on 09-12-2018 4:49 PM
I was brought here by SAP Note "1900023 - How to setup SAML SSO to HANA from BI".
Environment:
HANA Version: 1.00.122.08.1490178281
SAP BusinessObjects BI Platform 4.2 Support Pack 3 Patch 5 - Version: 14.2.3.2351
High Availability setup between HANA System Replication Node 1 and Node 2
Question:
How do you make the setup as described in SAP Note 1900023 seamlessly survive an automated fail-over from Node 1 to Node 2?
Additional Detail to consider in answer:
It is important to understand that an automated fail-over could happen at any moment, and in the current scenario this results in a change of the HANA FQDN from the Node 1 hostname to the Node 2 hostname. This of course breaks the SAML setup and like SAP Note 1900023 says:
And so the question. The most appropriate solution currently appears to be the use of SQL scripts to perform mass User Admin steps to change each HANA user's mapping from one IDP to another based on the current node (hostname) that HANA is running on.
This is not the only interesting thing to consider when answering this question. It should also be noted that in the xsengine Admin area under sap.bc.ina.service.v2, you may only select one IDP from the drop-down selection, and so each time you move between HA nodes you must manually switch this and hope that your other IDP still works and does not require a new certificate generated from CMC HANA Authentication App. In either case, you must manually fix the user mapping. Given a large user base, this could consume enough time to impact production reporting, especially if it takes time to respond to the otherwise seamless HA fail-over event.
Our first idea is to have a VIP and virtual hostname float between nodes and this way, theoretically, we require only one IDP setup which will seamlessly survive any HA fail-over as the hostname does not change anymore as long as we point to the VIP or virtual hostname during setup. This sometimes requires use of 3rd party software. Anyone else doing this already? Any less intrusive options out there?
We are using SQL scripts to do user mapping. I couldn't think of any other solution.
Hi Siddhesh,
Same here. We have post refresh steps for fixing the SAML setup and the User Admin is done by SQL. I think this effort takes most by surprise as it is not highlighted anywhere 🙂
SAP did mention Identity management, but I do not believe there is a viable option there either. The more the analytics guys start using HANA the larger and more complex the SQL scripts will become.
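An added example, not part of the original thread and not SAP's code: a sketch of the scripted remapping discussed above, generating the `ALTER USER` statements that move each user's SAML identity from one provider to the other after a fail-over. The provider names `IDP_NODE1` and `IDP_NODE2` and the sample rows are constructed; the input is assumed to be an export of `SYS.SAML_USER_MAPPINGS`.

```python
# Generate HANA SQL that moves SAML identity mappings between two providers.
# Assumption: rows come from
#   SELECT USER_NAME, SAML_PROVIDER_NAME, EXTERNAL_IDENTITY FROM SYS.SAML_USER_MAPPINGS
# The rows below are constructed sample data; IDP_NODE1/IDP_NODE2 are hypothetical names.
SAMPLE_ROWS = [
    ("JSMITH", "IDP_NODE1", "jsmith"),
    ("REPORT_SVC", "IDP_NODE1", "svc'report"),  # quote inside the external identity
    ("AGARCIA", "IDP_NODE1", "agarcia"),
    ("AGARCIA", "IDP_NODE2", "agarcia"),        # already mapped to the target
    ("LOCALONLY", "OTHER_IDP", "x"),            # unrelated provider, must be untouched
]


def quote_ident(name):
    """Quote a user or provider name as a delimited SQL identifier."""
    if not name or any(ord(c) < 32 for c in name):
        raise ValueError(f"unsafe identifier: {name!r}")
    return '"' + name.replace('"', '""') + '"'


def quote_literal(value):
    """Quote an external identity as a SQL string literal."""
    return "'" + value.replace("'", "''") + "'"


def remap_statements(rows, old_idp, new_idp):
    """Return ALTER USER statements moving mappings from old_idp to new_idp."""
    already = {user for user, idp, _ in rows if idp == new_idp}
    stmts = []
    for user, idp, ext in sorted(rows):
        if idp != old_idp:
            continue
        u = quote_ident(user)
        # Add the new mapping first so the user is never left without one.
        if user not in already:
            stmts.append(f"ALTER USER {u} ADD IDENTITY {quote_literal(ext)} "
                         f"FOR SAML PROVIDER {quote_ident(new_idp)};")
        stmts.append(f"ALTER USER {u} DROP IDENTITY "
                     f"FOR SAML PROVIDER {quote_ident(old_idp)};")
    return stmts


if __name__ == "__main__":
    print("\n".join(remap_statements(SAMPLE_ROWS, "IDP_NODE1", "IDP_NODE2")))
```

Quoting every name and identity in the generator keeps a value pulled from the mapping table from altering the generated statements, which matters because the script runs with user-administration privileges.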