SAP HANA On-Premise SAML Single Sign-On (SSO)

SAP HANA is an in-memory data platform that is deployable as an on-premise appliance or in the cloud. It is a real-time data platform with the SAP HANA database at its core and a layer called Extended Application Services (XS). XS is a small-footprint application server, web server, and basis for an application development platform.

This guide provides configuration steps to integrate on-premise applications developed using SAP HANA XS with CyberArk Identity. If you are looking for configuration information about SAP HANA deployed in the cloud, see the CyberArk application configuration document for SAP HANA Cloud Platform SAML Single Sign-On (SSO).

The following is an overview of the steps required to configure SAP HANA On-Premise for single sign-on (SSO) via SAML. SAP HANA On-Premise offers both IdP-initiated SAML SSO (for SSO access through the user portal or CyberArk mobile applications) and SP-initiated SAML SSO (for SSO access directly through the SAP HANA On-Premise web application). You can configure SAP HANA On-Premise for either or both types of SSO.

The terms SAP HANA and SAP HANA XS are sometimes used instead of SAP HANA On-Premise in this document, but they all mean the same thing.
This document is written using SAP HANA Platform Edition 1.0 with SPS 11. If you are not using this version, your interface may differ from the descriptions in this document.
  1. Prepare SAP HANA On-Premise for single sign-on (see SAP HANA On-Premise requirements for SSO).

  2. In the Identity Administration portal, add the application and start configuring application settings.

    Once the application settings are configured, complete the user account mapping and assign the application to one or more roles. For details, see Configure SAP HANA On-Premise in the Identity Administration portal (Part 1).

  3. Configure an identity provider in SAP HANA On-Premise.

    For details, see Configure a new SAP HANA On-Premise identity provider.

  4. Configure the local service provider for SAP HANA On-Premise.

    For details, see Configure a service provider.

  5. Finish configuring application settings in the Identity Administration portal.

    Finish configuring the application settings. For details, see Configure SAP HANA On-Premise in the Identity Administration portal (Part 2).

  6. Configure single sign-out.

    Add code to the HTML page of your SAP HANA XS application to trigger the logout. For details, see Configure single sign-out.

SAP HANA On-Premise requirements for SSO

Before you configure SAP HANA On-Premise for SSO, you need the following:

  • SAP HANA Platform Edition installed with XS components.

  • An active SAP HANA On-Premise account with administrator rights for your organization.

  • For configuring SAML, SSL, and working with Trust stores, you will need to define the following roles:

        sap.hana.xs.admin.roles::SAMLAdministrator
        sap.hana.xs.admin.roles::TrustStoreAdministrator
        sap.hana.xs.wdisp.admin::WebDispatcherAdmin
        sap.hana.xs.admin.roles::RuntimeConfAdministrator
  • The instructions for Configure a new SAP HANA On-Premise identity provider and Configure a service provider include links to SAP HANA documentation that explain when and how these roles are used during configuration.

  • Make sure that SAP HANA is configured for HTTPS. SPS11 by default comes configured with the SAP Cryptographic Library. If you are using an older version of SAP HANA, you will need to configure SAP HANA to use the SAP Cryptographic Library. For more information, see:
    http://help.sap.com/saphelp_hanaplatform/helpdata/en/de/15ffb1bb5710148386ffdfd857482a/content.htm

  • SAP recommends using in-database trust stores instead of file-based ones. SPS11 by default comes with in-database trust stores. If you are using an older version, you will need to follow the SAP Note to migrate your certificates from file-based stores to in-database stores. For more information, see:
    http://help.sap.com/saphelp_hanaplatform/helpdata/en/de/15ffb1bb5710148386ffdfd857482a/content.htm

  • A signed certificate. You can either download one from the Identity Administration portal or use your organization's trusted certificate with a private key embedded in .pfx or .p12 format and upload this certificate in the Identity Administration portal. This decision must be made before you download Identity Provider metadata.

  • The SAP HANA On-Premise XS application can be configured to enforce SAML-based SSO only for specific parts of your application. Before configuration, identify the specific packages for which you want to enforce SAML-based SSO, based on your requirements.

Set up the certificates for SSO

To establish a trusted connection between the web application and CyberArk Identity, you need to have the same signing certificate in both the application and the application settings in the Identity Administration portal.

If you use your own certificate, you upload the signing certificate and its private key in a .pfx or .p12 file to the application settings in the Identity Administration portal. You also upload the public key certificate in a .cer or .pem file to the web application.

What you need to know about SAP HANA On-Premise

Each SAML application is different. The following table lists features and functionality specific to SAP HANA On-Premise.

Capability | Supported? | Support details
Web browser client | Yes |
Mobile client | No |
SAML 2.0 | Yes |
SP-initiated SSO | Yes | Go directly to your SAP HANA XS Application URL and then use CyberArk Identity SSO to authenticate.
IdP-initiated SSO | No | Use SSO to log in to your SAP HANA XS Application through the Identity User Portal.
Force user login via SSO only | Yes | SAML is enabled in two places: your SAP HANA XS Application and the user's profile. If SAML is the only authentication mechanism configured for the application, only those users who have SAML enabled in their profile can log in. If other authentication mechanisms are configured for the application in addition to SAML, SAML takes precedence.
Separate administrator login after SSO is enabled | Yes | Administrators can log in with local credentials to the SAP HANA XS Administration tool.
User or Administrator lockout risk | Yes | The SAP HANA XS app can be configured with more than one authentication mechanism. With SAML enabled, SAML authentication takes priority; if SAML authentication fails, the user is locked out. The administrator must disable SAML or correct the configuration. Contact SAP HANA support for troubleshooting information. There is no risk of administrator lockout because the SAP HANA XS Administration tool is a separate web application.
Automatic user provisioning | Yes | SAP HANA XS supports Dynamic User Creation. If this option is enabled, a user is created in the SAP HANA system if the name asserted in the SAML assertion does not exist. Note: for this to work, the NameID value in the SAML assertion cannot be an email address; only letters and numbers are allowed in the NameID value.
Multiple User Types | Yes | Admin user; end users.
Self-service password | Yes | Users can reset their own passwords only if they have access to an SAP HANA application that has the profile change option. For example, if SAP HANA has a self-service tool configured, end users with the sap.hana.xs.formLogin.profile::ProfileOwner role can change their passwords.
Access restriction using a corporate IP range | Yes | You can specify an IP range on the Identity Administration portal Policy page to restrict access to the application.
App Gateway | Yes | The App Gateway can be used to enable external access to the SAP HANA XS app.
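Because a failed SAML login locks the user out and Dynamic User Creation silently refuses NameIDs that are email addresses or contain other characters, it is worth checking an assertion captured from the IdP before enabling SAML on the application. The following pre-flight check is an added example, not code from the page or from SAP or CyberArk; the sample assertion is constructed, and the letters-and-digits rule is this page's stated NameID constraint expressed as a regular expression.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample assertion (not captured from a real IdP). Its NameID is an
# email address, which SAP HANA Dynamic User Creation will not accept.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_constructed-1" Version="2.0">
  <saml:Issuer>https://idp.example.com/saml</saml:Issuer>
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">jdoe@example.com</saml:NameID>
  </saml:Subject>
</saml:Assertion>"""

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
EMAIL_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
# Page constraint: only letters and numbers are allowed in the NameID value.
HANA_NAMEID_RE = re.compile(r"^[A-Za-z0-9]+$")


def extract_name_id(assertion_xml):
    """Return (value, format) of the Subject NameID, or (None, None) if absent.

    Works whether the XML root is the Assertion itself or a samlp:Response
    wrapping it, because the search descends from the root.
    """
    root = ET.fromstring(assertion_xml)
    node = root.find(".//saml:Subject/saml:NameID", NS)
    if node is None:
        return None, None
    return (node.text or "").strip(), node.attrib.get("Format")


def check_dynamic_user_creation(assertion_xml):
    """List the reasons SAP HANA would refuse to auto-create the asserted user."""
    value, fmt = extract_name_id(assertion_xml)
    if value is None:
        return ["assertion carries no Subject/NameID"]
    problems = []
    if fmt == EMAIL_FORMAT or "@" in value:
        problems.append("NameID is an email address")
    if not HANA_NAMEID_RE.match(value):
        problems.append("NameID contains characters other than letters and digits")
    return problems


if __name__ == "__main__":
    for issue in check_dynamic_user_creation(SAMPLE_ASSERTION):
        print("would not provision:", issue)
```

An empty list means the NameID is one SAP HANA can create a user for; anything else should be fixed in the IdP's NameID mapping before SAML is made the only authentication mechanism.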

Configure SAP HANA On-Premise in the Identity Administration portal (Part 1)

Configure a new SAP HANA On-Premise identity provider

Configure a service provider

This section refers you to the SAP HANA On-Premise documentation for configuring an SAP HANA system as a SAML service provider.

Configure SAP HANA On-Premise in the Identity Administration portal (Part 2)

Configure single sign-out

To configure single sign-out, you need to add some code to the HTML page of your SAP HANA XS application. In the following example, the sign-out code is the script that fetches an X-CSRF-Token and the logout form that posts it (both marked with comments); the surrounding markup is a typical page and shows where the additions go.

<head>
    <script id="sap-ui-bootstrap" type="text/javascript"
            src="/sap/ui5/1/resources/sap-ui-core.js"></script>
    <!-- Single sign-out, part 1: once the page has loaded, fetch an
         X-CSRF-Token and store it in the hidden field of the logout form. -->
    <script type="text/javascript">
        $(function getXsrfToken() {
            $.ajax({
                url: "/sap/hana/xs/formLogin/token.xsjs",
                type: "GET",
                beforeSend: function(request) {
                    // Ask the XS server to issue a token in the response header.
                    request.setRequestHeader("X-CSRF-Token", "Fetch");
                },
                success: function(data, textStatus, XMLHttpRequest) {
                    document.forms[0].elements["X-CSRF-Token"].value =
                        XMLHttpRequest.getResponseHeader("X-CSRF-Token");
                }
            });
        });
    </script>
    <title>HANA XS Hello World Application</title>
</head>
<body>
    <h1>Hi</h1>
    <p>This is my XS Hello World Application</p>
    <!-- Single sign-out, part 2: the logout form posts the fetched token
         together with the logout request. -->
    <div id="logoutButton">
        <form action="/sap/hana/xs/formLogin/logout.xscfunc" method="post">
            <input type="hidden" name="X-CSRF-Token" value="">
            <input type="submit" value="Logout">
        </form>
    </div>
</body>

For more information about SAP HANA On-Premise

Contact SAP for more information about configuring SAP HANA On-Premise for SSO: