SAP HANA

  1. Log in to the SAP HANA Cloud Platform Cockpit.

  2. Configure the Local Service Provider profile:

    a. Under Trust > Trust Management, click on the Local Service Provider tab then Edit.

    b. Set Configuration Type to 'Custom' and click on the Generate Key Pair button to generate a new Signing Certificate.

    c. For application-to-application SSO (if required), select Enabled from the Principal Propagation drop-down.

    d. For forced authentication, select Enabled from the Force Authentication drop-down.

    e. Click on the Save button to commit your changes.

  3. Configure M-Pin SSO as a Trusted Identity Provider:

    a. Under Trust > Trust Management, click on the Trusted Identity Provider tab and then the Add Trusted Identity Provider button.

    b. Configure the settings for the new Trusted Identity Provider:

    • Signing certificate – generated in your SAP HANA account
    • Principal Propagation (optional) – when enabled, allows application-to-application SSO
    • Force Authentication (optional) – when enabled, forces authentication for your application so you do not rely on SSO
    • Name – the path to the M-Pin SSO SAML metadata
    • SAML2 Identity Provider metadata file – (found under Global Settings > SAML Metadata in the M-Pin SSO web console)
    • Assertion Consumer Service – Assertion Consumer Service setting
    • Single Sign-on URL – the M-Pin SSO SAML SSO Endpoint: setting (found under Global Settings > SSO information in the M-Pin SSO web console)
    • Single Sign-on Binding – HTTP-Redirect
    • Single Logout URL – the M-Pin SSO SAML SLO Redirect Endpoint: setting (found under Global Settings > SSO information in the M-Pin SSO web console)
    • Single Logout Binding – HTTP-Redirect
    • User ID Source – subject

    c. Click on the Save & Close button to commit your changes.

To download the certificate from your SAP HANA Cloud Platform Cockpit, visit the 'Trust' section, click on the Local Service Provider tab, then click on the Get Metadata button.

To enable SAP services in your SAP HANA account to authenticate with M-Pin SSO:

  1. Enable the service. In the Cockpit of your SAP HANA account, Services section, locate the service you want and select the Enable option.
  2. Add users to the service. Once the service has been enabled (see step 1), you need to add to the service the users who will be authorized to access it. Each user must be added to their respective user role for the service. To add users:

    a. On the service you enabled in step 1, locate the service you want and then select the Roles configuration option.
    This will take you to the Roles screen.

    b. Select the role to which you want to assign the user (e.g. GW_Admin as in the above screenshot) and then the Assign... option (marked in the picture above).
    This will open a pop-up prompting you for the User ID of the user.

    c. For User ID, add the email address with which the user is registered in your M-Pin System (see screenshot above).

    d. Select the Assign button to commit your entry and close the pop-up.
    The user is now registered with the service.

  3. Repeat steps 1-2 for every user you want to register with the service (conditional - if adding another user).

  1. Create a SAP HANA SP main profile:

    a. Under Integration, click on the + button next to SAP Main profiles.
    The Add SAPMain profile page is displayed.

    b. Complete the required fields and save the profile. Settings:

    • Name: (required) – profile name, e.g. Sample SAP HANA Main Profile
    • LDAP Profile: – if you have LDAP profiles configured, they will be available in this drop-down
    • Recipient URL: – IAM client application end point to which the M-Pin SSO SAML response is returned.
    • Metadata: (required) – the signing certificate generated in your SAP HANA account.
      After saving, the profile is displayed on the SAPMain profiles page.
  2. Create a SAP HANA SP application profile:

    a. On the Dashboard page, Integration panel, SAPApp profiles row, select the Add button.
    The Add SAPApp profiles page is displayed.

    b. Complete the required fields and save the profile. Settings:

    • Name: (required) – profile name, e.g. Sample SAP HANA Application Profile
    • LDAP Profile: – if you have LDAP profiles configured, they will be available in this drop-down
    • Application link: – IAM client application end point to which the M-Pin SSO SAML response is returned.
    • Application link: (required) – the SAP HANA application / service URL to log in to.

      After saving, the profile is displayed on the SAPApp profiles page.
  3. Repeat steps 1-2 for every application / service profile you want to configure (conditional – if configuring more than one app).