Many of my blog readers have tried setting up live connections from SAP Analytics Cloud (SAC) to on-prem HANA systems via a reverse proxy, following my earlier blogs. How was your experience? Was it smooth to setup reverse proxy, especially when it comes to Single Sign-on configurations? Needless to say, it is probably not that smooth if you are not an Apache or Web Dispatcher guru, no matter how detailed my earlier blog posts and how-to guides are:).
Well, why do we need the reverse proxy in the first place? It is to make both SAC and the HANA system appear to the web browser under one single host name in order to bypass the browser’s Same Origin Policy. But do we have to live with this cumbersome architecture with high implementation and maintenance effort? Now we have an answer: in SAC wave 2017.05, a new feature named Direct connection has been introduced, which does not require a reverse proxy anymore.
So what’s the magic? The Direct connection leverages the HTML5 CORS specifification, which makes Cross-Origin Resource Sharing possible. Why didn’t we make use of the standard earlier? The reason is that CORS and SAML don’t quite work together due to a specification flaw in CORS. With SAC release 2017.05, we have engineered a pop-up window for the SAML 2 Identity Provider logon screen to gracefully bypass the flaw in the CORS specification.
See the below diagram illustrating the Direct live connection architecture based on CORS.
This connectivity option does come with certain prerequisites on your web browser. For corporate landscapes, these settings can be automated by your IT policy, e.g. Active Directory group policy.
- Allow pop-up windows from the SAP Analytics Cloud domain: [*.]sapbusinessobjects.cloud.
- Allow 3rd party cookies from the SAP HANA server’s domain.
Additionally, the on-prem HANA system’s XS engine must be accessed via HTTPS protocol, as CORS does not work in the mixed HTTPS/HTTP scenario. The SSL server certificate of the HANA system must be a valid one that is trusted by your users’ web browers and match the HANA system’s fully-qualified domain name.
If for any reason those prerequisites cannot be met in your case, you can always use the reverse proxy option which is still fully supported.
For details on how to setup Direct live HANA connections in SAP Analytics Cloud, follow the below documentation:
- Enabling Direct Connectivity for Live Data Connections with Basic Authentication
- Enabling Direct Connectivity for Live Data Connections with SSO
Regarding how this option would work in Internet scenarios where the web browser does not have direct access to the HANA system, refer to my next blog Direct Live HANA Connections in the Internet Scenario.
I hope you find this blog helpful. Till next time!