SAP Knowledge Base Article - Preview

3297091 - SAML assertion not sent to HANA when accessing WebI report after BI upgrade

Symptom

Important: The following document describes a scenario where SSL/TLS is not configured for use with the HANA connection maintained from the Information Design Tool (IDT). If you use SSL/TLS for your HANA connection(s), you should ensure that your certificates are valid and that you are not affected by the issue described by 2621455 before proceeding with this document.

---

After an upgrade to the SAP BusinessObjects Business Intelligence platform, accessing a report in Web Intelligence (WebI) that depends on a HANA data source results in a message similar to the following:
The following database error occurred: (CS) "Java Exception : java.lang.RuntimeException:
com.sap.db.jdbc.exceptions.SQLInvalidAuthorizationSpecExceptionSapDB: [10]: authentication failed" . For information about this error,
please refer to SAP Knowledge Base Article 2054721 on the SAP Support Portal. (IES 10901) 

Note: The above message is for the scenario where the JDBC driver is used to connect to the HANA DB, but the same issue may occur using other drivers (e.g. ODBC).

With HANA's authentication tracing enhanced as per 2083682, you can see that no SAML assertion is received from BI:

[10379]{-1}[-1/-1] 2023-01-31 12:37:30.991368 d Authentication   ManagerAcceptor.cpp(00030) : Prepare authentication: adding available methods
[10379]{-1}[-1/-1] 2023-01-31 12:37:30.991389 d Authentication   ManagerAcceptor.cpp(00037) : Prepare authentication: added method SessionCookie
[10379]{-1}[-1/-1] 2023-01-31 12:37:30.991398 d Authentication   ManagerAcceptor.cpp(00037) : Prepare authentication: added method X509
[10379]{-1}[-1/-1] 2023-01-31 12:37:30.991405 d Authentication   Manager.cpp(00114) : getMechs: provided mechanism=SPNEGO
[10379]{-1}[-1/-1] 2023-01-31 12:37:30.991407 d Authentication   Manager.cpp(00114) : getMechs: provided mechanism=Kerberos 5
[10379]{-1}[-1/-1] 2023-01-31 12:37:30.991416 d Authentication   ManagerAcceptor.cpp(00037) : Prepare authentication: added method GSS
[10379]{-1}[-1/-1] 2023-01-31 12:37:30.991420 d Authentication   ManagerAcceptor.cpp(00037) : Prepare authentication: added method SAML
[10379]{-1}[-1/-1] 2023-01-31 12:37:30.991424 d Authentication   ManagerAcceptor.cpp(00037) : Prepare authentication: added method SAPLogon
[10379]{-1}[-1/-1] 2023-01-31 12:37:30.991427 d Authentication   ManagerAcceptor.cpp(00037) : Prepare authentication: added method JWT
[10379]{-1}[-1/-1] 2023-01-31 12:37:30.991428 d Authentication   ManagerAcceptor.cpp(00037) : Prepare authentication: added method LDAP
[10379]{-1}[-1/-1] 2023-01-31 12:37:30.991430 d Authentication   ManagerAcceptor.cpp(00037) : Prepare authentication: added method SCRAMPBKDF2SHA256
[10379]{-1}[-1/-1] 2023-01-31 12:37:30.991434 d Authentication   ManagerAcceptor.cpp(00037) : Prepare authentication: added method SCRAMSHA256
...
[10561]{-1}[27/-1] 2023-01-31 12:37:31.008214 d Authentication   AuthenticationInfo.cpp(00039) : ENTER getAuthenticationInfo (userName=)
[10561]{-1}[28/-1] 2023-01-31 12:37:31.008325 d Authentication   Authenticate.cc(00075) : [AUTHENTICATION] logon name: , external name:  isldapenabled: 0
[10561]{-1}[28/-1] 2023-01-31 12:37:31.008330 d Authentication   Authenticate.cc(00981) : [PRE AUTHENTICATION] logon name: 
[10561]{-1}[28/-1] 2023-01-31 12:37:31.008496 d Authentication   Authenticate.cc(00148) : exception during authentication: ERROR [SQL-10] authentication failed

---

When HANA receives a SAML assertion, the authentication tracing will provide details regarding HANA's parsing of the assertion (for example traces see 2097367). Since any such details are absent in the above authentication traces, we can conclude that no SAML assertion successfully reached HANA from the BI system.

Yet, when testing SAML SSO enabled connections to HANA using the:

  • Central Management Console (CMC)
    OR
  • The Test Connection option for the HANA connection in the Information Design Tool (IDT)
    • Including the same HANA connection accessed by the WebI report

The SAML SSO is successful and a connection is established to the HANA DB.


Read more...

Environment

  • SAP BusinessObjects Business Intelligence platform
  • SAP HANA, platform edition

Product

SAP BusinessObjects Business Intelligence platform all versions ; SAP HANA 1.0, platform edition ; SAP HANA, platform edition 2.0

Keywords

driver, change driver, universe, repository resources, data source, datasource, JDBC, ODBC , KBA , BI-BIP-AUT , Authentication, ActiveDirectory, LDAP, SSO, Vintela , HAN-DB-SEC , SAP HANA Security & User Management , Problem

About this page

This is a preview of a SAP Knowledge Base Article. Click more to access the full version on SAP for Me (Login required).

Search for additional results

Visit SAP Support Portal's SAP Notes and KBA Search.