Consume SAP HANA Cloud HDI containers with HAA and eSAC/SAC
When I was working on the topic of user propagation between SAP BTP and third-party applications, I picked the HAA-CF as my guinea pig application for a reason.
The HAA-CF application simply has it all.
It has the app-router, a simple HTML5 front-end page and features a Java backend micro-service being called through a destination service.
This brief is to demonstrate how one could consume a single HDI container with SAC/eSAC over a direct HANA live connection implemented with HANA Analytics Adapter (HAA) InA service.
The InA service is a Java application and is provided by SAP “as is”.
Good to know:
Putting it all together
1. SAP BTP sub-account and CF space
The main build components of the deployed HAA-CF application are as follows:
The app-router is bound to a single destination service instance, and a single OAuth2SAMLBearerAssertion destination is used to authenticate and authorise user access to the Java backend service via a route with the IDP-initiated flow.
The XSUAA service is still there and is used as the OAuth2 service provider to grant access to the Java backend service (a resource).
For this reason, both the app-router and the Java backend service must be bound to the same XSUAA service instance. Please refer to this gist for further details.
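The token exchange behind an OAuth2SAMLBearerAssertion destination, as an added example (not code from the HAA-CF application or from SAP): it builds the RFC 7522 SAML bearer grant request that trades a SAML assertion for an access token at the token service, then forms the bearer header passed on to the Java backend. The destination values, the assertion and the function names are constructed for illustration, and mapping `tokenServiceUser`/`tokenServicePassword` to HTTP Basic client authentication is an assumption.

```javascript
// Added example. Destination values and the assertion below are constructed.
const SAML2_BEARER_GRANT = "urn:ietf:params:oauth:grant-type:saml2-bearer";

const SAMPLE_DESTINATION = {            // constructed, not a real tenant
  tokenServiceURL: "https://uaa.example.invalid/oauth/token",
  tokenServiceUser: "sb-constructed-client",
  tokenServicePassword: "constructed-secret",
};
const SAMPLE_ASSERTION =                // constructed and unsigned
  '<saml2:Assertion ID="_constructed"><saml2:Subject>user@example.invalid</saml2:Subject></saml2:Assertion>';

// RFC 7522 section 2.1: the assertion travels base64url-encoded, unpadded.
function base64url(text) {
  return Buffer.from(text, "utf8").toString("base64")
    .replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
}

// Build the token request that exchanges the SAML assertion for an access token.
function buildTokenRequest(dest, samlAssertionXml) {
  for (const key of ["tokenServiceURL", "tokenServiceUser", "tokenServicePassword"]) {
    if (!dest[key]) throw new Error(`destination property missing: ${key}`);
  }
  const url = new URL(dest.tokenServiceURL);
  // Client credentials and the assertion must never cross a cleartext channel.
  if (url.protocol !== "https:") throw new Error("tokenServiceURL must use https");
  const basic = Buffer.from(`${dest.tokenServiceUser}:${dest.tokenServicePassword}`).toString("base64");
  const form = new URLSearchParams({
    grant_type: SAML2_BEARER_GRANT,
    assertion: base64url(samlAssertionXml),
  });
  return {
    method: "POST",
    url: url.toString(),
    headers: {
      "Content-Type": "application/x-www-form-urlencoded",
      Authorization: `Basic ${basic}`,
    },
    body: form.toString(),
  };
}

// Turn the token response into the header forwarded to the backend route.
function backendAuthHeader(tokenResponse) {
  const type = String(tokenResponse.token_type || "").toLowerCase();
  if (type !== "bearer" || !tokenResponse.access_token) {
    throw new Error("token response is not a usable bearer token");
  }
  return { Authorization: `Bearer ${tokenResponse.access_token}` };
}
```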
Last but not least, the table below summarises the steps required to create and deploy the HAA-CF application with the IDP-initiated SAML SSO authentication:
|Create a Trusted IDP on the BTP sub-account level.||
|Quovadis. Building a destination definition.||
Before going any further, it is important to test that the application and the Java backend service are working correctly using the test quovadis destination.
2. SAP Analytics Cloud tenant.
SP-initiated SAML SSO
Both SAC (enterprise) and eSAC (embedded) active user populations are controlled with a single SAML Identity Provider, and user authentication follows the SP-initiated, interactive authentication flow (SAML Web SSO).
So indeed, one might be tempted to hook up the same IDP to the BTP sub-account of the app-router application and then activate the SAML SSO authentication option in the SAC’s direct HANA live connection definition.
However, this might also result in an additional authentication pop-up window that would appear furtively in the upper left-hand side of the screen.
IDP-initiated SAML SSO
The IDP-initiated SAML SSO flow is unmanned by definition. The user access will be brokered behind the scenes by the app-router through a call to an OAuth2SAMLBearerAssertion destination. As a result, the Java backend InA service will be passed a bearer access token along with the calls to its GetServerInfo or GetResponse InA endpoints.
Thus we need to select the None option as the Authentication Method in the live connection definition as depicted below:
Create a HANA live connection in SAC.
Things to know:
The live connection is operational on-the-spot.
It allows access to any cubes defined in the HDI container.
Last but not least, I hope you enjoyed reading this blog. Please provide your feedback in the comments section below.
Overall, I was able to demonstrate how to get access to a BTP micro-service from anywhere, including SAP Analytics Cloud direct HANA live connection, using an IDP-initiated flow with a BTP sub-account acting as a Service Provider. Literally by-the-book.
2589761 – Connecting to Live Data sources in SAP Analytics Cloud