
AO 2.x SSO via SAML to HANA

0 Kudos

Hi Experts,

We have a landscape consisting of BOBJ 4.1 SP00, Analysis Office 1.4 & HANA SP08 Rev 82. We have set up SSO-SAML between BOBJ & HANA via openssl-SAML. The AO users log in to the BOBJ platform to retrieve the OLAP connection to HANA and then they provide their HANA user credentials to access the HANA DB.

Now we have read that AO 2.x supports SAML. So we did an upgrade of BOBJ from 4.1 SP00 to 4.1 SP05 P5, HANA to Rev 96 and AO to 2.0 SP03. We have dismantled the BOBJ-HANA SSO SAML via openssl and have recreated it with SAP Commoncrypto. That is working fine. But we are not able to figure out how to create an SSO-SAML from AO to HANA.

We have created an OLAP HANA http connection with logon option as SSO. We also have a HANA http OLAP connection with prompt as authentication option and it is working fine. We created HANA as an Identity service provider in XS engine and have added the service provider to the user (i.e. activated SAML authentication). Still we are facing an error. The error originates from Analysis Excel, where we get the following error:

2015-07-10 09:42:49,355|DEBUG|Trace.AoPlugin|?.?|VSTA_Main|General .NET Exception:

getSAMLSSOAssertionTicket exception (Error: WSE 99999)

   at BusinessObjects.DSWS.Session.Session.getSAMLSSOAssertionTicket(String host, Int32 port)

   at com.sap.ip.bi.pioneer.core.boe.CrBoePlatformService4_1.GetSAMLAssertionTicket(String iHost, Int32 iPort)

#

2015-07-10 09:42:49,355|WARN|Trace.AoPlugin|?.?|VSTA_Main|Problem while trying to get SAMLAssertionTicket for lnx-cbd-d000.nike.com:8000

General .NET Exception:

Failed to generate the SAML assertion due to: while trying to read the field 'idpConfig' of a null object loaded from local variable 'configInfo'. (FWM 02128)

   at com.sap.ip.bi.pioneer.core.boe.CrBoeUtil.RaiseException(Exception e)

   at com.sap.ip.bi.pioneer.core.boe.CrBoePlatformService4_1.GetSAMLAssertionTicket(String iHost, Int32 iPort)

   at com.sap.ip.bi.pioneer.core.boe.CrBoeHandler.GetSAMLAssertionTicket(String iHost, Int32 iPort)

>> General .NET Exception:

getSAMLSSOAssertionTicket exception (Error: WSE 99999)

   at BusinessObjects.DSWS.Session.Session.getSAMLSSOAssertionTicket(String host, Int32 port)

   at com.sap.ip.bi.pioneer.core.boe.CrBoePlatformService4_1.GetSAMLAssertionTicket(String iHost, Int32 iPort)

Then we added a HANA authentication connection in CMC as http://hanahost:8000 and added the IDP base certificate in the HANA webdispatcher and XS engine PSE. After that we get the following:

Main|Exception happened: The remote server returned an error: (401) Unauthorized.#

2015-07-10 09:48:48,558|ERROR|Log.AoPlugin|com.sap.ip.bi.pioneer.core.connections.CrHttpConnection.Connect|VSTA_Main|<html>

401 - Not authorized</h1>

You're not allowed to access the specified resource.<br/>

Credentials are missing or incorrect.

Please enter valid credentials when being prompted.<br/>

In case you forgot your credentials please contact your system administrator.

>> XSEngine

Didn't find any blog or proper documentation on how to do the setup. Any ideas on what is missing?

1. How do we ensure that AO is sending the user credentials in the SAMLAssertion ticket?

2. Do we need to create an IDP in HANA also? (HANA identity provider and not HANA service provider)

3. What changes/config settings do we need to make in BOBJ or in AO?

Thanks,

Jyotish
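To tell apart the two failure stages quoted in the post above when reading an Analysis Office trace, here is an added example that is not part of the original thread. The stage names, the `triage` helper and the condensed sample log (with `hanahost` as a placeholder host) are assumptions for illustration; the matched strings are the ones quoted in the post.

```python
import re

# Constructed sample, condensed from the Analysis Office trace lines quoted in the post.
SAMPLE_LOG = """\
2015-07-10 09:42:49,355|WARN|Trace.AoPlugin|?.?|VSTA_Main|Problem while trying to get SAMLAssertionTicket for hanahost:8000
Failed to generate the SAML assertion due to: while trying to read the field 'idpConfig' of a null object loaded from local variable 'configInfo'. (FWM 02128)
2015-07-10 09:48:48,558|ERROR|Log.AoPlugin|com.sap.ip.bi.pioneer.core.connections.CrHttpConnection.Connect|VSTA_Main|<html>
401 - Not authorized</h1>
"""

# Record header layout seen in the post: timestamp|LEVEL|logger|location|thread|message
HEADER = re.compile(
    r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d,\d{3})\|(\w+)\|([^|]*)\|([^|]*)\|([^|]*)\|(.*)$")

# Hypothetical stage labels, checked in order against the full text of each record.
# Stage 1: the BI platform session call could not produce an assertion at all.
# Stage 2: a request reached the HANA XS engine and was answered with HTTP 401.
STAGES = [
    ("bi-platform-assertion", re.compile(r"FWM 02128|getSAMLSSOAssertionTicket exception")),
    ("hana-xs-rejected", re.compile(r"\(401\) Unauthorized|401 - Not authorized")),
]

def parse_records(text):
    """Group continuation lines (stack frames, HTML body) under their header line."""
    records = []
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            records.append({"time": m.group(1), "level": m.group(2),
                            "location": m.group(4), "text": m.group(6)})
        elif records and line.strip():
            records[-1]["text"] += "\n" + line.strip()
    return records

def triage(text):
    """Return (time, stage) for every record that matches a known failure stage."""
    findings = []
    for rec in parse_records(text):
        for stage, pattern in STAGES:
            if pattern.search(rec["text"]):
                findings.append((rec["time"], stage))
                break
    return findings

if __name__ == "__main__":
    for when, stage in triage(SAMPLE_LOG):
        print(when, stage)
```

A run that still reports the first stage never reached HANA, so the BI platform side is the place to look before touching the XS engine trust configuration.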

Accepted Solutions (1)


0 Kudos

Hi Jyotish,

Execute the following URLs in the browser:

http(s)://<server>:<port>/sap/bc/ina/service/v2/GetServerInfo

http(s)://<server>:<port>/sap/bc/ina/service/v2/GetResponse?Request={%22Metadata%22:{%22Expand%22:[%22Cubes%22]}}

The URLs above will check the correct authorization of the SSO user on the HANA database.

Please also refer to the document http://scn.sap.com/docs/DOC-64277.

I believe that this error is just a missing HANA authorization.

Thanks,

Diego Ferrary

0 Kudos

Thanks Diego,

With the help of SAP's Development Team we were able to set up the SAML SSO. It turns out that there are some restrictions in creating a HANA Identity Service Provider. This information exists only with the Dev team, and Support/AGS has no idea about these restrictions. As per the Dev team, they are working to remove these restrictions in future releases of HANA. Unfortunately there is no proper documentation on using SAML SSO with AO 2.x & HANA. I will try to create it.

Thanks

Jyotish

0 Kudos

I have created a document on this topic

Answers (0)