Configure SAP HANA SSO
You can configure Tableau Server to use SAML delegation to provide a single sign-on (SSO) experience for SAP HANA. This scenario is not dependent on SAML authentication to Tableau Server. You do not need to use SAML sign on with Tableau Server in order to use HANA SAML delegation. You can sign in to Tableau Server using whatever method you choose.
With SAML delegation for SAP HANA, Tableau Server functions as an identity provider (IdP).
Before you begin
Configuring SAML delegation with SAP HANA requires configuration on both Tableau Server and SAP HANA. This topic covers the Tableau Server configuration. Before you configure Tableau Server, you must complete the following:
- Acquire a SAML certificate and key file for Tableau Server.
  The certificate file must be a PEM-encoded x509 certificate with the file extension .crt or .cert. This file is used by Tableau Server and must also be installed on HANA.
  The private key must be a DER-encoded private key file, in PKCS#8 format, that is not password protected and has the file extension .der. This file is only used by Tableau Server.
- Install the certificate in HANA. To avoid libxmlsec errors in HANA, we recommend configuring an in-memory certificate store on SAP HANA. For more information, see this SAP support topic.
- Install the latest version of the SAP HANA driver (minimum version is 1.00.9) on Tableau Server.
- Configure network encryption from Tableau Server to SAP HANA (recommended).
For more information about generating the certificate/key pair, encrypting the SAML connection and configuring SAP HANA, see How to Configure SAP HANA for SAML SSO with Tableau Server in the Tableau Community.
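The following pre-flight check is an added example, not part of the Tableau documentation or of tsm. It assumes the openssl command line is installed and confirms that the certificate is PEM-encoded X.509, that the key is unencrypted DER PKCS#8, and that the two belong together; check_hana_saml_files is a hypothetical helper name.

```shell
#!/bin/sh
# Added example: pre-flight check of the SAML delegation files before
# "tsm data-access set-saml-delegation configure" is run.
# check_hana_saml_files is a hypothetical helper name, not part of tsm.
# Return codes: 0 ok, 1 bad certificate, 2 bad key, 3 key/cert mismatch.
check_hana_saml_files() {
    cert=$1
    key=$2

    # Certificate: PEM armour present and the content parses as X.509.
    if ! grep -q -e '-----BEGIN CERTIFICATE-----' "$cert" 2>/dev/null ||
       ! openssl x509 -in "$cert" -noout >/dev/null 2>&1; then
        echo "FAIL: $cert is not a PEM-encoded X.509 certificate" >&2
        return 1
    fi

    # Key: must parse as DER PKCS#8 PrivateKeyInfo. -nocrypt rejects
    # password-protected keys; PEM or PKCS#1 input fails the DER parse.
    if ! openssl pkcs8 -inform DER -nocrypt -in "$key" >/dev/null 2>&1; then
        echo "FAIL: $key is not an unencrypted DER PKCS#8 private key" >&2
        return 2
    fi

    # Pairing: the key's public half must equal the certificate's.
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null)
    key_pub=$(openssl pkey -inform DER -in "$key" -pubout 2>/dev/null)
    if [ -z "$cert_pub" ] || [ "$cert_pub" != "$key_pub" ]; then
        echo "FAIL: $key does not match the certificate in $cert" >&2
        return 3
    fi

    # The key is stored without a password, so flag loose permissions.
    if [ -n "$(find "$key" -prune -perm -004 2>/dev/null)" ]; then
        echo "WARN: $key is world-readable" >&2
    fi
    echo "OK: $cert and $key meet the format requirements"
    return 0
}

# Usage (paths from the example on this page):
# check_hana_saml_files /var/opt/saml/hana_cert.pem /var/opt/saml/hana_pkey_pkcs8.der
```

A non-zero return code identifies which requirement failed: 1 for the certificate, 2 for the key format, 3 for a key that does not belong to the certificate.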
Configure Tableau Server SAML for SAP HANA
The following procedure describes how to configure SAML for SAP HANA on Tableau Server using tsm data-access. You can also configure SAML for SAP HANA using the sapHanaSettings Entity.
If you are running Tableau Server in a distributed deployment, run the following procedure on the initial node.
Place certificate files in a folder named saml. For example: /var/opt/saml
Run the following command to specify the location of the certificate and key files:
tsm data-access set-saml-delegation configure --cert-key <cert-key> --cert-file <cert-file>
Where <cert-key> and <cert-file> are file paths to the private key and certificate file, respectively. For example:
tsm data-access set-saml-delegation configure --cert-key /var/opt/saml/hana_pkey_pkcs8.der --cert-file /var/opt/saml/hana_cert.pem
You can specify other options. For example, you can specify user name format and how credentials are normalised. See tsm data-access.
Run the following commands to enable delegation:
tsm data-access set-saml-delegation enable
tsm configuration set -k wgserver.sap_hana_sso.enabled -v true
tsm configuration set -k wgserver.delegation.enabled -v true
When you have finished, run tsm pending-changes apply.
If the pending changes require a server restart, the pending-changes apply command will display a prompt to let you know a restart will occur. This prompt displays even if the server is stopped, but in that case, there is no restart. You can suppress the prompt using the --ignore-prompt option, but this does not change the restart behaviour. If the changes do not require a restart, the changes are applied without a prompt. For more information, see tsm pending-changes apply.