SAP Analytics Cloud: Live Data Connection to HANA in SAP Cloud Platform With SSO
In my previous blog, I was able to create a Calculation View in my HANA in SAP Cloud Platform (SAPCP) trial account to be consumed in SAP Analytics Cloud (formerly known as BOC). My goal is to be able to set up Live Data Connection to HANA in SAPCP using Single sign-on (SSO). You can find all the information in the complete documentation of the product.
To simplify the steps to configure SSO, I am breaking the process into a few steps. I will use my Calculation View in SAP Analytics Cloud just to confirm that everything works fine before configuring SSO.
1. Using the calculation view from HANA in SAP Cloud Platform (username/password)
2. Configuring SSO to HANA in SAP Cloud Platform
2.1 Getting the Service Provider information from HANA
2.2 Creating a Connection using SSO
2.3 Import the metadata.xml from SAP Analytics Cloud to your HANA SAML Identity Provider
2.4 Enable SAML in HANA XS Administration for INA service
2.5 Map your HANA user to trust the SAP Analytics Cloud user when using that connection
2.5.1 Copy the SAML User mapping from SAP Analytics Cloud
2.5.2 In your HANA database, add that Identity for your HCPUSER account
1. Using the calculation view from HANA in SAP Cloud Platform using login and password
This seems silly as you probably landed in this blog looking for SSO. However, before we start configuring authentication I would like to confirm that your user in SAP Analytics Cloud is authorized to create connections, models, etc. and your HANA user has the correct privileges and roles to use the Calculation View in SAP Analytics Cloud.
Connect to your SAP Analytics Cloud (SAC) tenant:
https://yourcompany.region.sapanalytics.cloud
Your user must have the following roles:
Modeler
BI_Content_Creator
1. Creating a connection
Go to the Connections menu and select + to add a new Live HANA connection.
You need to select:
Connection Type: SAP Cloud Platform
SAP HANA Cloud Platform Account: PXXXX
Database Name: YourDatabase
Landscape Host: Trial (in my case)
I leave the Credentials setting as User Name and Password.
User Name: HCPUSER
If everything goes well, you should be able to create the connection. Next step: Creating the model.
You may receive the following message:
For this message, make sure that the BOC user account has the correct roles assigned, as detailed in my previous blog post.
2. Creating a model
We should use the menu Create > Model > User datasource > Live Data Connection
Information required:
System: Connection previously created
Data Source: name of the Calculation View
You should be able to see the measures from your Calculation View along with some details on decimals and aggregation types that you can modify.
Now you can create a Story or explore your data.
2. Configuring SSO to HANA in SAP Cloud Platform (formerly HCP)
Now that we know that everything is working using username and password, we can go ahead and configure SSO between SAP Analytics Cloud and HANA in SAPCP.
2.1 Getting the Service Provider information from HANA
We need to access the XS Admin page:
For SAP Cloud Platform Trial you can do it from your cockpit link or directly by typing:
https://DBName+AccountName.hanatrial.ondemand.com/sap/hana/xs/admin
Where <DBName> is the name of your database and <AccountName> is the name of your trial account.
In my case, this URL is:
https://salesjuliantrial.hanatrial.ondemand.com/sap/hana/xs/admin
You should see the typical XS admin login page:
If you get a 403 Forbidden error, it means that you forgot to add the following roles to the account used to log in:
sap.hana.xs.admin.roles::SAMLAdministrator
sap.hana.xs.admin.roles::RuntimeConfAdministrator
Remember that this can be done easily using the SAP HANA Web-based Development Workbench:
https://DBName+AccountName.hanatrial.ondemand.com/sap/hana/ide/security/
Once you are in the XS Admin Tool, you will need to copy the name in the following menu:
Main Menu > SAML Service Provider > Copy the name that appears in the Provider information page:
We will need this name later on in SAP Analytics Cloud to establish the trust relationship between the two systems.
2.2 Create a new connection in SAP Analytics Cloud that will use SSO
Connect to your SAP Analytics Cloud tenant and create a new connection using the menu Connections > + (Add Connection) > Live Database Connection > SAP HANA
Complete the information required:
SAP Cloud Platform Account: <your SAPCP account>
Database Name: <Name of your DB>
Landscape Host: Select from the list according to your SAPCP account
Credentials: SAML Single Sign On
SAML Provider Name: <name copied from XS Admin in previous step>
Click on the button Download Metadata and save the XML file: metadata.xml.
2.3 Import the metadata.xml from SAC to your HANA SAML Identity Provider
We now need to indicate in HANA that we will be trusting the connections coming from our BOC tenant. We achieve this by importing the metadata.xml that we just saved during the creation of the connection.
We go back to our HANA in SAPCP XS Admin tool:
https://DBName+AccountName.hanatrial.ondemand.com/sap/hana/xs/admin
We go to the menu:
Menu > SAML Identity Provider > click on + sign and copy the content of the metadata.xml file that you saved from BOC.
Some information should be populated in the General Data and Destination section. We will only modify the following two entries:
SingleSignOn URL (RedirectBinding): /saml2/sso
SingleSignOn URL (PostBinding): /saml2/sso
When we click on save, we will see the name in the list of Identity Providers. We will use it later.
2.4 Enable SAML in HANA XS Administration for INA service
Without leaving the HANA XS Admin tool we will go to the menu:
Menu > XS Artifact Administration
In the Packages area we select:
sap > bc > ina > service > v2
Warning! Make sure you are in that v2 package, or you may affect the authentication to your XS Admin tool.
Select the SAML checkbox if the checkbox is not already enabled.
Choose a SAML IdP: the name created in the previous step.
Save the SAML identity provider.
2.5 Map your HANA user to trust the SAP Analytics Cloud user when using that connection
To make it simple and understand what is happening, I will manually map a single user. You can always follow the steps to automatically map your users.
2.5.1 Copy the SAML User mapping from SAP Analytics Cloud
Login to your SAP Analytics Cloud tenant and go to the menu:
Menu > Security > Users
Find your user and copy the value in the column SAML USER MAPPING. For example: P009128
Note that from Wave 24 this column is disabled by default and the P-number is not displayed. You can obtain it by exporting the list of users to CSV.
2.5.2 In your HANA in SAPCP add that Identity for your HCPUSER account
I will execute the SQL command using SAP Cloud Platform Cockpit > SAP HANA Web-based Development Workbench > Catalog
https://DBName+AccountName.hanatrial.ondemand.com/sap/hana/ide/
You need to use an account with enough rights to make the changes: in my example I am using SYSTEM, which has these roles assigned:
sap.hana.ide.roles::CatalogDeveloper
sap.hana.ide.roles::SecurityAdmin
The SQL command to execute is:
ALTER USER <HANA USER> ADD IDENTITY '<SAML MAPPING>' FOR SAML PROVIDER <IMPORTED IdP NAME>;
Where:
<HANA USER>: HANA user with enough rights to execute the Calculation View. HCPUSER from my previous blog.
<SAML MAPPING>: SAML ID copied from BOC. In our case P004320.
<IMPORTED IdP NAME>: The name we had in step 2.4 after importing the metadata.xml file in XS. In our case user_businessobjects_cloud.
ALTER USER HCPUSER ADD IDENTITY 'P004320' FOR SAML PROVIDER USER_BUSINESSOBJECTS_CLOUD;
ALTER USER HCPUSER ENABLE SAML;
I added the second line to make sure we activate SAML for this account.
Using HANA Studio or the Web-based Development Workbench I will verify that SAML is activated for my user HCPUSER and the Identity Provider is correctly listed:
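The same verification can be done in SQL from the Catalog. As an added example that is not part of the original post, the queries below read the HANA system views SYS.SAML_PROVIDERS and SYS.SAML_USER_MAPPINGS (assumed available on HANA 1.0 SPS 12 and HANA 2.0) using the user, provider and P-number values from this post:

```sql
-- Added example (not from the original post): verify the SAML mapping created in step 2.5.2.
-- Assumes the standard system views SYS.SAML_PROVIDERS and SYS.SAML_USER_MAPPINGS.

-- 1. The identity provider imported from metadata.xml must exist under the name used in step 2.4.
--    SUBJECT_NAME/ISSUER_NAME come from the certificate in the SAC metadata.
SELECT SAML_PROVIDER_NAME, SUBJECT_NAME, ISSUER_NAME
  FROM SYS.SAML_PROVIDERS
 WHERE SAML_PROVIDER_NAME = 'USER_BUSINESSOBJECTS_CLOUD';

-- 2. HCPUSER must have the SAC SAML USER MAPPING value (P004320) as its external identity
--    for that provider. No row here explains the "failed to connect" error in BOC.
SELECT USER_NAME, SAML_PROVIDER_NAME, EXTERNAL_IDENTITY
  FROM SYS.SAML_USER_MAPPINGS
 WHERE USER_NAME = 'HCPUSER'
   AND SAML_PROVIDER_NAME = 'USER_BUSINESSOBJECTS_CLOUD';

-- 3. Review every HANA account reachable from the SAC tenant through this provider:
--    each row is an SAC user (EXTERNAL_IDENTITY) that HANA will accept as USER_NAME,
--    so no P-number should point at a more privileged account than intended (e.g. SYSTEM).
SELECT USER_NAME, EXTERNAL_IDENTITY
  FROM SYS.SAML_USER_MAPPINGS
 WHERE SAML_PROVIDER_NAME = 'USER_BUSINESSOBJECTS_CLOUD'
 ORDER BY USER_NAME;
```

Run the queries with an account that has SELECT on the SYS views (SYSTEM in this post); the mapping in query 2 must match the P-number exported from SAC character for character, as HANA compares it case-sensitively.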
Note that if SAML is not configured, you will receive the following error message when trying to use the connection in BOC:
Firefly Error: Error [Protocol]: (#500) Internal Server Error StatusCode in ResponseMessage != OK; please refer to the database trace for more information
The last step is to create a model in SAC to verify that the connection works correctly and that we can retrieve data using SSO.
We log in to our SAC tenant and use the menu (+) Create > Model to select the connection we created: HCPSSO.
We should be able to create a model and use it in Stories. For more information on Models and Stories, check the Videos created for SAP Analytics Cloud.
Fantastic, thank you Julian!
Hi Julian,
this is a fantastic article. I sent you an email with some additional detailed questions regarding this topic. I would really appreciate it if you could find time to take a look at the issue we described.
Many thanks!
Ondrej
I really like this article. Very well set up with clear guidelines. I tried it myself and succeeded. Thanks a lot!
Hi Julian,
This is a very good article, very clear, and I have been able to follow the steps easily. Great help. Thank you so much.
May I ask a quick question? The CA view that I have created is not visible in the Data Source drop-down. Would you know what needs to be done? I am sure it is an authorization issue, because I can run and see the CA view from Eclipse.
Regards, Oli
Hi Oli,
I assume you are using the same HANA user in Eclipse and in your BOC HANA connection. Is this happening while using manual authentication or after configuring SSO?
Cheers,
Julian
Hi Julian,
Just want to make sure whether the user will also get an authentication pop-up when using SSO as set up above, when the user wants to access the HCP Live Connection after successfully logging in to the BOC site?
Hi Budi,
I am not sure if I understood your question. If you are referring to a fallback method (if SSO is not correctly configured for the account, then manual authentication), the answer is no: you will get the error message "failed to connect to the system" when trying to create a model.
Regards,
Julian
Dear Julian,
I tried the steps, but first I got the error message Failed to connect, and when I checked the Network trace I got a message from getserverinfo that dynamic user creation was not possible (hence I enabled Dynamic User Creation in HANA XS admin). Now this error does not occur, but I get unable to retrieve data.
Can you please help, and also give an example of how to automatically map your users?
Hi Arun,
When exactly do you get the error connecting? At what step of the process? I assume you can connect using username/password without problems.
Regards,
Julian
Hello Julian,
Thank you for this article. I tried to configure SSO to connect to HCP. I configured the SAML before I connected from BO Cloud using the provider name (step 2.2, Create a new connection in BOC that will use SSO, I did after 2.5.2). I lose connection to the Database and can't access it, see the attached photo. I am using the trial version; does the order of these 3 steps count? And please, if I am using my productive account, is it risky to connect with SSO? Thank you
Best Regards,
Hi Aimas,
Where do you get this error message?
Thanks,
Julian
Hello Julian.
I try to define a live connection from BO Cloud to Hana Trial, beginning with a user/password method before trying SAML.
The username/password that we must use in this kind of connection: is it the user defined in BO Cloud, the user defined in the Hana DB, or some other user?
I tried all these users and always receive the error message 'connection failed'...
Is there somewhere a log where I can find more information about this message?
Thanks for your support ...
Hi Alain,
The username that you need to use is the HANA account with INA role assigned.
Regards,
Julian
Hi Julian,
I've followed the SAP URL and your blog combined, but when I try to access STORIES from SAP Cloud Analytics, it gives an error "Failed to connect to system". I'm manually mapping the user here.
Could you please help me on this.
Regards
Ehtesham Hussain
Hi Ehtesham,
Are you able to connect using Username and Password?
If you test the connection, do you get any error? You can copy errors that may appear in System > Monitor > Traces.
Regards,
Julian
Hi Julian,
Yes, we're able to connect using username & password.
Also, please be informed that we've edited our existing connection and changed it to SAML Single Sign-On. It is fine.
We've tried to create a new connection with SAML Single Sign-On and we're getting the same error "Failed to connect to system".
There are no traces found.
Regards
Ehtesham Hussain
Hi Ehtesham,
The easiest way to test what is happening is using a tool to capture SAML assertions, such as the one detailed in this KBA 2487567
Steps to verify:
https://<DB><ACCOUNT>.REGION.sap.hana.ondemand.com/sap/bc/ina/service/v2/GetServerInfo
You should not be prompted for username and password as it should take your SAML credentials. If it does, it means that your configuration of SAP Cloud Platform is missing something.
Regards,
Julian
Hi Julian,
Is it mandatory to use the P-id (PXXXXXX) as the external identity for SAML (HANA)?
Can't we use the user ID of BOC as the external identity?
Regards
Ehtesham Hussain
Hi Ehtesham,
The P-user is the Custom SAML attribute used to send back who you are.
I will try to explain here how this works:
If you are using your own SAML Identity Provider for both HANA and SAP Analytics Cloud, you don't need these extra steps, as the User ID will be the same in both systems.
Regards,
Julian
Hi Julian,
thank you for the clear article.
We have activated the SSO with HANA Cloud and the HANA Analytic Privileges work correctly according to the SAC user in use.
Is it possible to activate a similar SSO even with HANA on-premise?
We have tried the SAC guide, but in that way we have an SSO without control on the user used in HANA (and therefore on the functioning of the Analytic Privilege).
I found a blog that explains the Direct Authentication with X.509 Client Certificate or Kerberos, but in this case identities on SAC and HANA are not centrally managed and the HANA user is not strictly related to the SAC user.
Would it not be possible, for example, to use SAP Cloud Identity also for HANA on-premise?
Regards,
Andrea
Hi Andrea,
You can have a similar SSO with HANA on-premise but you need your SAML Identity Provider: ADFS, SAP IAS, etc. Both systems must use the same SAML Identity Provider: SAC and HANA on-premise.
When we exchange the metadata between HANA in Cloud Platform and SAC, it is done in the connection. That is not available for HANA on-premise, as it is not SAC establishing the connection to HANA but your browser directly.
You can map Kerberos or certificates in HANA and select authentication as "None" in SAC. Your browser will authenticate independently to each:
Two different sessions but valid to achieve an SSO end-to-end experience.
Regards,
Julian
Hi Julian,
thanks for the quick response.
The second option (Kerberos or certificates), if I understood correctly, does not allow a direct connection between the SAC user and the HANA user, but links the HANA user to the browser (so if in the same client I switch SAC user, the HANA user stays the same).
This does not allow me to use HANA's Analytic Privileges to restrict the data displayed to the SAC user.
If so, the only option in my case is to use an external Identity Provider.
Thanks again
Andrea
Hi Julian,
Thank you for this excellent article, do you have any SSO from SAC to Hana OnPremise?
Thanks for your help!!
Regards,
John A.