ext-fsatorra
New Member

SAML SSO from Power BI to HANA on cloud

Hello,

In my organization we connected Power BI to a HANA database in cloud (in SAP CP). To achieve this we put in the middle a SAP Cloud Connector (SAP CC). It works perfectly but...

We needed to add SSO (using SAML) to propagate the user to the database so we could apply our security privileges on the data for each user.

We followed the guide to set up SSO (SAML) from Power BI to HANA but when we tested a report that uses this configuration it didn't work.

Guide: https://docs.microsoft.com/en-us/power-bi/service-gateway-sso-saml

In the Power BI Gateway log I see these messages:

DM.EnterpriseGateway Error: 0 : 2019-08-27T16:56:40.2205171Z DM.EnterpriseGateway 34362901-f01b-424a-9ae8-0e9510364300 16f95e75-ab83-0fa9-cc75-9f618e20c44e MDSR 16f95e75-ab83-0fa9-cc75-9f618e20c44e b9d649e9-a791-4276-9992-b88d811c90f3 b9d649e9-a791-4276-9992-b88d811c90f3 DDD37E27 [DM.GatewayCore] Error processing request: [0]Microsoft.PowerBI.DataMovement.Pipeline.Diagnostics.SAMLAssertionCertificateCanNotBeFoundException: Can not find SAML assertion certificate.
GatewayPipelineErrorCode=DM_GWPipeline_Gateway_SAMLAuthenticationCertificateCanNotBeFound
GatewayVersion=3000.5.185

Additionally, I'm using another product similar to Power BI in the same way (SAP Analytics Cloud) and it works perfectly so I don't think it could be a HANA setup problem.

Indeed the error says that the SAML Assertion Certificate couldn't be found, but I don't understand what it means as I did exactly what the mentioned guide indicates.

In Power BI Service, when I test a report that uses this data source, the error says:

Cannot load model
Couldn't load the model schema associated with this report. Make sure you have a connection to the server, and try again.
Please try again later or contact support. If you contact support, please provide these details.
Activity ID: 1176d00d-b757-4d9a-8b7a-28aae6f73adb
Request ID: 94bb42c3-4d51-f9b7-1c0b-623ff9709006
Correlation ID: b8479191-b6c0-a55a-b690-66e2ee720e87
Time: Tue Aug 27 2019 15:04:41 GMT-0300 (Argentina Standard Time)
Version: 13.0.10537.179
Cluster URI: https://wabi-south-central-us-redirect.analysis.windows.net

In Power BI Gateway, when I go after the error to check what happened I see the error:

DM.EnterpriseGateway Error: 0 : 2019-08-27T16:56:40.2205171Z DM.EnterpriseGateway 34362901-f01b-424a-9ae8-0e9510364300 16f95e75-ab83-0fa9-cc75-9f618e20c44e MDSR 16f95e75-ab83-0fa9-cc75-9f618e20c44e b9d649e9-a791-4276-9992-b88d811c90f3 b9d649e9-a791-4276-9992-b88d811c90f3 DDD37E27 [DM.GatewayCore] Error processing request: [0]Microsoft.PowerBI.DataMovement.Pipeline.Diagnostics.SAMLAssertionCertificateCanNotBeFoundException: Can not find SAML assertion certificate.
GatewayPipelineErrorCode=DM_GWPipeline_Gateway_SAMLAuthenticationCertificateCanNotBeFound
GatewayVersion=3000.5.185

And in Power BI Desktop I don't have any problem to create anything to HANA (but I'm not using this SSO so it's ok).

Can you help me to understand what "Can not find SAML assertion certificate" means and how I could solve it?

Meanwhile I've created a ticket to the Support team. I will complete this post if I find the solution.

9 REPLIES 9
KAATA
Helper I

Hi @ext-fsatorra,
I am struggling with the same error you have. Did you manage to find a solution?
Thanks in advance,
KAATA

Hi KAATA,

I could use SSO but I couldn't propagate the user towards HANA.

So I implemented RLS (row level security) in Power BI as a workaround.

1. Which error are you getting?
2. Are you trying to propagate the user to HANA?
3. Is your HANA in Neo or in CloudFoundry?

Kind regards,
Fernando

Hi Fernando,
Thanks for your quick reply. I might need to use Kerberos instead, so I will have to change the focus.
Thank you,
KAATA

kathraji
Frequent Visitor

Hi,

I'm getting the same error when trying to enable SSO for HANA. Were you able to resolve the issue?

Regards,

Anil Kumar

v-diye-msft
Community Support

Hi,

Sorry I can't replicate your problem, hopefully there's a hint from support team.

Community Support Team _ Dina Ye
If this post helps, then please consider Accept it as the solution to help the other members find it more quickly.

Hi Dina,

Thank you for trying.

Let me share my news... I was diving into the Gateway's log and especially in these lines:

DM.EnterpriseGateway Error: 0 : 2019-08-28T21:57:00.7587913Z DM.EnterpriseGateway 92ca4670-94d7-4570-a667-9d83f29a428c 5c0dce7d-c345-ece6-81b8-6e3fb2240276 MGCC 5c0dce7d-c345-ece6-81b8-6e3fb2240276 e79cdf55-fd2b-4e57-8304-8971148a3956 e79cdf55-fd2b-4e57-8304-8971148a3956 50700D05 [DataMovement.PipeLine.GatewayDataAccess] Couldn't find saml cert


DM.EnterpriseGateway Error: 0 : 2019-08-28T21:57:00.7637915Z DM.EnterpriseGateway 92ca4670-94d7-4570-a667-9d83f29a428c 5c0dce7d-c345-ece6-81b8-6e3fb2240276 MGCC 5c0dce7d-c345-ece6-81b8-6e3fb2240276 e79cdf55-fd2b-4e57-8304-8971148a3956 e79cdf55-fd2b-4e57-8304-8971148a3956 2C947EB8 [DM.Pipeline.Diagnostics] Exception object created [IsBenign=True]: Microsoft.PowerBI.DataMovement.Pipeline.Diagnostics.SAMLAssertionCertificateCanNotBeFoundException: Can not find SAML assertion certificate.; ErrorShortName: SAMLAssertionCertificateCanNotBeFoundException


DM.EnterpriseGateway Error: 0 : 2019-08-28T21:57:00.7827929Z DM.EnterpriseGateway 92ca4670-94d7-4570-a667-9d83f29a428c 5c0dce7d-c345-ece6-81b8-6e3fb2240276 MGCC 5c0dce7d-c345-ece6-81b8-6e3fb2240276 e79cdf55-fd2b-4e57-8304-8971148a3956 e79cdf55-fd2b-4e57-8304-8971148a3956 A14C45E8 [DM.Pipeline.Diagnostics] StackTrace: at Microsoft.PowerBI.DataMovement.Pipeline.Diagnostics.SAMLAssertionCertificateCanNotBeFoundException.TraceConstructor()
at Microsoft.PowerBI.DataMovement.Pipeline.Diagnostics.SAMLAssertionCertificateCanNotBeFoundException.ConstructorInternal(Boolean deserializing)
at Microsoft.PowerBI.DataMovement.Pipeline.GatewayDataAccess.SAMLSSOHelper.GetSignedXml(String effectiveUserName, String certThumbprint, Int32 driftTolerance, Int32 assertionLifetime)
at System.Lazy`1.CreateValue()
at System.Lazy`1.LazyInitValue()
at Microsoft.PowerBI.DataMovement.Pipeline.GatewayDataAccess.SAMLSSOHelper.GetSamlAssertion(String effectiveUserName, String certThumbprint, Int32 driftTolerance, Int32 assertionLifetime)
at Microsoft.PowerBI.DataMovement.Pipeline.GatewayDataAccess.MashupConnectionProviderBase.GetSamlMashupCredential(String effectiveUserName, String certThumbprint, Int32 driftTolerance, Int32 assertionLifetime)

As you can see,

  • first the Gateway gets the SAML Mashup Credential with the effective User Name (my email address) and the Thumbprint (the ID for the certificate we generated following the guide mentioned in my initial post), the method is GetSamlMashupCredential,
  • this method invokes another method called GetSamlAssertion which invokes another method with same parameters called GetSignedXml
  • and this method reaches an exception SAMLAssertionCertificateCanNotBeFoundException
  • so I think that the Thumbprint could be wrong (I repeated these steps from the guide but I got same error),
  • or maybe some problem when accessing the credential or something else...

The Support team didn't answer yet.

Best regards,

Fer
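
The stack trace in the post above ends in a certificate lookup by thumbprint, so a useful check on the gateway machine is whether the configured thumbprint string resolves to a certificate whose private key the current account can open. The following PowerShell is an added example, not part of the original thread and not Microsoft's code; the function name `Test-SamlSigningCert`, the store path `Cert:\LocalMachine\My` and the sample thumbprint are assumptions made for illustration.

```powershell
# Added example (not from the thread). Run on the gateway machine, ideally as
# the gateway service account, so key-access results match what the gateway sees.
function Test-SamlSigningCert {
    param(
        [Parameter(Mandatory)][string]$Configured,      # thumbprint as pasted into the config
        [string]$StorePath = 'Cert:\LocalMachine\My'    # assumed store location
    )
    $findings = @()

    # A thumbprint copied from the certificate dialog can carry spaces or an
    # invisible U+200E mark; an exact-match lookup on the raw string then fails.
    $clean = ($Configured -replace '[^0-9A-Fa-f]', '').ToUpperInvariant()
    if ($clean.Length -ne $Configured.Length) {
        $hidden = $Configured.Length - $clean.Length
        $findings += "Configured value has $hidden non-hex character(s); cleaned value is $clean"
    }
    if ($clean.Length -ne 40) {
        $findings += "Cleaned value is $($clean.Length) hex digits; a SHA-1 thumbprint has 40"
    }

    $cert = Get-ChildItem -Path $StorePath | Where-Object { $_.Thumbprint -eq $clean }
    if (-not $cert) {
        $findings += "No certificate with thumbprint $clean in $StorePath"
        return $findings
    }
    $now = Get-Date
    if ($now -lt $cert.NotBefore -or $now -gt $cert.NotAfter) {
        $findings += "Certificate is outside its validity window ($($cert.NotBefore) to $($cert.NotAfter))"
    }
    if (-not $cert.HasPrivateKey) {
        $findings += 'Certificate has no private key in this store, so it cannot sign an assertion'
    } else {
        try {
            # Opening the key fails when the current account lacks read access to it.
            $key = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($cert)
            if (-not $key) { $findings += 'Private key is not an RSA key' }
        } catch {
            $findings += "Private key exists but $env:USERNAME cannot open it: $($_.Exception.Message)"
        }
    }
    if (-not $findings) { $findings += "OK: $($cert.Subject) found with a readable private key" }
    return $findings
}

# Constructed sample value: 40 hex digits preceded by a hidden U+200E character.
Test-SamlSigningCert -Configured "$([char]0x200E)00112233445566778899AABBCCDDEEFF00112233"
```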

Anonymous
Not applicable

Hi,

Were you able to find a solution to this at all? This is something we're struggling with at the moment and our Infrastructure team haven't been able to find the issue yet.

Cheers,

Kieran

Hi Kieran,

I found a workaround and right now the situation is.... the final user logs into Power BI using SSO but this user is not propagated to HANA. Every dataset uses a technical user to connect to HANA using SSL.

We could install the certificate and get it validated when using SSL so in the near future we could try again if we can propagate the final user to HANA using SAML.

Currently we had to implement extra security in Power BI (row level) because the technical user that I've mentioned bypasses every analytic privilege in HANA.

I don't know how is your situation, but feel free to tell me and I will try to help.

Regards,

Fernando

Anonymous
Not applicable

Thanks Fernando,

That's pretty much what we've done historically with some data sets that have no security requirement, but now the business wants to report on sensitive financial data in PowerBI and ensure people only see their own data. We want to only have to maintain row level security in one place, so we need to get the SSO working.

Regards,

Kieran Magill
