Okta and SAP HANA XS App SAML 2.0 Configuration.
HANA SPS82
SUSE LINUX Enterprise SERVER 11 sp3
SAP CRYPTO Library: SAPCRYPTOLIBP_8435-20011697.SAR
OKTA:
Activate: Template SAML 2.0 App
App Settings (settings not listed are kept at their defaults):
Post Back URL: https://<HANA HOST>:4300/sap/hana/xs/saml/login.xscfunc
Name ID Format: Unspecified
Recipient: https://<HANA HOST>:4300/sap/xs/saml/login.xscfunc
Audience Restriction: https://<HANA HOST>:4300
authnContextClassRef: Unspecified
Destination: https://<HANA HOST>:4300/<Path To SAML Configured Package>
Select User and Application Assignment & App Username
ADMIN>Application>Template SAML 2.0 App>People>
Click on User
Select the Edit Actions
Type the user name that will be referenced as the External Identity in the HANA DB user's SAML configuration
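The Okta settings above (Destination, Recipient, Audience, Name ID Format) and the External Identity that has to match the Okta username are exactly the fields HANA compares when it receives the SAML response, and a typo in any of them (a missing colon in "https//", a wrong port, a stale clock) shows up only as a rejected login. The following script is an added example, not part of these notes or of any SAP or Okta tooling: it reads a SAML response and reports which of those fields differ from what you configured, plus the NameID you need to put into External Identity. The host hana.example.internal, the package path, the Okta issuer ID and the response itself are constructed placeholders. It deliberately does not verify the XML signature; HANA does that against the Okta certificate in sapsrv.pse, so this is only for diagnosing addressing mismatches on a response you captured from your own browser.

```python
# Added example: diagnose SAML Response addressing mismatches against the
# Okta app settings documented above. Not SAP or Okta code.
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}

HANA_HOST = "hana.example.internal"  # hypothetical stand-in for <HANA HOST>
EXPECTED = {
    # Okta "Destination": https://<HANA HOST>:4300/<Path To SAML Configured Package>
    "destination": f"https://{HANA_HOST}:4300/sap/hana/xs/myapp",  # placeholder path
    # Okta "Recipient": the XS SAML login endpoint
    "recipient": f"https://{HANA_HOST}:4300/sap/hana/xs/saml/login.xscfunc",
    # Okta "Audience Restriction"
    "audience": f"https://{HANA_HOST}:4300",
    # Okta "Name ID Format: Unspecified"
    "name_id_format": "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified",
}
NOW = datetime(2015, 6, 1, 12, 0, tzinfo=timezone.utc)  # constructed clock


def _ts(value):
    # SAML timestamps end in 'Z'; fromisoformat wants an explicit +00:00
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def check_response(xml_text, expected, now):
    """Return {'problems': [...], 'name_id': ...}. Empty 'problems' means the
    response addresses HANA the way the Okta app settings say it should and
    is inside its validity window. No signature check is performed here."""
    problems = []
    root = ET.fromstring(xml_text)

    dest = root.get("Destination")
    if dest != expected["destination"]:
        problems.append(f"Destination {dest!r} != {expected['destination']!r}")

    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        problems.append("Response carries no Assertion")
        return {"problems": problems, "name_id": None}

    name_id = assertion.find("saml:Subject/saml:NameID", NS)
    fmt = name_id.get("Format") if name_id is not None else None
    if fmt != expected["name_id_format"]:
        problems.append(f"NameID Format {fmt!r} != {expected['name_id_format']!r}")

    scd = assertion.find(
        "saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    recipient = scd.get("Recipient") if scd is not None else None
    if recipient != expected["recipient"]:
        problems.append(f"Recipient {recipient!r} != {expected['recipient']!r}")

    conditions = assertion.find("saml:Conditions", NS)
    audience = None
    if conditions is not None:
        audience = conditions.find("saml:AudienceRestriction/saml:Audience", NS)
    aud_text = audience.text if audience is not None else None
    if aud_text != expected["audience"]:
        problems.append(f"Audience {aud_text!r} != {expected['audience']!r}")

    if conditions is not None:
        not_before = _ts(conditions.get("NotBefore"))
        not_on_or_after = _ts(conditions.get("NotOnOrAfter"))
        if not (not_before <= now < not_on_or_after):
            problems.append(f"validity window {not_before}..{not_on_or_after} excludes {now}")

    return {"problems": problems,
            "name_id": name_id.text if name_id is not None else None}


def sample_response(recipient, destination=EXPECTED["destination"]):
    """Constructed (not captured) minimal Okta-style response for testing."""
    return f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}"
  ID="_r1" Version="2.0" IssueInstant="2015-06-01T12:00:00Z" Destination="{destination}">
  <saml:Issuer>http://www.okta.com/PLACEHOLDER_ISSUER_ID</saml:Issuer>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2015-06-01T12:00:00Z">
    <saml:Issuer>http://www.okta.com/PLACEHOLDER_ISSUER_ID</saml:Issuer>
    <saml:Subject>
      <saml:NameID Format="{EXPECTED['name_id_format']}">zachary@example.com</saml:NameID>
      <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml:SubjectConfirmationData Recipient="{recipient}" NotOnOrAfter="2015-06-01T12:05:00Z"/>
      </saml:SubjectConfirmation>
    </saml:Subject>
    <saml:Conditions NotBefore="2015-06-01T11:55:00Z" NotOnOrAfter="2015-06-01T12:05:00Z">
      <saml:AudienceRestriction><saml:Audience>https://{HANA_HOST}:4300</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
  </saml:Assertion>
</samlp:Response>"""


if __name__ == "__main__":
    # The second response reproduces the 'https//' typo that HANA would reject.
    for label, rcpt in (("good", EXPECTED["recipient"]),
                        ("typo", EXPECTED["recipient"].replace("https://", "https//"))):
        result = check_response(sample_response(rcpt), EXPECTED, NOW)
        print(label, "NameID =", result["name_id"], "problems =", result["problems"])
```

Run it against a real response by saving the base64-decoded SAMLResponse POST body to a file and passing its text to check_response with your own EXPECTED values; the printed NameID is what goes into the HANA user's External Identity field.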
HANA
Follow this blog: http://scn.sap.com/docs/DOC-50418 for HTTPS and Trust Store Configuration (adding the OKTA certificate to the sapsrv.pse file)
Create the Identity Provider Configuration in the HANA DB through the HANA STUDIO SQL command line as a USER with the required privileges (https://hcp.sap.com/content/dam/website/saphana/en_us/Technology%20Documents/SAP_HANA_Administration_Guide_en.pdf)
See the section "Configure SSO with SAML" (page 547) in the above guide.
create SAML provider OKTA WITH SUBJECT 'EMAIL=info@okta.com, CN=dev-<okta account>, OU=SSOProvider, O=Okta, L=San Francisco, SP=California, C=US'
ISSUER 'EMAIL=info@okta.com, CN=dev-<okta account>, OU=SSOProvider, O=Okta, L=San Francisco, SP=California, C=US'
ENABLE USER CREATION;
MAKE SURE: the ISSUER and SUBJECT match the Okta certificate in your sapsrv.pse file; check by running the list command of sapgenpse:
./sapgenpse maintain_pk -p sapsrv.pse -l
Continue in the SQL interpreter:
insert into _SYS_XS.HTTP_DESTINATIONS values('sap.hana.xs.samlProviders', 'OKTA', 'description', '<OKTA account Base URL without (https://)>',443,'',0,'',0,0,1,-1,'','');
insert into _SYS_XS.SAML_PROVIDER_CONFIG values('OKTA', 0, 0, 'sap.hana.xs.samlProviders', 'OKTA', '/app/template_saml_2_0/<OKTA Generate ID KEY>/sso/saml');
insert into _SYS_XS.SAML_PROVIDER_CONFIG values('OKTA', 0, 1, 'sap.hana.xs.samlProviders', 'OKTA', '/app/template_saml_2_0/<OKTA Generate ID KEY>/sso/saml');
insert into _SYS_XS.SAML_PROVIDER_CONFIG values('OKTA', 1, 0, 'sap.hana.xs.samlProviders', 'OKTA', '/app/template_saml_2_0/<OKTA Generate ID KEY>/sso/saml');
insert into _SYS_XS.SAML_PROVIDER_CONFIG values('OKTA', 1, 1, 'sap.hana.xs.samlProviders', 'OKTA', '/app/template_saml_2_0/<OKTA Generate ID KEY>/sso/saml');
CONFIGURE HANA USER:
Open the User Profile in HANA Studio.
Check the SAML radio button, then select Configure.
Press Add and select OKTA.
Set External Identity to a value of your choice; it must match the Okta user connected to the SAML app.
As of HANA 82, I believe IdP-initiated requests DO NOT WORK.
Go to the SAML-configured XS page.
Log in through OKTA.
You should be redirected to the XS app page.
Good LUCK!
Zachary.