Technology Blogs by SAP
Learn how to extend and personalize SAP applications. Follow the SAP technology blog for insights into SAP BTP, ABAP, SAP Analytics Cloud, SAP HANA, and more.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

SAP BusinessObjects Cloud – Enabling SAML SSO for live connections to SAP HANA in SCP

Former Member
‎03-14-2017 8:00 PM

Description


One compelling feature of SAP BusinessObjects Cloud (BOC) is the ability to establish live connections with external data sources such as SAP HANA, SAP BW, and S/4 HANA.

This blog post is meant to summarize the steps necessary for BOC to connect to and consume a SAP HANA database hosted on the SAP Cloud Platform.

The scope of this post is to provide read access to one or more existing BOC users.  For cases where users are also required to manipulate the contents of the external data source directly, such as adding views, further permissions/roles would be required.

For further details, please see the existing in-app documentation.

Prerequisites



  • BusinessObjects Cloud

    • One or more existing BOC users that require access to the external data source

    • BOC is configured to use a SAML identity provider (IdP)



  • Identity Provider

    • SAP Cloud Identity (SCI) will be used in this example

    • Administrative access to the IdP will be required to retrieve user IDs



  • SAP HANA database hosted by SAP Cloud Platform

    • An administrative account is required with the following roles:

      • hana.xs.admin.roles::SAMLAdministrator

      • hana.xs.admin.roles::RuntimeConfAdministrator

      • hana.ide.roles::CatalogDeveloper

      • hana.ide.roles::SecurityAdmin



    • At least one view (i.e. calculation view) exists

      • To be consumed by BOC users






Process


Setup SAML trust relationship between the BOC tenant and the HANA database



  • Retrieve the SAML metadata from the BOC tenant

    • From the “Connections” page, add a new Live Connection to SAP HANA

    • In the Add Connection dialog:

      • Select Connection Type: “SAP HANA Cloud Platform”

      • Select Authentication Method: “SAML Single Sign On”

      • Click “Download Metadata”








  • Upload the BOC tenant metadata to the HANA database through XS Admin

    • Connect to XS Admin for the HANA database and select “SAML Identity Provider”

    • Add a new identity provider to the list

    • Copy and paste the (previously downloaded) BOC tenant metadata

    • Click outside of the field to populate the other tabs

    • Enter dummy values into the two SingleSignOn URL fields (i.e. “/saml2/sso”)

    • Click “Save”

    • Take note of the “Name” value for this newly created (BOC tenant) identity provider, to be used later on

    • Also, click on the SAML Service Provider and note of the name of the XS service provider, to be used later on




Create users in the HANA database



  • Using HANA Studio or the Web IDE, login to the HANA database as an administrative user

  • For each BOC user that requires access, create a new HANA database user

    • Suggested user naming convention:

      • <BOC_PROVIDER_NAME> __<IDP_USER_ID>



    • Uncheck the “Password” checkbox, as this user should not be required to login to the database

    • Check the “SAML” checkbox and click “Configure” to open the SAML dialog

      • Add a row and enter the BOC tenant identity provider (noted earlier) as the “Identity Provider”

      • Enter the user ID as the “External Identity” and click OK



    • Add a Granted Role:

      • sap.bc.ina.service.v2.userRole::INA_USER



    • Add an Object Privilege:

      • _SYS_BIC with SELECT privileges

        • Use the “_SYS_BIC” catalog object for all views, or select one or more particular views (i.e. with _SYS_BIC in the name) if more precision is desired





    • Save the user




Ensure HCO_INA_SERVICE delivery unit is imported, SAML-enabled



  • In HANA Studio, check which delivery units are installed by using the SAP HANA Modeler perspective

    • Click “Delivery Units” and ensure HCO_INA_SERVICE appears in the list




    • If it doesn’t, choose “Import” to upload this required delivery unit



  • Add SAML authentication to the HCO_INA_SERVICE delivery unit

    • Return to the XS Admin for the HANA database

    • Select “XS Artifact Administrator”

    • Expand “sap” -> “bc” -> “ina” -> “service”

    • Click “v2”

      • Note: Please ensure you perform this operation only on the “v2” package, and not on another level of the Application Objects hierarchy



    • If “SAML Authentication” is not already enabled, edit the delivery unit and enable it

      • Select the BOC tenant provider name - however, if another provider name is already selected, this is not an issue and it does not need to be changed







Add a Live Connection to the HANA database in BOC



  • Login to BOC with one of the users that now has a database user mapped

  • Open the “Add Connection” dialog

  • From the Connections page, add a new Live Connection to SAP HANA

  • Fill in all required details in the New Live Connection dialog:

    • Select Connection Type:

      • SAP HANA Cloud Platform



    • SAP Cloud Platform Account:

      • Enter the “Account Name” of the HANA database account (as seen in SCP)



    • Database Name:

      • Name of the HANA database instance (as seen in SCP)



    • Select Authentication Method

      • SAML Single Sign On



    • SAML Provider Name:

      • Enter the SAML Provider Name (the SAML Service Provider name, noted earlier)

        • Example: something.us1.hana.ondemand.com








Now, you should be able to add models from this new connection, and immediately begin creating stories based on said models.

 

Further Reading


https://uacp2.hana.ondemand.com/doc/00f68c2e08b941f081002fd3691d86a7/release/en-US/a30b5127419a4fd0a...
1 Comment
Labels in this area
Popular Blog Posts