Struggling to set up SAML2 connection to HANA - looking for debug help

0 Kudos

Hi,

I'm trying to set up SAML authentication from a local Tableau server (Windows) to SAP BW4/HANA (Linux) as part of a BW4/HANA Proof of Concept we are running (neither of these systems is in live use). We've been struggling to get it working, compounded by both Tableau and HANA being very new to us in the Basis team.

Here's what we've done so far:

The Tableau administrator has set up SAML on their end and provided us with a certificate, with the Tableau server as identity provider.

This has been added as a SAML identity provider in HANA. For the relevant users, I have activated SAML2, selected the identity provider and entered the external identities as their email addresses.

We have also imported the certificate into the database (we're on latest support pack so PSE no longer on file system), and we now see the relevant entries in sys.pses, sys.certificates, sys.pse_certificates, SAML_PROVIDERS.

It's not working though.

When someone tries to launch a report from Tableau using SAML2 SSO, it fails with pretty much no information. I'm also seeing nothing that looks relevant in HANA logs (I was expecting to see something relevant in indexserver logs).

All I have to go on at the moment is the output of tcpdump tracing at the OS level on the HANA box. This shows that a connection is being made from the Tableau server, and SAML data is coming across (so at least I can rule out connectivity issues). Within the trace data I am seeing "00authentication.failed." a number of times though. There's not much else readable in the tcpdump logs, except I see the service user that the Tableau system runs as, but not the ID or email address of the user testing the connection (but maybe that's part of the encrypted payload).

As mentioned, I can't see anything in any of the HANA log files. I have set the indexserver to "DEBUG", but nothing's showing up, so I wonder if this is not even getting as far as the database. Can anyone suggest anything we've missed, anywhere else to look for log info, or any extra debugging I can turn on?

Thanks

Richard

Accepted Solutions (1)


former_member659467
Discoverer
0 Kudos

For security reasons you need to set the "authentication" trace to "info" or "debug" to see more information about failing authentications. Then you should see in the indexserver trace, why the user could not be authenticated with this assertion.
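The SQL that puts the accepted answer into practice, added here as an example and not taken from the thread: it assumes an administrative session on the BW/4HANA tenant, the documented `[trace]` section of `indexserver.ini`, and a placeholder user name in angle brackets.

```sql
-- Added example (not from the original thread). Assumes ALTER SYSTEM privileges
-- on the tenant; <TEST_USER> is a placeholder for the account being tested.

-- 1. Raise the 'authentication' trace component in the indexserver to DEBUG,
--    as the accepted answer recommends. The SYSTEM layer applies to all hosts.
ALTER SYSTEM ALTER CONFIGURATION ('indexserver.ini', 'SYSTEM')
  SET ('trace', 'authentication') = 'debug' WITH RECONFIGURE;

-- 2. Confirm the setting is active before repeating the Tableau login test.
SELECT FILE_NAME, LAYER_NAME, SECTION, KEY, VALUE
  FROM M_INIFILE_CONTENTS
 WHERE FILE_NAME = 'indexserver.ini'
   AND SECTION   = 'trace'
   AND KEY       = 'authentication';

-- 3. Cross-check what the incoming assertion has to match: the provider
--    registered in HANA and the external identity stored for the test user
--    (this value must equal the NameID sent by the identity provider exactly).
SELECT SAML_PROVIDER_NAME, ENTITY_ID
  FROM SAML_PROVIDERS;

SELECT USER_NAME, SAML_PROVIDER_NAME, EXTERNAL_IDENTITY
  FROM SAML_USER_MAPPINGS
 WHERE USER_NAME = '<TEST_USER>';

-- 4. After the failed attempt, the rejection reason is written to the
--    indexserver trace file; list the most recently modified ones from SQL
--    so the right file can be opened in the SAP HANA cockpit or on the host.
SELECT HOST, FILE_NAME, FILE_SIZE, FILE_MTIME
  FROM M_TRACEFILES
 WHERE FILE_NAME LIKE 'indexserver%.trc'
 ORDER BY FILE_MTIME DESC;

-- 5. Return the component to its default level once the cause is found,
--    so successful and failed authentications are not logged verbosely.
ALTER SYSTEM ALTER CONFIGURATION ('indexserver.ini', 'SYSTEM')
  UNSET ('trace', 'authentication') WITH RECONFIGURE;
```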

Answers (1)


mamartins
Active Contributor

Some useful links that may help:

https://help.sap.com/docs/SAP_HANA_ONE/102d9916bf77407ea3942fef93a47da8/db6db355bb571014b56eb25057da...

Does Tableau use ODBC to query HANA, or HTTP? If it uses HTTP then you need to use XS to configure the identity provider.

Documentation for other product that also connects to HANA that may help: https://docs.cyberark.com/Product-Doc/OnlineHelp/Idaptive/Latest/en/Content/Applications/AppsWeb/SAP...

0 Kudos

Thank you. Tableau is using ODBC. I believe I have done everything mentioned in that SAP documentation.

After some experimentation, I have some better tcpdump parameters (tcpdump -KAvvvXStttts 0 -e <hostname>), which are letting me see some more of the SAML traffic. I can now see that the email address of the user running the test is being passed through, along with the assertion tags as shown in your first link:

<saml2:Subject xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">
<saml2:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">email_address_obscured</saml2:NameID>
</saml2:Subject>

I note that it is sending “nameid-format:unspecified” with the email address. I’m wondering if we should be seeing it using the alternative option of “nameid-format:emailAddress” instead? I have asked Tableau support about this.