In this blog I will explain my experience setting up a live data connection from SAC to SAP HANA Cloud with Single-Sign-On. The whole process took around 45 minutes.
Since SAP Analytics Cloud version 2020.20, the HANA Analytics Adapter is not required anymore. A live connection can be established directly from SAC to HANA Cloud as described in the official documentation.
You can find more information about the available connections for each data source on the official SAP Analytics Cloud website.
Go to Main Menu > Connection > + (Add Connection).
In the Select a data source dialog, expand Connect to Live Data, and select SAP HANA.
In the dialog, enter a name and description for your connection.The connection name cannot be changed later.
Set the connection type to SAP HANA Cloud.
Add your SAP HANA Cloud host name.
Under Authentication Method, select SAML Single Sign On.
Copy the SAML Identity Provider (IdP) from the Provider Name field in the connection dialog, and also download the certificate from this dialog.
In the SAP BTP Cockpit, navigate to SAP HANA Cloud and open the SAP HANA Cockpit.
From the SAP HANA Cockpit, go to Certificate Store.
You will now upload the certificate that you previously downloaded. Click the Import button.
Select "Import from file" to upload the certificate. Then select OK.
You will see your certificate added as below.
Now we need to create a SAML identity provider.
Go to SAML Identity Providers, and click the "Add Identity Provider" button.
Provide an Identity Provider Name. Enter the SAML provider name that you copied from the connection dialog into the Entity ID field, and select the newly added certificate.Then select Add.
You will see your SAML identity provider registered as below.
Now we need to create a certificate collection.
From the SAP HANA Cockpit, go to the Certificate Collections, and click the Add Collection button.
Type a collection name, and click OK.
Click Add Certificate. Select the new certificate, and click OK.
Select the Edit Purpose button. In the Purpose field, choose SAML. In the Providers field, select the newly created SAML provider. Click Save.
You will see your certificate collection registered as below.
Grant your user the necessary rights to access the data that you want to expose from your HANA database.
In this case, I grant the access role to an HDI container where I created 1 calculation view of type CUBE. Learn more about the different methods to grant access rights to HDI containers in A live data connection to SAP HANA Cloud in SAP Analytics Cloud
For another user from the same SAP Analytics Cloud tenant to be able to access the same SAP HANA Cloud system, you'd need to create another user in SAP HANA and map the appropriate ID, or use the same SAP HANA user and map the appropriate ID.
Go back to SAP Analytics Cloud, and finish creating the connection by selecting OK in the connection dialog.
Create a new model.
Select "Get data from a data source", then choose "Live data connection".
Select SAP HANA as a system type, and the connection that you just set up.
Within the Data source, you will see all calculation views of type CUBE which your user can access. In my case, I only created 1 calculation view called "calcview".
Edit and save your model.
You can now create a new story based on that model. The data will be automatically pulled from SAP HANA Cloud, and authentication and authorizations are based on your unique user.
Thank you,
Maxime SIMON
Since SAP Analytics Cloud version 2020.20, the HANA Analytics Adapter is not required anymore. A live connection can be established directly from SAC to HANA Cloud as described in the official documentation.
You can find more information about the available connections for each data source on the official SAP Analytics Cloud website.
Prerequisites
- This connection type works only in Cloud Foundry environments (non-SAP data centers). For Neo environments (SAP data centers), see Live Data Connection to SAP HANA Cloud Using a Direct Connection and SSO.
- Users need to have read access to SAP HANA Cloud database Calculation views that will be used to create and view models and stories in SAP Analytics Cloud. Learn how to grant access to an HDI Container's Schema.
- SAC can only see Calculation views of type CUBE (which include aggregation).
You cannot use Calculation views of type dimension, nor tables, nor SQL views for analysis in SAC. See this help page to learn more about HDI containers and the way users are set up. - You must use OAuth 2.0 for authentication.
- SAML SSO must be enabled in SAP Analytics Cloud. For more information, see Enabling a Custom SAML Identity Provider.
- The following steps must be carried out by a user who has administrator-level privileges in SAP HANA Cloud and SAP Analytics Cloud, and logs on to SAP Analytics Cloud via the SAML Identity Provider. For the steps in the SAP Analytics Cloud system, the BI Admin role is required. For the steps in the SAP HANA Cloud system, the Administrator role is required.
Create a connection from SAP Analytics Cloud
Go to Main Menu > Connection > + (Add Connection).
In the Select a data source dialog, expand Connect to Live Data, and select SAP HANA.
In the dialog, enter a name and description for your connection.The connection name cannot be changed later.
Set the connection type to SAP HANA Cloud.
Add your SAP HANA Cloud host name.
Under Authentication Method, select SAML Single Sign On.
Copy the SAML Identity Provider (IdP) from the Provider Name field in the connection dialog, and also download the certificate from this dialog.
You'll need these two items to perform the trust configuration to set up SAML SSO.
Set up the trust relationship between SAP HANA Cloud and SAP Analytics Cloud
In the SAP BTP Cockpit, navigate to SAP HANA Cloud and open the SAP HANA Cockpit.
From the SAP HANA Cockpit, go to Certificate Store.
You will now upload the certificate that you previously downloaded. Click the Import button.
Select "Import from file" to upload the certificate. Then select OK.
You will see your certificate added as below.
Now we need to create a SAML identity provider.
Go to SAML Identity Providers, and click the "Add Identity Provider" button.
Provide an Identity Provider Name. Enter the SAML provider name that you copied from the connection dialog into the Entity ID field, and select the newly added certificate.Then select Add.
You will see your SAML identity provider registered as below.
Now we need to create a certificate collection.
From the SAP HANA Cockpit, go to the Certificate Collections, and click the Add Collection button.
Type a collection name, and click OK.
Click Add Certificate. Select the new certificate, and click OK.
Select the Edit Purpose button. In the Purpose field, choose SAML. In the Providers field, select the newly created SAML provider. Click Save.
You will see your certificate collection registered as below.
From the SAP HANA Cockpit, select User Management.
You can create a new user or you can modify an existing user by providing the proper role.
You can create a new user or you can modify an existing user by providing the proper role.
Click on + (
Set Disable ODBC/JDBC Access to No.
On the Authentication tab, select SAML.
Click Add SAML Identity, and select your identity provider.
Set Automatic Mapping by Provider to OFF.
Insert your identifier from SAP Analytics Cloud as the External Identity field on the Authentication tab in User Management. Note: by default, this is the user e-mail. You can set other identifiers from SAC by using other identity providers.
Grant your user the necessary rights to access the data that you want to expose from your HANA database.
In this case, I grant the access role to an HDI container where I created 1 calculation view of type CUBE. Learn more about the different methods to grant access rights to HDI containers in A live data connection to SAP HANA Cloud in SAP Analytics Cloud
For another user from the same SAP Analytics Cloud tenant to be able to access the same SAP HANA Cloud system, you'd need to create another user in SAP HANA and map the appropriate ID, or use the same SAP HANA user and map the appropriate ID.
Test your connection from SAP Analytics Cloud
Go back to SAP Analytics Cloud, and finish creating the connection by selecting OK in the connection dialog.
Create a new model.
Select "Get data from a data source", then choose "Live data connection".
Select SAP HANA as a system type, and the connection that you just set up.
Within the Data source, you will see all calculation views of type CUBE which your user can access. In my case, I only created 1 calculation view called "calcview".
Edit and save your model.
You can now create a new story based on that model. The data will be automatically pulled from SAP HANA Cloud, and authentication and authorizations are based on your unique user.
Thank you,
Maxime SIMON
- SAP Managed Tags:
14 Comments
