider include links to SAP HANA documentation that explain when and how these roles are used during configuration.
-
Make sure that SAP HANA is configured for HTTPS. SPS11 by default comes configured with SAP Cryptographic Library. If you are using an older version of SAP HANA, you will need to configure SAP HANA to use the SAP Cryptographic Library. For more information, see:
-
http://help.sap.com/saphelp_hanaplatform/helpdata/en/de/15ffb1bb5710148386ffdfd857482a/content.htm
-
SAP recommends using in-database trust stores instead of file-based. SPS11 by default comes with in-database trust stores. If you are using an older version, you will need to follow the SAP Note to migrate your certificates from file-based stores to in-database stores. For more information, see:
-
http://help.sap.com/saphelp_hanaplatform/helpdata/en/de/15ffb1bb5710148386ffdfd857482a/content.htm
-
A signed certificate.
-
You can either download one from the Identity Administration portal or use your organization's trusted certificate with a private key embedded in .pfx or .p12 format and upload this certificate in the Identity Administration portal. This decision must be made before you download the Identity Provider metadata.
-
The SAP HANA On-Premise XS application can be configured to enforce SAML-based SSO for only specific parts of your application. Before configuration, identify the packages for which you want to enforce SAML-based SSO, based on your requirements.
Set up the certificates for SSO
To establish a trusted connection between the web application and CyberArk Identity, you need to have the same signing certificate in both the application and the application settings in the Identity Administration portal.
If you use your own certificate, you upload the signing certificate and its private key in a .pfx or .p12 file to the application settings in the Identity Administration portal. You also upload the public key certificate in a .cer or .pem file to the web application.
What you need to know about SAP HANA On-Premise
Each SAML application is different. The following table lists features and functionality specific to SAP HANA On-Premise.
| Capability | Supported? | Support details |
| --- | --- | --- |
| Web browser client | Yes | |
| Mobile client | No | |
| SAML 2.0 | Yes | |
| SP-initiated SSO | Yes | Go directly to your SAP HANA XS Application URL and then use CyberArk Identity SSO to authenticate. |
| IdP-initiated SSO | No | Use SSO to log in to your SAP HANA XS Application through the Identity User Portal. |
| Force user login via SSO only | Yes | SAML is enabled in two places: in your SAP HANA XS application and in the user's profile. If SAML is the only authentication mechanism configured for the application, only those users who have SAML enabled for their profile can log in. If other authentication mechanisms are configured for the application in addition to SAML, SAML takes precedence. |
| Separate administrator login | Yes | Administrators can log in with local credentials to the SAP HANA XS Administration tool. |
| User or Administrator lockout risk | Yes | The SAP HANA XS app can be configured with more than one authentication mechanism. With SAML enabled, SAML authentication takes priority. If SAML authentication fails, the user is locked out; the administrator must disable SAML or correct the configuration. Contact SAP HANA support for troubleshooting information. There is no risk of administrator lockout because the SAP HANA XS Administration tool is a separate web application. |
| Automatic user provisioning | Yes | SAP HANA XS supports Dynamic User Creation. If this option is enabled, a user is created in the SAP HANA system if the name asserted in the SAML assertion does not exist. Note: for this to work, the NameID value in the SAML assertion cannot be an email address. Only letters and numbers are allowed in the NameID value. |
| Multiple User Types | Yes | Admin user; end users |
| Self-service password | Yes | Users can reset their own passwords only if they have access to a SAP HANA application that has the profile change option. For example, if SAP HANA has a self-service tool configured, end users with the |
| Access restriction using a corporate IP range | Yes | You can specify an IP range on the Identity Administration portal Policy page to restrict access to the application. |
| App Gateway | Yes | The App Gateway can be used to enable external access to the SAP HANA XS app. |
Configure SAP HANA On-Premise in the Identity Administration portal (Part 1)
-
In the Identity Administration portal, click Apps, then click Add Web Apps.
The Add Web Apps screen appears.
-
On the Search tab, enter the partial or full application name in the Search field and click the search icon.
-
Next to the application, click Add.
-
In the Add Web App screen, click Yes to confirm.
Identity Administration portal adds the application.
-
Click Close to exit the Application Catalog.
The application that you just added opens to the Application Settings page.
The description of how to choose and download a signing certificate in this document might differ slightly from your experience. See Choose a certificate file for the latest information.
-
Configure the following:
| Field | Set it to | What you do |
| --- | --- | --- |
| Issuer | Any value that identifies the IdP. | Enter a value you want to use to represent your IdP. For example, MyIdP. |
| Identity Provider Sign-in URL | Your sign-in URL. | This URL is automatically generated in the Identity Administration portal and is published to SAP HANA. |
-
Click Download Identity Provider SAML Meta Data and open the file in a text editor.
You will need to access it when Configure a new SAP HANA On-Premise identity provider.
-
(Optional) On the Application Settings page, click Enable Derived Credentials for this app on enrolled devices (opens in built-in browser) to use derived credentials on enrolled mobile devices to authenticate with this application.
See CyberArk-issued derived credentials for more information.
-
On the Application Settings page, expand the Additional Options section and specify the following settings:
Option
Description
Application ID
Configure this field if you are deploying a mobile application that uses the CyberArk mobile SDK. CyberArk Identity uses the Application ID to provide single sign-on to mobile applications. Note the following:
The Application ID has to be the same as the text string that is specified as the target in the code of the mobile application written using the mobile SDK. If you change the name of the web application that corresponds to the mobile application, you need to enter the original application name in the Application ID field.
There can only be one SAML application deployed with the name used by the mobile application.
The Application ID is case-sensitive and can be any combination of letters, numbers, spaces, and special characters up to 256 characters.
Show in User app list
Select Show in User app list to display this web application in the user portal. (This option is selected by default.)
If this web application is added only to provide SAML for a corresponding mobile app, deselect this option so the web application won’t display for users in the user portal.
Security Certificate
These settings specify the signing certificate used for secure SSO authentication between CyberArk Identity and the web application. Just be sure to use a matching certificate both in the application settings in the Identity Administration portal and in the application itself. Select an option to change the signing certificate.
Use existing certificate
When selected the certificate currently in use is displayed. It’s not necessary to select this option—it’s present to display the current certificate in use.
Use the default tenant signing certificate
Select this option to use CyberArk Identity standard certificate. This is the default setting.
Use a certificate with a private key (pfx file) from your local storage
Select this option to use your organization’s own certificate. To use your own certificate, you must click Browse to upload an archive file (.p12 or .pfx extension) that contains the certificate along with its private key. If the file has a password, you must enter it when prompted.
Upload the certificate from your local storage prior to downloading the IdP metadata or the Signing Certificate from the Applications Settings page. If the IdP metadata is available from a URL, be sure to upload the certificate prior to providing the URL to your service provider.
-
(Optional) On the Description page, you can change the name, description, and logo for the application. For some applications, the name cannot be modified.

The Category field specifies the default grouping for the application in the user portal. Users have the option to create a tag that overrides the default grouping in the user portal.
-
On the User Access page, select the role(s) that represent the users and groups that have access to the application.
When assigning an application to a role, select either Automatic Install or Optional Install:
-
Select Automatic Install for applications that you want to appear automatically for users.
-
If you select Optional Install, the application doesn’t automatically appear in the user portal and users have the option to add the application.
-
-
(Optional) On the Policy page, specify additional authentication controls for this application.
-
Click Add Rule.
The Authentication Rule window displays.
-
Click Add Filter on the Authentication Rule window.
-
Define the filter and condition using the drop-down boxes.
For example, you can create a rule that requires a specific authentication method when users access CyberArk Identity from an IP address that is outside of your corporate IP range. Supported filters are:
Filter
Description
IP Address
The authentication factor is the computer’s IP address when the user logs in. This option requires that you have configured the IP address range in Settings, Network, Secure Zones.
The authentication factor is the cookie that is embedded in the current browser by CyberArk Identity after the user has successfully logged in.
Day of Week
The authentication factor is the specific days of the week (Sunday through Saturday) when the user logs in.
Date
The authentication factor is a date before or after which the user logs in that triggers the specified authentication requirement.
Date Range
The authentication factor is a specific date range.
Time Range
The authentication factor is a specific time range in hours and minutes.
Device OS
The authentication factor is the device operating system.
Browser
The authentication factor is the browser used for opening CyberArk Identity user portal.
Country
The authentication factor is the country based on the IP address of the user computer.
Risk Level
The authentication factor is the risk level of the user logging on to the user portal. For example, a user attempting to log in to CyberArk Identity from an unfamiliar location can be prompted to enter a password and a text message (SMS) confirmation code because the external firewall condition correlates with a medium risk level. The Risk Level filter requires additional licenses. If you do not see this filter, contact CyberArk Identity support. The supported risk levels are:
Non Detected -- No unexpected activities are detected.
Low -- Some aspects of the requested identity activity are unexpected. A remediation action or a simple warning notification can be raised depending on the policy setup.
Medium -- Many aspects of the requested identity activity are unexpected. A remediation action or a simple warning notification can be raised depending on the policy setup.
High -- Strong indicators that the requested identity activity is anomalous and the user's identity has been compromised. Immediate remediation action, such as MFA, should be enforced.
Unknown -- Not enough user behavior activities (frequency of system use by the user and length of time user has been in the system) have been collected.
Managed Devices
The authentication factor is the designation of the device as “managed” or not. A device is considered “managed” if it is managed by CyberArk Identity, or if it has a trusted certificate authority (CA has been uploaded to tenant).
For the Day/Date/Time related conditions, you can choose between the user’s local time and Universal Time Coordinated (UTC) time.
-
Click the Add button associated with the filter and condition.
-
Select the profile you want applied if all filters/conditions are met in the Authentication Profile drop-down.
The authentication profile is where you define the authentication methods. If you have not created the necessary authentication profile, select the Add New Profile option. See Create authentication profiles.
-
Click OK.
-
-
(Optional) In the Default Profile (used if no conditions matched) drop-down, you can select a default profile to be applied if a user does not match any of the configured conditions.
If you have no authentication rules configured and you select Not Allowed in the Default Profile dropdown, users will not be able to log in to the service.
-
Click Save.
If you have more than one authentication rule, you can prioritize them on the Policy page. You can also include JavaScript code to identify specific circumstances when you want to block an application or you want to require additional authentication methods. For details, see Application access policies with JavaScript.
If you left the Apps section of the Identity Administration portal to specify additional authentication controls, you will need to return to the Apps section before continuing by clicking Apps at the top of the page in the Identity Administration portal.
-
On the Account Mapping page, configure how the login information is mapped to the application’s user accounts.
The options are as follows:
-
Use the following Directory Service field to supply the user name: Use this option if the user accounts are based on user attributes. For example, specify an Active Directory field such as mail or userPrincipalName or a similar field from the CyberArk Cloud Directory.
-
Everybody shares a single user name: Use this option if you want to share access to an account but not share the user name and password. For example, some people share an application developer account.
-
Use Account Mapping Script: You can customize the user account mapping here by supplying a custom JavaScript script. For example, you could use the following line as a script:
LoginUser.Username = LoginUser.Get('mail')+'.ad';
The above script instructs CyberArk Identity to set the login user name to the user's mail attribute value in Active Directory and add '.ad' to the end. So, if the user's mail attribute value is Adele.Darwin@acme.com, then CyberArk Identity uses Adele.Darwin@acme.com.ad. For more information about writing a script to map user accounts, see SAML application scripting.
SAP HANA supports SAML assertions based on either the email address value or the user name. The default template for the SAP HANA XS app is configured to use the email address. The attribute used for this purpose is mail.
-
-
(Optional) Click App Gateway to allow users to securely access this application outside of your corporate network. For detailed configuration instructions, see Configure an application to use App Gateway.
-
(Optional) On the Advanced page, you can edit the script that generates the SAML assertion, if needed. In most cases, you don’t need to edit this script. For more information, see the SAML application scripting.
-
(Optional) On the Changelog page, you can see recent changes that have been made to the application settings, by date, user, and the type of change that was made.
-
(Optional) Click Workflow to set up a request and approval work flow for this application.
See Manage application access requests for more information.
-
Click Save.
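As an added example (not CyberArk's or SAP's code), the following JavaScript shows how the Account Mapping step above interacts with the NameID constraint listed under Automatic user provisioning: SAP HANA's Dynamic User Creation accepts only letters and numbers in the NameID, so a mail-based mapping such as the one-line script shown in that step needs a transformation before it can create users. The LoginUser object with Get() and an assignable Username is the mapping-script interface as shown on this page; the helper names, the fail-closed handling, the collision check and the sample directory entries are this example's own assumptions and can be run stand-alone in Node.js.

```javascript
// Added example, not CyberArk's or SAP's code. Assumes the account mapping
// script sees a LoginUser object with Get(attribute) and an assignable
// Username property, as the page's one-line script shows.

// SAP HANA Dynamic User Creation only accepts letters and numbers in the
// SAML NameID, so an email address such as Adele.Darwin@acme.com cannot
// be used to create a user.
const HANA_NAMEID_PATTERN = /^[A-Za-z0-9]+$/;

function isValidHanaNameId(value) {
  return typeof value === 'string' && HANA_NAMEID_PATTERN.test(value);
}

// Derive a candidate NameID from a mail address: take the local part and
// drop every character that is not a letter or digit. Returns null when no
// usable name can be built, so the caller decides what happens next.
function deriveHanaUserName(mail) {
  if (typeof mail !== 'string') return null;
  const at = mail.indexOf('@');
  if (at < 1) return null;                        // no local part at all
  const candidate = mail.slice(0, at).replace(/[^A-Za-z0-9]/g, '');
  return isValidHanaNameId(candidate) ? candidate : null;
}

// Body of the mapping script (hypothetical wrapper). Fails closed: a user
// whose mail attribute cannot be turned into a HANA user name gets no
// synthesized identity instead of a guessed one.
function mapLoginUser(loginUser) {
  const name = deriveHanaUserName(loginUser.Get('mail'));
  if (name === null) {
    throw new Error('no SAP HANA user name can be derived from the mail attribute');
  }
  loginUser.Username = name;
  return name;
}

// Stripping characters can fold two distinct mailboxes onto one HANA user
// (adele.darwin@ and adeledarwin@ both become adeledarwin). Run this over
// the directory before enabling Dynamic User Creation: every hit is a pair
// of people who would share one account. Names are compared upper-cased,
// the conservative choice because HANA treats unquoted user names as
// case-insensitive.
function findNameIdCollisions(mails) {
  const owner = new Map();   // upper-cased NameID -> first mail that produced it
  const collisions = [];
  for (const mail of mails) {
    const name = deriveHanaUserName(mail);
    if (name === null) continue;
    const key = name.toUpperCase();
    if (!owner.has(key)) {
      owner.set(key, mail);
    } else if (owner.get(key).toLowerCase() !== mail.toLowerCase()) {
      collisions.push({ nameId: key, first: owner.get(key), second: mail });
    }
  }
  return collisions;
}

// Constructed sample directory entries for a stand-alone run.
const SAMPLE_MAILS = [
  'Adele.Darwin@acme.com',
  'adeledarwin@acme.com',
  'bob@acme.com',
  'not-an-address',
];

if (typeof module !== 'undefined' && require.main === module) {
  for (const mail of SAMPLE_MAILS) {
    console.log(mail, '->', deriveHanaUserName(mail));
  }
  console.log('collisions:', findNameIdCollisions(SAMPLE_MAILS));
}
```

If collisions are found, the cleaner fix is a dedicated directory attribute that already satisfies the NameID rule (for example an employee identifier) rather than a derived name; the derivation above is only a way to see how far the mail attribute can be reused.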
Configure a new SAP HANA On-Premise identity provider
-
The prerequisites for adding a new Identity Provider to SAP HANA are described in the SAP HANA doc, Add An SAML Identity Provider: https://help.sap.com/saphelp_hanaplatform/helpdata/en/fb/c7c94aef314fd5847d921b8e040ed7/content.htm?
-
Follow the procedure steps in the Add An SAML Identity Provider document linked above, using the contents of the metadata file you downloaded in Configure SAP HANA On-Premise in the Identity Administration portal (Part 1) to copy/paste in the Metadata field under Add Identity Provider Info.
After the SAML configuration on the SAP HANA side is complete, the token signing certificate from the IdP's metadata will be automatically added to the in-database trust store and to the SAML certificate collection.
-
Verify that token signing certificate is imported by cross checking it in the SAP HANA cockpit, using the Certificate Store and Manage Certificate Collections applications. You will need specific roles to access these applications.
For more information about SAP HANA certificate management, see: https://help.sap.com/saphelp_hanaplatform/helpdata/en/ca/92a658cc16437d98598dd6745c1162/content.htm
For more information about the SAP HANA cockpit, see: https://help.sap.com/saphelp_hanaplatform/helpdata/en/73/c37822444344f3973e0e976b77958e/content.htm
-
If the token signing certificate is not present in the Certificate Store, then you can use the SAP HANA cockpit to import it manually and add it in the certificate collection called SAML.
Configure a service provider
This section refers you to the SAP HANA On-Premise documentation for configuring an SAP HANA system as a SAML service provider.
-
SAML Service Provider Details:
https://help.sap.com/saphelp_hanaplatform/helpdata/en/81/a513e063a84025a88cf5c81cf15ce8/content.htm
-
Follow the procedure steps in Configure an SAP HANA System as a SAML Service Provider to provide a name and other details for the service provider so that it generates SAML Service Provider Metadata:
https://help.sap.com/saphelp_hanaplatform/helpdata/en/2d/806eca19be40d99f3e56f356870bcc/content.htm?frameset=/en/03/bb2671ea4f40a7bddf48697d857a07/frameset.htm&current_toc=/en/00/0ca1e3486640ef8b884cdf1a050fbb/plain.htm&node_id=672&show_children=true#jump424
For more information, see SAML Service Provider Details:
https://help.sap.com/saphelp_hanaplatform/helpdata/en/81/a513e063a84025a88cf5c81cf15ce8/content.htm
-
Save the service provider Metadata file you just created on your computer. This service provider Metadata will be uploaded in the SAP HANA app in the Identity Administration portal in the next step.
Configure SAP HANA On-Premise in the Identity Administration portal (Part 2)
-
Return to the browser tab you were using to work in the Identity Administration portal in Configure SAP HANA On-Premise in the Identity Administration portal (Part 1) and navigate to the Application Settings screen of your SAP HANA On-Premise app.
-
Click Upload SP Metadata and choose the Metadata file you created and saved in Configure a service provider.
The Assertion Consumer Service URL and the Advanced Script are updated automatically when you upload the metadata file.
-
Verify configuration by accessing your SAP HANA On-Premise app in the Identity User Portal.
Configure single sign-out
To configure single sign-out, you need to add some code to the HTML page of your SAP HANA XS application. The following minimal page shows the two additions in context: the second script block in the head, which fetches an XSRF token as soon as the page is ready, and the logoutButton form in the body, which posts that token to the XS logout endpoint. The rest of the markup only shows where those additions go.
<head>
  <script id="sap-ui-bootstrap" type="text/javascript"
          src="/sap/ui5/1/resources/sap-ui-core.js"></script>
  <script type="text/javascript">
    // Fetch an XSRF token once the page is ready and store it in the hidden
    // field of the logout form, so the POST to logout.xscfunc passes the XS
    // CSRF check. The token endpoint returns the token in the X-CSRF-Token
    // response header when the request carries "X-CSRF-Token: Fetch".
    $(function getXsrfToken() {
      $.ajax({
        url: "/sap/hana/xs/formLogin/token.xsjs",
        type: "GET",
        beforeSend: function(request) {
          request.setRequestHeader("X-CSRF-Token", "Fetch");
        },
        success: function(data, textStatus, XMLHttpRequest) {
          document.forms[0].elements["X-CSRF-Token"].value =
            XMLHttpRequest.getResponseHeader("X-CSRF-Token");
        }
      });
    });
  </script>
  <title>HANA XS Hello World Application</title>
</head>
<body>
  <h1>Hi</h1>
  <p>This is my XS Hello World Application</p>
  <!-- Logout form: the hidden X-CSRF-Token field is filled by the script above. -->
  <div id="logoutButton">
    <form action="/sap/hana/xs/formLogin/logout.xscfunc" method="post">
      <input type="hidden" name="X-CSRF-Token" value="">
      <input type="submit" value="Logout">
    </form>
  </div>
</body>
For more information about SAP HANA On-Premise
Contact SAP for more information about configuring SAP HANA On-Premise for SSO: