Live Data Connection to SAPCP with SSO
If you use the SAP Cloud Platform (SAPCP) with SAML SSO, you can
configure SSO to work with SAP Analytics Cloud, and create a live
data connection to your SAP HANA system.
Prerequisites
- To perform these steps, you must use an SAP HANA administrator
account that is assigned to the following
roles:
sap.hana.xs.admin.roles::SAMLAdministrator
sap.hana.xs.admin.roles::RuntimeConfAdministrator
sap.hana.ide.roles::CatalogDeveloper
sap.hana.ide.roles::SecurityAdmin
- You have set up and activated the SAP HANA Info Access Service (InA), version
4.10.0 or above, on your SAP HANA system.
- You have created an SAP HANA info access user and assigned the
sap.bc.ina.service.v2.userRole::INA_USER role to all users
who will use the live connection.
Note
For SAP HANA version 1.00.112.04 and above, users require both the INA_USER role and additional object rights. The SAP HANA administrator must grant users SELECT privileges on all view items in the _SYS_BIC schema that users should have access to. For more information, see SAP Knowledge Base Article 2353833.
Context
You can use the same SAML Identity Provider (IdP) to log on to both SAP HANA and SAP Analytics Cloud. When you set up SAML SSO, you will also create a live data connection to your SAP HANA system.
Procedure
-
Set up the trust relationship between SAP HANA and SAP Analytics Cloud.
-
In the XS Admin page of your SAP
HANA system, select .
You can access the XS Admin page at the following URL: https://<SAP HANA SYSTEM>/sap/hana/xs/admin.
Note
Replace <SAP HANA SYSTEM> with your SAP HANA system name.
-
Under Service Provider Information, copy the
name of the SAML service provider.
-
Go to
The Select a data source dialog will appear.
-
Expand Connect to Live Data and select
SAP HANA.
-
In the dialog, enter a name and description for your connection.
The connection name cannot be changed later.
-
Set the connection type to SAP Cloud Platform.
-
Add your SAP Cloud Platform (SAPCP) account name, database name, and
landscape host.
Note
The following landscape hosts are not yet available: Europe
(Frankfurt), KSA (Riyadh), Russia (Moscow), UAE (Dubai).
-
(Optional) Choose a Default Language from the
list.
This language will always be used for this connection and cannot be changed by users
without administrator privileges.
Note
You must know which languages are installed on your SAPCP system before adding a language code. If the language code you enter is invalid, SAP Analytics Cloud will default to the language specified by your system metadata.
-
Under Credentials, select SAML Single
Sign-On.
-
Select Download Metadata and save the metadata
file.
-
Under SAML Provider Name, enter the SAML service provider name you copied in step 1b.
-
Select OK.
-
In the XS Admin page of your SAP
HANA system, select .
-
Select to begin importing metadata.
-
Open the metadata file you downloaded, and copy the contents into the
Metadata input area.
-
Note the name of the trusted IdP in the metadata information.
-
Under Destination, input the following into
SingleSignOn URL (Redirect Binding) and
SingleSignOn URL (PostBinding):
/saml2/sso.
Note
These values will not be used, but a value must be entered.
-
Select Save.
-
Under General Data, note the Name of this
SAML IdP.
-
Enable SAML.
-
In the XS Admin page of your SAP
HANA system, select .
-
In the Packages area, select .
The SAP Security and Admin page appears.
-
Select Edit.
-
Select the SAML checkbox if the checkbox is not already enabled.
-
Choose a SAML IdP if an IdP is not already selected.
The name of the IdP should be the name you noted in step 1r.
-
Select Save.
-
You must either perform an automatic or a manual user mapping.
If you are using the same IdP for SAP HANA and SAP Analytics Cloud, you can automatically map all existing users to SAP Analytics Cloud.
If you use different IdPs for SAP HANA and SAP Analytics Cloud, you must perform a manual user mapping.
Note
If you do not map users, they will not have access to the SAP HANA database.
- Automatically map users:
- Log on to the SAP Cloud Platform Cockpit and select
Databases & Schemas.
- Select the required DB/Schema ID from the
list, then . A list of available schemas will appear.
- Select .
- Enter a name for the new schema.
- In the editor, add the following procedure:
CREATE PROCEDURE "<MYSCHEMA>"."sap.fpa.services::mapIdentityFromIdpToIdp" (IN FROM_IdP VARCHAR(2048), IN TO_IdP VARCHAR(2048))
LANGUAGE SQLSCRIPT
-- Runs with the caller's privileges, so the caller needs USER ADMIN to run ALTER USER.
SQL SECURITY INVOKER AS
BEGIN
  -- Every user that already has an identity for the target (imported) IdP.
  DECLARE CURSOR vExistingMappings FOR
    SELECT USER_NAME FROM "SYS"."SAML_USER_MAPPINGS" WHERE SAML_PROVIDER_NAME = :TO_IdP;
  -- All SAML mappings; the second loop keeps only those of the source IdP.
  DECLARE CURSOR vUserSamlMappings FOR
    SELECT USER_NAME, SAML_PROVIDER_NAME, EXTERNAL_IDENTITY FROM "SYS"."SAML_USER_MAPPINGS";
  -- Step 1: drop every existing mapping for TO_IdP, including any that were added manually.
  FOR cur_row AS vExistingMappings DO
    EXECUTE IMMEDIATE 'ALTER USER '||:cur_row.USER_NAME||' DROP IDENTITY FOR SAML PROVIDER '||:TO_IdP;
  END FOR;
  -- Step 2: copy each FROM_IdP identity to TO_IdP.
  -- The user name, external identity and provider name are concatenated into dynamic SQL
  -- without quoting or escaping; a user name that needs double quotes, or an external
  -- identity containing a single quote, will make the generated statement fail.
  FOR cur_row AS vUserSamlMappings DO
    IF :cur_row.SAML_PROVIDER_NAME = :FROM_IdP THEN
      EXECUTE IMMEDIATE 'ALTER USER '||:cur_row.USER_NAME||' ADD IDENTITY '''||:cur_row.EXTERNAL_IDENTITY||''' FOR SAML PROVIDER '||:TO_IdP;
    END IF;
  END FOR;
END;
Note
Replace <MYSCHEMA> with the name of the schema you created. The name is case sensitive.
- Execute the procedure.
- Select SQL, and enter the following command:
CALL "<SCHEMA>"."sap.fpa.services::mapIdentityFromIdpToIdp"('<LOGIN IdP>', '<IMPORTED IdP NAME>');
Replace <SCHEMA> with the selected schema name, <LOGIN IdP> with the name of the SAP HANA IdP you use, and <IMPORTED IdP NAME> with the name of the SAP Analytics Cloud IdP you noted in step 1m.
Note
To find the name of your SAP HANA IdP, go to the XS Admin page, select . Under Destination, note the Base URL.
- Execute the SQL command.
Note
If new users are added to SAP Analytics Cloud or SAP HANA, you can run the SQL command again to create a new mapping.
- Manually map one user at a time:
-
In SAP Analytics Cloud, go to .
Copy a user ID in the column.
- Log on to the SAP Cloud Platform Cockpit and select Databases & Schemas.
- Select the required DB/Schema ID from the
list, then . A list of available schemas will appear.
- Select SQL and run the following query:
ALTER USER <HANA USER> ADD IDENTITY '<SAML MAPPING>' FOR SAML PROVIDER <IMPORTED IdP NAME>;
ALTER USER <HANA USER> ENABLE SAML;
Note
Replace <HANA USER> with an SAP HANA user ID, <SAML MAPPING> with the corresponding ID you copied from SAP Analytics Cloud, and <IMPORTED IdP NAME> with the name of the SAP Analytics Cloud IdP you noted in step 1m.
The second command enables SAML authentication for the specified user. If SAML authentication is already enabled, this command has no effect.
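The queries below are an added example for checking the result of either mapping path (automatic or manual); they are not part of the original procedure and are not SAP's code. They assume the SAP HANA login IdP is named LOGIN_IdP and the imported SAP Analytics Cloud IdP is named SAC_IdP (placeholders; substitute the names you noted in step 1m and in the XS Admin destination). They read only the SYS views that the mapping procedure itself uses, plus SYS.USERS and SYS.EFFECTIVE_ROLES.

```sql
-- Added verification queries; not part of the original SAP procedure.
-- Placeholders (assumptions): 'LOGIN_IdP' = SAML provider SAP HANA users log on with,
-- 'SAC_IdP' = provider created when the SAP Analytics Cloud metadata was imported.
-- Provider names are case sensitive.

-- 1. Confirm both providers exist under exactly the names used in the CALL.
SELECT SAML_PROVIDER_NAME, SUBJECT_NAME, ISSUER_NAME
  FROM "SYS"."SAML_PROVIDERS"
 WHERE SAML_PROVIDER_NAME IN ('LOGIN_IdP', 'SAC_IdP');

-- 2. Users on the login IdP that have no identity for the SAC IdP yet.
--    After the automatic procedure this should return no rows; if it does,
--    users were added later and the CALL has to be run again.
SELECT src.USER_NAME, src.EXTERNAL_IDENTITY
  FROM "SYS"."SAML_USER_MAPPINGS" src
 WHERE src.SAML_PROVIDER_NAME = 'LOGIN_IdP'
   AND NOT EXISTS (SELECT 1
                     FROM "SYS"."SAML_USER_MAPPINGS" dst
                    WHERE dst.USER_NAME = src.USER_NAME
                      AND dst.SAML_PROVIDER_NAME = 'SAC_IdP');

-- 3. Users mapped to the SAC IdP who still cannot log on: SAML authentication is
--    not enabled for them (the mapping alone is not enough; ENABLE SAML is needed),
--    or the user is deactivated.
SELECT m.USER_NAME, m.EXTERNAL_IDENTITY, u.IS_SAML_ENABLED, u.USER_DEACTIVATED
  FROM "SYS"."SAML_USER_MAPPINGS" m
  JOIN "SYS"."USERS" u ON u.USER_NAME = m.USER_NAME
 WHERE m.SAML_PROVIDER_NAME = 'SAC_IdP'
   AND (u.IS_SAML_ENABLED = 'FALSE' OR u.USER_DEACTIVATED = 'TRUE');

-- 4. One SAP Analytics Cloud user ID mapped to more than one HANA user. Each
--    external identity should resolve to exactly one HANA account; more than one
--    row per identity points to a mistake in the manual mapping.
SELECT EXTERNAL_IDENTITY, COUNT(*) AS USER_COUNT
  FROM "SYS"."SAML_USER_MAPPINGS"
 WHERE SAML_PROVIDER_NAME = 'SAC_IdP'
 GROUP BY EXTERNAL_IDENTITY
HAVING COUNT(*) > 1;

-- 5. Mapped users who can authenticate but lack the INA_USER role (directly or
--    through another role), so the live connection will still fail for them.
SELECT m.USER_NAME
  FROM "SYS"."SAML_USER_MAPPINGS" m
 WHERE m.SAML_PROVIDER_NAME = 'SAC_IdP'
   AND NOT EXISTS (SELECT 1
                     FROM "SYS"."EFFECTIVE_ROLES" r
                    WHERE r.USER_NAME = m.USER_NAME
                      AND r.ROLE_NAME = 'sap.bc.ina.service.v2.userRole::INA_USER');
```

Run the queries from the SQL editor in the SAP Cloud Platform Cockpit after the mapping step; every query except the first should return no rows. Keep in mind that the automatic procedure drops all existing mappings for the imported IdP before recreating them, so any manual mapping you add for a user that does not exist on the login IdP is removed the next time the CALL is run.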
-
(Optional) Ensure HCO_INA_SERVICE delivery unit is imported.
-
In SAP HANA Studio, switch to the SAP HANA
Modeler perspective.
-
Select Delivery Units and ensure that
HCO_INA_SERVICE appears in the list.
Note
(Beta) Select the Enable users to schedule for story publishing option if you want to let your users schedule the publishing of stories. For details on scheduling, see Schedule a Publication.
Results
The live data connection is saved, and users with mapped SAP HANA accounts will have access to SAP Analytics Cloud.