The Alteryx 2023.1 release brings Okta authentication support (Single Sign-On, SSO) for SAP Hana. This update allows users to authenticate to SAP Hana Cloud with Okta accounts. In this post, we’re going to take a look at the Okta and SAP HANA Cloud configuration needed to enable this authentication mechanism.
To access SAP Hana data with Okta accounts, users need to have the following configuration in place:
Have the latest version of the SAP Hana ODBC driver (SAP Hana Client 2.0) installed on users' machines. The latest version can be downloaded from the Alteryx Data Sources page (Data Sources | Alteryx Help) or the SAP download page;
Have an Okta account created within the organisation’s Okta tenant;
Have an SAP user created within the SAP Hana Cloud account, with a role assigned and a username matching the Okta account username;
Obtain the authentication details required to set up a new connection between Alteryx Designer and the SAP Hana Cloud instance.
Please note, the following example is intended for demonstration purposes only. We recommend engaging your systems team to help you with the configuration.
Configure OKTA
Set up and configure an OAuth2 application with Okta. We call it SAP/Okta for the purpose of this document.
1. Create a new application and select the OIDC - OpenID Connect option. For the application type, select Web application.
2. In the application configuration, “Refresh token” must be checked in the “Grant type” section. Specify the redirect URI, which must be http://localhost:<port>/, filling in your chosen port number. You can choose any port you wish to use. Note the full redirect URI; you will need it later.
When creating the application, you can also configure assignment controls: scroll down to Assignments and select the assignment type you need.
3. Create a new Okta authorization server and assign the application created in the previous step to it.
b. Set “Audience” to your SAP HANA Cloud instance. In this example, we use the SAP instance URI as the audience value.
Note: the scope claims can be validated by your SAP Hana Cloud instance if needed. Please reach out to the SAP Hana support team for details.
d. Create an Access Policy by going to the Access policies tab;
f. In the Policy configuration, click “Add rule”;
g. Do not change any rule parameters, just click “Create rule”.
4. Create users in the Okta directory and assign them to the SAP/Okta application.
Note: an Okta SSWS token is required to access this endpoint. Your JWK shall adhere to this standard
{
"kty": "RSA",
"alg": "RS256",
"kid": "zV1iZXSKXOlWpucuO-2ngVK_qn_LimXxuwr8omLasa9bw",
"use": "sig",
"e": "AQAB",
"n": "r0H-ak1gXEkxuELsYMhPufKmmOBhr3YAmb3Z6zQ7jrEpSjQq3BbJEZ1W3IVWmrHiRC7FoGtTXogMBTCiPsZVBd7YpfhWwl17N5ttT9Lx00gic2mBxEnxQTj2rl0BHjSw3t4A8R-1vK52HMjokRsmc0CUqy7eoDV-0w9pg48Kb2k4lpDb7f5bjjdOax9YocGtYiG7zvQhUvmjPpKxT4X2GwIZQn9DGyB9RTSg_2P4lD1O76rrN8OuMoJ5qKxZLkv9m8zfoIc-wydPfBe3oNBFJW4cRPRMqQR37_ViqpFk5k8ZebcwWnYFPJ4az4enr3ddtzzX7yy1ysJJxKjzQ"
}
2. Convert the JWK obtained above to PEM. The output shall have the following format:
-----BEGIN RSA PUBLIC KEY-----
MIIBCgKCAQEAr0HAfU+FP7k1gXEkxuELsYMhPufKmmOBhr3YAmb3Z6zQ7jrEpSjQ
q3BbJEZ1W3IVWmrHiRC7FoGtTXogMBTCiPsZVBd7YpfhWwl17N5ttT9Lx00gic2m
BxEnxQTj2rl0BHjSw3asdazzz+1vK52HMjokRsmc0CUqy7eoDV+0w9pg48Kb2k4lpD
b7f5bjjdOax9YocGtYiG7zvQhUvmjPpKxT4X2GwIZQn9DGyB9RTSg/2P4lD1O76r
rN8OuMoJ5qKxZLkv9m8zfoIc+wydPfBe3oNBFJW4cRPRMqQR37/ViqpFk5k8Zebc
wWnYFPJ4az4enr3ddtzzX7yy1ysJJxKjzQIDAQAB
-----END RSA PUBLIC KEY-----
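An added example, not from the original post or from Alteryx, Okta or SAP: one way to do the JWK-to-PEM conversion from step 2 with only the Python standard library, producing the PKCS#1 `RSA PUBLIC KEY` layout shown above. The sample modulus is constructed for illustration and is not a real key; the key-type, private-member and `min_bits` checks are assumptions of this example.

```python
import base64
import textwrap

def b64url_decode(value: str) -> bytes:
    # JWK members are base64url without padding; restore it before decoding.
    return base64.urlsafe_b64decode(value + "=" * (-len(value) % 4))

def der_len(length: int) -> bytes:
    # DER length: short form below 128, otherwise 0x80 | byte count, then bytes.
    if length < 0x80:
        return bytes([length])
    body = length.to_bytes((length.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def der_integer(raw: bytes) -> bytes:
    # Unsigned big-endian value -> DER INTEGER. A leading 0x00 keeps a value
    # with its top bit set from being read as negative.
    raw = raw.lstrip(b"\x00") or b"\x00"
    if raw[0] & 0x80:
        raw = b"\x00" + raw
    return b"\x02" + der_len(len(raw)) + raw

def jwk_to_pkcs1_pem(jwk: dict, min_bits: int = 2048) -> str:
    # Checks below are assumptions of this example, not requirements from the post.
    if jwk.get("kty") != "RSA" or jwk.get("use", "sig") != "sig":
        raise ValueError("expected an RSA signing key")
    if "d" in jwk:
        raise ValueError("JWK carries private key material; export the public key only")
    n, e = b64url_decode(jwk["n"]), b64url_decode(jwk["e"])
    if int.from_bytes(n, "big").bit_length() < min_bits:
        raise ValueError("RSA modulus shorter than min_bits")
    # PKCS#1 RSAPublicKey ::= SEQUENCE { modulus INTEGER, publicExponent INTEGER }
    body = der_integer(n) + der_integer(e)
    der = b"\x30" + der_len(len(body)) + body
    b64 = base64.b64encode(der).decode("ascii")
    return ("-----BEGIN RSA PUBLIC KEY-----\n"
            + "\n".join(textwrap.wrap(b64, 64))
            + "\n-----END RSA PUBLIC KEY-----\n")

# Constructed 256-byte sample modulus (not a real key), in the page's JWK shape.
SAMPLE_N = bytes([0xAF]) + bytes(range(1, 256))
SAMPLE_JWK = {
    "kty": "RSA", "alg": "RS256", "use": "sig", "kid": "constructed-example",
    "e": "AQAB",
    "n": base64.urlsafe_b64encode(SAMPLE_N).rstrip(b"=").decode("ascii"),
}

if __name__ == "__main__":
    print(jwk_to_pkcs1_pem(SAMPLE_JWK), end="")
```

For a 2048-bit modulus with exponent 65537 the body always begins with `MIIBCgKCAQEA` and ends with `IDAQAB`, which is a quick sanity check on a converted key before uploading it.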
1. To add a new IdP provider, go to the JWT Identity Providers menu in SAP HANA Cloud Cockpit and add a new provider.
2. You will be required to specify the JWT provider name, the issuer URL and the default external identity claim used to map SAP users to Okta identities.
3. Add a new public key by navigating to the public key store of your SAP HANA Cloud instance.
5. Now we are required to link the JWT provider with its public key by creating a new certificate collection. Navigate to certificate collections.
6. Add collection → provide a name of your choice → select the public key we added in the previous step → set the purpose to JWT and select the Okta provider we created in step 1 of this section. Next, add the public key we created in step 4 to this collection.
Finally, create a new user with JWT authentication enabled
To create a user, go to the User Management menu → create a new user and enable the JWT authentication mechanism for the user. Next, click Add JWT Identity and select the Okta JWT provider we created earlier.
Connect to SAP Hana Cloud with your Okta account
Now that you have established trust between your SAP Hana Cloud instance and Okta, you can access SAP Hana data from Alteryx Designer using your Okta account. Add an input or output tool, check the “Use Data Connection Manager (DCM)” box and select SAP Hana from the list of available data sources in Alteryx Designer. Next, select the Quick Connect option and provide your SAP Hana instance details.
Create a new credential and select the Okta authentication method. Provide the following parameters:
Create a new credential and select Okta. Provide a descriptive name for the application and set the scope to the scope value you defined when configuring the authorization server.
After filling out the above details and clicking Connect, you will be redirected to the Okta login page. You will be prompted to log in with your Okta account, grant this application the required permissions, and read your SAP Hana data.