SAP HANA

Setting up MIRACL Trust SSO as an Identity Provider within SAP HANA

These instructions are up-to-date at the time of writing, but you should refer back to the SAP HANA page on SAML settings for SSO to check for any changes. We cannot guarantee the accuracy of our SP-specific guidance.

  1. Log in to the SAP HANA Cloud Platform Cockpit and click on your account ID to display your dashboard.

  2. Click on Trust under ‘Security’ in the left navigation:

  3. Click on the Edit button to make the contents of the ‘Local Service Provider’ tab editable.

  4. Choose Custom from the ‘Configuration Type’ drop-down.
    Some additional fields are revealed.

  5. Click on the Generate Key Pair button to generate a new Signing Certificate.
    The ‘Signing Key’ and ‘Signing Certificate’ text boxes are populated with the new information:

  6. Click on the Get Metadata button. An XML file containing the SP metadata is downloaded to your local machine.

  7. Click on the Save button to commit your changes.
    An alert box is displayed.

  8. Click on the OK button.

  9. Click on the Trusted Identity Provider tab followed by the Add Trusted Identity Provider link (in the below example, some of the information has been greyed out for security reasons):

  10. Configure the settings for the new MIRACL Trust IdP:

  • Metadata File - retrieve file from http://<yourssoip>/metadata and point to location on local machine using the ‘browse’ button. Note that, for a production setup, if you manually download your IdP metadata file, the validUntil date at the top of the file will need to be edited to an appropriate date (it defaults to 48hrs from the current date).
  • Name - this is auto-generated by the MIRACL Trust metadata file upload, above
  • Assertion Consumer Service - select Assertion Consumer Service from the drop-down
  • Single Sign-On URL - update the placeholders with your own web address and port: http://<yourssoip>/sso
  • Single Sign-On Binding - select HTTP-Redirect
  • Single Logout Binding - select HTTP-Post
  • Signature Algorithm - select SHA-256
  • Signing Certificate - this is populated automatically during the metadata file upload
  • User ID Source - set to subject

  1. Click on the Save button to commit your changes and display the following page:

Configuring your SAP HANA Service Provider profile with MIRACL Trust SSO

  1. Edit /etc/miracl-sso/service_providers/sap.yaml:
sp:
  sap:
    description: SAP HANA is an in-memory platform for processing high volumes of
      data in real-time
    relay_state: ""
    login_url: https://aacockpitc4pa-p1234567890example.hanatrial.ondemand.com/com.sap.aa.hcp.cockpit
    logout_url: https://aacockpitc4pa-p1234567890example.hanatrial.ondemand.com
    metadata: >-
      <!-- insert downloaded SP metatadata here -->
    sign_response: true
    sign_assertion: true
    encrypt_assertion: false
    authorize:
    - - email: ^[^@]+@example.com$
    profile:
      attribute: empty
  1. Note that sp name is used to create your IdP-initiated login url, i.e. https://<yourssoip>/login/sap

  2. Replace the login URLs with the custom addresses containing your SAP HANA account ID.

  3. The SAP HANA SP metadata is available via the SAP HANA Get Metadata button and should be pasted into the above metadata field.

The downloaded metadata file must be converted to a single line with a command such as:

echo -e "\n"$(cat metadata.xml | tr -d '\n')"\n"

The contents will then be output in the terminal in a format that can be pasted into the metadata field.

Note that, if you are using JSON format for your config file, the downloaded metadata should be saved as an xml file and converted to a single line with the " characters escaped with \ to meet json structure requirements. This can be achieved by running the following command on the downloaded metadata.xml file:

echo -e "\n"$(cat metadata.xml | tr -d '\n' | sed -E 's/"/\\"/g')"\n"

The contents will then be output in the terminal in a format that can be pasted into the metadata field of a JSON file.

  1. In the authorize subsection, you can control what users are allowed to attempt login by following one or both of the below steps:
  • Call up an LDAP setup from an ldap.yaml file stored in /etc/miracl-sso/integrations.
  • Configure a regex list of email addresses/domains. The above config shows an example of how you would use email: ^[^@]+@example.com$ to only allow users from a certain email domain to login.

Note that if this is not set correctly, you will receive ‘unauthorized user’ messages.

For more detailed info on using LDAP and regex to control authorized users, please see the LDAP and authorization menu section

  1. Save and close the file.

  2. In your /etc/miracl-sso/config.yaml file make sure you add sap.yaml to the list of ‘includes’:

includes:
  - core.yaml

# service providers
  - service_providers/sap.yaml
  1. As always after config changes, restart the server with sudo service miracl-sso restart

  2. Now your service is configured, you can visit https://<yourssoip>/login/sap or https://<yourssoip>/services to login to the service using IdP-initiated login, or visit the SAP login page and SP-initiated login will be triggered automatically.

  3. You will be able to login using the in-browser PIN pad or with the MIRACL Trust app. When logging in to your SSO service for the first time you will be asked to register an email address so as to confirm your identity and register you as a user.