Dec 28, 2020 at 03:53 PM

Set up SAML authentication for SAP HANA Cloud to use via JDBC

102 Views Last edit Dec 28, 2020 at 03:55 PM 2 rev

Dear Community Members,

I am trying to set up SAML authentication for a test SAP HANA Cloud instance. I'm using OneLogin as the IdP, and a very simple custom Java app running in Tomcat as the Service Provider. The Service Provider tries to connect to the HANA instance via JDBC using SAML authentication.
In HANA cockpit I uploaded the certificate, created the SAML identity provider entry and created a mapping for the user. However, I always get a com.sap.db.jdbc.exceptions.SQLInvalidAuthorizationSpecExceptionSapDB: [10]: authentication failed at error with error code 28000, which does not really tell what the problem could be. Also, I was not able to find anything related in the server logs that could indicate what the problem is.

Based on the help page, I use assertions like the one at the bottom as the password for the JDBC connection. However, I'm not really sure whether I should use only the <saml:Assertion> tag or the whole XML response from the IdP (with the <samlp:Response> root key). Furthermore, I'm not sure whether this can be sent in plain text or should be Base64-encoded. Also, the help page is not clear enough for me to decide whether the format of the assertion is correct or not.


Please help me by pointing me in the right direction! What can I check to figure out what the actual problem is?


Thanks in advance!
Bence Tamas

==========================================

Sample assertion:

<saml:Assertion xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" Version="2.0" ID="pfx4aa8a523-bb99-cb70-8b50-e3436613c547" IssueInstant="2020-12-28T15:07:15Z">
    <saml:Issuer>https://app.onelogin.com/saml2</saml:Issuer>
    <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:SignedInfo>
            <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
            <ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
            <ds:Reference URI="#pfx4aa8a523-bb99-cb70-8b50-e3436613c547">
                <ds:Transforms>
                    <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
                    <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
                </ds:Transforms>
                <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
                <ds:DigestValue>KnPdMf5mDjBQAY6ENebs4kkwQH9M9gCYVaQXs3BHmYQ=</ds:DigestValue>
            </ds:Reference>
        </ds:SignedInfo>
        <ds:SignatureValue>Z1Isl6nUj1Wum08sDW5MiKNH6HQ6jz3s0TIFfchdPXGY33g+4X34ZlU8UgbdjM8wM2jfZPIXDpg15b14UXPAmZt3zpeWvTIAstFnNyyH
            kBEiPsB7aFBRTQ2EvI1BEdpMYOmroRCBY/J5Ifh4tjTNYmtsiZ3P1OC75xP3KrQvEswEHfDWniC1JTqvdUaaw6gNKTRiSErrp86Tj3dLismZDCQe2KayppWgn+NyOCQuFKOgwueY4eVVq8eToUknKaYkOKXhI9siP/WlKa82
            0wohOU70Ya4uC64EoRdfyXCW5kgxyZcFsZH/l5QRQyLGebQcxhREhtQe3qT/C6ldhalmDQ==</ds:SignatureValue>
        <ds:KeyInfo>
            <ds:X509Data>
                <ds:X509Certificate>MIID5TCCAs2gAwIBAgIUbPjeJtgPVnv1QvrFp1B5xB//tiQwDQYJKoZIhvcNAQEFBQAwSDETMBEGA1UECgwKUmFwaWRNaW5lcjEVMBM
                    GA1UECwwMT25lTG9naW4gSWRQMRowGAYDVQQDDBFPbmVMb2dpbiBBY2NvdW50IDAeFw0yMDEyMTUwNTM3NThaFw0yNTEyMTUwNTM3NThaMEgxEzARBgNVBAoMClJhcGlkTWluZXIxFTATBgNVBAsMDE9uZUxvZ2luIElkUDE
                    aMBgGA1UEAwwRT25lTG9naW4gQWNjb3VudCAwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDJk1zN9yoKMhonvdkKL13oPWfyKBFavM+IUW/hVOq+RbLTU6yzTCcgmLQNtavv24K1AZUiAitOoeyYD2dAp/6Gx+K
                    9xNZlWlzlJPLB0YgVBsGpO1SOlCpvfLOLPXAk4xQ9peJzQA9Bb8JqM+7Q/F1hNqs5eZGkviAuctc68K2V6RpscsUX3y7BAtkN7TzP0a8evcqxGzaFCfSltVduh74a+XEcdspm1X8QbeC/vwS2kJtagsIEVMfBB/QS+YNO0ng
                    /KHQfS2bU3EkId92gpvxAzg8YCKpG2ROZ0lEl8asJ+N1tsTHLi4KIVRfWLRnit2ZPR9cYjnkuvfZR9HHuu+ZLAgMBAAGjgcYwgcMwDAYDVR0TAQH/BAIwADAdBgNVHQ4EFgQUilg+PlJCoetHGkOxAwR2HCbFGIQwgYMGA1U
                    dIwR8MHqAFIpYPj5SQqHrRxpDsQMEdhwmxRiEoUykSjBIMRMwEQYDVQQKDApSYXBpZE1pbmVyMRUwEwYDVQQLDAxPbmVMb2dpbiBJZFAxGjAYBgNVBAMMEU9uZUxvZ2luIEFjY291bnQgghRs+N4m2A9We/VC+sWnUHnEH/+
                    2JDAOBgNVHQ8BAf8EBAMCB4AwDQYJKoZIhvcNAQEFBQADggEBAFKCkovP+BZGENmKNkNh/al7/cMAhz/Q/lhmyTCfFlnf5GIAU8XTRS/mOlTHuXoZp55CYZJ1vD57wpPsS7rLruOiLqVKoD1y6R6yZAHUVuxb3WDbs16A0IH
                    sfeX7TwWR2DLrCkTRxHXPp+nKlu8+v14iNXUaUJuzTnp4G9mpbjLCo+8PTuj6XXroV/FWQfPyWK4Q5WC08nStkJsH9K3KQijK/uc+9IoI7+Z7H8i7Az8bg2H87b+DJJPQ21Tn9UrALAFhzGpxDxG4WcoVmg2vHDusUTOISCk
                    UvkfgyoAInjtG5kPF2JXh+dYop5RR2uyEDz80iqJYnrishzUmWAd3Kug=</ds:X509Certificate>
            </ds:X509Data>
        </ds:KeyInfo>
    </ds:Signature>
    <saml:Subject>
        <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">test1</saml:NameID>
        <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
            <saml:SubjectConfirmationData NotOnOrAfter="2020-12-28T23:27:15Z" Recipient="https://mysecret-domain.herokuapp.com/acs.jsp"
                                          InResponseTo="ONELOGIN_887ae8cf-f69c-4127-94ec-ae2e605ea481"/>
        </saml:SubjectConfirmation>
    </saml:Subject>
    <saml:Conditions NotBefore="2020-12-28T06:47:15Z" NotOnOrAfter="2020-12-28T23:27:15Z">
        <saml:AudienceRestriction>
            <saml:Audience/>
        </saml:AudienceRestriction>
    </saml:Conditions>
    <saml:AuthnStatement AuthnInstant="2020-12-28T15:07:14Z" SessionNotOnOrAfter="2020-12-29T15:07:15Z" SessionIndex="_0f394373-bb0e-47bc-997d-902bae02988e">
        <saml:AuthnContext>
            <saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml:AuthnContextClassRef>
        </saml:AuthnContext>
    </saml:AuthnStatement>
</saml:Assertion>

Attachments

selection-590.png (283.9 kB)
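As an added example (not code from the original post, from OneLogin or from SAP), a small Python pre-flight check that can be run on the assertion before it is handed to the JDBC driver as the password: it unwraps a full <samlp:Response> if one is passed, and reports mismatches against the values configured in HANA cockpit, an expired or not-yet-valid validity window, an empty <saml:Audience> (as in the sample above) and a missing signature. The expected issuer and user name are assumptions for the demo; the signature is only checked for presence, not cryptographically verified.

```python
# Added example (not from the original post): pre-flight checks on a SAML
# assertion before handing it to the HANA JDBC driver as the "password". It
# accepts a bare <saml:Assertion> or a full <samlp:Response> and checks the
# values configured in HANA cockpit (issuer, mapped NameID), the validity
# window, the audience and that a signature is present (not verified here).
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion", "ds": "http://www.w3.org/2000/09/xmldsig#"}

def extract_assertion(xml_text):
    """Return the <saml:Assertion> element, unwrapping a <samlp:Response> if needed."""
    root = ET.fromstring(xml_text)
    return root if root.tag == f"{{{NS['saml']}}}Assertion" else root.find("saml:Assertion", NS)

def parse_ts(value):  # SAML timestamps are UTC, e.g. 2020-12-28T23:27:15Z
    return datetime.fromisoformat(value.replace("Z", "+00:00"))

def preflight(xml_text, expected_issuer, expected_user, now):
    """Return a list of findings; an empty list means the assertion looks consistent."""
    a = extract_assertion(xml_text)
    if a is None:
        return ["no <saml:Assertion> element found"]
    findings = []
    issuer = a.findtext("saml:Issuer", "", NS).strip()
    if issuer != expected_issuer:
        findings.append(f"Issuer {issuer!r} differs from the IdP entry {expected_issuer!r}")
    name_id = a.findtext("saml:Subject/saml:NameID", "", NS).strip()
    if name_id != expected_user:
        findings.append(f"NameID {name_id!r} differs from the mapped user {expected_user!r}")
    cond = a.find("saml:Conditions", NS)
    if cond is not None:  # validity window and audience restriction
        if now < parse_ts(cond.get("NotBefore")):
            findings.append("not yet valid (NotBefore is in the future)")
        if now >= parse_ts(cond.get("NotOnOrAfter")):
            findings.append("expired (NotOnOrAfter reached)")
        if not cond.findtext("saml:AudienceRestriction/saml:Audience", "", NS).strip():
            findings.append("empty <saml:Audience>: restriction names no service provider")
    if a.find("ds:Signature", NS) is None:
        findings.append("unsigned assertion")
    return findings

# Constructed sample mirroring the post's assertion (signature omitted on purpose):
SAMPLE = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" Version="2.0" ID="_demo" IssueInstant="2020-12-28T15:07:15Z">
 <saml:Issuer>https://app.onelogin.com/saml2</saml:Issuer>
 <saml:Subject><saml:NameID>test1</saml:NameID></saml:Subject>
 <saml:Conditions NotBefore="2020-12-28T06:47:15Z" NotOnOrAfter="2020-12-28T23:27:15Z">
  <saml:AudienceRestriction><saml:Audience/></saml:AudienceRestriction>
 </saml:Conditions></saml:Assertion>"""
```

Running preflight(SAMPLE, "https://app.onelogin.com/saml2", "test1", parse_ts("2020-12-28T15:30:00Z")) reports the empty audience and the missing signature; everything else in the sample is consistent with the configured values.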