Live Data Connection to SAP HANA Using a Direct Connection and SSO
You must configure your on-premise SAP HANA system in order to support
SSO for live data connections that use the direct connection type.
Prerequisites
Caution
As of Google Chrome version 80, Chrome restricts cookies to first-party
access by default, and requires you to explicitly mark cookies for access in
third-party, or cross-site, contexts.
To ensure that Chrome and other browsers allow cross-site access to your
SAP on-premise data source cookies from SAP Analytics Cloud, you
must configure your SAP on-premise data source to issue cookies with specific
attributes. Without these settings, user authentication to your live data
connections will fail, and Story visualizations based on these connections will
not render.
For details, see SameSite Cookie Configuration for Live Data Connections.
- You must use the same Identity Provider (IdP) for SAP Analytics Cloud and
SAP HANA. For more information on setting up your identity
provider in SAP Analytics Cloud, see
Enabling a Custom SAML Identity Provider.
- If end users will access the live data connection from outside of your corporate network, ensure that the SAP Information Access (InA) service
(/sap/bc/ina/service/v2) on your SAP HANA server is exposed to browser users directly.
- Ensure that the InA package (/sap/bc/ina/service/v2) or a higher-level
package is configured for SAML authentication using the same identity provider
URL as your SAP Analytics Cloud tenant.
For details, see the SAP HANA XS Classic Configuration Parameters.
- Ensure the sap.bc.ina.service.v2.userRole::INA_USER role is
assigned to all users who will use the live connection and ensure those users
are SAML configured. This role is required in addition to the usual roles and
authorizations that are granted to users for data access purposes.
- Ensure that your SAP HANA XS server is configured for HTTPS (SSL)
with a signed certificate, and that you know which port it is using for HTTPS
requests. For details, see Maintaining HTTP Access to SAP HANA
and SAP Knowledge Base Article 2502174.
Note
For SAP HANA version 1.00.112.04 and above, users require both the
INA_USER role and additional object rights. The SAP HANA administrator
must grant users SELECT privileges on all view items in the _SYS_BIC
schema that users should have access to. For more information, see
SAP Knowledge Base Article 2353833.
Procedure
-
Configure Cross-Origin Resource Sharing (CORS) support on your SAP
HANA system.
You must ensure that the HTTP responses from the InA service to users' web browsers include CORS headers.
-
Log on to your SAP HANA XS Admin page
(/sap/hana/xs/admin) as the System user or a
user assigned to the following roles:
sap.hana.xs.admin.roles::RuntimeConfAdministrator
and sap.hana.xs.admin.roles::SAMLViewer.
-
Go to the XS Artifact Administration panel and
navigate to sap.bc.ina.service.v2.
-
Select the sap.bc.ina.service.v2 package, switch
to the CORS panel, and use the following
instructions to edit your CORS configuration:
- Select Enable Cross Origin Resource
Sharing.
- Add your SAP Analytics Cloud host to Allowed Origins. For
example,
https://<Customer-Prefix>.<Data-Center>.sapbusinessobjects.cloud.
- If single sign-on (SSO) is used, add the IdP host to
Allowed Origins.
- Add the following to Allowed
Headers:
- accept
- authorization
- content-type
- x-csrf-token
- x-request-with
- x-sap-cid
- accept-language
- Add the following to Exposed Headers:
x-csrf-token.
- Select the following Allowed Methods:
GET, HEAD,
POST,
OPTIONS.
-
Save your changes.
-
Enable logout using your SSO credentials.
- Repeat steps 1c and 1d for the sap.hana.xs.formLogin package.
-
Deploy the custom web content to your SAP HANA server.
To enable SSO when using a direct connection, you must deploy some custom web content to
your SAP HANA server. This web content is what will appear
briefly to users once per session when they first create a live data connection
to your SAP HANA system, or when they refresh charts or tables
against that live data connection.
-
Log on to your SAP HANA server's Web IDE at
https://<xs-host:port>/sap/hana/ide/editor/
with the system user credentials.
Replace <xs-host:port> with your SAP HANA XS server host
and port.
-
Navigate to sap.bc.ina.service.v2.
-
Right-click the v2 package, and select .
-
In Package Name enter
cors and click
Create.
-
Right-click the cors package and select .
-
Enter auth.html and click
Create.
-
Open auth.html, and add the following code:
<html>
<script type="text/javascript">
open(location, '_self').close();
</script>
</html>
-
Save auth.html.
-
Create another file under the cors package, and
name it .xsaccess.
-
Open .xsaccess, and add the following code:
{"cache_control" : "no-cache, no-store"}
-
Save .xsaccess.
-
Right-click the cors package, and click Activate
All.
-
In a new browser tab, go to the following URL:
https://<xs-host:port>/sap/bc/ina/service/v2/cors/auth.html.
If the html page is configured correctly, the page will load and close
automatically.
Note
You will need to repeat the configuration in step 2 after every
SAP HANA or SAP EPM library upgrade.
-
Increase the session timeout configuration parameters in SAP HANA
XS server.
To do this, you will need to increase the sessiontimeout parameter in the
httpserver section of the
xsengine.ini file. For example, if you change the
parameter to 43200, the session will be active for 12 hours.
For more information, see the SAP HANA XS Classic Configuration
Parameters.
-
Verify end-users' web browser configuration and access.
Your end users' web browsers must be configured to:
- Allow pop-up windows from the SAP Analytics Cloud domain: [*.]sapanalytics.cloud.
- Allow 3rd party cookies from the SAP HANA server's domain. For example, in Internet Explorer 11, go to , add your domain name, then select Enable Protected Mode.
-
Add a remote system to SAP Analytics Cloud:
-
Go to
The Select a data source dialog will appear.
-
Expand Connect to Live Data and select
SAP HANA.
-
In the dialog, enter a name and description for your connection.
The connection name cannot be changed later.
-
Set the connection type to Direct.
-
Add your SAP HANA host name, and HTTPS port.
-
(Optional) Choose a Default Language from the list.
This language will always be used for this connection and cannot be changed by users
without administrator privileges.
Note
You must know which languages are installed on your SAP HANA system
before adding a language code. If the language code you enter is
invalid, SAP Analytics Cloud will default to the language specified by
your system metadata.
-
Under Authentication Method select
SAML Single Sign On.
-
Select OK.
Note
After creating a connection to a remote system and before creating
a model from a remote system, you must log off and log on to
SAP Analytics Cloud again.
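Added example (not part of the SAP procedure): one way to audit captured response headers from the InA service against the CORS values entered in step 1, and a session cookie against the cross-site attributes Chrome 80 and later require (SameSite=None together with Secure). The function names, the placeholder origin https://sac.example.com and the sample responses are assumptions constructed for illustration.

```python
# Added example: audit captured response headers against the values in step 1.
# The header and method lists are copied from the page; samples are constructed.
ALLOWED_HEADERS = {"accept", "authorization", "content-type", "x-csrf-token",
                   "x-request-with", "x-sap-cid", "accept-language"}
ALLOWED_METHODS = {"get", "head", "post", "options"}

def _tokens(value):
    """Split a comma-separated header value into a lowercase set."""
    return {t.strip().lower() for t in (value or "").split(",") if t.strip()}

def audit_preflight(headers, sac_origin):
    """Return findings for one OPTIONS response from /sap/bc/ina/service/v2."""
    h = {k.lower(): v for k, v in headers.items()}
    findings = []
    origin = h.get("access-control-allow-origin")
    if origin != sac_origin:
        # "*" also lands here: browsers reject it for credentialed requests.
        findings.append(f"allow-origin is {origin!r}, expected {sac_origin!r}")
    missing = ALLOWED_HEADERS - _tokens(h.get("access-control-allow-headers"))
    if missing:
        findings.append("allowed headers missing: " + ", ".join(sorted(missing)))
    missing = ALLOWED_METHODS - _tokens(h.get("access-control-allow-methods"))
    if missing:
        findings.append("allowed methods missing: "
                        + ", ".join(sorted(m.upper() for m in missing)))
    return findings

def audit_set_cookie(set_cookie):
    """Check one Set-Cookie value for the attributes needed in cross-site use."""
    attrs = [a.strip().lower() for a in set_cookie.split(";")[1:]]
    findings = []
    if "samesite=none" not in attrs:
        findings.append("cookie lacks SameSite=None")
    if "secure" not in attrs:
        findings.append("cookie lacks Secure")
    return findings

# Constructed samples (placeholder origin, not a real tenant).
SAC = "https://sac.example.com"
GOOD = {"Access-Control-Allow-Origin": SAC,
        "Access-Control-Allow-Headers": "accept, authorization, content-type, "
            "x-csrf-token, x-request-with, x-sap-cid, accept-language",
        "Access-Control-Allow-Methods": "GET, HEAD, POST, OPTIONS"}
BAD = {"Access-Control-Allow-Origin": "*",
       "Access-Control-Allow-Headers": "accept, content-type",
       "Access-Control-Allow-Methods": "GET, POST"}

if __name__ == "__main__":
    for name, resp in (("good", GOOD), ("bad", BAD)):
        print(name, audit_preflight(resp, SAC) or "ok")
    print(audit_set_cookie("session=constructed; Path=/; HttpOnly"))
```

Some servers echo only the headers named in the request's Access-Control-Request-Headers, so capture the preflight with all seven headers requested before treating a missing entry as a misconfiguration.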