Live Data Connection to SAP HANA Cloud Using an "SAP HANA Cloud" Connection and SSO

To access SAP HANA Cloud data without having to set up the SAP HANA Analytics Adapter, you can create a live data connection using the “SAP HANA Cloud” connection type, and single sign-on.

Prerequisites

Note

This connection type works only in Cloud Foundry environments (non-SAP data centers). For Neo environments (SAP data centers), see Live Data Connection to SAP HANA Cloud Using a Direct Connection and SSO.

SAP Analytics Cloud can be hosted either on SAP data centers or on non-SAP data centers (for example, Amazon Web Services (AWS)). Determine which environmentSAP Analytics Cloud is hosted on by inspecting yourSAP Analytics Cloud URL:

  • A single-digit number, for example us1 or jp1, indicates an SAP data center (Neo environment).
  • A two-digit number, for example eu10 or us30, indicates a non-SAP data center (Cloud Foundry environment).
Note
To grant access to SAP HANA Cloud data, you'll need the access_role and external_privileges_role for the HDI container. For more information, see Assign Roles to a Database User in the SAP HANA Cockpit documentation.
  • To perform these steps, you must use the default DBADMIN user for SAP HANA Cloud (for details, see this page), or an equivalent SAP HANA Cloud user.
  • You have set up the SAP HANA Info Access Service (InA). See this help page for details.
  • Users need to have read access to SAP HANA Cloud database artifacts that will be used by the InA queries generated, to create and view models and stories in SAP Analytics Cloud.
  • SAML Single Sign-On (SSO) must be enabled in SAP Analytics Cloud. For more information, see Enabling a Custom SAML Identity Provider.
  • The following steps must be carried out by a user who has administrator-level privileges in SAP HANA Cloud and SAP Analytics Cloud, and logs on to SAP Analytics Cloud via the SAML Identity Provider. For the steps in the SAP Analytics Cloud system, the BI Admin role is required. For the steps in the SAP HANA Cloud system, the Administrator role is required.
  • To display custom analytical queries you must apply SAP Note 2710858.

Procedure

  1. Start creating the connection.
    1. Go to Start of the navigation path (Main Menu) Next navigation step  Connection Next navigation step Connections Next navigation step  (Add Connection)End of the navigation path.
    2. In the Select a data source dialog, expand Connect to Live Data, and select SAP HANA.
    3. In the dialog, enter a name and description for your connection.
      The connection name cannot be changed later.
    4. Set the connection type to SAP HANA Cloud.
    5. Add your SAP HANA Cloud host name.
    6. (Optional) Choose a Default Language from the list.

      This language will always be used for this connection and can't be changed by users without administrator privileges.

      Note
      You'll need to know which languages are installed on your SAP HANA system before adding a language code. If the language code you enter isn't valid, SAP Analytics Cloud will default to the language specified by your system metadata.
    7. Under Authentication Method, select SAML Single Sign On.
    8. Copy the SAML Identity Provider (IdP) from the Provider Name field in the connection dialog, and also download the certificate from this dialog.

      You'll need these two items to perform the trust configuration to set up SAML SSO.

      Continue with Step 2 now, before you select OK to finish creating this connection.

  2. Set up the trust relationship between SAP HANA Cloud and SAP Analytics Cloud.
    1. Open the SAP HANA Cockpit.

      For details, see this help topic.

    2. Upload the certificate that you previously downloaded.
      1. Go to Certificate Store, and click the Import button.
      2. Select Import from file to upload the certificate, or copy and paste the content of the downloaded certificate file.
      3. Select OK.
    3. Create a SAML identity provider.
      1. Go to SAML Identity Providers, and click the Add Identity Provider button.
      2. Provide an Identity Provider Name.
      3. Enter the SAML provider name that you copied from the connection dialog into the Entity ID field, and select the newly added certificate.
      4. Select Add.
    4. Create a certificate collection.
      1. Go to the Certificate Collections, and click the Add Collection button.
      2. Type a collection name, and click OK.
      3. Click Add Certificate.
      4. Select the new certificate, and click OK.
      5. Select the Edit Purpose button.
      6. In the Purpose field, choose SAML.
      7. In the Providers field, select the newly created SAML provider.
      8. Click Save.
    5. Go back to SAP Analytics Cloud, and finish creating the connection by selecting OK in the connection dialog.
  3. Map an SAP Analytics Cloud user to an SAP HANA Cloud user.
    You need to create the user, or you can modify an existing user, and provide the proper role.
    1. Go to User Management.
    2. Click Start of the navigation path Next navigation step Create UserEnd of the navigation path.
    3. Set Disable ODBC/JDBC Access to No.
    4. On the Authentication tab, select SAML.
    5. Click Add SAML Identity, and select your identity provider.
    6. Set Automatic Mapping by Provider to OFF.
    7. In your SAP Analytics Cloud tenant, go to Start of the navigation pathSystem Next navigation step AdministrationEnd of the navigation path, and select the Security tab.
    8. In the Authentication Method section, if the default option SAP Cloud Identity is selected, then the email ID of the user who logs in to the SAP Analytics Cloud tenant needs to be mapped with the SAP HANA Cloud database user (as shown in a later step).
      Copy the EMAIL field from the Start of the navigation pathSecurity Next navigation step UsersEnd of the navigation path tab in SAP Analytics Cloud.
    9. Or, if SAML Single Sign-On is selected, then you'll need to look at the SAML Single Sign-On (SSO) Configuration section, Step 3: Choose a user attribute to map to your identity provider, and note which option is selected in the User Attribute field.
      • If the User Attribute is set to Email, then the email ID of the user who logs in to the SAP Analytics Cloud tenant needs to be mapped (as shown in a later step). Copy the EMAIL field from the Start of the navigation pathSecurity Next navigation step UsersEnd of the navigation path tab in SAP Analytics Cloud.
      • If the User Attribute is set to USER ID, then instead, copy the USER ID field from the Start of the navigation pathSecurity Next navigation step UsersEnd of the navigation path tab in SAP Analytics Cloud.
      • If the User Attribute is set to Custom SAML User Mapping, there will be a new column SAML USER MAPPING in the Start of the navigation pathSecurity Next navigation step UsersEnd of the navigation path tab in SAP Analytics Cloud, that needs to be mapped with the SAP HANA Cloud database user.
    10. Take the value from the appropriate column for the SAP Analytics Cloud user, and enter that in the External Identity field on the Authentication tab in User Management.
    11. Click Save.
    12. To add the required roles and privileges, click Assign Roles or Assign Privileges.

    For another user from the same SAP Analytics Cloud tenant to be able to access the same SAP HANA Cloud system, you'd need to create another user in SAP HANA and map the appropriate ID, or use the same SAP HANA user and map the appropriate ID.

    You can also add another identity provider in an existing SAP HANA user, because you can attach multiple SAML identities with one SAP HANA user. In that way, you can access the SAP HANA Cloud instance from multiple SAP Analytics Cloud tenants using a single SAP HANA database user, if desired.

Related Information