SAP Analytics Cloud Tunnel Connection to SAP HANA
Introduction
In this blog I will try to explain how to establish Application-to-Application SSO authentication, and add a ‘Tunnel connection’ to ‘SAP HANA’ option in SAP Analytics Cloud.
For a tunnel connection with user name and password, see this blog: https://blogs.sap.com/2020/11/25/what-is-sap-analytics-cloud-tunnel-connection-configure-sac-hana-to-use-tunnel-connection-with-password-authentication
Application-to-Application SSO
Application-to-Application SSO is an authentication mechanism available for an HTTP destination to propagate the application user from SAP Analytics Cloud to SAP HANA. Application-to-Application SSO has a trust relationship set up in SAP HANA Extended Application Services (XS), like any other SAML-based IdP.
Role of Cloud Connector
For inbound connections into the on-premise network, the Cloud Connector acts as a reverse invoke proxy between SAP BTP and the internal systems. Once it is installed, none of the internal systems are accessible through the Cloud Connector by default: you must explicitly configure each system, and each service and resource on every system, that is to be exposed to SAP Analytics Cloud. You can also specify a virtual host name and port for a configured on-premise system, which is then used in the cloud. This avoids exposing information about physical hosts to the cloud.
The TLS (Transport Layer Security) tunnel is established from the Cloud Connector to SAP Analytics Cloud via a so-called reverse invoke approach. This lets an administrator have full control of the tunnel, since it can’t be established from the cloud or from somewhere else outside the company network. The Cloud Connector administrator is the one who decides when the tunnel is established or closed.
SAP Business Technology Platform (BTP) guarantees strict isolation on subaccount level provided by its infrastructure and platform layer. An application of one subaccount is not able to access and use resources of another subaccount.
SAP HANA Data Source
SAP HANA supports encrypted communication for all client-server (external) communication. SAP recommends encrypted communication whenever possible. For HANA to share data, its InA endpoints must be available to the internet outside the corporate firewall. We will use SAP Cloud Connector to establish a secure tunnel between SAP Analytics Cloud and the on-premise HANA server.
The SAP HANA instance must be properly set up for SAML-based authentication as one of the prerequisites. Most of the configuration steps are covered in my previous blog; here I will cover the additional steps required to configure SAML SSO.
There are currently three ways for the mobile app to support SSO on iOS:
- The mobile app supports SSO using an MDM push-based certificate for logging on to SAP Analytics Cloud. For SSO to live data sources in your stories, individual users can manually import certificates to a device. For detailed information on how to configure this method, see Certificate-Based Authentication for Mobile.
- You can also set up SSO using the SAP Cloud Connector to propagate credentials through the system once trust is established between your SAP Analytics Cloud system and your live data source. For more information on this SSO method, see SAP Cloud Connector-based Mobile Single Sign-On.
- Using a customized token for SSO to connected live data sources. Specific endpoints need to be established to configure this SSO method. For more information, see Token-based Single Sign On to Live Data Sources.
Android SSO
The Android app supports SSO by using X509 user certificates for logging on to SAP Analytics Cloud. These certificates need to be pushed to the device using an MDM profile, or they can be installed manually on the device. For detailed information on how to configure this method, see Certificate-Based Authentication for Mobile.
To achieve the best user experience, always use responsive pages rather than canvas or grid.
To learn more, see: https://help.sap.com/viewer/00f68c2e08b941f081002fd3691d86a7/release/en-US/9946e4a060f9431f956ae82e34f4c112.html
We need to perform the following steps to set up a tunnel connection from SAP Analytics Cloud to SAP HANA:
- Add your SAP Analytics Cloud Subaccount in SAP Cloud Connector
- Add SAP HANA System in ‘System Mapping’, & allow access to your system paths
- Enable SAML and add the SAML mapping to SAP HANA user
- Setup trust relation between SAP Analytics Cloud & HANA
- Finish creating the live SAP HANA Tunnel Connection
Add your SAP Analytics Cloud Subaccount in SAP Cloud Connector
Here are detailed steps:
https://apps.support.sap.com/sap/support/knowledge/en/2397165
Add SAP HANA System in ‘System Mapping’, & allow access to your system paths
Here are detailed steps:
https://apps.support.sap.com/sap/support/knowledge/E/2358097
Enable SAML and add the SAML mapping to SAP HANA user
Here are detailed steps:
https://help.sap.com/viewer/00f68c2e08b941f081002fd3691d86a7/release/en-US/a30b5127419a4fd0aeef7be91fdf9836.html
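The user mapping from this step, followed by a review of the result, written as SQL for the HANA SQL console. This is an added example, not taken from the original blog or from SAP's documentation; `SAC_IDP`, `REPORT_USER` and the e-mail address are assumed names, and the SAML provider is assumed to exist already in HANA.

```sql
-- Added example. Assumed names: SAC_IDP (SAML provider already registered
-- in HANA), REPORT_USER (existing HANA user), jane.doe@example.com
-- (the identity the SAML assertion carries for that person).

-- 1. Allow SAML logon for the user and bind one external identity to it.
ALTER USER REPORT_USER ENABLE SAML;
ALTER USER REPORT_USER ADD IDENTITY 'jane.doe@example.com' FOR SAML PROVIDER SAC_IDP;

-- 2. Confirm which provider (subject and issuer) assertions are matched against.
SELECT SAML_PROVIDER_NAME, SUBJECT_NAME, ISSUER_NAME
FROM SYS.SAML_PROVIDERS;

-- 3. Review every mapping: each external identity should belong to the
--    HANA user whose privileges that person is meant to have.
SELECT USER_NAME, SAML_PROVIDER_NAME, EXTERNAL_IDENTITY
FROM SYS.SAML_USER_MAPPINGS
ORDER BY SAML_PROVIDER_NAME, USER_NAME;

-- 4. Users with SAML enabled but no mapping: SSO logon fails for them.
SELECT U.USER_NAME
FROM SYS.USERS U
LEFT JOIN SYS.SAML_USER_MAPPINGS M ON M.USER_NAME = U.USER_NAME
WHERE U.IS_SAML_ENABLED = 'TRUE'
  AND M.USER_NAME IS NULL;

-- 5. SSO users that still accept password logon: check that this is intended.
SELECT USER_NAME
FROM SYS.USERS
WHERE IS_SAML_ENABLED = 'TRUE'
  AND IS_PASSWORD_ENABLED = 'TRUE';
```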
Setup trust relation between SAP Analytics Cloud & HANA
Here are detailed steps:
https://help.sap.com/viewer/00f68c2e08b941f081002fd3691d86a7/release/en-US/ae88672a05b84ca18487cfcf411faea3.html
Finish creating the live SAP HANA Tunnel Connection
Here are detailed steps:
https://help.sap.com/viewer/00f68c2e08b941f081002fd3691d86a7/release/en-US/4fc3644439d5458184e224ca4cf4153e.html?q=Tunnel%20connection
Conclusion
In this blog we learned how Application-to-Application SSO works and how to set up a tunnel connection between SAP Analytics Cloud and SAP HANA.
Hi Prarit,
thanks for the great blog with this walk through.
With increasing demand, I think it is worth mentioning that for mobile devices, using the SAC Analytics Mobile app, the tunnel connection is not supported at the moment.
Kind regards
Eric
Hi Eric,
Tunnel connection on iOS SAC Mobile app is in roadmap for QRC2 release.
For Android, it's supported from QRC1 release already: https://saphanajourney.com/sap-analytics-cloud/product-updates/q1-2021/
Thanks,
Shailu.
Hi Shailu
When you mention Tunnel connection on iOS SAC Mobile app, are you referring to both HANA on BW? What about LUC?
Just asking because according to SAP Help:
"Tunnel Connection is supported for the Android mobile app but not available for the iOS app. "
Cheers
Hello Sehgal,
We are trying to establish the same kind of setup, but we are getting the SSL error below.
We are able to access the direct HANA XS engine URL with SSL errors in the browsers.
One more question: while creating the HANA live connection with SAML2 SSO, do we need to give the provider name the same as the SAML2 Identity Provider from HANA XS admin?
Appreciate your help on this.
ERROR:
We couldn't connect to your HANA system. Possible causes: The SSL certificate is not trusted, or a network error occurred. For more information, see our troubleshooting page.
Correlation ID: 26496182-2933-4456-8929-138054006773