In my previous blog, I was able to create a Calculation View in my HCP trial account to be consumed in SAP BusinessObjects Cloud (BOC). My goal is to be able to set up Live Data Connection to HCP using Single sign-on (SSO). You can find all the information in the complete documentation of the product.

To simplify the steps to configure SSO, I am breaking the process into a few steps. I will use my Calculation View in BOC just to confirm that everything works fine before configuring SSO.

1. Using the calculation view from HCP (username/password)
2. Configuring SSO to HCP
2.1 Getting the Service Provider information from HCP
2.2 Creating a Connection using SSO
2.3 Import the metadata.xml from BOC to your HCP SAML Identity Provider
2.4 Enable SAML in HANA XS Administration for INA service
2.5 Map your HCP user to trust the BOC user when using that connection
2.5.1 Copy the SAML User mapping from SAP BusinessObjects Cloud
2.5.2 In your HCP add that Identity for your HCPUSER account

1. Using the calculation view from HCP using login and password

This seems silly as you probably landed in this blog looking for SSO. However, before we start configuring authentication I would like to confirm that your user in SAP BusinessObjects Cloud (BOC) is authorized to create connections, models, etc. and your HCP user has the correct privileges and roles to use the Calculation View in BOC.

Connect to your SAP BusinessObjects Cloud tenant:

https://yourcompany.region.sapbusinessobjects.cloud

Your user must have the following roles:

Modeler
BI_Content_Creator

1. Creating a connection

Go to the menu Connection and select to add + a new connection to Live HANA

You need to select:

Connection Type: SAP HANA Cloud Platform
SAP HANA Cloud Platform Account: PXXXX
Database Name: YourDatabase
Landscape Host: Trial (in my case)

I leave the setting User Name and Password.

User Name: HCPUSER

If everything goes well, you should be able to create the connection. Next step: Creating the model.

You may receive the following message:

For this message, make sure that the BOC user account has the correct roles assigned, as detailed in my previous blog post.

2. Creating a model

We should use the menu Create > Model > User datasource > Live Data Connection

Information required:

System: Connection previously created
Data Source: name of the Calculation View 

You should be able to see the measure from your Calculation View along with some details on decimals and aggregation types that you can modify.

Now you can create a Story or explore your data.

2. Configuring SSO to HCP

Now that we know that everything is working using username and password, we can go ahead and configure SSO between SAP BusinessObjects Cloud and HCP.

2.1 Getting the Service Provider information from HCP

We need to access the XS Admin page:

For HCP Trial you can do it from your cockpit link or directly by typing:

https://DBName+AccountName.hanatrial.ondemand.com/sap/hana/xs/admin

Where <DBName> is the name of your database and <AccountName> is the name of your trial account.

In my case, this URL is:

https://salesjuliantrial.hanatrial.ondemand.com/sap/hana/xs/admin

You should see the typical XS admin login page:

If you get a 403 error Forbidden, it means that you forgot to add the following roles to the account used to log in:

sap.hana.xs.admin.roles::SAMLAdministrator
sap.hana.xs.admin.roles::RuntimeConfAdministrator

Remember that this can be done easily using the SAP HANA Web-based Development Workbench:

https://DBName+AccountName.hanatrial.ondemand.com/sap/hana/ide/security/

Once you are in the XS Admin Tool, you will need to copy the name in the following menu:

Main Menu > SAML Service Provider > Copy the name that appears in the Provider information page:

We will need this name later on in SAP BusinessObjects Cloud to establish relationship between the two.

2.2 Create a new connection in BOC that will use SSO

Connect to your SAP BusinessObjects Cloud tenant and create a new connection using the menu Connections > + (Add Connection) > Live Database Connection > SAP HANA

Complete the information required:

SAP HANA Cloud Platform Account: <your HCP account>
Database Name: <Name of your DB>
Landscape Host: Select from the list according to your HCP account
Credentials: SAML Single Sign On
SAML Provider Name: <name copied from XS Admin in previous step>

Click on the button Download Metadata and save the XML file: metadata.xml.

2.3 Import the metadata.xml from BOC to your HCP SAML Identity Provider

We now need to indicate in HCP that we will be trusting the connections coming from our BOC tenant. We achieve this by importing the metadata.xml that we just saved during the creation of the connection.

We go back to our HCP XS Admin tool:

https://DBName+AccountName.hanatrial.ondemand.com/sap/hana/xs/admin

We go to the menu:

Menu > SAML Identity Provider > click on + sign and copy the content of the metadata.xml file that you saved from BOC.

Some information should be populated in the General Data and Destination section. We will only modify the following two entries:

SingleSignOn URL (RedirectBinding): /saml2/sso
SingleSignOn URL (PostBinding): /saml2/sso

When we click on save, we will see the name in the list of Identity Providers. We will use it later.

2.4 Enable SAML in HANA XS Administration for INA service 

Without leaving the HANA XS Admin tool we will go to the menu:

Menu > XS Artifact Administration

In the Packages area we select:

sap > bc > ina > service > v2

Warning! Make sure you are in that v2 package or you may affect the authentication to your XS Admin tool

Select the SAML checkbox if the checkbox is not already enabled.

Choose a SAML IdP: the name created in the previous step.

Save the SAML identity provider.

2.5 Map your HCP user to trust the BOC user when using that connection

To make it simple and understand what is happening, I will manually map a single user. You can always follow the steps to automatically map your users.

2.5.1 Copy the SAML User mapping from SAP BusinessObjects Cloud

Login to your BOC tenant and go to the menu:

Menu > Security > Users

Find your user and copy the value in the column SAML USER MAPPING. For example: P009128


Note that from Wave 24 this column is disabled by default and this PNumber is not displayed. You can obtain it if you export the list of users to CSV.

2.5.2 In your HCP add that Identity for your HCPUSER account

I will execute the SQL command using SAP HANA Cloud Platform Cockpit > SAP HANA Web-based Development Workbench > Catalog

https://DBName+AccountName.hanatrial.ondemand.com/sap/hana/ide/

You need to use an account with enough rights to make the changes: in my example I am using SYSTEM that has these roles assigned

sap.hana.ide.roles::CatalogDeveloper
sap.hana.ide.roles::SecurityAdmin

The SQL command to execute is:

ALTER USER <HANA USER> ADD IDENTITY '<SAML MAPPING>' FOR SAML PROVIDER <IMPORTED IdP NAME>;

Where:

<HANA USER>: HCP user with enough rights to execute the Calculation View. HCPUSER from my previous blog.
<SAML MAPPING>: SAML ID copied from BOC. In our case P004320.
<IMPORTED IdP NAME>: The name we had in step 2.4 after importing in XS the metadata.xml file. In our case user_businessobjects_cloud.

ALTER USER HCPUSER ADD IDENTITY 'P004320' FOR SAML PROVIDER USER_BUSINESSOBJECTS_CLOUD;
ALTER USER HCPUSER ENABLE SAML;

I added the second line to make sure we activate SAML for this account.

Using HANA Studio or the Web-based Development Workbench I will verify that SAML is activated for my user HCPUSER and the Identity Provider is correctly listed:

Note that if SAML is not configured, you will receive the following error message when trying to use the connection in BOC:

Firefly Error: Error [Protocol]: (#500) Internal Server Error StatusCode in ResponseMessage != OK; please refer to the database trace for more information

The last step is to create a model in BOC to verify that the connection works correctly and that we can retrieve data using SSO.

We log in to our BOC tenant and use the menu > (+) Create > Model to select the connection we created: HCPSSO.

We should be able to create a model and use it in Stories. For more information on Models and Stories, check the Videos created for SAP BusinessObjects Cloud.

If you get the following error instead:

Firefly Error: Error [Protocol]:(#500) Internal Server Error

This is possibly due to an incorrect BOC user selected while using the connection. To make sure you are using the correct user we were mapping, try the following: open a new incognito window in your browser: Control + Shift + N (in Windows) or Shift + Command + N (in MacOS).
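The check behind both 500 errors above, as an added example (not code from this post or from SAP): given a captured, base64-encoded SAMLResponse, it reports whether the issuer and NameID match the provider imported in step 2.3 and the identity added in step 2.5.2. The function names, the placeholder issuer URL and the exact-match comparison are assumptions; the script only reads the assertion and does not verify its signature.

```python
import base64
import xml.etree.ElementTree as ET

NS = {"p": "urn:oasis:names:tc:SAML:2.0:protocol",
      "a": "urn:oasis:names:tc:SAML:2.0:assertion"}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"

# Constructed values: the issuer is a placeholder; the provider name, HANA
# user and P-numbers are the ones that appear in this post.
ISSUER = "https://idp.example.invalid/saml2"
IDP_ISSUERS = {"USER_BUSINESSOBJECTS_CLOUD": ISSUER}  # provider name -> issuer
USER_MAPPINGS = [("HCPUSER", "USER_BUSINESSOBJECTS_CLOUD", "P004320")]

def sample_response(issuer, name_id):
    """Build a constructed, unsigned SAMLResponse value (not a real capture)."""
    xml = (f'<samlp:Response xmlns:samlp="{NS["p"]}" xmlns:saml="{NS["a"]}">'
           f'<samlp:Status><samlp:StatusCode Value="{SUCCESS}"/></samlp:Status>'
           f'<saml:Assertion><saml:Issuer>{issuer}</saml:Issuer><saml:Subject>'
           f'<saml:NameID>{name_id}</saml:NameID></saml:Subject>'
           f'</saml:Assertion></samlp:Response>')
    return base64.b64encode(xml.encode()).decode()

def check_mapping(saml_response_b64, idp_issuers, user_mappings):
    """Return (verdict, detail) for one captured, base64-encoded SAMLResponse."""
    xml = base64.b64decode(saml_response_b64)
    if b"<!DOCTYPE" in xml or b"<!ENTITY" in xml:
        raise ValueError("DTD found in SAML message, refusing to parse")
    root = ET.fromstring(xml)
    code = root.find("p:Status/p:StatusCode", NS)
    if code is None or code.get("Value") != SUCCESS:
        return ("idp-rejected", "StatusCode is not Success")
    if root.find("a:EncryptedAssertion", NS) is not None:
        return ("encrypted", "NameID is not readable without the SP key")
    issuer = root.findtext("a:Assertion/a:Issuer", "", NS)
    name_id = root.findtext("a:Assertion/a:Subject/a:NameID", "", NS)
    # Which imported provider does this issuer belong to (step 2.3)?
    providers = [p for p, iss in idp_issuers.items() if iss == issuer]
    if not providers:
        return ("unknown-issuer", issuer)
    # Which HANA user carries this identity for that provider (step 2.5.2)?
    for user, provider, identity in user_mappings:
        if provider in providers and identity == name_id:
            return ("ok", user)
    return ("unmapped-name-id", name_id)

if __name__ == "__main__":
    for nid in ("P004320", "P009128"):  # both P-numbers appear in the post
        print(nid, check_mapping(sample_response(ISSUER, nid),
                                 IDP_ISSUERS, USER_MAPPINGS))
```

An `unmapped-name-id` verdict means the user who logged in to BOC is not the one that was mapped, which is the situation the incognito-window tip addresses.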

19 Comments

  1. Milan Voleman

    Hi Julian,

    This is a fantastic article. I sent you an email with some additional detailed questions regarding this topic. I would really appreciate it if you could find time to take a look at our described issue.

    Many thanks!

    Ondrej

    (1) 
  2. Oli Bumci

    Hi Julian,

    This is a very good article and very clear and I have been able to follow the steps easily. Great help. Thank you so much.

    May I ask a quick question. The CA view that I have created is not visible in the Data Source drop down. Would you be able to know what needs to be done? I am sure it is an authorization issue, because I can run and see the CA view from Eclipse.

    Regards, Oli 

    (1) 
    1. Julian Jimenez Post author

      Hi Oli,

      I assume you are using the same HANA user in Eclipse and in your BOC HANA connection. Is this happening while using manual authentication or after configuring SSO?

      Cheers,

      Julian

      (0) 
  3. Budi Setiawan

    Hi Julian,

    Just wanna make sure whether the user will get authentication pop up also when using SSO as setup above when user wanna access the HCP Live Connection after they successfully login to BOC site ?

    (0) 
    1. Julian Jimenez Post author

      Hi Budi,

      I am not sure if I understood your question. If you are referring to a fallback method: if SSO not correctly configured for the account, then manual authentication, the answer is no: you will get an error message: “failed to connect to the system” when trying to create a model.

      Regards,

      Julian

      (0) 
  4. Arun Rajamani

    Dear Julian,

    I tried the steps, but first I get the error message Failed to connect, and when I checked the Network trace I got a message from getserverinfo that dynamic user creation is not possible (hence I enabled Dynamic User Creation in HANA XS admin). Now this error does not occur, but I get unable to retrieve data.

    Can you please help, and also give an example of how to automatically map your users?

    (0) 
    1. Julian Jimenez Post author

      Hi Arun,

      When exactly do you get error to connect? What step of the process? I assume you can connect using username/password without problems.

      Regards,

      Julian

      (0) 
  5. Aimas HB

    Hello Julian,

    Thank you for this article. I tried to configure SSO to connect to HCP. I configured the SAML before I connected from BO Cloud using the provider name (the step 2.2 Create a new connection in BOC that will use SSO I did after 2.5.2). I lose connection to the database and can’t access it, see the attached photo. I am using the trial version; does the order of these 3 steps count? And please, if I am using my productive account, is it risky to connect with SSO? Thank you

    Best Regards,

    (0) 
  6. Alain PERSOONS

    Hello Julian.

    I am trying to define a live connection from BO Cloud to Hana Trial, beginning with a user/password method before trying SAML.

    Is the username/password that we must use in this kind of connection the user defined in BO Cloud, the user defined in the Hana DB, … or some other user?

    I tried all these users and always receive an error message ‘connection failed’ …

    Is there a log somewhere where I can find more information about this message?

    Thanks for your support …

     

    (0) 
  7. Basis SAP

     

    Hi Julian,

    I’ve followed the SAP URL and your blog combined, but when I try to access STORIES from SAP Cloud Analytics, it gives an error “Failed to connect to system”. I’m manually mapping the user here.

    Could you please help me on this.

     

    Regards

    Ehtesham Hussain

    (0) 
    1. Julian Jimenez Post author

      Hi Ehtesham,

      Are you able to connect using Username and Password?

      If you test the connection, do you get any error? You can copy errors that may appear in System > Monitor > Traces.

       

      Regards,

      Julian

      (0) 
  8. Basis SAP

    Hi Julian,

    Yes, we’re able to connect using username & password.

    Also, please be informed that we’ve edited our existing connection and changed it to SAML Single Sign-On. It is fine.

    We’ve tried to create a new connection with SAML Single Sign-On and we’re getting the same error “Failed to connect to system”.

    There are no traces found.

     

    Regards

    Ehtesham Hussain

     

    (0) 
    1. Julian Jimenez Post author

      Hi Ehtesham,

      The easiest way to test what is happening is using a tool to capture SAML assertions, such as the one detailed in this KBA 2487567

      Steps to verify:

      1. Login to your SAP Analytics Cloud tenant. This will establish your NameID SAML attribute
      2. Try to login in another tab directly in your HANA in SAP Cloud Platform:

      https://<DB><ACCOUNT>.REGION.sap.hana.ondemand.com/sap/bc/ina/service/v2/GetServerInfo

      You should not be prompted for username and password as it should take your SAML credentials. If it does, it means that your configuration of SAP Cloud Platform is missing something.

      Regards,
      Julian

      (0) 
  9. Basis SAP

    Hi Julian,

    Is it mandatory to use Pid (PXXXXXX) as external identity for SAML (HANA)?

    Can’t we use userID of BOC as external identity?

     

    Regards

    Ehtesham Hussain

    (0) 
    1. Julian Jimenez Post author

      Hi Ehtesham,

      The P-user is the Custom SAML attribute used to send back who you are.

      I will try to explain here how this works:

      1. You login to SAP Cloud Identity (SCI) using your email
      2. When SCI authenticates you, it sends back the SAML assertion using that P-user as the NameID (who you are)
      3. SAP Analytics Cloud searches for who has that Custom SAML ID to let you in.

      If you are using your own SAML Identity Provider for both HANA and SAP Analytics Cloud, you don’t need these extra steps, as the User ID will be the same in both systems.

      Regards,

      Julian

      (0) 
