You can configure Tableau Server to use SAML delegation to provide a single sign-on (SSO) experience for SAP HANA. This scenario is not dependent on SAML authentication to Tableau Server. You do not need to use SAML sign on with Tableau Server in order to use HANA SAML delegation. You can sign in to Tableau Server using whatever method you choose.
With SAML delegation for SAP HANA, Tableau Server functions as an identity provider (IdP).
Before you begin
Configuring SAML delegation with SAP HANA requires configuration on both Tableau Server and on SAP HANA. This topic provides configuration information about configuring Tableau Server. Before you configure Tableau Server, you must complete the following:
- Acquire a SAML certificate and key file for Tableau Server. The certificate file must be a PEM-encoded x509 certificate with the file extension .crt or .cert. This file is used by Tableau Server, and must also be installed on HANA. The private key must be a DER-encoded private key file that is not password protected, and that has the file extension .der. This file is only used by Tableau Server.
- Install the certificate in HANA. To avoid
libxmlsecerrors in HANA, we recommend configuring in-memory certificate store on SAP HANA. For more information, see this SAP support topic(Link opens in a new window).
- Install the latest version of SAP HANA driver (minimum version is 1.00.9) on Tableau Server.
- Configure network encryption from Tableau Server to SAP HANA (recommended).
For more information about generating the certificate/key pair, encrypting the SAML connection, and configuring SAP HANA, see How to Configure SAP HANA for SAML SSO with Tableau Server(Link opens in a new window) in the Tableau Community.
Configure Tableau Server SAML for SAP HANA
If you are running Tableau Server in a distributed deployment, run the following procedure on the initial node.
Place certificate files in a folder named
saml. For example:
C:\Program Files\Tableau\Tableau Server\SAML
Run the following commands to specify the location of the certificate and key files:
tsm data-access set-saml-delegation configure --cert-key <cert-key> --cert-file <cert-file>
<cert-file>are file paths to the private key and certificate file, respectively.
tsm data-access set-saml-delegation configure --cert-key "c:\Program Files\Tableau\Tableau Server\SAML\saml_key.der" --cert-file "c:\Program Files\Tableau\Tableau Server\SAML\saml_cert.crt"
You can specify other options. For example, you can specify user name format and how credentials are normalized. See tsm data-access.
Run the following commands to enable delegation:
tsm data-access set-saml-delegation enable
tsm configuration set -k wgserver.sap_hana_sso.enabled -v true
tsm configuration set -k wgserver.delegation.enabled -v true
When you have finished, run
tsm pending-changes apply.
If the pending changes require a server restart, the
pending-changes applycommand will display a prompt to let you know a restart will occur. This prompt displays even if the server is stopped, but in that case there is no restart. You can suppress the prompt using the
--ignore-promptoption, but this does not change the restart behavior. If the changes do not require a restart, the changes are applied without a prompt. For more information, see tsm pending-changes apply.