SAP Analytics Cloud: Configure SAML SSO Live Data Connection to SAP Universe using SAP Cloud Platform Identity Authentication (SCI) Identity Provider

SAP Analytics Cloud can connect directly to an on-premise SAP BusinessObjects BI Platform Universe (UNV and UNX) via a Live Data Connection. The queried data stays behind the corporate firewall and does not move into the cloud; any change made to the data on the source system is reflected immediately. A Live Data Connection lets you leverage the existing investment in universe modeling and security set-up in the SAP BI Platform system.

SAP Analytics Cloud now supports a Live Data Connection to SAP Universe using both Password Authentication and SAML Single Sign-On (SSO) Authentication. SAML authentication is recommended for production environments.

This blog post covers how to configure a SAML SSO Live Data Connection from SAP Analytics Cloud to SAP Universe. We use SAP Cloud Platform Identity Authentication (also known as SAP Cloud Identity) as the SAML Identity Provider (IdP). The same workflow applies to any Identity Provider that supports the SAML 2.0 protocol.

The configuration consists of the following main parts:

Part 1. Configure Custom SAML SSO between SAP Analytics Cloud and IdP (SAP Cloud Platform Identity Authentication service)

Part 2. Configure SAML SSO between SAP BOE Live Data Connect and IdP (SAP Cloud Platform Identity Authentication service)

Part 3. Create a Live Direct Connection in SAP Analytics Cloud

 

If the SAP Analytics Cloud system has already been configured to use Custom SAML authentication, jump to Part 2, which is the main focus of the blog.

 

Part 1. Configure Custom SAML SSO between SAP Analytics Cloud and IdP (SAP Cloud Platform Identity Authentication service)

SAP KBA 2518900 provides detailed steps on how to set it up.

Part 2. Configure SAML SSO between SAP BOE Live Data Connect and IdP (SAP Cloud Platform Identity Authentication service)

2.1. Deploy and set up the SAP BOE Live Data Connect component

 

a. Download and deploy the SAP BOE Live Data Connect component. Go to the SAP Software Downloads site and log in with your SAP credentials; search for "Live Data Connect" and download the latest version of SAP BOE Live Data Connect.

b. Rename the cs_ina_agent.war file to sap#boc#ina.war; copy the renamed sap#boc#ina.war file to the tomcat > webapps directory; restart Tomcat to deploy it.

 

c. Create a boe.properties file in the conf folder of your Tomcat installation directory.

d. Edit the boe.properties file with the following lines (for example):

# BOE Server info
# Restful Web Service is deployed on Web Application Container Server
# Its default port number is 6405
# replace <BI_Platform_Tomcat_Host_Name> with the host name of the BI Platform server on which WACS runs
boe.restUrl=http://<BI_Platform_Tomcat_Host_Name>:6405/biprws
boe.authenticationMode=saml
lde.port=58080
boe.trustedauth.method=HTTP_HEADER
boe.trustedauth.user.name.parameter=X-SAP-TRUSTED-USER
boe.httpTimeout=180000
useProxy=false

 

  • Make sure the values of boe.trustedauth.method and boe.trustedauth.user.name.parameter correspond to CMC > WebApplicationContainerServer (WACS) > Trusted Authentication configuration.
  • Once trusted authentication with the HTTP_HEADER method is enabled on WACS, any client that can reach the WACS RESTful port and set the X-SAP-TRUSTED-USER header can log on as the Enterprise user it names. Restrict network access to that port to the Live Data Connect host, and prefer an https boe.restUrl so the header is not sent in clear text.

 

e. Activate logs. Create a bo_trace.ini file in the conf folder of your Tomcat installation directory and edit it with the following lines (for example):

active = true;
size = 494967290;
log_ext = "log";
sap_trace_level = trace_debug;
sap_log_level = log_info;
log_dir = "C:\\PROGRA~2\\SAPBUS~1\\SAPBUS~1.0\\LOGGING\\LUC"; 

 

f. Point Tomcat to the boe.properties and bo_trace.ini files that were just created. This procedure varies depending on the type of Tomcat used.

For Tomcat BI 4 (Windows), which comes with the default BI Platform installation, open the Central Configuration Manager, stop Tomcat, then edit its properties by appending the following lines to the command line. Note: the paths must include the file name, not just the directory.

++JvmOptions=-DBocInaAgentConfigurationFile=<BOE_PROP_PATH>
++JvmOptions=-Dtracelog.configfile=<BOE_TRACE_PATH>

 

For standalone Tomcat starting in batch or service mode, or Tomcat on Linux, please refer to the Product Guide for more details.

 

 

2.2. Configure Cross-Origin Resource Sharing (CORS)

When deploying the component, you can restrict Cross-Origin Resource Sharing so that a user's browser only lets pages served from your SAP Analytics Cloud tenant call the component. This limits which web origins can drive your BI system through the component from a browser. Note that CORS is enforced by the browser, not by the server: it does not stop a non-browser client from sending requests to the component, so it complements, rather than replaces, network-level restrictions and the SAML logon itself.

a. Go to the tomcat > webapps > sap#boc#ina > WEB-INF directory and open the web.xml file using Notepad.

b. Locate the <param-name>cors.allowed.origins</param-name> line.

c. Edit the <param-value>*</param-value> line underneath it as follows, giving the origin of your tenant (scheme and host only, no path or trailing slash):

<param-value><Your_SAP_ANALYTICS_CLOUD_TENANT_URL></param-value>

 

 

2.3. Configuration related to SAML Authentication

 

a. Make sure that the SAML-related properties (boe.authenticationMode, boe.trustedauth.method, boe.trustedauth.user.name.parameter, etc.) have already been configured in the boe.properties file as detailed in step 2.1 d of Part 2 above.

b. Go to the tomcat > webapps > sap#boc#ina > WEB-INF directory, open the web.xml file using Notepad, and uncomment the two sections related to SAML.

 

Prior to the change:

    <!--SAML -->
    <!--Uncomment the following section to activate SAML authentication -->
    <!--
    <context-param>
        <param-name>contextConfigLocation</param-name>
        <param-value>
            /WEB-INF/securityContext.xml
        </param-value>
    </context-param>
    -->
    <!--SAML -->
    <!--SAML -->
    <!--
    <filter>
        <filter-name>springSecurityFilterChain</filter-name>
        <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
    </filter>
    <filter-mapping>
        <filter-name>springSecurityFilterChain</filter-name>
        <url-pattern>/*</url-pattern>
    </filter-mapping>
    <listener>
        <listener-class>org.springframework.web.context.ContextLoaderListener</listener-class>
    </listener>
    -->
    <!--SAML -->

After the change:

    <!--SAML -->
    <!--Uncomment the following section to activate SAML authentication -->
    <context-param>
        <param-name>contextConfigLocation</param-name>
        <param-value>
            /WEB-INF/securityContext.xml
        </param-value>
    </context-param>
    <!--SAML -->
    <!--SAML -->
    <filter>
        <filter-name>springSecurityFilterChain</filter-name>
        <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
    </filter>
    <filter-mapping>
        <filter-name>springSecurityFilterChain</filter-name>
        <url-pattern>/*</url-pattern>
    </filter-mapping>
    <listener>
        <listener-class>org.springframework.web.context.ContextLoaderListener</listener-class>
    </listener>
    <!--SAML -->

 

 

c. Log in to the Central Management Console (CMC) of the BI Platform system and click Authentication > Enterprise. Select the checkbox Trusted Authentication is enabled, click the New Shared Secret button, then click the Download Shared Secret button. Click the Update button.

d. Copy the downloaded shared secret file (TrustedPrincipal.conf) from the temporary downloads directory to the location given by this WACS Java property: -Dbobj.trustedauth.home

It is configurable in the Central Management Console (command line of the WebApplicationContainerServer) and its default value is C:/Program Files (x86)/SAP BusinessObjects/SAP BusinessObjects Enterprise XI 4.0/java/pjs/container/bin. TrustedPrincipal.conf holds the shared secret that lets WACS accept trusted logons, so restrict its file permissions to the account that runs the BI Platform servers and delete the copy left in the downloads directory.

 

 

 

2.4 Download the SAML metadata of the Identity Provider (SAP Cloud Platform Identity Authentication service), and upload it to the Service Provider (SAP BOE Live Data Connect)

a. Log on to the Administration Console of your SAP Cloud Platform Identity Authentication tenant.

b. Under Applications & Resources, choose Tenant Settings, and then choose SAML 2.0 Configuration.

c. Click Download Metadata File to download the metadata file (metadata.xml) of the Identity Provider.

d. Copy the IdP's metadata file from the previous step and save it in the tomcat > webapps > sap#boc#ina > WEB-INF > classes > metadata directory as idp_metadata.xml.

e. Restart Tomcat.
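Before restarting Tomcat it is worth checking the edits made so far, because a mistake in any of them only shows up later as a failed SAML logon in SAC. The following script is an added example written for this post (it is not part of SAP BOE Live Data Connect and does not ship with it): it parses a boe.properties and a web.xml in the form shown above and reports a wrong authentication mode, trusted-authentication settings that do not match the WACS side, a plain-http boe.restUrl, a SAML filter that is still commented out, and a CORS origin left at * or written with a path. The sample files, host names and tenant URL inside it are constructed for illustration.

```python
"""Pre-restart check of boe.properties and WEB-INF/web.xml for Live Data Connect.

Added example, not code from the original post or from SAP: it flags settings from
steps 2.1 to 2.3 that otherwise only surface as a failed SAML logon. Property and
parameter names come from the post; everything else here is this example's own.
"""
import re
import xml.etree.ElementTree as ET


def parse_properties(text):
    """Parse Java .properties text (key=value, '#' or '!' comment lines) into a dict."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        key, sep, value = line.partition("=")
        if sep:
            props[key.strip()] = value.strip()
    return props


def audit_boe_properties(text):
    """Return a list of findings for boe.properties; an empty list means it looks right."""
    props = parse_properties(text)
    findings = []
    if props.get("boe.authenticationMode", "").lower() != "saml":
        findings.append("boe.authenticationMode is not 'saml'")
    if props.get("boe.trustedauth.method") != "HTTP_HEADER":
        findings.append("boe.trustedauth.method does not match the WACS setting (HTTP_HEADER)")
    if not props.get("boe.trustedauth.user.name.parameter"):
        findings.append("boe.trustedauth.user.name.parameter is missing")
    # On this hop the trusted-user header is the credential; plain HTTP exposes it.
    if not props.get("boe.restUrl", "").lower().startswith("https://"):
        findings.append("boe.restUrl is missing or not https; the trusted-user header travels in clear text")
    return findings


def audit_web_xml(text):
    """Return findings for web.xml: SAML filter chain active and CORS origin restricted."""
    findings = []
    # ElementTree drops XML comments, so a SAML section that is still commented
    # out (step 2.3 b not done) simply does not appear in the tree.
    root = ET.fromstring(text)
    for el in root.iter():  # strip a default xmlns so tag lookups work on any web.xml
        el.tag = el.tag.rsplit("}", 1)[-1]
    filters = {(f.text or "").strip() for f in root.iter("filter-name")}
    if "springSecurityFilterChain" not in filters:
        findings.append("springSecurityFilterChain is commented out; SAML is not active")
    origins = None
    for el in root.iter():
        name = el.find("param-name")
        if name is not None and (name.text or "").strip() == "cors.allowed.origins":
            value = el.find("param-value")
            origins = (value.text or "").strip() if value is not None else ""
    if origins is None:
        findings.append("cors.allowed.origins parameter not found")
    elif origins == "*":
        findings.append("cors.allowed.origins is '*': any web origin may call the component from a browser")
    else:
        for origin in origins.split(","):
            # A CORS origin is scheme://host[:port]; a path or trailing slash never matches.
            if not re.fullmatch(r"https://[A-Za-z0-9.-]+(:\d+)?", origin.strip()):
                findings.append(f"cors.allowed.origins entry {origin.strip()!r} is not an https origin")
    return findings


# Constructed sample files; host and tenant names are hypothetical.
PROPERTIES_AS_POSTED = """\
boe.restUrl=http://bi-server.example.internal:6405/biprws
boe.authenticationMode=saml
boe.trustedauth.method=HTTP_HEADER
boe.trustedauth.user.name.parameter=X-SAP-TRUSTED-USER
"""

WEB_XML_UNTOUCHED = """\
<web-app>
  <filter>
    <filter-name>CorsFilter</filter-name>
    <filter-class>org.apache.catalina.filters.CorsFilter</filter-class>
    <init-param>
      <param-name>cors.allowed.origins</param-name>
      <param-value>*</param-value>
    </init-param>
  </filter>
  <!--
  <filter>
    <filter-name>springSecurityFilterChain</filter-name>
    <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
  </filter>
  -->
</web-app>
"""

# The same file after the edits of steps 2.2 c and 2.3 b.
WEB_XML_CONFIGURED = WEB_XML_UNTOUCHED.replace("<!--", "").replace("-->", "").replace(
    "<param-value>*</param-value>",
    "<param-value>https://mytenant.example.sapanalytics.cloud</param-value>",
)
```

Run it against the real files by reading them into strings and passing them to audit_boe_properties and audit_web_xml; an empty list from both is the state you want before the Tomcat restart. The https check on boe.restUrl is deliberately strict: the post's own sample uses http, which works, but sends the X-SAP-TRUSTED-USER header in clear text.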

 

 

 

2.5 Download the SAML metadata of the Service Provider (SAP BOE Live Data Connect), and upload it to the Identity Provider (SAP Cloud Platform Identity Authentication service)

a. Go to https://<HOST>:<PORT>/sap/boc/ina/saml/metadata and save the metadata file (spring_saml_metadata.xml) of the Service Provider.

<HOST> is the host name of the Tomcat where SAP BOE Live Data Connect is deployed, and <PORT> the port on which that Tomcat serves the component.

 

b. Connect to the Administration Console of your SAP Cloud Platform Identity Authentication tenant.

c. Under Applications & Resources, choose Applications, then click + Add to add a new application for SAP BOE Live Data Connect. Provide a name and Save. Select the newly created application, then click SAML 2.0 Configuration.

d. Under Define from Metadata, click the Browse button to select and upload the metadata file of the Service Provider (from step 2.5 a). Click Save.

e. Click Name ID Attribute.

f. Choose the attribute (e.g. Login Name or User ID) that will be used to map and match the Account Name property of users in the BI Platform system. Click Save.

Note: The value of the selected Name ID attribute in the Identity Provider must be identical to the Account Name of the corresponding user in the BI Platform system for seamless single sign-on to the BI Platform from SAP Analytics Cloud.

 

Attribute Mapping

Let me illustrate how the attribute mapping works with the following sample.

A user logs in to SAP Analytics Cloud with his or her Identity Provider credentials:

User ID = P000019

Login Name = TestUser

There are two BI users (P000019 and TestUser) in the BI Platform, as shown in the screenshot.

When the Name ID Attribute of the SAP BOE Live Data Connect application in the IdP is set to Login Name (step 2.5 f), its value (TestUser) is compared against the Account Name attribute in the BI Platform. As of now, Account Name is the only attribute the BI Platform side can use for this mapping; it is not configurable and cannot be changed to another attribute. There is a match with the BI user TestUser (the second user in the screenshot). This BI user (TestUser) is logged in to the BI system automatically behind the scenes when the SAML SSO Live Data Connection to the Universe is established or a story built on it is refreshed in SAC.

If we switch the Name ID Attribute of the SAP BOE Live Data Connect application in the IdP to User ID (step 2.5 f), its value (P000019) is compared against the Account Name attribute in the BI Platform. There is a match with the BI user P000019 (the first user in the screenshot), and this BI user is logged in to the BI system automatically behind the scenes in the same way.

If the Name ID Attribute value does not match any BI user, the error "Unable to authenticate. Please ensure your credentials are valid." is raised when setting up the SAML SSO Live Data Connection to the Universe.
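To make the mapping concrete, here is an added example (not code from the post or from SAP BOE Live Data Connect) that walks the same path in Python: the IdP attribute chosen as Name ID Attribute is placed in the SAML NameID, the NameID is extracted from the assertion, and it is matched against the Account Name of a constructed list of BI users; the result is the value that ends up in the trusted-user header of step 2.1 d. Signature validation is left out, and the match is a plain string comparison; the post does not say how the BI Platform compares names, so treat that as an assumption of the example.

```python
"""Name ID to Account Name mapping, as an added example (not the product's code).

The IdP places the attribute selected as Name ID Attribute (step 2.5 f) in the SAML
NameID; Live Data Connect then logs on to the BI Platform as the Enterprise user whose
Account Name equals that value. The assertion and the BI user list below are
constructed; plain string equality stands in for the BI Platform's comparison rule,
which the post does not describe.
"""
import xml.etree.ElementTree as ET

SAML2 = "urn:oasis:names:tc:SAML:2.0:assertion"
NAMEID_ERROR = "Unable to authenticate. Please ensure your credentials are valid."

# Constructed IdP record with the two attributes used in the post's example.
IDP_USER = {"User ID": "P000019", "Login Name": "TestUser"}

# Constructed BI Platform Enterprise accounts; Account Name is the only attribute matched.
BI_USERS = [
    {"Account Name": "P000019", "Full Name": "Test User (by ID)"},
    {"Account Name": "TestUser", "Full Name": "Test User (by login)"},
    {"Account Name": "Administrator", "Full Name": "Administrator"},
]


def build_assertion(name_id_attribute, idp_user=IDP_USER):
    """Return a minimal, unsigned SAML 2.0 assertion whose NameID carries the chosen attribute."""
    value = idp_user[name_id_attribute]
    return (
        f'<saml:Assertion xmlns:saml="{SAML2}" ID="_example" Version="2.0">'
        "<saml:Issuer>https://idp.example.invalid</saml:Issuer>"
        '<saml:Subject><saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">'
        f"{value}</saml:NameID></saml:Subject>"
        "</saml:Assertion>"
    )


def extract_name_id(assertion_xml):
    """Pull the NameID text out of an assertion (signature checking is out of scope here)."""
    root = ET.fromstring(assertion_xml)
    node = root.find(f"{{{SAML2}}}Subject/{{{SAML2}}}NameID")
    if node is None or not (node.text or "").strip():
        raise ValueError("assertion has no NameID")
    return node.text.strip()


def resolve_bi_user(name_id, bi_users=BI_USERS):
    """Return the BI user whose Account Name equals the NameID, or raise with the
    message SAC shows when no account matches."""
    for user in bi_users:
        if user["Account Name"] == name_id:
            return user
    raise PermissionError(NAMEID_ERROR)


def sso_logon(name_id_attribute, idp_user=IDP_USER, bi_users=BI_USERS):
    """IdP attribute -> NameID -> BI Account Name -> value of the trusted-user header."""
    assertion = build_assertion(name_id_attribute, idp_user)
    bi_user = resolve_bi_user(extract_name_id(assertion), bi_users)
    # The header name is boe.trustedauth.user.name.parameter from boe.properties.
    return {"X-SAP-TRUSTED-USER": bi_user["Account Name"]}


if __name__ == "__main__":
    for attribute in ("Login Name", "User ID"):
        print(attribute, "->", sso_logon(attribute))
    try:
        sso_logon("Login Name", idp_user={"Login Name": "test.user@example.invalid"})
    except PermissionError as err:
        print("no matching Account Name ->", err)
```

Switching the Name ID Attribute between Login Name and User ID changes which of the two BI accounts receives the session, exactly as in the walkthrough above; an IdP value with no BI account of that name (the e-mail-style login in the last call) produces the same error text SAC displays.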

 

 

Part 3. Create a Live Direct Connection in SAP Analytics Cloud

 

1. Log on to the SAP Analytics Cloud tenant.

2. Go to Main Menu > Connection > Connections > + (Add Connection) > Connect to Live Data > SAP Universe.

3. In the dialog, enter a connection name of your choice. NOTE: The connection name cannot be changed later.

4. Specify the Tomcat server's host (where BOE Live Data Connect is deployed) and HTTPS port number.

5. Under Authentication Method, select SAML Single Sign On.

6. Click OK.

If the configuration is successful, a small popup window appears and immediately closes. Once the connection has been saved, you can create a model that consumes the SAP Universe built in the on-premise BI Platform via the Live Data Connection, and build stories on top of that model in SAP Analytics Cloud.

 

 

Troubleshoot

 

1. Error: "Unable to authenticate. Please ensure your credentials are valid." when saving the SAML SSO Live Data Connection.

Most likely there is an issue with the mapping between the Name ID Attribute of the IdP and the Account Name property of the user object in the BI Platform: no matching user is found in the BI Platform system.

The BOE Live Data Connect trace then shows the error "Failed login attempt for user: <user> from IP: <IP address>", where <user> is the user as known to the Identity Provider and <IP address> is the client machine's address.

When the SAML SSO Live Data Connection is successfully established, the trace shows instead: Successful login attempt for user: <user> from IP: <IP address>
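The two trace messages above are the quickest way to tell a mapping problem from anything else, so here is an added example (not from the post or the product) that parses a constructed excerpt of the Live Data Connect trace and groups the attempts per user and source IP. Only the two message texts are taken from the post; the timestamp prefix, level tags and user names in the sample are made up. An identity that only ever fails is a Name ID value that matches no BI Account Name.

```python
"""Triage of "Failed/Successful login attempt" lines from the Live Data Connect trace.

Added example, not part of the original post or of the product. Only the two
message texts come from the post; the timestamp prefix, level tags and user names
in SAMPLE_TRACE are constructed for illustration.
"""
import re
from collections import defaultdict

LOGIN_RE = re.compile(
    r"(?P<outcome>Successful|Failed) login attempt for user: (?P<user>\S+) from IP:\s*(?P<ip>[0-9A-Fa-f.:]+)"
)

SAMPLE_TRACE = """\
2020-05-04 09:12:01 |info| Failed login attempt for user: TestUser@example.invalid from IP: 10.20.30.40
2020-05-04 09:12:09 |info| Failed login attempt for user: TestUser@example.invalid from IP: 10.20.30.40
2020-05-04 09:15:44 |info| Successful login attempt for user: P000019 from IP: 10.20.30.40
2020-05-04 09:16:02 |info| Successful login attempt for user: P000019 from IP: 10.20.30.41
2020-05-04 09:20:13 |info| Failed login attempt for user: jdoe@example.invalid from IP: 10.20.30.42
2020-05-04 09:21:00 |debug| some unrelated trace line that must be ignored
"""


def parse_login_events(trace_text):
    """Return (outcome, user, ip) for every login line; other lines are skipped."""
    events = []
    for line in trace_text.splitlines():
        m = LOGIN_RE.search(line)
        if m:
            events.append((m["outcome"].lower(), m["user"], m["ip"]))
    return events


def triage(trace_text):
    """Count failed and successful attempts per user with their source IPs, and list
    the users that never succeeded: a Name ID value with no BI account of that name."""
    per_user = defaultdict(lambda: {"failed": 0, "successful": 0, "ips": set()})
    for outcome, user, ip in parse_login_events(trace_text):
        per_user[user][outcome] += 1
        per_user[user]["ips"].add(ip)
    never_succeeded = sorted(u for u, s in per_user.items() if s["successful"] == 0)
    return {"per_user": dict(per_user), "never_succeeded": never_succeeded}


if __name__ == "__main__":
    report = triage(SAMPLE_TRACE)
    for user, stats in report["per_user"].items():
        print(f"{user}: failed={stats['failed']} ok={stats['successful']} ips={sorted(stats['ips'])}")
    print("never succeeded (check Name ID Attribute vs. Account Name):", report["never_succeeded"])
```

In the sample, P000019 succeeds from two client addresses while the two e-mail-style identities never do, which is the signature of an IdP Name ID Attribute that does not line up with the BI Account Name. Because the IP logged is the client machine's, the same report also shows which workstations were involved, which helps when only some users report the error.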

 

 

SAML-tracer (an add-on for Firefox) is a good tool to capture the complete SAML exchange, including the popup window invoked in the SSO workflow.

SAP KBA 2411608 – SAP Analytics Cloud SAML authentication

SAP KBA 2487567 – Troubleshooting SAML assertions when configuring SAML SSO in SAP Analytics Cloud

 

2. If the New Shared Secret button (CMC > Authentication > Enterprise) is clicked for any reason, TrustedPrincipal.conf is regenerated, and the updated TrustedPrincipal.conf file must be copied again to the location given by the WACS Java property -Dbobj.trustedauth.home (refer to step 2.3 d). Otherwise the existing SAML SSO Live Data Connection stops working.

 
