User Experience Insights
SAP Analytics Cloud and On-Premise SAP HANA SSO Setup With External Identity Provider
This article describes about the end-to-end SSO setup from SAP Analytics Cloud to SAP HANA On-Premises with external non-sap identity provider.
In SAP Analytics Cloud(SAC), Based on your business requirement you may create models from data sources available in on-premise or cloud SAP HANA databases, and you may create story based on those models to perform real time analysis without data replication and duplication. This feature allows SAP Analytics Cloud to be used in scenarios where data cannot be moved into the cloud for security or privacy reasons, or your data already exists on a different cloud system.
The connection established between SAC and SAP HANA uses Live Data Connection with CORS setup. However, every time when end user executes the report for real time analysis, live data connection needs to be manually authenticated with target SAP HANA user credentials.
This article talks about the SSO setup between SAC and SAP HANA database with which the live data connection will not ask for the credentials again while executing the story or reports in SAC rather it will use the same credentials that was used to authenticate the SAC application.
High Level Overview of the complete setup
Limitation of this setup is that the external identity provider should be same for SAP Analytics cloud and SAP HANA. This setup doesn’t work if the IDP is different for both the participants.
The complete end to end configuration can be segregated in below 3 different sections to reduce the complexity of the configuration
| Step | Details |
| 1.Setup SAP HANA XS with HTTPS | https://blogs.sap.com/2022/05/04/setup-sap-hana-xs-with-https/ |
| 2.Setup SAML in SAP HANA with external Identity Provider | https://blogs.sap.com/2022/05/06/setup-saml-in-sap-hana-with-external-identity-provider/ |
| 3.Setup SSO in SAC with external Identity Provider | https://blogs.sap.com/2022/05/10/sso-setup-for-sap-analytics-cloud-using-external-an-identity-provider/ |
Provide details about your SAP HANA and select SAML single sign on
Once you click ok, new browser window will appear for the first time that will authenticate SAP HANA SAML connection and will disappear automatically.
Once this is done, you may try and validate the end to end setup by running some story based on this live connection which should be able to fetch the data without asking for the credentials.
Please note that the live Direct connection with CORS setup is not maintained in this article, if you need details about this setup you may follow below link for the details
Thanks for reading this article and please do share your valuable feedback in a comment section or ask questions if you have any!!!
Thank you Ankit for the detailed blogs,
I am in the process of setup SSO between SAP SAC to HANA DB live data connection via AZ IDP.
Mapped metadata between AZ to Hana (vice-versa) and AZ to SAC (AZ to SAC working fine).
While using the authentication method as SAML SSO it redirects to MS authentication then HANA URL with "StatusCode in ResponseMessage != OK; please refer to the database trace for more information" after some time giving the below error.
[10548]{-1}[-1/-1] 2023-02-07 10:55:24.173172 i Savepoint SavepointImpl.cpp(03056) : Savepoint current savepoint version: 620958, restart redo log position: 0x481fd783, next savepoint version: 620959, last snapshot SP version: 0
Hi Anikesh,
did you checked 2380176 (FAQ: SAP HANA Database Trace) by searching for " Assertion authentication for user <email> failed with reason: Internal processing error"?
Br.,
Dirk
Thank you Dirk,
It was solved some time back.