Configuring SAP HANA for SAML single sign-on (SSO) with Qlik Sense

When you have many users who have different access rights in SAP HANA, you can create a single sign-on (SSO) ODBC connector to SAP HANA and use SAP HANA security for authentication instead of creating multiple ODBC connectors with credentials passed.

A user of Qlik Sense should be able to be identified and authenticated from Qlik through to SAP HANA. Therefore someone viewing an application through the hub in Qlik Sense, would only be able to see the values and attributes that they are authorized to see in the SAP HANA system. This will not apply to static data that has already been loaded in to a Qlik application. But will apply where a user is making a new connection, reloading data or using Direct Discovery.

This is useful when you have a number of designers or many users of apps. A key component of this is to allow a user to log in to a Qlik app and pass the userid through to the connection string dynamically allowing each user to effectively connect to source with their own database login. This would enable all of the row/table level security to remain at source.

To set up SSO, do the following:

備註: Steps 1-4 are performed in your SAP HANA Studio.
  1. Generate a certificate and private key.
  2. Install the certificate in SAP HANA.
  3. Create an identity provider (IdP) and user mappings in SAP HANA Studio.
  4. Validate your SAP HANA configuration.
  5. Configure Qlik Sense by distributing the PEM files to all nodes in your Qlik Sense installation. Use the same certificate on all nodes.

    • On each computer, copy the certificate and private key files to the certificate folder. By default, this is C:\ProgramData\Qlik\Sense\Engine\Certificates.
    備註: Make sure the certificates are named Qlik.pem and Qlik_key.pem
  6. Create an ODBC connection to SAP HANA.

    • Select Current user.

      Any use of the data connection will now be executed with the end user credentials from SAP HANA.

    • Select data and verify that available data aligns with the privileges of the mapped database user.

Enable settings in Qlik Sense by navigating to C:\ProgramData\Qlik\Sense\Engine and opening Settings.ini. The table below defines the SSO settings possible.

Name Default Description
SSOCertificateFolder Default engine folder Folder where certificates will be created.
SSOCertificate ”qlik.pem” Certificate file name.
SSOPrivateKey ”qlik_key.pem”

Private key name.

SSOCasing 0

0: Case sensitive

>0: Upper case

<0: Lower case

SSOExternalId 0

0: QlikId (domain\username)

1: UPN

(username@domain.com)

2: (username)

See also: