
SAP Analytics Cloud Tunnel Connection to SAP HANA using SAML 2.0 SSO

Introduction

In this blog I explain how to establish Application-to-Application SSO authentication and how to add a ‘Tunnel connection’ to SAP HANA using the SAML SSO option in SAP Analytics Cloud.

For a tunnel connection with user name and password, see this blog: https://blogs.sap.com/2020/11/25/what-is-sap-analytics-cloud-tunnel-connection-configure-sac-hana-to-use-tunnel-connection-with-password-authentication

Application-to-Application SSO

Application-to-Application SSO is an authentication mechanism available for an HTTP destination that propagates the application user from SAP Analytics Cloud to SAP HANA. Its trust relationship is set up in SAP HANA Extended Application Services (XS) in the same way as for any other SAML-based IdP.

Role of Cloud Connector

For inbound connections into the on-premise network, the Cloud Connector acts as a reverse invoke proxy between SAP BTP and the internal systems. Once installed, none of the internal systems are accessible by default through the Cloud Connector: you must explicitly configure in the Cloud Connector each system, and each service and resource on every system, that is to be exposed to SAP Analytics Cloud. You can also specify a virtual host name and port for a configured on-premise system, which is then used in the cloud. This avoids exposing information about physical hosts to the cloud.
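The default-deny exposure model described above can be sketched as a small model, together with a check for the two misconfigurations it warns about. This is an added example, not SAP code or the Cloud Connector's real configuration format; the `Resource` and `SystemMapping` structures, host names and paths are assumptions made for illustration.

```python
from dataclasses import dataclass
from posixpath import normpath

@dataclass
class Resource:
    path: str        # URL path exposed to the cloud
    subpaths: bool   # True = path and all sub-paths, False = path only

@dataclass
class SystemMapping:
    virtual: tuple   # (host, port) as seen from the cloud
    internal: tuple  # (host, port) inside the corporate network
    resources: list

def resolve(mappings, host, port, path):
    """Return the internal (host, port) if the request is exposed, else None."""
    clean = normpath("/" + path.lstrip("/"))   # collapse "..", "." and "//"
    for m in mappings:
        if m.virtual != (host, port):
            continue
        for r in m.resources:
            base = r.path.rstrip("/")
            # Match on a segment boundary: "/sap/bc/ina" must not cover "/sap/bc/inax"
            if clean == (base or "/") or (r.subpaths and clean.startswith(base + "/")):
                return m.internal
    return None                                # nothing configured: default deny

def audit(mappings):
    """Flag mappings that weaken the isolation the Cloud Connector provides."""
    findings = []
    for m in mappings:
        if m.virtual[0].lower() == m.internal[0].lower():
            findings.append((m.virtual[0], "virtual host reveals internal host name"))
        for r in m.resources:
            if r.subpaths and r.path.rstrip("/") == "":
                findings.append((m.virtual[0], "entire system exposed via '/'"))
    return findings

# Constructed sample configuration (hypothetical hosts; the InA path is an assumed value)
MAPPINGS = [
    SystemMapping(("hana-virtual", 443), ("hanaprd01.corp.example", 4300),
                  [Resource("/sap/bc/ina/", True)]),
    SystemMapping(("hanadev01.corp.example", 443), ("hanadev01.corp.example", 4300),
                  [Resource("/", True)]),
]
```

Running `audit(MAPPINGS)` flags only the second mapping, which reuses the physical host name and exposes every path on the system.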

The TLS (Transport Layer Security) tunnel is established from the Cloud Connector to SAP Analytics Cloud via a so-called reverse invoke approach. This lets an administrator have full control of the tunnel, since it can’t be established from the cloud or from somewhere else outside the company network. The Cloud Connector administrator is the one who decides when the tunnel is established or closed.

SAP Business Technology Platform (BTP) guarantees strict isolation on subaccount level provided by its infrastructure and platform layer. An application of one subaccount is not able to access and use resources of another subaccount.

Reference: https://help.sap.com/viewer/b865ed651e414196b39f8922db2122c7/Cloud/en-US/90932cf45c924956a5106472286f74a2.html

SAP HANA Data Source

SAP HANA supports encrypted communication for all client-server (external) communication. SAP recommends encrypted communication whenever possible. In order for HANA to share data, its InA endpoints must be available to the internet outside the corporate firewall. We will use SAP Cloud Connector to establish a secure tunnel between SAP Analytics Cloud and the on-premise HANA server.

As one of the prerequisites, the SAP HANA instance must be properly set up for SAML-based authentication. Most of the configuration steps are covered in my previous blog; here I will cover the additional steps required to configure SAML SSO.

Access through Mobile Devices/App and SSO experience…

To achieve an SSO experience on mobile devices, we have the following options:

iOS SSO

There are currently three ways for the mobile app to support SSO on iOS:

  • The mobile app supports SSO using an MDM push-based certificate for logging on to SAP Analytics Cloud. For SSO to live data sources in your stories, individual users can manually import certificates to a device. For detailed information on how to configure this method, see Certificate-Based Authentication for Mobile.
  • You can also set up SSO using the SAP Cloud Connector to propagate credentials through the system once trust is established between your SAP Analytics Cloud system and your live data source. For more information on this SSO method, see SAP Cloud Connector-based Mobile Single Sign-On.
  • Using a customized token for SSO to connected live data sources. Specific endpoints need to be established to configure this SSO method. For more information, see Token-based Single Sign On to Live Data Sources.

Android SSO

The Android app supports SSO by using X509 user certificates for logging on to SAP Analytics Cloud. These certificates need to be pushed to the device using an MDM profile, or they can be installed manually on the device. For detailed information on how to configure this method, see Certificate-Based Authentication for Mobile.

To achieve the best user experience always use responsive pages rather than canvas or grid.

To learn more, see: https://help.sap.com/viewer/00f68c2e08b941f081002fd3691d86a7/release/en-US/9946e4a060f9431f956ae82e34f4c112.html

We need to perform the following steps to set up a tunnel connection from SAP Analytics Cloud to SAP HANA using SAML SSO:

  • Add your SAP Analytics Cloud Subaccount in SAP Cloud Connector
  • Add SAP HANA System in ‘System Mapping’, & allow access to your system paths
  • Enable SAML and add the SAML mapping to SAP HANA user
  • Set up trust relation between SAP Analytics Cloud & HANA
  • Finish creating the live SAP HANA Tunnel Connection

Add your SAP Analytics Cloud Subaccount in SAP Cloud Connector

Here are detailed steps:
https://apps.support.sap.com/sap/support/knowledge/en/2397165

Add SAP HANA System in ‘System Mapping’, & allow access to your system paths

Here are detailed steps:
https://apps.support.sap.com/sap/support/knowledge/E/2358097

https://help.sap.com/viewer/00f68c2e08b941f081002fd3691d86a7/release/en-US/ae88672a05b84ca18487cfcf411faea3.html

Enable SAML and add the SAML mapping to SAP HANA user

Here are detailed steps:
https://help.sap.com/viewer/00f68c2e08b941f081002fd3691d86a7/release/en-US/a30b5127419a4fd0aeef7be91fdf9836.html

Set up trust relation between SAP Analytics Cloud & HANA

Here are detailed steps:
https://help.sap.com/viewer/00f68c2e08b941f081002fd3691d86a7/release/en-US/ae88672a05b84ca18487cfcf411faea3.html

Finish creating the live SAP HANA Tunnel Connection

Here are detailed steps:
https://help.sap.com/viewer/00f68c2e08b941f081002fd3691d86a7/release/en-US/4fc3644439d5458184e224ca4cf4153e.html?q=Tunnel%20connection

Conclusion

In this blog we learned how Application-to-Application SSO works and how to set up a tunnel connection between SAP Analytics Cloud and SAP HANA using SAML SSO.

3 Comments
  • Hi Prarit,

    thanks for the great blog with this walk through.

    With increasing demand, I think it is worth mentioning, that for mobile devices, using the SAC Analytics Mobile app, the tunnel connection is not supported at the moment.

    Kind regards

    Eric

  • Hi Eric,

    Tunnel connection on iOS SAC Mobile app is in roadmap for QRC2 release.

    For Android, it's supported from QRC1 release already: https://saphanajourney.com/sap-analytics-cloud/product-updates/q1-2021/

     

    Thanks,

    Shailu.

    • Hi Shailu

       

      When you mention Tunnel connection on iOS SAC Mobile app are you referring to both HANA on BW? What about LUC?

      Just asking because according to SAP Help:

      "Tunnel Connection is supported for the Android mobile app but not available for the iOS app. "

      Cheers