MicroStrategy ONE

Integrating SSO Support with SAP HANA

Starting in MicroStrategy 2021 Update 8, SSO is a supported authentication method for SAP HANA ODBC connections. Such database instances can be only created via the Data Sources area of Workstation, but the consumption is available in Workstation, Web, and Library. This topic provides the requirements and procedure for creating and using SSO SAP HANA data sources with Entra ID (formerly Azure AD).

An Entra ID app registration properly set up for OAuth. See Configure Entra ID (Formerly Azure AD) with SAP Hana OAuth for more information.

An up-and-running SAP HANA instance, with JWT authentication configured. This is the instance that you will connect to. See Setting Up an SAP HANA Instance with OAuth or SSO for more information.

OIDC is configured for MicroStrategy with Entra ID. See Integrating OIDC Support with Entra ID for more information.

Connect to Your Environment Using OIDC

  1. Open the Workstation window.
  2. In the Navigation pane, click Environments.
  3. Click Add New Environment Connection.
  4. Enter your environment name, URL, and select the default OIDC authentication mode.
  5. Click Continue.
  6. Log into Entra ID account.

Add Your Environment’s URIs to Your Existing AD Entra ID App Registration

  1. Add your environment to the redirect URIs in Entra ID. This step is required for every environment that you want to use OAuth. Navigate to your App Registration in the Entra ID portal and click Add a Redirect URI.

  2. Choose Add a platform > Web and enter the URL of your environment in Redirect URIs. Click Configure to confirm. A list of redirect URIs appears that contains your URI.

  3. In Workstation, connect to an environment.
  4. In the Navigation pane, click , next to Enterprise Security.
  5. Choose an Environment, Display Name, and select Azure AD as the Identity Provider.

    The Login Redirect URIs update based on your environment.

  6. Copy the Library Web URI.
  7. In Entra ID, click Add URI under Web > Redirect URIs.
  8. Paste the Library Web URI that you copied.
  9. Repeat steps 6 through 8 for the Authoring Web URI.
  10. In Entra ID, click Add URI under Web > Redirect URI and enter http://localhost.
  11. Click Add URI and enter https://127.0.0.1.

  12. Click Save.

Create a Data Source, Database Connection, and Authentication Service

  1. Open the Workstation window with the Navigation pane in smart mode.
  2. In the Navigation pane, click , next to Datasets.
  3. Select the environment and select SAP HANA under Available Data Source Types.

  4. Enter a name, description, and project.
  5. Click Default Database Connection and choose Add New Database Connection.
  6. Enter a new name and the server and port number of your running SAP HANA instance.
  7. In Authentication Service, choose Add New Authentication.
  8. Enter a new name.
  9. Enter the client and directory ID from your MicroStrategy OIDC app registration. You can find these values on the Overview page of your app registration.
  10. Enter the client secret.
  11. In Scope, enter openid offline_access <your scope>, where <your scope> is the value from the Expose an API page of your app registration.
  12. Click Save in the next three windows.

Verify Your Data Source Connects

  1. Open the Workstation window with the Navigation pane in smart mode.
  2. Choose Help and check that New Data Import Experience is not selected.
  3. In the Navigation pane, click , next to Datasets.
  4. Choose your environment and project.
  5. Select Data Import Cube and click OK.
  6. Choose SAP HANA in the Data Sources window.
  7. Select Build a Query and click Next.
  8. Your new data source appears under Data Sources.
  9. Click your new data source and an Entra ID authentication browser window appears.
  10. Enter your Entra ID credentials.
  11. Once the data loads, drag and drop a table into the specified window.
  12. If data appears, your connection is established successfully.

Troubleshooting

When connecting to the data source, you may see error while parsing protocol. This error may occur in the following scenarios:

When connecting to the data source, you may receive an Invalid client secret error. To ensure you entered the correct secret, see Create a Data Source, Database Connection, and Authentication Service.