p_voelker
The SAP Cloud Platform (SAPCP) is a platform-as-a-service offering which supports your digital transformation. It not only provides an environment for the development of new applications but also allows the extension of existing cloud and on-premise systems. SAPCP has evolved as a central component in many enterprise landscapes for integrating data and business processes and for leveraging innovative technologies. By connecting a HANA database which is included in SAPCP with SAP Analytics Cloud (SAC), you are equipped with advanced analytics and business intelligence features for your enterprise data.

In this blog post, we are going to create a Live Connection from SAC to SAPCP using Single Sign-on (SSO). “Live” data means that whenever a user opens a story in SAC, changes to the data in the source system are immediately reflected in SAC. All the information provided in this blog post has been obtained from this Help Document.

I do not want to miss the opportunity to draw your attention to the great blog post on establishing a Live Connection from SAC to SAPCP using SSO that my colleague julian.jimenez has already published. In contrast to Julian's blog post, we use HANA studio to set up the HANA system instead of the Web-based Development Workbench.

This blog post is structured as follows:

1. System Requirements


2. Setup of the HANA System


2.1. Roles for HANA administrator


2.2. HANA Info Access Service


2.3. Roles for HANA users using the Live Connection


3. Configuration of the Trusted Providers


3.1. Setup of the Trust Relationship


3.2. Enabling SAML


3.3. User Mapping


3.3.1. Automatic


3.3.2. Manual


4. Saving the Live Connection in SAC


[Optional: Download HANA Info Access Toolkit]


 

 

1. System Requirements


You are using one of the following systems:

  • SAP HANA 1.0 SPS10, revision 102.2, or

  • SAPCP running on SAP HANA SPS10, revision 1.02.2, or

  • SAP HANA 2.0 SP01 or newer.


 

 

2. Setup of the HANA system


This section provides information on how to configure your HANA system to be able to establish a Live Connection to this system. It is subdivided into 2.1. Roles for HANA administrator, 2.2. Installation of the HANA Info Access Service and 2.3. Roles for HANA users using the Live Connection.

 

2.1. Roles for HANA administrator


Please make sure that the following roles are assigned to your HANA administrator account:



















sap.hana.xs.admin.roles::SAMLAdministrator
sap.hana.xs.admin.roles::RuntimeConfAdministrator
sap.hana.ide.roles::CatalogDeveloper
sap.hana.ide.roles::SecurityAdmin


In SAP HANA studio this can be verified under Security -> Users -> AdminName (Please note that AdminName has to be replaced with the name of your HANA administrator.) (a). Under Granted Roles you can see the roles that are assigned to your account (b).


 

To grant a missing role to your HANA user, please click on the +- icon (a), type in the name of the role (b), select the corresponding role (c) and click on OK (d).



 

2.2. HANA Info Access Service


If you are using an SAP HANA version from SPS10 onwards, please verify that the Info Access Service is installed by default. In SAP HANA studio this can be done in the Systems view (a) under Content (b). You should see the following package (c):










sap\bc\ina\service

 



If you cannot see this package, please follow the steps described in the section Optional: Download Info Access Toolkit. Otherwise, you can directly continue with the next subsection.


 

2.3. Roles for HANA users using the Live Connection


Please assign the Info Access Service role to all users who will use the Live Connection. The name of the Info Access Service role is:










sap.bc.ina.service.v2.userRole::INA_USER


In SAP HANA studio this can be done under Security -> Users -> LiveConnectionUser (Please note that LiveConnectionUser has to be replaced with a HANA user that will use the Live Connection.) (a). Under Granted Roles click on the +-icon to add the Info Access Service role (b).



 

 

3. Configuration of the Trusted Providers


In this section we set up the trust relationship (3.1.) between SAP HANA and SAC, enable SAML (3.2.) and either perform an automatic (3.3.1.) or a manual (3.3.2.) user mapping to use SSO.

The configuration of the trust relationship is necessary to link two user accounts to each other. This linkage allows data access without exchanging user credentials. The identity provider (IdP) authenticates and authorizes users. The default IdP for SAC is the SAP Cloud Platform Identity Authentication Service. This IdP can also be used for user authentication and authorization in our HANA system.

In our context, the Security Assertion Markup Language (SAML) is used for exchanging data between the service providers and the IdP. SAML is an XML framework to describe and exchange security-related information. For further information on SAML authentication in SAC, please refer to SAML authentication in SAP Analytics Cloud.

 

3.1. Setup of the Trust Relationship



  1. Please navigate to the XS Admin Page of your SAP HANA system. The XS Admin Page can be accessed via https://<SAP HANA SYSTEM>/sap/hana/xs/admin. (Please replace <SAP HANA SYSTEM> with the name of your SAP HANA system.)


 

  1. Please click on the main menu and select SAML Service Provider.


 

  1. Under Service Provider Information (a), copy the name of the SAML Service Provider (b).


 

  1. Log onto SAP Analytics Cloud and click on Connection in the main menu.


 

  1. Thereafter, click on the +-icon to add a new connection (a). Under Live Data Connection choose SAP HANA (b).


 

  1. In the dialog that opens, enter a name for your new connection (Please note that the name cannot be changed later.) (a). Set the connection type to SAP Cloud Platform (b).


 

  1. Add your SAP Cloud Platform account name (a), database name (b) and landscape name (c). You can optionally choose a default language from the list. Please note that the language can only be changed by the administrator later on. In case the language you have chosen is not installed on your system, SAC will choose the default language.


 

  1. IMPORTANT: You can find your account name, database name and landscape name in your SAP Cloud Platform Cockpit. For detailed information, please see the following screenshots.


 

  1. After having clicked on the Global Account, please click again on Global Account to see your subaccounts.


 

  1. Under Subaccount Information you can find your account name.


 

  1. Please click on Databases & Schemas (a) to see the name of your database (b).


 

  1. In SAC, please select SAML Single Sign-On (a) under Credentials. Thereafter, click on Download Metadata (b) and save the metadata file. Under SAML Provider Name, enter the name of the service provider (c) you copied in step 3.


 

  1. IMPORTANT: Please do not click on OK, as you are not yet authorized to access the HANA system. We will complete the definition of your Live Connection in section 4. Saving the Live Connection in SAC.


 

  1. In the XS Admin Page of your SAP HANA system, select Main Menu -> SAML Identity Provider.


 

  1. Click on the +-icon in the bottom left corner to begin importing metadata.


 

  1. Open the XML file that you have downloaded in step 7 b). Copy the content of the file and paste it to the Metadata input area in the XS Admin Page of your HANA system.


 

  1. Please note down the name (b) of the SAML IdP under General Data (a).


 

  1. Under Destination (a), input the following path into SingleSignOn URL (Redirect Binding) and SingleSignOn URL (PostBinding): /saml2/sso (b).


 

  1. Please click on Save. Your HANA system is now configured to trust connections established from SAC.


 

3.2. Enabling SAML



  1. In the XS Admin Page of your SAP HANA system, select Main Menu -> XS Artifact Administration.


 

  1. In the Packages area (a), please navigate to sap -> bc -> ina -> service -> v2 by clicking on the ->-icon (b).


 

  1. Please make sure to have navigated to the correct directory (a). Click on v2 (b) to see the SAP Security Admin page (c).


 

  1. Please click on Edit in the bottom right corner. 


 

  1. Select the SAML checkbox, if it is not already enabled (a).


 

  1. Choose a SAML IdP in case it is not already selected (b). The name of the IdP should be the name you noted down in step 11 of 3.1. Setup of the Trust Relationship. Please click on Save (c).


 

3.3. User Mapping


You must either perform an automatic (3.3.1.) or a manual (3.3.2) user mapping to access your HANA database from SAC without re-authentication (i.e. to use SSO). If you are using the same IdP for SAP HANA and SAC, you can automatically map all existing users to SAC. If you are using different IdPs for SAP HANA and SAC, you must perform a manual user mapping.




3.3.1. Automatic



  1. Please navigate to the SAP HANA Web-based Development Workbench -> Catalog of your HANA system. (https://<SAP HANA SYSTEM>/sap/hana/ide/catalog/; Please replace <SAP HANA SYSTEM> with the name of your SAP HANA system.)


 

  1. In the main menu, click on New -> Schema.


 

  1. Enter a name for the new schema (a) and click on OK (b).


 

  1. Please open the SQL console (a) and add the following procedure (b):
    -- Copies every SAML identity mapping that exists for FROM_IdP to TO_IdP.
    -- Mappings that already exist for TO_IdP are dropped first.
    CREATE PROCEDURE "<MYSCHEMA>"."sap.fpa.services::mapIdentityFromIdpToIdp" (IN FROM_IdP VARCHAR(2048), TO_IdP VARCHAR(2048))
    LANGUAGE SQLSCRIPT
    SQL SECURITY INVOKER AS
    BEGIN
        -- Users that already have a mapping for the target IdP
        DECLARE CURSOR vExistingMappings FOR
            SELECT USER_NAME FROM "SYS"."SAML_USER_MAPPINGS" WHERE SAML_PROVIDER_NAME = TO_IdP;
        -- All SAML mappings; filtered by FROM_IdP in the second loop
        DECLARE CURSOR vUserSamlMappings FOR
            SELECT USER_NAME, SAML_PROVIDER_NAME, EXTERNAL_IDENTITY FROM "SYS"."SAML_USER_MAPPINGS";
        -- Remove the existing mappings for the target IdP
        FOR cur_row AS vExistingMappings DO
            EXECUTE IMMEDIATE 'ALTER USER '||:cur_row.USER_NAME||' DROP IDENTITY FOR SAML PROVIDER '||:TO_IdP||'';
        END FOR;
        -- Re-create each source IdP mapping for the target IdP
        FOR cur_row AS vUserSamlMappings DO
            IF cur_row.SAML_PROVIDER_NAME = FROM_IdP THEN
                EXECUTE IMMEDIATE 'ALTER USER '||:cur_row.USER_NAME||' ADD IDENTITY '''||:cur_row.EXTERNAL_IDENTITY||''' FOR SAML PROVIDER '||:TO_IdP||'';
            END IF;
        END FOR;
    END;



 

  1. IMPORTANT: Replace <MYSCHEMA> with the name of the schema you have created (here: UserMappingSAC).




 

  1. Execute the procedure.


 

  1. Please enter the following command in your SQL console:
    CALL "<SCHEMA>"."sap.fpa.services::mapIdentityFromIdpToIdp"('<LOGIN IdP>', '<IMPORTED IdP NAME>');



 

  1. Replace <SCHEMA> with the selected schema name (here: UserMappingSAC), <LOGIN IdP> with the name of the SAP HANA IdP and <IMPORTED IdP NAME> with the name of the SAC IdP you noted down in step 11 of the subsection 3.1. Setup of the Trust Relationship.


 

  1. IMPORTANT: To find the name of your SAP HANA IdP, go to the XS Admin Page of your HANA system and select Main Menu -> SAML Identity Provider. Under Destination, copy the Base URL.


 

  1. Execute the SQL statement.


 

3.3.2. Manual



  1. Please navigate to Profile Management in SAC and copy the Cloud Identity. Please note that you may have to login first.


 

  1. Please navigate to the SAP HANA Web-based Development Workbench -> Catalog of your HANA system. (https://<SAP HANA SYSTEM>/sap/hana/ide/catalog/; Please replace <SAP HANA SYSTEM> with the name of your SAP HANA system.)


 

  1. Open the SQL console (a). Type in (b) and execute (c) the following query:
    ALTER USER <HANA USER> ADD IDENTITY '<SAML MAPPING>' FOR SAML PROVIDER <IMPORTED IdP NAME>;
    ALTER USER <HANA USER> ENABLE SAML;



 

  1. Important: Please make sure that you are logged in to your HANA system with a user that is different from the user who appears in the SQL statement (i.e., <HANA USER>), as a user is not able to execute the second statement for herself. Replace <HANA USER> with the user ID of the HANA user that is using the Live Connection, <SAML MAPPING> with the Cloud Identity you copied in step 1 and <IMPORTED IdP NAME> with the name of the SAC IdP you noted down in step 11 of 3.1. Setup of the Trust Relationship.
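
The following read-only queries are an added example, not part of the original post or of SAP's documentation. They check the role assignments from 2.1 and 2.3 and the SAML mappings created in 3.3.1 or 3.3.2. They assume the standard system views SYS.GRANTED_ROLES and SYS.USERS, which do not appear in the post, and use <ADMIN NAME> as a placeholder for your HANA administrator.

```sql
-- Added example: read-only checks. Replace the <...> placeholders first.
-- <IMPORTED IdP NAME> must match the stored provider name exactly.

-- 1) Section 2.1: which of the four administrator roles are granted
--    directly to the admin account? A missing row is a missing role.
SELECT ROLE_NAME, GRANTOR
  FROM "SYS"."GRANTED_ROLES"
 WHERE GRANTEE = '<ADMIN NAME>'
   AND ROLE_NAME IN ('sap.hana.xs.admin.roles::SAMLAdministrator',
                     'sap.hana.xs.admin.roles::RuntimeConfAdministrator',
                     'sap.hana.ide.roles::CatalogDeveloper',
                     'sap.hana.ide.roles::SecurityAdmin');

-- 2) Sections 2.3 and 3.3: every user holding INA_USER, with the SAML
--    flag and the identity mapped for the SAC IdP.
--    EXTERNAL_IDENTITY is NULL when the user has no mapping yet.
SELECT r.GRANTEE AS USER_NAME, u.IS_SAML_ENABLED, m.EXTERNAL_IDENTITY
  FROM "SYS"."GRANTED_ROLES" r
  JOIN "SYS"."USERS" u
    ON u.USER_NAME = r.GRANTEE
  LEFT JOIN "SYS"."SAML_USER_MAPPINGS" m
    ON m.USER_NAME = r.GRANTEE
   AND m.SAML_PROVIDER_NAME = '<IMPORTED IdP NAME>'
 WHERE r.GRANTEE_TYPE = 'USER'
   AND r.ROLE_NAME = 'sap.bc.ina.service.v2.userRole::INA_USER'
 ORDER BY r.GRANTEE;

-- 3) Section 3.3.1: users mapped to the SAC IdP that do NOT hold INA_USER.
--    The automatic procedure copies every mapping of the login IdP, so
--    administrative or technical accounts can show up here for review.
SELECT m.USER_NAME, m.EXTERNAL_IDENTITY
  FROM "SYS"."SAML_USER_MAPPINGS" m
 WHERE m.SAML_PROVIDER_NAME = '<IMPORTED IdP NAME>'
   AND NOT EXISTS (SELECT 1
                     FROM "SYS"."GRANTED_ROLES" r
                    WHERE r.GRANTEE = m.USER_NAME
                      AND r.ROLE_NAME = 'sap.bc.ina.service.v2.userRole::INA_USER')
 ORDER BY m.USER_NAME;
```

GRANTED_ROLES lists direct grants only, so a role that a user inherits through another role does not appear in these results.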


 

 

4. Saving the Live Connection in SAC


As pointed out in step 7 of 3.1. Setup of the Trust Relationship, we now complete the definition of our Live Connection in SAC. In case the browser tab you opened in subsection 3.1. Setup of the Trust Relationship (steps 1-7) is still available, the only thing that has to be done is to click on OK. Otherwise, steps 1-7 of 3.1. Setup of the Trust Relationship have to be re-executed.



You have now defined a Live Connection and can start creating models using this Live Connection. On top of those models you can build stories and thus consume live data from your HANA system in SAC.

 



In the screenshot above, you can find a sample story which consumes live data and shows the pipeline of the S/4HANA product for all regions.

 

 

 

[Optional: Download HANA Info Access Toolkit]


This section is only relevant in case the Info Access Service is not installed on your HANA system by default, i.e. you have not been able to complete subsection 2.2. HANA Info Access Service successfully. 

In the following, we set up and activate the SAP HANA Info Access Service on your HANA system (cf. Help Document). To do so, we first import the Info Access Toolkit and the SINA API (steps 1-11) and thereafter import the Info Access Service (steps 12-16).

Henceforth, we assume that you can access the SAP Software Download Center. Please note that your view may differ from the screenshots provided as it depends on your user rights.

 

  1. Navigate to the Software Download Center.


 

  1. Under Support Packages and Patches (a), click on By Category (b) and select SAP In-Memory (SAP HANA) (c).


 

  1. Please click on HANA Platform Edition.


 

  1. Please click on SAP HANA Platform Edition.


 

  1. Please click on SAP HANA Platform EDIT 1.0.


 

  1. Please click on HANA INA TOOLKIT HTML CONTENT.


 

  1. Please click on HANA INA TOOLKIT HTML 1.0 (b). (a) shows the directory you should see after following the steps described above.


 

  1. Please download and unpack the file HCOINAUITOOLKIT<Version>. You can also select a .SAR archive instead. .SAR files can be unpacked using SAPCAR (a GUI tool for Windows can be found here). Each of the archive files contains the SAP HANA Delivery Unit HCOINAUITOOLKIT.tgz.


 

  1. In SAP HANA studio click on File -> Import (a), select SAP HANA Content -> Delivery Unit (b) and click on Next (c).


 

  1. Under Target System select your database instance (a) and click on Next (b).


 

  1. Please select Client (a) and choose the tgz Delivery Unit on your local disk (b) which you have extracted in step 2. Select both actions (c) and click on Finish (d).


 

  1. If the import of the Delivery Unit has been successful, in the Systems view (a) under Content (b), you should see the following packages (c):














    sap\bc\ina\api
    sap\bc\ina\demos
    sap\bc\ina\uitoolkit






 

  1. Now that the Info Access Toolkit and the SINA API have been imported, we can import the Info Access Service.


 

  1. In SAP HANA Studio, select File -> Import.


 

  1. Please click on SAP HANA Content -> Delivery Unit and choose Next.


 

  1. Under Target System choose your database instance.


 

  1. Select Server (a) and from the dropdown list select the SYS/global/hdb/content/HCO_INA_SERVICE.tgz Delivery Unit (b). Please select both actions (c) and click on Finish (d).


 

  1. If the import of the Delivery Unit has been successful, in the Systems view (a) under Content (b), you should see the following package (c):







    sap\bc\ina\service




 

  1. The HANA Info Access Service is now set up and activated on your system.
