Live Data Connection to SAP Universes Using a Direct Connection and SSO
As of Google Chrome version 80, Chrome restricts cookies to first-party access by default, and requires you to explicitly mark cookies for access in third-party, or cross-site, contexts.
To ensure that Chrome and other browsers allow cross-site access to your SAP on-premise data source cookies from SAP Analytics Cloud, you must configure your SAP on-premise data source to issue cookies with specific attributes. Without these settings, user authentication to your live data connections will fail, and Story visualizations based on these connections will not render.
For details, see SameSite Cookie Configuration for Live Data Connections.
- In the Central Management Console of your BIP system, click .
- In the Trusted Authentication section, check Trusted Authentication is enabled.
- Click New Shared Secret.
- Click Download Shared Secret.
In the ldc.properties file, configure the saml.boe.sharedsecret parameter with the shared secret. You'll find the shared secret in the TrustedPrincipal.conf file. Look for the saml.boe.sharedsecret parameter, and copy the key into the ldc.properties file.
Note: The TrustedPrincipal.conf file can be found under <INSTALLDIR>\SAP BusinessObjects Enterprise XI 4.0\win64_x64\ or <INSTALLDIR>\SAP BusinessObjects Enterprise XI 4.0\win64_x86\.
- Set a validity period using the Shared Secret validity Period (days) parameter.
For more information on trusted authentication, refer to the Enabling Trusted Authentication section of the Business Intelligence Platform Administrator Guide.
In the ldc.properties file, set the boe.authenticationMode parameter to
Run the following command to generate a new keystore:
<JAVA_HOME>/bin/keytool.exe -genkey -alias boe -keyalg RSA -keystore <PATH_TO_LDC/CONF>/samlKeystore.jks -keysize 2048
Tip: If your SAP BI Platform has been configured for HTTPS, rather than creating a new keystore, you can reuse the same keystore for SAP BusinessObjects Live Data Connect.
In the ldc.properties file, add the path to this keystore in the value attribute in saml.keystore.file="/WEB-INF/samlKeystore.jks"/>.
Run the following command to check the keystore validity:
<JAVA_HOME>/bin/keytool.exe -list -v -keystore <PATH_TO_WEB-INF>/samlKeystore.jks
- If not in the file already, add the SAML parameters in the ldc.properties file. Refer to Configuring SAP BusinessObjects Live Data Connect for more details.
- Run the following command to generate a new keystore:
- Download the SAML metadata of the Identity Provider (IDP) and save it locally as idp_metadata.xml. Refer to the SAP Cloud Platform documentation to learn how to download the SAML metadata.
- Restart SAP BusinessObjects Live Data Connect.
- Go to https://<HOST>:<PORT>/sap/boc/ina/saml/metadata to download the metadata file locally on your file system. Make sure to use the host and port used for SAP BusinessObjects Live Data Connect.
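Before restarting Live Data Connect, it helps to confirm that the two edited files agree: the secret copied from TrustedPrincipal.conf must match saml.boe.sharedsecret in ldc.properties, and boe.authenticationMode and saml.keystore.file must be set. The script below is an added example, not SAP's code or documentation; it assumes both files are key=value lines and that TrustedPrincipal.conf stores the secret under SharedSecret (it also accepts the saml.boe.sharedsecret name used on this page). The file contents are constructed samples.

```python
import re

# Constructed sample contents (not real secrets): the downloaded
# TrustedPrincipal.conf and ldc.properties after the edits above.
TRUSTED_PRINCIPAL_CONF = """
SharedSecret=c0nstructedSharedSecretValue
"""

LDC_PROPERTIES = """
# SAML / trusted authentication settings for Live Data Connect
saml.boe.sharedsecret=c0nstructedSharedSecretValue
# placeholder: the required value is given in the product documentation
boe.authenticationMode=PLACEHOLDER_MODE
saml.keystore.file=/WEB-INF/samlKeystore.jks
"""

REQUIRED_LDC_KEYS = ("saml.boe.sharedsecret", "boe.authenticationMode", "saml.keystore.file")


def parse_properties(text: str) -> dict:
    """Parse Java-style key=value (or key: value) lines; '#' and '!' start comments."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        m = re.match(r"([^=:\s]+)\s*[=:]?\s*(.*)$", line)
        if m:
            props[m.group(1)] = m.group(2).strip().strip('"')
    return props


def check_trusted_auth(trusted_conf: str, ldc_props: str) -> list:
    """Return a list of findings; an empty list means the files are consistent."""
    tp = parse_properties(trusted_conf)
    ldc = parse_properties(ldc_props)
    findings = []
    # Assumption: BI Platform writes the secret as SharedSecret; the page calls
    # the parameter saml.boe.sharedsecret, so both names are accepted here.
    secret = tp.get("SharedSecret") or tp.get("saml.boe.sharedsecret")
    if not secret:
        findings.append("TrustedPrincipal.conf: no shared secret found")
    for key in REQUIRED_LDC_KEYS:
        if not ldc.get(key):
            findings.append(f"ldc.properties: {key} is missing or empty")
    if secret and ldc.get("saml.boe.sharedsecret") and ldc["saml.boe.sharedsecret"] != secret:
        findings.append("ldc.properties: saml.boe.sharedsecret does not match TrustedPrincipal.conf")
    return findings


if __name__ == "__main__":
    for line in check_trusted_auth(TRUSTED_PRINCIPAL_CONF, LDC_PROPERTIES) or ["OK: files agree"]:
        print(line)
```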
Go to your IDP, create an application and upload the metadata file:
- In the administration of the IDP, click .
- Give a name to the application.
- Click SAML 2.0 Configuration.
- In the Define from Metadata section, click Browse and upload the metadata file you have previously downloaded (see step 3).
- Click Name ID Attribute and select the attribute (Login Name or User ID) to map and match the Account Name property value of SAP BI Platform’s users.
Create the mapping between the IDP user and the BIP user:
In the IDP, click .
Note: Make sure the name you set in the selected attribute (Login Name or User ID) strictly corresponds to an existing Account Name in the SAP BI Platform (see step 5 of Defining the trust between the Identity Provider and SAP BusinessObjects Live Data Connect).
- Set the e-mail, login name, and initial password.
- In the user details, check E-mail Verified and save.
- Note down the user ID, you'll need it to add user rights in SAP Analytics Cloud.
- In the IDP, click .
Add the IDP user to the SAP Analytics Cloud tenant.
- Log in to SAP Analytics Cloud as an administrator.
- From the main menu, click .
Add the user you've created in the IDP using the same
Note: The e-mail corresponds to the e-mail address of the IDP user, and the SAML user mapping corresponds to the user ID.
- Save your changes.