Many of my blog readers have tried setting up live connections from SAP BusinessObjects Cloud (BOC) to on-prem HANA systems via a reverse proxy, following my earlier blogs. How was your experience? Was it smooth to setup reverse proxy, especially when it comes to Single Sign-on configurations? Needless to say, it is probably not that smooth if you are not an Apache or Web Dispatcher guru, no matter how detailed my earlier blog posts and how-to guides are:).

Well, why do we need the reverse proxy in the first place? It is to make both BOC and the HANA system appear to the web browser under one single host name in order to bypass the browser’s Same Origin Policy. But do we have to live with this cumbersome architecture with high implementation and maintenance effort? Now we have an answer: in BOC wave 2017.05, a new feature named Direct connection has been introduced, which does not require a reverse proxy anymore.

So what’s the magic? The Direct connection leverages the HTML5 CORS specifification, which makes Cross-Origin Resource Sharing possible. Why didn’t we make use of the standard earlier? The reason is that CORS and SAML don’t quite work together due to a specification flaw in CORS. With BOC release 2017.05, we have engineered a pop-up window for the SAML 2 Identity Provider logon screen to gracefully bypass the flaw in the CORS specification.

See the below diagram illustrating the Direct live connection architecture based on CORS.


This connectivity option does come with certain prerequisites on your web browser. For corporate landscapes, these settings can be automated by your IT policy, e.g. Active Directory group policy.

  • Allow pop-up windows from the SAP BusinessObjects Cloud domain: [*.]
  • Allow 3rd party cookies from the SAP HANA server’s domain.

Additionally, the on-prem HANA system’s XS engine must be accessed via HTTPS protocol, as CORS does not work in the mixed HTTPS/HTTP scenario. The SSL server certificate of the HANA system must be a valid one that is trusted by your users’ web browers and match the HANA system’s fully-qualified domain name.

If for any reason those prerequisites cannot be met in your case, you can always use the reverse proxy option which is still fully supported.

For details on how to setup Direct live HANA connections in BusinessObjects Cloud, follow the below documentation:

  1. Enabling Direct Connectivity for Live Data Connections with Basic Authentication
  2. Enabling Direct Connectivity for Live Data Connections with SSO

Regarding how this option would work in Internet scenarios where the web browser does not have direct access to the HANA system, refer to my next blog Direct Live HANA Connections in the Internet Scenario.

I hope you find this blog helpful. Till next time!

To report this post you need to login first.


You must be Logged on to comment or reply to a post.

  1. Deepu Sasidharan

    This is a great addition!


    Does the connection require SAML to be configured or can we use a System account to connect to the HANA system?

    Also are there plan to provide similar option for the BW online connectivity?


    1. Dong Pan Post author

      Thanks Deepu. You can use any HANA user account to connect to HANA, but keep in mind that the user credentials are not persisted in any live connection, so you cannot configure it as an administrator and share it with multiple users. In most real world use cases, end users would not be happy to type in their HANA user credentials every time they open a HANA-based story, so you need some sort of SSO setup. At the moment, SAML is the only SSO option, but we are also working on other options too. Stay tuned!


Leave a Reply