Live Data Connection to SAP HANA Cloud Using an "SAP HANA Cloud" Connection and SSO
To access SAP HANA Cloud data without having to set up the SAP HANA
Analytics Adapter, you can create a live data connection using the “SAP HANA Cloud”
connection type, and single sign-on.
Prerequisites
Note
This connection type works only in Cloud Foundry environments (non-SAP data centers). For Neo
environments (SAP data centers), see Live Data Connection to SAP HANA Cloud Using a Direct Connection and SSO.
SAP Analytics Cloud can be
hosted either on SAP data centers or on non-SAP data centers (for example,
Amazon Web Services (AWS)). Determine which environmentSAP Analytics Cloud is
hosted on by inspecting yourSAP Analytics Cloud URL:
- A single-digit number, for example us1 or jp1, indicates an SAP data center
(Neo environment).
- A two-digit number, for example eu10 or us30, indicates a non-SAP data
center (Cloud Foundry environment).
Note
To grant access to
SAP HANA Cloud data, you'll need the
access_role and
external_privileges_role for
the HDI container. For more information, see
Assign Roles to a Database User in the SAP
HANA Cockpit documentation.
- To perform these steps, you must use the default DBADMIN user for SAP HANA
Cloud (for details, see this page), or an equivalent SAP HANA
Cloud user.
- You have set up the SAP HANA Info Access Service (InA). See this help page for details.
- Users need to have read access to SAP HANA Cloud database
artifacts that will be used by the InA queries generated, to create and view
models and stories in SAP Analytics Cloud.
- SAML Single Sign-On (SSO) must be enabled in SAP Analytics Cloud. For
more information, see Enabling a Custom SAML Identity Provider.
- The following steps must be carried out by a user who has administrator-level privileges in
SAP HANA Cloud and SAP Analytics Cloud, and
logs on to SAP Analytics Cloud via the
SAML Identity Provider. For the steps in the SAP Analytics Cloud system,
the BI Admin role is required. For the steps in the SAP
HANA Cloud system, the Administrator role is
required.
- To display custom analytical queries you must apply SAP Note 2710858.
Procedure
-
Start creating the connection.
-
Go to .
-
In the Select a data source dialog, expand
Connect to Live Data, and select
SAP HANA.
-
In the dialog, enter a name and description for your connection.
The connection name cannot be changed later.
-
Set the connection type to SAP HANA Cloud.
-
Add your SAP HANA Cloud host name.
-
(Optional) Choose a Default Language from the
list.
This language will always be used for this connection and can't be
changed by users without administrator privileges.
Note
You'll need to know which languages are installed on your
SAP HANA system before adding a language code. If
the language code you enter isn't valid,
SAP Analytics Cloud will default to the language specified by your system
metadata.
-
Under Authentication Method, select
SAML Single Sign On.
-
Copy the SAML Identity Provider (IdP) from the Provider
Name field in the connection dialog, and also download
the certificate from this dialog.
You'll need these two items to perform the trust configuration to set
up SAML SSO.
Continue with Step 2 now, before you select OK
to finish creating this connection.
-
Set up the trust relationship between SAP HANA Cloud and SAP Analytics Cloud.
-
Open the SAP HANA Cockpit.
-
Upload the certificate that you previously downloaded.
- Go to Certificate Store, and click the
Import button.
- Select Import from file to upload the
certificate, or copy and paste the content of the downloaded
certificate file.
- Select OK.
-
Create a SAML identity provider.
- Go to SAML Identity Providers, and click
the Add Identity Provider button.
- Provide an Identity Provider Name.
- Enter the SAML provider name that you copied from the connection
dialog into the Entity ID field, and
select the newly added certificate.
- Select Add.
-
Create a certificate collection.
- Go to the Certificate Collections, and
click the Add Collection button.
- Type a collection name, and click
OK.
- Click Add Certificate.
- Select the new certificate, and click
OK.
- Select the Edit Purpose button.
- In the Purpose field, choose
SAML.
- In the Providers field, select the newly
created SAML provider.
- Click Save.
-
Go back to SAP Analytics Cloud,
and finish creating the connection by selecting
OK in the connection dialog.
-
Map an SAP Analytics Cloud user to
an SAP HANA Cloud user.
You need to create the user, or you can modify an existing user, and provide
the proper role.
-
Go to User Management.
-
Click .
-
Set Disable ODBC/JDBC Access to
No.
-
On the Authentication tab, select
SAML.
-
Click Add SAML Identity, and select your
identity provider.
-
Set Automatic Mapping by Provider to
OFF.
-
In your SAP Analytics Cloud
tenant, go to , and select the Security
tab.
-
In the Authentication Method section, if the default option
SAP Cloud Identity is selected, then the
email ID of the user who logs in to the SAP Analytics Cloud
tenant needs to be mapped with the SAP HANA Cloud
database user (as shown in a later step).
Copy the EMAIL field from the tab in SAP Analytics Cloud.
-
Or, if SAML Single Sign-On is selected, then you'll need to look
at the SAML Single Sign-On (SSO) Configuration
section, Step 3: Choose a user attribute to map to your
identity provider, and note which option is selected in
the User Attribute field.
- If the User Attribute is set to Email,
then the email ID of the user who logs in to the SAP Analytics Cloud tenant needs to be mapped (as shown in a later step). Copy
the EMAIL field from the tab in SAP Analytics Cloud.
- If the User Attribute is set to USER ID,
then instead, copy the USER ID field from
the tab in SAP Analytics Cloud.
- If the User Attribute is set to Custom SAML User
Mapping, there will be a new column
SAML USER MAPPING in the tab in SAP Analytics Cloud, that needs to be mapped with the SAP HANA
Cloud database user.
-
Take the value from the appropriate column for the SAP Analytics Cloud
user, and enter that in the External Identity
field on the Authentication tab in
User Management.
-
Click Save.
-
To add the required roles and privileges, click Assign
Roles or Assign Privileges.
For another user from the same SAP Analytics Cloud
tenant to be able to access the same SAP HANA Cloud system,
you'd need to create another user in SAP HANA and map the appropriate ID, or
use the same SAP HANA user and map the appropriate ID.
You can also add another identity provider in an existing SAP HANA user,
because you can attach multiple SAML identities with one SAP HANA user. In
that way, you can access the SAP HANA Cloud instance from
multiple SAP Analytics Cloud
tenants using a single SAP HANA database user, if desired.