With this blog series we provide an update with the latest information on getting started with SAP HANA Cloud on the SAP Cloud Platform.
For the latest features blog (Oct 2020), see
For more information about the free trial, see
Questions? Post as comment.
Useful? Give a like and share on social media. Thanks!
Hands-On Video Tutorials
Chief partner engineer, Philip MUGGLESTONE just updated his SAP HANA Cloud playlist on the SAP HANA Academy YouTube channel with three new videos covering schema access from HDI Containers, the HANA Analytics Adapter, and configuring Single Sign-On (SSO) for SAP HANA Cloud, SAP Analytics Cloud, and the SAP Cloud Platform.
In this blog, you will find the videos embedded with some additional information and resources.
Following along, you will learn how we can access database schemas from inside an HDI container, how to create a simple calculation view, and how to display data from this view in SAP Analytics Cloud, effectively connecting SAP Analytics Cloud with SAP HANA Cloud via the SAP Cloud Platform and the HANA Analytics Adapter. Cherry on the pie is a seamless single sign-on experience.
You can watch the three video tutorials in about 45 minutes. What you get back is
- how to create an MTA (multi-target application) containing a calculation view inside an HDI container accessing data from both the SAP HANA Cloud database (table) and SAP HANA Cloud Data Lake (views) through the use of synonyms and roles and a user-defined service
- how to scaffold an application containing the HANA Analytics Adapter (HAA), deploy this to SAP Cloud Platform, and create an SAP Analytics Cloud Live Connection with a model and a story leveraging the HAA
- how to configure a SAML trust relation between SAP Analytics Cloud, our SAP Cloud Platform subaccount, and the Identity Provider, so we only need to log on once to view Live data from SAP HANA Cloud in SAP Analytics Cloud stories using the HAA hosted by SAP Cloud Platform.
We started our construction project in the previous blog with videos 1-7, so make sure to watch these first. To bookmark the playlist on YouTube, go to > SAP HANA Cloud
Because we know your time is precious, we have included code snippets so you can easily and merrily code along. For the GitHub repository with sample code, visit > github.com/saphanaacademy/SAPHANACloud
Ready? Let’s set this up.
Access Schema from HDI Container
In this video tutorial, Philip shows how to configure access from an HDI container to a regular SAP HANA database schema. This enables visual database modeling (calculation views) on data stored outside the container and is required for access using SAP Analytics Cloud via the HANA Analytics Adapter.
Calculation views are the building blocks of analytics with SAP HANA, and this is no different for SAP HANA Cloud. We create and model calculation views in a graphical environment as design-time objects for deployment as runtime objects in a production environment either on-premise or in the SAP Cloud Platform.
- Creating a Graphical Calculation View, SAP HANA Cloud Modeling Guide for SAP Web IDE Full-Stack (SAP Help Portal)
To access data outside the container, for example in a regular database schema, we need to create synonyms and define the appropriate security.
For some additional reading on HDI, see
- SAP HANA Cloud Deployment Infrastructure (HDI) Reference (SAP Help Portal)
For this setup, we need to create
- Roles and authorisations to access the schema
- User-provided service in Cloud Foundry
- Access the user-provided service using the roles and create a synonym on each object
Roles and authorisations
As DBADMIN, or any other user with USER | ROLE ADMIN privileges, create a technical user, two roles, and grant the roles to the user.
For the sample code, go to github.com/saphanaacademy/SAPHANACloud.
```sql
-- create user
CREATE USER travel_grantor PASSWORD <password> NO FORCE_FIRST_PASSWORD_CHANGE SET USERGROUP DEFAULT;

-- create roles
CREATE ROLE "travel::external_access_g";
CREATE ROLE "travel::external_access";

-- grant roles to user
GRANT "travel::external_access_g", "travel::external_access" TO travel_grantor WITH ADMIN OPTION;
```
As DEVUSER (or any other user with GRANT SELECT object access), we then grant the roles access to the schema.
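The grant step described above, as an added example rather than the sample code from the repository: it gives the two roles read access to the schema and then checks the result against the system views. The schema name TRAVEL is an assumed placeholder.

```sql
-- Added example; TRAVEL is an assumed placeholder for the schema being exposed.
-- Run as the schema owner or a user holding SELECT WITH GRANT OPTION on it.

-- "_g" role: intended for the container's object owner, which must be able to
-- pass SELECT on to consumers of the views built on top of the synonyms.
GRANT SELECT ON SCHEMA TRAVEL TO "travel::external_access_g" WITH GRANT OPTION;

-- Plain role: intended for application users; read-only, nothing to pass on.
GRANT SELECT ON SCHEMA TRAVEL TO "travel::external_access";

-- Check 1: each role carries only SELECT on the schema,
-- and only the "_g" role has IS_GRANTABLE = 'TRUE'.
SELECT GRANTEE, OBJECT_TYPE, SCHEMA_NAME, OBJECT_NAME, PRIVILEGE, IS_GRANTABLE
  FROM SYS.GRANTED_PRIVILEGES
 WHERE GRANTEE IN ('travel::external_access_g', 'travel::external_access')
 ORDER BY GRANTEE, PRIVILEGE;

-- Check 2: the technical user holds PUBLIC plus the two roles, nothing more.
SELECT GRANTEE, ROLE_NAME, GRANTOR, IS_GRANTABLE
  FROM SYS.GRANTED_ROLES
 WHERE GRANTEE = 'TRAVEL_GRANTOR';

-- Check 3: no privileges were granted to the technical user directly,
-- other than those on its own schema that come with user creation.
SELECT OBJECT_TYPE, SCHEMA_NAME, OBJECT_NAME, PRIVILEGE, IS_GRANTABLE
  FROM SYS.GRANTED_PRIVILEGES
 WHERE GRANTEE = 'TRAVEL_GRANTOR';
```

Keeping the grantable privilege confined to the "_g" role means the credentials stored in the user-provided service can hand out read access to this one schema only.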
As documented, user-provided service instances enable developers to use services that are not available in the marketplace with their apps running on Cloud Foundry. This is a pure Cloud Foundry concept we are leveraging here. For more information about the concepts, visit
- Creating User-Provided Service Instances, SAP Cloud Platform (SAP Help Portal)
- User-Provided Service Instances (Cloud Foundry Docs)
Connect with your global account to the SAP Cloud Platform Cloud Foundry environment where your SAP HANA Cloud instance is running and create a new user-provided service with the credentials as JSON. For the sample code, go to github.com/saphanaacademy/SAPHANACloud.
SAP Web IDE
For the third step, we need to connect to the SAP Web IDE (hosted from the Neo environment) to
- Create a new project using the SAP HANA Database template
- Update the configuration file for this multi-target application (MTA) with a reference to the user-provided service
- Create the design-time objects for grants, roles, and synonyms, all defined in JSON
For the documentation, see
See also video 7, Develop Apps, from the second blog.
If we then build the module and access the HDI container in the SAP HANA Cloud database, we should see the synonym listed inside the container and be able to access the data outside the container.
As a reminder, the ROOM table data comes from the SAP HANA Cloud database. The two views point to the SAP HANA Cloud Data Lake.
Next step is to create a calculation view as design-time object and run a build on the db module to create the corresponding runtime object in the SAP HANA Cloud database.
To be sure, verify that the data is still accessible and that we can do some basic analysis using the built-in viewer.
Final step is to run a build again, this time on the project, using the new and recommended Cloud Build MTA Tool and deploy the MTA archive (MTAR file) to your Cloud Foundry organisation and space on the SAP Cloud Platform.
The result will be a new HDI container as service instance in your space.
HANA Analytics Adapter
In the next video, we learn how to deploy the HANA Analytics Adapter (HAA). This adapter serves as a piece of middleware to enable live access from SAP Analytics Cloud to SAP HANA HDI containers in Cloud Foundry.
In the architecture diagram, we can see the adapter hosted on the SAP Cloud Platform and that SAP Analytics Cloud connects to the adapter to access the HDI containers in the SAP HANA Cloud database. For single sign-on (SSO) using SAML 2.0 authentication, we need to configure the identity providers for both environments, which is the topic of the next video (below).
Prerequisites for this setup are
- HDI container
- Cube type calculation view
- HDB role defining the access privileges
In the previous video, we provided an example of how you can create these three items.
How to configure HAA has also been covered in the blog post Connecting SAC to HANA Cloud the Easy Way – Using Application Studio to Deploy the HAA (Hana Analytics Adapter) by Ian Henry.
Deploy HANA Analytics Adapter
To deploy the HANA Analytics Adapter you can use the new Business Application Studio, hosted from Cloud Foundry.
How to get started with the SAP Business Application Studio is covered in the onboarding video tutorial series,
Create a new space for SAP Cloud Business Applications, start a new terminal, and run the command
npm install -g generator-saphanaacademy-haa
For our project, select Saphanaacademy-haa (or run command yo saphanaacademy-haa) and answer the prompts.
You need to provide the URL of your SAP Analytics Cloud system and the name of the HDI container. We will set up SSO in the next video.
Next, we need to download the Analytics adapter from tools.hana.ondemand.com/#hanatools, extract the file and copy the Java Web archive (WAR) file to the srv/target folder of our project.
Yeoman created an MTA for us with a router (app) and a server containing the HAA Java application. The file xs-security.json specifies a role collection.
Assign Role Collection
The role collection specified in the file xs-security.json has been created and needs to be assigned to a (your) user.
Security > Trust Configuration > SAP ID Service > <your email> > assign collection: travelhaa_Viewer
The two applications (micro services) have been created: front-end (router) travelhaa and back-end travelhaa_srv.
HeartBeat and GetServerInfo
When we append the HeartBeat to the URL, we get the HeartBeat service, listing application name sap.bc.ina.service.v2. Anyone who has configured SAP Analytics Cloud connections will be familiar with the SAP HANA Information Access (InA) service.
Append GetServerInfo to the URL and you will get information about the connected SAP HANA instance. Version 4.00 informs us we are connected to SAP HANA Cloud.
SAP Analytics Cloud – HANA Live Connection
In SAP Analytics Cloud we can then create a new HANA Live connection specifying the URL of our HAA application as host.
In SAP Analytics Cloud we can then create a model based on this Live data connection.
The chart is now populated using a Live Connection, connecting to
- the HANA Analytics Adapter running in SAP Cloud Platform
- a calculation view hosted in an HDI container on the SAP Cloud Platform
- SAP HANA Cloud database (table) and SAP HANA Cloud Data Lake (view)
Small inconvenience: when we open the URL to the story in an incognito window, we are prompted to log in to SAP Analytics Cloud and to SAP Cloud Platform. For a single sign-on experience we need to configure SSO. Let’s fix this.
HANA Analytics Adapter – Single Sign-On
To enable SSO, we need to update the identity providers configuration of SAP Analytics Cloud and SAP Cloud Platform.
We will configure SAP Analytics Cloud and SAP Cloud Platform to use SAML 2.0 authentication from a shared Identity Provider (IdP).
For the documentation, see
- SAP HANA Authentication and Single Sign-On, SAP HANA Cloud Security Guide
- User Authentication and Single Sign-On, SAP HANA Cloud Administration Guide
Update HAA for SSO
First, we need to update our project for named users. This configuration is set in the MTA project configuration file (mta.yaml) and we can use Yeoman to update this property for us with command
Update the version number and build and deploy the new version of the application.
Verify that the HeartBeat now returns an authorisation failed message.
Configure Certificates and JWT Providers
We need to set up the trust and a named user in SAP HANA Cloud.
First, verify if a trust has already been established. If not, no rows should be returned.
```sql
SELECT * FROM PSES WHERE PURPOSE = 'JWT';
SELECT * FROM CERTIFICATES;
SELECT * FROM PSE_CERTIFICATES;
SELECT * FROM JWT_PROVIDERS;
```
Next, we need to obtain the URL from the service bindings of the user authentication service travelhaa-uaa of the server module travelhaa-srv
Append to the path:
This returns the certificate and issuer of the JWT token being used.
Copy and paste the certificate and the issuer and execute both statements to create a certificate and JWT Provider.
```sql
CREATE certificate FROM '<certificate>';
CALL SYSTEM.CREATE_JWT_PROVIDER('JWTPROVIDER1', '<issuer>', 'user_name', true);
```
Next, copy the ID and create and update the Personal Security Environment (PSE).
```sql
CREATE pse PSE1;
ALTER pse PSE1 ADD certificate <certificate_id>;
CALL SYSTEM.SET_PSE_PURPOSE('PSE1', 'JWT', ARRAY('JWTPROVIDER1'));
```
When executing the select statements from above, rows are returned for each table.
Create Named User
Next, we need to create our named user, one for each user we wish to grant the delight of SSO.
From the service binding travel-hdi for the travelhaa-srv app we can obtain the HDI schema.
Which we can use to grant the roles previously created.
Again, for the sample code, go to github.com/saphanaacademy/SAPHANACloud.
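One way to create such a named user and check its logon methods, as an added example that is not the repository's sample code. The user name and e-mail address are constructed placeholders, and the HDI role grant is not shown.

```sql
-- Added example; HAA_VIEWER_01 and the e-mail address are constructed placeholders.
-- JWTPROVIDER1 was created above with 'user_name' as the claim, so the identity
-- given here has to equal the user_name claim of the incoming token.
CREATE USER HAA_VIEWER_01
  WITH IDENTITY 'jane.doe@example.com' FOR JWT PROVIDER JWTPROVIDER1;

-- Check 1: which external identity is bound to which database user.
-- Expect exactly one row per named user and no unexpected mappings.
SELECT USER_NAME, JWT_PROVIDER_NAME, EXTERNAL_IDENTITY
  FROM SYS.JWT_USER_MAPPINGS
 WHERE JWT_PROVIDER_NAME = 'JWTPROVIDER1';

-- Check 2: the named user can log on with a JWT but not with a password,
-- because no PASSWORD clause was given at creation.
SELECT USER_NAME, IS_JWT_ENABLED, IS_PASSWORD_ENABLED
  FROM SYS.USERS
 WHERE USER_NAME = 'HAA_VIEWER_01';
```

A named user without password logon can only be reached through a token from the trusted issuer, so the database account is not exposed to password guessing.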
The HAA HeartBeat returns this information.
Identity Provider Trust Configuration – SAP Analytics Cloud
The last step is to configure the trust between SAP Cloud Platform and SAP Analytics Cloud via an Identity provider. In our example, we use SAP Identity Authentication Service.
For the documentation, see
- User Management With a SAML Identity Provider (IdP)
- SAP Cloud Platform Identity Authentication Service
- Trust and Federation with Identity Providers or SAP ID Service, SAP Cloud Platform
For this you need to be the system owner of the SAP Analytics Cloud tenant, menu System > Administration. By default, SAP Cloud Identity is used as the default authentication method. Change this to SAML Single Sign-On (SSO) and download the metadata.
Upload the metadata to your IdP as SAML 2.0 configuration and this configures the Assertion Consumer Service Endpoint, Single Logout Endpoint and other related parameters.
Configure the Subject Name Identifier to use e-mail and download the SAML metadata.
Now, we need to repeat the steps in the other direction. On the Security tab of SAP Analytics Cloud
- Upload the IdP SAML metadata (Step 2).
- Configure the mapping to use email as user attribute (Step 3)
- Confirm that the mapping is working (Step 4).
Identity Provider Trust Configuration – SAP Cloud Platform Subaccount
Next, download the SAML metadata for the SAP Cloud Platform subaccount and repeat the steps on the IdP side: upload metadata and configure Subject Name Identifier.
Create a New Trust Configuration for this subaccount adding the SAML metadata from the IdP and deactivate the default identity provider, here SAP ID Service.
As before, we need to assign the viewer role collection to our users.
When we now connect to SAP Analytics Cloud, the logon screen comes from the new identity provider.
And when opening the Story, the connection to the SAP Cloud Platform is automatically established for us using a named user in the SAP HANA Cloud database.
Share and Connect
Post a comment, share on social media, and/or give a like. Thanks!
If you would like to receive updates, connect with me on
Denys van Kempen