cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Options to help SAML SSO to HANA from BI survive a HANA hostname change (HA Fail-over)

alex_smith
Explorer

on ‎09-12-2018 4:49 PM

0 Kudos

I was brought here by SAP Note "1900023 - How to setup SAML SSO to HANA from BI".

Environment:

HANA Version: 1.00.122.08.1490178281

SAP BusinessObjects BI Platform 4.2 Support Pack 3 Patch 5 - Version: 14.2.3.2351

High Availability setup between HANA System Replication Node 1 and Node 2

Question:

How do you make the setup as described in SAP Note 1900023 seamlessly survive an automated fail-over from Node 1 to Node 2?

Additional Detail to consider in answer:

Important to understand that an automated fail-over could happen at any moment and in current scenario this results in a change of the HANA FQDN from the Node 1 hostname to the Node 2 hostname. This of course breaks the SAML setup and like SAP Note 1900023 says:

  • Each SAML alias must have a SAML identity provider based on the Unique identifier ID used to create the certificate in the CMC. This cannot be changed easily as changing the provider ID will require each account to change their identity provider manually on HANA

And so the question. The most appropriate solution currently appears to be the use of SQL scripts to perform mass User Admin steps to change each HANA user's mapping from one IDP to another based on the current node(hostname) that HANA is running on.

This is not the only interesting thing to consider when answering this question. It should also be noted that in the xsengine Admin area under sap.bc.ina.service.v2, you may only select one IDP from the drop-down selection. and so, each time you move between HA nodes you must manually switch this and hope that your other IDP still works and does not require a new certificate generated from CMC HANA Authentication App. In either case, you must manually fix the user mapping. Given a large user base, this could consume enough time to impact production reporting, especially if it takes time to respond to the otherwise seamless HA fail-over event.

Our first idea is to have a VIP and virtual hostname float between nodes and this way, theoretically, we require only one IDP setup which will seamlessly survive any HA fail-over as the hostname does not change anymore as long as we point to the VIP or virtual hostname during setup. This sometimes requires use of 3rd party software. Anyone else doing this already? Any less intrusive options out there?

Show replies
Show replies
Answer

Accepted Solutions (0)

Answers (1)

Answers (1)

former_member206085
Explorer
‎09-17-2018 8:06 AM
0 Kudos

we are using SQL scripts to do user mapping.I couln't think of any other solution

Show replies
Show replies
alex_smith
Explorer
‎03-11-2019 9:21 PM
0 Kudos

Hi Siddhesh,

Same here. We have post refresh steps for fixing the SAML setup and the User Admin is done by SQL. I think this effort takes most by surprise as it is not highlighted anywhere 🙂

SAP did mention Identity management, but I do not believe there is a viable option there either. The more the analytics guys start using HANA the larger and more complex the SQL scripts will become.

Ask a Question