Skip to Content
Technical Articles

Live Data Connection from SAC to SAP HANA Cloud with Single-Sign-On

In this blog I will explain my experience setting up a live data connection from SAC to SAP HANA Cloud with Single-Sign-On. The whole process took around 45 minutes.

Since SAP Analytics Cloud version 2020.20, the HANA Analytics Adapter is not required anymore. A live connection can be established directly from SAC to HANA Cloud as described in the official documentation.

Prerequisites

This connection type works only in Cloud Foundry environments (non-SAP data centers). For Neo environments (SAP data centers), see Live Data Connection to SAP HANA Cloud Using a Direct Connection and SSO.

To perform these steps, you must use the default DBADMIN user for SAP HANA Cloud (for details, see this page), or an equivalent SAP HANA Cloud user.

You have set up the SAP HANA Info Access Service (InA). See this help page for details. It was set up correctly by default in my HANA Cloud environment. Users need to have read access to SAP HANA Cloud database artifacts that will be used by the InA queries generated, to create and view models and stories in SAP Analytics Cloud.

You must use OAuth 2.0 for authentication.

SAML SSO must be enabled in SAP Analytics Cloud. For more information, see Enabling a Custom SAML Identity Provider.

The following steps must be carried out by a user who has administrator-level privileges in SAP HANA Cloud and SAP Analytics Cloud, and logs on to SAP Analytics Cloud via the SAML Identity Provider. For the steps in the SAP Analytics Cloud system, the BI Admin role is required. For the steps in the SAP HANA Cloud system, the Administrator role is required.

Create a connection from SAP Analytics Cloud

Go to Start of the navigation path (Main Menu) Next navigation step  Connection Next navigation step Connections Next navigation step  (Add Connection)End of the navigation path.

In the Select a data source dialog, expand Connect to Live Data, and select SAP HANA.

In the dialog, enter a name and description for your connection.The connection name cannot be changed later.

Set the connection type to SAP HANA Cloud.

Add your SAP HANA Cloud host name.

Under Authentication Method, select SAML Single Sign On.

Copy the SAML Identity Provider (IdP) from the Provider Name field in the connection dialog, and also download the certificate from this dialog.

You’ll need these two items to perform the trust configuration to set up SAML SSO.

Set up the trust relationship between SAP HANA Cloud and SAP Analytics Cloud

Open the SAP HANA Cockpit.

From the SAP HANA Cockpit, go to Certificate Store.

You will now upload the certificate that you previously downloaded. Click the Import button.
Select “Import from file” to upload the certificate. Then select OK

You will see your certificate added as below.

Now we need to create a SAML identity provider.

Go to SAML Identity Providers, and click the “Add Identity Provider” button.
Provide an Identity Provider Name. Enter the SAML provider name that you copied from the connection dialog into the Entity ID field, and select the newly added certificate.Then select Add.

You will see your SAML identity provider registered as below.

Now we need to create a certificate collection.

From the SAP HANA Cockpit, go to the Certificate Collections, and click the Add Collection button.
Type a collection name, and click OK.
Click Add Certificate. Select the new certificate, and click OK.
Select the Edit Purpose button. In the Purpose field, choose SAML. In the Providers field, select the newly created SAML provider. Click Save.

You will see your certificate collection registered as below.

    Map an SAP Analytics Cloud user to an SAP HANA Cloud user.

    From the SAP HANA Cockpit, select User Management. You need to create the user, or you can modify an existing user, and provide the proper role.
    Click Start of the navigation path Next navigation step Create UserEnd of the navigation path.
    Set Disable ODBC/JDBC Access to No.
    On the Authentication tab, select SAML.
    Click Add SAML Identity, and select your identity provider.
    Set Automatic Mapping by Provider to OFF.
    Insert your identifier from SAP Analytics Cloud as the External Identity field on the Authentication tab in User Management. Note: by default, this is the user e-mail. You can set other identifiers from SAC by using other identity providers.

    Grant your user the necessary rights to access the data that you want to expose from your HANA database. In this case, I grant the access role to an HDI container where I created 1 calculation view of type CUBE.

    For another user from the same SAP Analytics Cloud tenant to be able to access the same SAP HANA Cloud system, you’d need to create another user in SAP HANA and map the appropriate ID, or use the same SAP HANA user and map the appropriate ID.

    Test your connection from SAP Analytics Cloud

    Go back to SAP Analytics Cloud, and finish creating the connection by selecting OK in the connection dialog.

    Create a new model.

    Select “Get data from a data source”, then choose “Live data connection”.

    Select SAP HANA as a system type, and the connection that you just set up.

    Within the Data source, you will see all calculation views of type CUBE which your user can access. In my case, I only created 1 calculation view called “calcview”.

    Edit and save your model.

    You can now create a new story based on that model. The data will be automatically pulled from SAP HANA Cloud, and authentication and authorizations are based on your unique user.

    Thank you,

    Maxime SIMON

    Be the first to leave a comment
    You must be Logged on to comment or reply to a post.