
SSO configuration from BOE to HANA


Looking to set up SSO from BOE to HANA using SAML and coming up short on what is hopefully just some missing configuration. If anyone has experience getting this running, I'd be grateful for feedback or links to more comprehensive documentation.

 

We are running BOE 4.1 SP5 and HANA rev 92 (on a multiple node installation). The plan is to 1) enable SSL logins on HANA, 2) set up BOE as the IdP, 3) create the SAML provider in HANA and establish trust between the two systems.

 

  1. HANA is accepting Open SSL connections thanks to this very helpful document. Confirmed via HANA Studio login.
  2. On the BOE side, an IdP Base64 certificate was generated in the CMC via the HANA Authentication dialog.
  3. The IdP cert was appended to the trust.pem file (on the master node) as per this blog post. The SAML provider has been created in HANA with the Subject/Issuer set to match the BOE cert. We also used sapgenpse to add the cert to saplogon.pse and sapsrv.pse in $SECUDIR (again on the master node).

 

Everything has been restarted after the last configuration change.

 

A test user has been set up in HANA with the SAML provider enabled, user name matching a BOE enterprise account. When testing from the CMC, we see the following error message: Connection Failed: The test of the HANA SSO ticket used to log onto the HANA DB has failed due to: [10]: invalid username or password. (FWM 02133)

 

The HANA tracelog, set to debug, shows some errors in SAMLAuthenticator (ERROR in libxmlsec) before it culminates in this block:

[22277]{-1}[-1/-1] 2015-02-02 20:10:23.882796 i Authentication   SAMLAuthenticator.cpp(00400) : Unable to verify XML signature

[22277]{-1}[-1/-1] 2015-02-02 20:10:23.882934 d Authentication   ManagerAcceptor.cpp(00273) : Injecting logon name into method:

[22277]{-1}[-1/-1] 2015-02-02 20:10:23.882986 d Authentication   SAPLogonManager.cpp(00360) : Store chosen for assertion ticket validation: saplogon.pse

[22277]{-1}[-1/-1] 2015-02-02 20:10:23.883114 w Authentication   SAPLogonManager.cpp(00504) : The base64 decode of the received ticket failed. SSO_RC return value: 1281

[22277]{-1}[-1/-1] 2015-02-02 20:10:23.883121 d Authentication   SAPLogonManager.cpp(00513) : Use SSO Validation PSE >>>saplogon.pse<<<

[22277]{-1}[-1/-1] 2015-02-02 20:10:23.883123 d Authentication   SAPLogonManager.cpp(00514) : Received Base64 Ticket >>>SAML 2.0 assertion ticket...<<<

[22277]{-1}[-1/-1] 2015-02-02 20:10:23.883167 i Authentication   MethodSAPLogon.cpp(00275) : unsuccessful login attempt with SAPLogon/SAPAssertion ticket!

[22277]{-1}[-1/-1] 2015-02-02 20:10:23.883181 d Authentication   ManagerAcceptor.cpp(00273) : Injecting logon name into method:

[22277]{-1}[63/-1] 2015-02-02 20:10:23.884313 d Authentication   Connection.cc(03617) : [PRE AUTHENTICATION] logon name:

[22277]{-1}[63/-1] 2015-02-02 20:10:23.884359 d Authentication   Connection.cc(03684) : [POST AUTHENTICATION] logon name:

 

It looks like the ticket is received but not being parsed. It's not clear to me if this is related to the certificate or some other configuration element, or exactly what the missing piece is.
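
A small triage helper for trace excerpts like the one above, added here as an example and not part of the original post or of any SAP tooling: it parses the trace lines and lists the failure messages in time order, so the earliest failing check (here the XML signature verification in SAMLAuthenticator.cpp) stands out from the SAPLogon messages logged after it. The line layout and the failure keywords are assumptions inferred from the quoted lines.

```python
import re

# Line layout inferred from the trace excerpt in the post (an assumption):
# [..]{..}[../..] <date> <time> <level> <component> <source>(<line>) : <message>
TRACE_RE = re.compile(
    r"^\[\d+\]\{-?\d+\}\[-?\d+/-?\d+\]\s+"
    r"(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d+)\s+(?P<level>[a-z])\s+"
    r"(?P<component>\S+)\s+(?P<source>[\w.]+)\((?P<line>\d+)\)\s+:\s*(?P<msg>.*)$"
)
# Failure wording taken from the messages quoted in the post; a heuristic only.
FAILURE_RE = re.compile(r"unable to|failed|unsuccessful", re.IGNORECASE)

# Five trace lines copied from the post above.
SAMPLE = """\
[22277]{-1}[-1/-1] 2015-02-02 20:10:23.882796 i Authentication   SAMLAuthenticator.cpp(00400) : Unable to verify XML signature
[22277]{-1}[-1/-1] 2015-02-02 20:10:23.882986 d Authentication   SAPLogonManager.cpp(00360) : Store chosen for assertion ticket validation: saplogon.pse
[22277]{-1}[-1/-1] 2015-02-02 20:10:23.883114 w Authentication   SAPLogonManager.cpp(00504) : The base64 decode of the received ticket failed. SSO_RC return value: 1281
[22277]{-1}[-1/-1] 2015-02-02 20:10:23.883167 i Authentication   MethodSAPLogon.cpp(00275) : unsuccessful login attempt with SAPLogon/SAPAssertion ticket!
[22277]{-1}[63/-1] 2015-02-02 20:10:23.884359 d Authentication   Connection.cc(03684) : [POST AUTHENTICATION] logon name:
"""

def parse(trace):
    """Yield one dict per line that matches the trace layout; skip the rest."""
    for raw in trace.splitlines():
        m = TRACE_RE.match(raw.strip())
        if m:
            yield m.groupdict()

def failure_chain(trace):
    """Return failure records in time order (fixed-width stamps sort as text)."""
    hits = [r for r in parse(trace) if FAILURE_RE.search(r["msg"])]
    return sorted(hits, key=lambda r: r["ts"])

def first_failure(trace):
    """Return the earliest failure record, or None if the trace has none."""
    chain = failure_chain(trace)
    return chain[0] if chain else None

if __name__ == "__main__":
    for r in failure_chain(SAMPLE):
        print(r["ts"], r["level"], f'{r["source"]}:{int(r["line"])}', r["msg"])
```
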

