In my previous blog, I was able to create a Calculation View in my HCP trial account to be consumed in SAP BusinessObjects Cloud (BOC). My goal is to be able to set up a Live Data Connection to HCP using single sign-on (SSO). You can find all the information in the complete documentation of the product.

To simplify the SSO configuration, I am breaking the process into a few steps. I will first use my Calculation View in BOC with a user name and password, just to confirm that everything works fine before configuring SSO.

1. Using the calculation view from HCP (username/password)
2. Configuring SSO to HCP
2.1 Getting the Service Provider information from HCP
2.2 Creating a Connection using SSO
2.3 Import the metadata.xml from BOC to your HCP SAML Identity Provider
2.4 Enable SAML in HANA XS Administration for INA service 
2.5 Map your HCP user to trust the BOC user when using that connection
2.5.1 Copy the SAML User mapping from SAP BusinessObjects Cloud
2.5.2 In your HCP add that Identity for your HCPUSER account

1. Using the calculation view from HCP using login and password

This seems silly as you probably landed in this blog looking for SSO. However, before we start configuring authentication I would like to confirm that your user in SAP BusinessObjects Cloud (BOC) is authorized to create connections, models, etc. and your HCP user has the correct privileges and roles to use the Calculation View in BOC.

Connect to your SAP BusinessObjects Cloud tenant:

https://yourcompany.region.sapbusinessobjects.cloud

Your user must have the following roles:

Modeler
BI_Content_Creator

1. Creating a connection

Go to the Connection menu and select + to add a new connection to Live HANA.

You need to select:

Connection Type: SAP HANA Cloud Platform
SAP HANA Cloud Platform Account: PXXXX
Database Name: YourDatabase
Landscape Host: Trial (in my case)

I leave the setting as User Name and Password.

User Name: HCPUSER

If everything goes well, you should be able to create the connection. Next step: Creating the model.

You may receive the following message:

For this message, make sure that the BOC user account has the correct roles assigned, as detailed in my previous blog post.

2. Creating a model

We should use the menu Create > Model > User datasource > Live Data Connection

Information required:

System: Connection previously created
Data Source: name of the Calculation View 

You should be able to see the measure from your Calculation View along with some details on decimals and aggregation types that you can modify.

Now you can create a Story or explore your data.

2. Configuring SSO to HCP

Now that we know that everything is working using username and password, we can go ahead and configure SSO between SAP BusinessObjects Cloud and HCP.

2.1 Getting the Service Provider information from HCP

We need to access the XS Admin page:

For HCP Trial you can do it from your cockpit link or directly by typing:

https://DBName+AccountName.hanatrial.ondemand.com/sap/hana/xs/admin

Where <DBName> is the name of your database and <AccountName> is the name of your trial account.

In my case, this URL is:

https://salesjuliantrial.hanatrial.ondemand.com/sap/hana/xs/admin

You should see the typical XS admin login page:

If you get a 403 Forbidden error, it means that the account used to log in is missing the following roles:

sap.hana.xs.admin.roles::SAMLAdministrator
sap.hana.xs.admin.roles::RuntimeConfAdministrator

Remember that this can be done easily using the SAP HANA Web-based Development Workbench:

https://DBName+AccountName.hanatrial.ondemand.com/sap/hana/ide/security/

Once you are in the XS Admin Tool, you will need to copy the name in the following menu:

Main Menu > SAML Service Provider > Copy the name that appears in the Provider information page:

We will need this name later on in SAP BusinessObjects Cloud to establish the relationship between the two.

2.2 Create a new connection in BOC that will use SSO

Connect to your SAP BusinessObjects Cloud tenant and create a new connection using the menu Connections > + (Add Connection) > Live Database Connection > SAP HANA

Complete the information required:

SAP HANA Cloud Platform Account: <your HCP account>
Database Name: <Name of your DB>
Landscape Host: Select from the list according to your HCP account
Credentials: SAML Single Sign On
SAML Provider Name: <name copied from XS Admin in previous step>

Click on the button Download Metadata and save the XML file: metadata.xml.

2.3 Import the metadata.xml from BOC to your HCP SAML Identity Provider

We now need to indicate in HCP that we will be trusting the connections coming from our BOC tenant. We achieve this by importing the metadata.xml that we just saved during the creation of the connection.

We go back to our HCP XS Admin tool:

https://DBName+AccountName.hanatrial.ondemand.com/sap/hana/xs/admin

We go to the menu:

Menu > SAML Identity Provider > click on + sign and copy the content of the metadata.xml file that you saved from BOC.

Some information should be populated in the General Data and Destination section. We will only modify the following two entries:

SingleSignOn URL (RedirectBinding): /saml2/sso
SingleSignOn URL (PostBinding): /saml2/sso

When we click on save, we will see the name in the list of Identity Providers. We will use it later.

2.4 Enable SAML in HANA XS Administration for INA service 

Without leaving the HANA XS Admin tool we will go to the menu:

Menu > XS Artifact Administration

In the Packages area we select:

sap> bc > ina > service > v2

Warning! Make sure you are in that v2 package, or you may affect the authentication to your XS Admin tool.

Select the SAML checkbox if the checkbox is not already enabled.

Choose a SAML IdP: the name created in the previous step.

Save the SAML identity provider.

2.5 Map your HCP user to trust the BOC user when using that connection

To make it simple and understand what is happening, I will manually map a single user. You can always follow the steps to automatically map your users.

2.5.1 Copy the SAML User mapping from SAP BusinessObjects Cloud

Login to your BOC tenant and go to the menu:

Menu > Security > Users

Find your user and copy the value in the column SAML USER MAPPING. For example: P009128


Note that from Wave 24 this column is disabled by default and this PNumber is not displayed. You can obtain it by exporting the list of users to CSV.

2.5.2 In your HCP add that Identity for your HCPUSER account

I will execute the SQL command using SAP HANA Cloud Platform Cockpit > SAP HANA Web-based Development Workbench > Catalog

https://DBName+AccountName.hanatrial.ondemand.com/sap/hana/ide/

You need to use an account with enough rights to make the changes. In my example I am using SYSTEM, which has these roles assigned:

sap.hana.ide.roles::CatalogDeveloper
sap.hana.ide.roles::SecurityAdmin

The SQL command to execute is:

ALTER USER <HANA USER> ADD IDENTITY '<SAML MAPPING>' FOR SAML PROVIDER <IMPORTED IdP NAME>;

Where:

<HANA USER>: HCP user with enough rights to execute the Calculation View. HCPUSER from my previous blog.
<SAML MAPPING>: SAML ID copied from BOC. In our case P004320.
<IMPORTED IdP NAME>: The name we had in step 2.4 after importing in XS the metadata.xml file. In our case user_businessobjects_cloud.

ALTER USER HCPUSER ADD IDENTITY 'P004320' FOR SAML PROVIDER USER_BUSINESSOBJECTS_CLOUD;
ALTER USER HCPUSER ENABLE SAML;

I added the second line to make sure we activate SAML for this account.

Using HANA Studio or the Web-based Development Workbench I will verify that SAML is activated for my user HCPUSER and the Identity Provider is correctly listed:
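The same verification can be done in the Catalog SQL console. The queries below are an added example, not part of the original post; they use the user, identity and provider names from this post and assume the account running them (SYSTEM here) can read the SYS.USERS, SYS.SAML_PROVIDERS and SYS.SAML_USER_MAPPINGS system views:

```sql
-- Added example: check the SAML trust configured in steps 2.3 to 2.5.
-- HCPUSER and USER_BUSINESSOBJECTS_CLOUD are the names used in this post.

-- 1. The imported identity provider, with the certificate subject and
--    issuer that HANA will accept assertions from.
SELECT SAML_PROVIDER_NAME, SUBJECT_NAME, ISSUER_NAME
  FROM SYS.SAML_PROVIDERS
 WHERE SAML_PROVIDER_NAME = 'USER_BUSINESSOBJECTS_CLOUD';

-- 2. The HANA user: IS_SAML_ENABLED must be TRUE for SSO to work.
--    IS_PASSWORD_ENABLED shows whether password logon is still possible
--    in parallel, which is worth knowing once SSO is the intended path.
SELECT USER_NAME, IS_SAML_ENABLED, IS_PASSWORD_ENABLED, USER_DEACTIVATED
  FROM SYS.USERS
 WHERE USER_NAME = 'HCPUSER';

-- 3. Every external identity this provider can assert and the HANA user
--    it is logged on as. Any BOC user whose SAML mapping appears here
--    gets that HANA user's privileges, so unexpected rows matter.
SELECT m.SAML_PROVIDER_NAME, m.EXTERNAL_IDENTITY, m.USER_NAME
  FROM SYS.SAML_USER_MAPPINGS m
 WHERE m.SAML_PROVIDER_NAME = 'USER_BUSINESSOBJECTS_CLOUD'
 ORDER BY m.USER_NAME, m.EXTERNAL_IDENTITY;

-- 4. Mappings that exist but cannot be used because SAML is not enabled
--    on the mapped user (a missing ALTER USER ... ENABLE SAML).
SELECT m.USER_NAME, m.EXTERNAL_IDENTITY, m.SAML_PROVIDER_NAME
  FROM SYS.SAML_USER_MAPPINGS m
  JOIN SYS.USERS u ON u.USER_NAME = m.USER_NAME
 WHERE u.IS_SAML_ENABLED <> 'TRUE';
```

With the configuration from this post, query 3 should return a single row mapping P004320 to HCPUSER, and query 4 should return no rows.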

Note that if SAML is not configured, you will receive the following error message when trying to use the connection in BOC:

Firefly Error: Error [Protocol]: (#500) Internal Server Error StatusCode in ResponseMessage != OK; please refer to the database trace for more information

The last step is to create a model in BOC to verify that the connection works correctly and that we can retrieve data using SSO.

We log in to our BOC tenant and use the menu > (+) Create > Model to select the connection we created: HCPSSO.

We should be able to create a model and use it in Stories. For more information on Models and Stories, check the Videos created for SAP BusinessObjects Cloud.

If you get the following error instead:

Firefly Error: Error [Protocol]:(#500) Internal Server Error

This is possibly due to an incorrect BOC user being selected while using the connection. To make sure you are using the user we mapped, try the following: open a new incognito window in your browser with Control + Shift + N (in Windows) or Shift + Command + N (in macOS).

9 Comments

  1. Ondrej Kloucek

    Hi Julian,

    This is a fantastic article. I sent you an email with some additional detailed questions regarding this topic. I would really appreciate it if you could find time to take a look at our described issue.

    Many thanks!

    Ondrej

    (1) 
  2. Oli Bumci

    Hi Julian,

    This is a very good article and very clear, and I have been able to follow the steps easily. Great help. Thank you so much.

    May I ask a quick question? The CA view that I have created is not visible in the Data Source drop-down. Would you know what needs to be done? I am sure it is an authorization issue, because I can run and see the CA view from Eclipse.

    Regards, Oli 

    (1) 
    1. Julian Jimenez Post author

      Hi Oli,

      I assume you are using the same HANA user in Eclipse and in your BOC HANA connection. Is this happening while using manual authentication or after configuring SSO?

      Cheers,

      Julian

      (0) 
  3. Budi Setiawan

    Hi Julian,

    Just wanna make sure whether the user will also get an authentication pop-up when using SSO as set up above, when the user wants to access the HCP Live Connection after they have successfully logged in to the BOC site?

    (0) 
    1. Julian Jimenez Post author

      Hi Budi,

      I am not sure if I understood your question. If you are referring to a fallback method (if SSO is not correctly configured for the account, then manual authentication), the answer is no: you will get an error message, “failed to connect to the system”, when trying to create a model.

      Regards,

      Julian

      (0) 
  4. Arun Rajamani

    Dear Julian,

    I tried the steps, but first I got the error message "Failed to connect", and when I checked the network trace I got a message from getserverinfo that dynamic user creation is not possible (hence I enabled Dynamic User Creation in HANA XS Admin). Now this error does not occur, but I get "unable to retrieve data".

    Can you please help, and also give an example of how to automatically map your users?

    (0) 
    1. Julian Jimenez Post author

      Hi Arun,

      When exactly do you get the error connecting? At what step of the process? I assume you can connect using username/password without problems.

      Regards,

      Julian

      (0) 