In this blog I will try to explain how to establish Application-to-Application SSO authentication, and add a ‘Tunnel connection’ to ‘SAP HANA using SAML SSO’ option in SAP Analytics Cloud.
For a tunnel connection with user name and password, refer to this blog: https://blogs.sap.com/2020/11/25/what-is-sap-analytics-cloud-tunnel-connection-configure-sac-hana-to-use-tunnel-connection-with-password-authentication
Application-to-Application SSO is an authentication mechanism available for an HTTP destination to propagate the application user from SAP Analytics Cloud to SAP HANA. Application-to-Application SSO has a trust relationship set up in SAP HANA Extended Application Services (XS), like any other SAML-based IdP.
Role of Cloud Connector
For inbound connections into the on-premise network, the Cloud Connector acts as a reverse invoke proxy between SAP BTP and the internal systems. Once installed, none of the internal systems are accessible by default through the Cloud Connector: you must explicitly configure each system, and each service and resource on every system, that is to be exposed to SAP Analytics Cloud in the Cloud Connector. You can also specify a virtual host name and port for a configured on-premise system, which is then used in the cloud. This way, you avoid exposing information about physical hosts to the cloud.
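The default-deny behaviour described above can be pictured with a small model. This is an added example, not Cloud Connector code and not part of the original blog; the virtual and internal host names, the ports and the paths (including /sap/bc/ina for the InA endpoints) are assumptions chosen for illustration.

```python
from dataclasses import dataclass
from posixpath import normpath
from urllib.parse import unquote

@dataclass
class Resource:
    path: str          # URL path exposed on the internal system
    sub_paths: bool    # True: path and all sub-paths; False: this exact path only

class AccessControl:
    """Default-deny model: a request is forwarded only if it was explicitly exposed."""

    def __init__(self):
        self.mappings = {}  # (virtual host, port) -> ((internal host, port), [Resource])

    def expose(self, virtual, internal, resources):
        self.mappings[virtual] = (internal, list(resources))

    def route(self, host, port, raw_path):
        """Return (internal host, internal port, path), or None when denied."""
        entry = self.mappings.get((host, port))
        if entry is None:
            return None  # unmapped name, including the physical host name itself
        internal, resources = entry
        # Decode and collapse "." / ".." before matching, so an encoded
        # traversal cannot escape an exposed prefix.
        path = normpath("/" + unquote(raw_path).lstrip("/"))
        for res in resources:
            base = res.path.rstrip("/")
            if path == base or (res.sub_paths and path.startswith(base + "/")):
                return internal + (path,)
        return None

def build_sample():
    # Constructed sample: hosts, ports and paths are assumptions for illustration.
    acl = AccessControl()
    acl.expose(("hana-virtual", 443), ("hana01.corp.example", 4300),
               [Resource("/sap/bc/ina", True), Resource("/ping", False)])
    return acl

if __name__ == "__main__":
    acl = build_sample()
    for p in ["/sap/bc/ina/service/v2/GetServerInfo", "/sap/hana/xs/admin",
              "/sap/bc/ina/%2e%2e/%2e%2e/hana/xs/admin", "/ping/extra"]:
        print(p, "->", acl.route("hana-virtual", 443, p))
```

Only the first path is forwarded; the other three are denied because they are not exposed, leave the exposed prefix once normalized, or fall below a path that was exposed without sub-paths.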
The TLS (Transport Layer Security) tunnel is established from the Cloud Connector to SAP Analytics Cloud via a so-called reverse invoke approach. This lets an administrator have full control of the tunnel, since it can’t be established from the cloud or from somewhere else outside the company network. The Cloud Connector administrator is the one who decides when the tunnel is established or closed.
SAP Business Technology Platform (BTP) guarantees strict isolation on subaccount level provided by its infrastructure and platform layer. An application of one subaccount is not able to access and use resources of another subaccount.
SAP HANA Data Source
SAP HANA supports encrypted communication for all client-server (external) communication. SAP recommends encrypted communication whenever possible. For HANA to share data, its InA endpoints must be reachable from the internet, outside the corporate firewall. We will use SAP Cloud Connector to establish a secure tunnel between SAP Analytics Cloud and the on-premise HANA server.
The SAP HANA instance must be properly set up for SAML-based authentication as one of the prerequisites. Most of the configuration steps are covered in my previous blog; here I will cover the additional steps required to configure SAML SSO.
There are currently three ways for the mobile app to support SSO on iOS:
- The mobile app supports SSO using an MDM push-based certificate for logging on to SAP Analytics Cloud. For SSO to live data sources in your stories, individual users can manually import certificates to a device. For detailed information on how to configure this method, see Certificate-Based Authentication for Mobile.
- You can also set up SSO using the SAP Cloud Connector to propagate credentials through the system once trust is established between your SAP Analytics Cloud system and your live data source. For more information on this SSO method, see SAP Cloud Connector-based Mobile Single Sign-On.
- Using a customized token for SSO to connected live data sources. Specific endpoints need to be established to configure this SSO method. For more information, see Token-based Single Sign On to Live Data Sources.
The Android app supports SSO by using X509 user certificates for logging on to SAP Analytics Cloud. These certificates need to be pushed to the device using an MDM profile, or they can be installed manually on the device. For detailed information on how to configure this method, see Certificate-Based Authentication for Mobile.
To achieve the best user experience, always use responsive pages rather than canvas or grid.
To learn more, see: https://help.sap.com/viewer/00f68c2e08b941f081002fd3691d86a7/release/en-US/9946e4a060f9431f956ae82e34f4c112.html
We need to perform the following steps to set up a tunnel connection from SAP Analytics Cloud to SAP HANA using SAML SSO:
- Add your SAP Analytics Cloud Subaccount in SAP Cloud Connector
- Add SAP HANA System in ‘System Mapping’, & allow access to your system paths
- Enable SAML and add the SAML mapping to SAP HANA user
- Set up trust relation between SAP Analytics Cloud & HANA
- Finish creating the live SAP HANA Tunnel Connection
Add your SAP Analytics Cloud Subaccount in SAP Cloud Connector
Here are detailed steps:
Add SAP HANA System in ‘System Mapping’, & allow access to your system paths
Here are detailed steps:
Enable SAML and add the SAML mapping to SAP HANA user
Set up trust relation between SAP Analytics Cloud & HANA
Finish creating the live SAP HANA Tunnel Connection
In this blog we learned how Application-to-Application SSO works and how to set up a tunnel connection between SAP Analytics Cloud and SAP HANA using SAML SSO.