This document is a work in progress!
System Setup
Prerequisites
Required roles
- sap.hana.security.base.roles::HANACertificateAdmin
- sap.hana.security.base.roles::HANACertificateView
- sap.hana.security.cockpit.roles::DisplayCertificateStore
- sap.hana.xs.lm.roles::Developer
- sap.hana.ide.roles::Developer
- sap.hana.xs.admin.roles::SAMLAdministrator
- sap.hana.xs.admin.roles::RuntimeConfAdministrator
- sap.hana.xs.admin.roles::TrustStoreViewer
Creating sample application
To demonstrate the scenario we need a HANA XS application protected by SAML authentication. A simple demo application can be built with the SAP HANA Web-based Development Workbench.
It is accessible from the database overview page of the SAP HANA cloud cockpit.
To open the web-based development tool, click Editor in the SAP HANA Web-based Development Workbench window.
Inside the editor, create a new empty application (with XSAccess and XSApp, i.e. the .xsaccess and .xsapp descriptor files).
Choose the application package "com.sample.test".
In the package you just created, create a new file (right-click, New > File) and name it loggedInUser.xsjs.
After the file is created, insert the following code into loggedInUser.xsjs.
```javascript
// loggedInUser.xsjs: returns the logged-in database user and, for a SAML
// session, the attributes asserted by the SuccessFactors IDP.

function isSAMLSSO() {
    // $.session.samlAttribute is only populated when the session was
    // established through SAML; for a password login it is undefined.
    return (!!$.session.samlAttribute);
}

function getDatabaseUsername() {
    return $.session.getUsername();
}

// The attribute names below are the ones the SuccessFactors IDP sends;
// each attribute is an array of values and the first value is used.
function getUsername() {
    return $.session.samlAttribute.loggedinuserid[0].value;
}

function getCompanyID() {
    return $.session.samlAttribute.companyid[0].value;
}

function getUserLocale() {
    return $.session.samlAttribute.locale[0].value;
}

function getCompanyUUID() {
    return $.session.samlAttribute.companyuuid[0].value;
}

var loggedInUser = {};
loggedInUser.databaseUser = getDatabaseUsername();

if (isSAMLSSO()) {
    loggedInUser.saml = true;
    loggedInUser.user = getUsername();
    loggedInUser.locale = getUserLocale();
    loggedInUser.companyID = getCompanyID();
    loggedInUser.companyUUID = getCompanyUUID();
} else {
    // No SAML session (e.g. before the IDP is configured): report the
    // database user only.
    loggedInUser.saml = false;
}

$.response.setBody(JSON.stringify(loggedInUser));
```
This XS service returns the logged-in user and all user attributes provided by the SuccessFactors IDP. Since SAML is not configured yet at this point, the service first checks whether the session carries SAML attributes at all and, if not, returns only the database user and skips the SAML attributes.
Run the service (F8). A new window opens and shows the logged-in database user together with the flag indicating that SAML authentication is not in use ("saml": false).
The next step is to configure SuccessFactors as a trusted IDP in SAP HANA.
Configure SAP HANA trust to SuccessFactors IDP
First, obtain the SAML metadata from the SuccessFactors IDP. It can be fetched with a browser.
To construct the URL you need the SuccessFactors landscape host and the company ID.
The format is:
- https://<landscapeHost>/idp/samlmetadata?company=<companyID>
For example:
- landscape host: salesdemo4.successfactors.com
- company ID: I0024
would produce the SAML metadata URL:
- https://salesdemo4.successfactors.com/idp/samlmetadata?company=I0024
Opening the URL in a browser immediately downloads a file called "samlmetadata".
Save it (or rename it) as samlmetadata.xml.
Open it in a text editor; it is an XML document (the SAML EntityDescriptor of the IDP). This matters because the next step requires copying its content from the editor.
Now open the XS Admin Tool and import the SuccessFactors IDP settings.
- Go to the XS Admin Tool of your tenant database (append "/sap/hana/xs/admin/" to the URL of your HANA instance)
- Go to SAML Identity Provider and click +
- Open the samlmetadata.xml file you downloaded from the IDP in a text editor, then copy and paste its content into the Metadata input area
- Click outside the text area to trigger processing of the metadata
- Name the IDP something descriptive, such as "saml2_company_<companyId>"
- Set the "Dynamic User Creation" flag to true. This is required to log in with IDP users that do not yet exist as database users. Note that with this flag every user the IDP asserts is created as a database user on first login, so only trust an IDP whose user population you intend to admit.
- One field, SingleLogout URL (RedirectBinding), is left empty and prevents saving. Copy the value of SingleLogout URL (PostBinding), "/sf/idp/SAML2/slo/POST", into that field.
- Click Save.
Important! The IDP metadata import might fail with "Certificate Import Error" the first time it is done. To correct this, remove the IDP and repeat the import.
After the import, check that the SuccessFactors company certificate has been added to the SAML Trust Store.
Configure SuccessFactors IDP to trust SAP HANA SP
Next, configure the SuccessFactors IDP to trust the SAP HANA service provider.
- In the XS Admin Tool, go to the SAML Service Provider tab and click Edit
- Under the Service Provider Information tab, set "Name", "Organisation Name", "Organisation Display Name" and "Organisation URL" to the URL of the SAP HANA host, then save the settings. These values are not configured by default.
- From the Service Provider "Metadata" tab, extract three values from the XML. It does not matter which binding (HTTP-Redirect or HTTP-POST) you choose; the URLs are the same.
- "Location" property of AssertionConsumerService tag (https://<hana host>:443/sap/hana/xs/saml/login.xscfunc)
- "Location" property of SingleLogoutService tag (https://<hana host>:443/sap/hana/xs/saml/logout.xscfunc)
- "entityID" property (https://<hana host>/)
- Contact SuccessFactors to request enabling Single Sign-On for your company instance, providing the values from above:
- Assertion Consumer Service URL
- Single Logout Service URL
- Audience URL: this is the "entityID"
- If you have Provisioning access to your SuccessFactors company, you can do it yourself:
- Go to Company Settings -> Service Provider Settings -> Authorized SP Assertion Consumer Service Settings
- Select "Add another Service Provider ACS" and enter the values described above
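Both the IDP import above (copying the SuccessFactors metadata, filling the missing SingleLogout RedirectBinding field from the PostBinding value, and checking the certificate that lands in the SAML Trust Store) and the service provider step just described (pulling the Assertion Consumer Service URL, Single Logout Service URL and entityID out of the HANA SP metadata) are manual copy-and-paste work against the same kind of XML. The following script is an added example, not code from the original page or from SAP; it uses only the Python standard library. Both metadata documents in it are constructed samples in the shape of SAML 2.0 metadata (idp.example.com and hana.example.com are placeholder hosts), and the X509Certificate content is a placeholder blob rather than a real certificate, so only its fingerprint is computed.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"

# Constructed IdP metadata (not real SuccessFactors output): SLO is published
# for HTTP-POST only, the situation the manual import step works around.
IDP_METADATA = f"""<md:EntityDescriptor xmlns:md="{NS['md']}" xmlns:ds="{NS['ds']}"
    entityID="https://idp.example.com/idp/I0024">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>
        AAECAwQFBgcICQ==
      </ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:SingleLogoutService Binding="{POST}" Location="https://idp.example.com/sf/idp/SAML2/slo/POST"/>
    <md:SingleSignOnService Binding="{REDIRECT}" Location="https://idp.example.com/idp/SAML2/sso/Redirect"/>
    <md:SingleSignOnService Binding="{POST}" Location="https://idp.example.com/idp/SAML2/sso/POST"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""

# Constructed SP metadata (not real HANA output) with the endpoint paths the page names.
SP_METADATA = f"""<md:EntityDescriptor xmlns:md="{NS['md']}" entityID="https://hana.example.com/">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:SingleLogoutService Binding="{REDIRECT}" Location="https://hana.example.com:443/sap/hana/xs/saml/logout.xscfunc"/>
    <md:SingleLogoutService Binding="{POST}" Location="https://hana.example.com:443/sap/hana/xs/saml/logout.xscfunc"/>
    <md:AssertionConsumerService Binding="{POST}" index="0"
        Location="https://hana.example.com:443/sap/hana/xs/saml/login.xscfunc"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""


def fingerprint_sha256(der):
    """SHA-256 over the DER bytes of a certificate, as trust stores display it."""
    return hashlib.sha256(der).hexdigest()


def parse_metadata(xml_text):
    """Return entityID, endpoints keyed by binding URI, and certificate fingerprints."""
    root = ET.fromstring(xml_text)
    kind, role = "idp", root.find("md:IDPSSODescriptor", NS)
    if role is None:
        kind, role = "sp", root.find("md:SPSSODescriptor", NS)
    if role is None:
        raise ValueError("metadata has neither an IDPSSODescriptor nor an SPSSODescriptor")

    def endpoints(tag):
        return {e.get("Binding"): e.get("Location") for e in role.findall("md:" + tag, NS)}

    certs = []
    for kd in role.findall("md:KeyDescriptor", NS):
        use = kd.get("use")  # absent 'use' means the key serves signing and encryption
        for c in kd.findall(".//ds:X509Certificate", NS):
            der = base64.b64decode("".join(c.text.split()))  # strip line breaks first
            certs.append({"use": use, "sha256": fingerprint_sha256(der)})

    meta = {"kind": kind, "entityID": root.get("entityID"),
            "slo": endpoints("SingleLogoutService"), "certs": certs}
    if kind == "idp":
        meta["sso"] = endpoints("SingleSignOnService")
    else:
        meta["acs"] = endpoints("AssertionConsumerService")
    return meta


def hana_idp_import_values(meta):
    """Fields of the XS Admin 'SAML Identity Provider' form. If the IdP publishes no
    HTTP-Redirect SLO endpoint the POST endpoint is reused, mirroring the manual
    workaround; the signing fingerprint is what to compare against the entry that
    appears in the SAML Trust Store after the import."""
    if meta["kind"] != "idp":
        raise ValueError("expected IdP metadata")
    slo = meta["slo"]
    return {
        "entityID": meta["entityID"],
        "sso_redirect": meta["sso"].get(REDIRECT),
        "sso_post": meta["sso"].get(POST),
        "slo_post": slo.get(POST),
        "slo_redirect": slo.get(REDIRECT) or slo.get(POST),
        "signing_cert_sha256": [c["sha256"] for c in meta["certs"] if c["use"] in (None, "signing")],
    }


def successfactors_sp_values(meta):
    """The three values SuccessFactors asks for when authorising an SP ACS."""
    if meta["kind"] != "sp":
        raise ValueError("expected SP metadata")
    acs = meta["acs"].get(POST) or next(iter(meta["acs"].values()), None)
    slo = meta["slo"].get(POST) or meta["slo"].get(REDIRECT)
    return {"Assertion Consumer Service URL": acs,
            "Single Logout Service URL": slo,
            "Audience URL": meta["entityID"]}


if __name__ == "__main__":
    print(hana_idp_import_values(parse_metadata(IDP_METADATA)))
    print(successfactors_sp_values(parse_metadata(SP_METADATA)))
```

Run against the real samlmetadata.xml downloaded from the IDP (replace IDP_METADATA with the file content) and the XML from the Service Provider "Metadata" tab; the fingerprint printed for the signing key is the value to check against the certificate that appears in the SAML Trust Store after a successful import, which is how to tell a silently half-failed "Certificate Import Error" run from a good one. With a real certificate a library such as cryptography can additionally decode subject and validity; the standard library alone only gives the fingerprint.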