Skip to Content

Options to help SAML SSO to HANA from BI survive a HANA hostname change (HA Fail-over)

I was brought here by SAP Note "1900023 - How to setup SAML SSO to HANA from BI".

Environment:

HANA Version: 1.00.122.08.1490178281

SAP BusinessObjects BI Platform 4.2 Support Pack 3 Patch 5 - Version: 14.2.3.2351

High Availability setup between HANA System Replication Node 1 and Node 2

Question:

How do you make the setup as described in SAP Note 1900023 seamlessly survive an automated fail-over from Node 1 to Node 2?

Additional Detail to consider in answer:

Important to understand that an automated fail-over could happen at any moment and in current scenario this results in a change of the HANA FQDN from the Node 1 hostname to the Node 2 hostname. This of course breaks the SAML setup and like SAP Note 1900023 says:

  • Each SAML alias must have a SAML identity provider based on the Unique identifier ID used to create the certificate in the CMC. This cannot be changed easily as changing the provider ID will require each account to change their identity provider manually on HANA

And so the question. The most appropriate solution currently appears to be the use of SQL scripts to perform mass User Admin steps to change each HANA user's mapping from one IDP to another based on the current node(hostname) that HANA is running on.

This is not the only interesting thing to consider when answering this question. It should also be noted that in the xsengine Admin area under sap.bc.ina.service.v2, you may only select one IDP from the drop-down selection. and so, each time you move between HA nodes you must manually switch this and hope that your other IDP still works and does not require a new certificate generated from CMC HANA Authentication App. In either case, you must manually fix the user mapping. Given a large user base, this could consume enough time to impact production reporting, especially if it takes time to respond to the otherwise seamless HA fail-over event.

Our first idea is to have a VIP and virtual hostname float between nodes and this way, theoretically, we require only one IDP setup which will seamlessly survive any HA fail-over as the hostname does not change anymore as long as we point to the VIP or virtual hostname during setup. This sometimes requires use of 3rd party software. Anyone else doing this already? Any less intrusive options out there?

Add comment
10|10000 characters needed characters exceeded

  • Follow
  • Get RSS Feed

1 Answer

  • Sep 17, 2018 at 07:06 AM

    we are using SQL scripts to do user mapping.I couln't think of any other solution

    Add comment
    10|10000 characters needed characters exceeded

    • Hi Siddhesh,

      Same here. We have post refresh steps for fixing the SAML setup and the User Admin is done by SQL. I think this effort takes most by surprise as it is not highlighted anywhere :)

      SAP did mention Identity management, but I do not believe there is a viable option there either. The more the analytics guys start using HANA the larger and more complex the SQL scripts will become.