Live Data Connection to SAP HANA Cloud Using a Direct Connection and SSO

To access SAP HANA Cloud on an SAP Cloud Platform (SAPCP) system that is running a Cloud Foundry (CF) environment, you can create a live data connection using the SAP HANA Analytics Adapter for Cloud Foundry.

Who does this apply to?

Users with any of these permissions for Connections: Create, Read, Update, Delete, and Maintain.
Users with Execute permission for Other Data Sources.
Users with any of these standard application roles: Admin, Application Creator, BI Content Creator, BI Admin, and Planner Reporter.
Setting up a live connection requires working with the SAP Analytics Cloud system owner and different IT and application stakeholders within your organization. Most configuration steps are done on your SAP HANA server before creating the connection in your SAP Analytics Cloud tenant.

Prerequisites

Note

We highly recommend that you use the SAP HANA Cloud connection type (see details here) for Cloud Foundry environments. However, this direct connection type is still available for both Neo and Cloud Foundry environments.

SAP HANA Cloud must be installed on an SAP Cloud Platform (SAPCP) system that uses a Cloud Foundry (CF) environment. See this video for details.
A SAML 2 Identity Provider (IdP) must be configured. Both the SAPCP and SAP Analytics Cloud must use the same IdP.

For instructions on setting up SAML 2.0 on the SAPCP, see Trust and Federation with SAML 2.0 Identity Providers.

For instructions on setting up SAML in SAP Analytics Cloud, see Enable a Custom SAML Identity Provider.
You must have HDI containers available on your SAPCP system. For more information, see Set Up an HDI Container.

Note

The following SAP Analytics Cloud features are not supported with this connection type at this time:

Enriched time dimensions
Timestamp dimensions
Dynamic image widgets
Smart Insights
Smart Assist/Changes Over Time in Smart Insights
Smart Predict
Story scheduling
Android/iOS Mobile App:
- SAP Cloud Connector-based single sign-on
- Basic Authentication connections
- Geo maps
OEM scenarios through “Extended Live Connections”

Install and configure tools

Procedure

Download and install the Cloud Foundry CLI.
Download and install the Cloud Foundry CLI MTA.
Install the plugin using the command:
```
cf install-plugin mta-plugin-windows.exe -f
```
Download and install Oracle JDK 8 or SAP JDK 8.
To verify that the JDK is ready, check the version of the JDK you have installed. For example:
```
javac -version
```
Download and install Apache Maven.
To verify that Maven is ready, check the version of Maven you have installed. For example:
```
mvn --version
```
Download and install Node.js.
To verify that Node is ready, check the version of Node you have installed. For example:
```
node --version
```
Also verify that npm (Node Package Manager) is installed with Node. For example:
```
npm --version
```

Set npm for the sap registry modules with the command:

npm config set @sap:registry https://registry.npmjs.org

Deploy the analytics adapter for SAP HANA

Procedure

Create a local folder. For example: c:\haa.
This directory is referred to as <HAA_ROOT> in the following steps.
Download or clone the analytics adapter (HAA) project from SAP GitHub.
Unzip the file in the <HAA_ROOT>.

Prepare the Multi-Target Application (MTA)

Context

See this video Information published on non-SAP site

for details.

Procedure

Download the Cloud MTA Build Tool (MBT) from https://sap.github.io/cloud-mta-build-tool/.
Create a new folder under <HAA_ROOT>/haa-java and name it target.
Download the latest version of the Analytics adapter for SAP HANA extended application services, advanced model from https://tools.hana.ondemand.com/#hanatools.
The file to download is named: xsahaa-release-<version>-release.zip.
Extract the zip file into a temporary folder.
Copy the java-xsahaa.war file into the project folder <HAA_ROOT>/haa-java/target.

Edit the yaml file in the folder <HAA_ROOT> using the following example (copy & paste the text below):

file into the projectID: xsahaa
_schema-version: '2.0'
version: 0.0.2

modules:

- name: xsahaa-be
type: java
build-parameters:
  builder: custom
  commands: []
path: haa-java
parameters:
memory: 1G
buildpack: sap_java_buildpack
properties:
TARGET_RUNTIME: tomee

JBP_CONFIG_RESOURCE_CONFIGURATION: "['tomee/webapps/ROOT/WEB-INF/resources.xml': {'xsahaa-hdi-container':'<customer_hdi>'}]"
provides:
- name: xsahaa-be
properties:
url: ${default-url}
requires:
- name: xsahaa-uaa
- name: <customer_hdi>

- name: xsahaa-rt
type: nodejs
path: haa-entry
parameters:
memory: 1G
buildpack: nodejs_buildpack
requires:
- name: xsahaa-uaa
- name: xsahaa-be
group: destinations
properties:
name: xsahaa-be
url: ~{url}
forwardAuthToken: true
timeout: 600000
properties:
CORS: >
[
{
"uriPattern": "^/sap/bc/ina/(.*)$",
"allowedOrigin": [
{"host":"<orca-tenant-host>", "protocol":"https"}
],
"allowedMethods": ["GET", "POST", "HEAD", "OPTIONS", "PUT", "DELETE"],
"allowedHeaders": ["Origin", "Accept", "X-Requested-With", "Content-Type", "Access-Control-Request-Method", "Access-Control-Request-Headers", "Authorization", "X-Sap-Cid", "X-Csrf-Token"],
"exposeHeaders": ["Accept", "Authorization", "X-Requested-With", "X-Sap-Cid", "Access-Control-Allow-Origin", "Access-Control-Allow-Credentials", "X-Csrf-Token", "Content-Type"]
}
]
COOKIES: '{"SameSite": "None"}'
TENANT_HOST_PATTERN: '^(.*)-<space>-xsahaa-rt.cfapps.(.*).hana.ondemand.com'
INCOMING_CONNECTION_TIMEOUT: 600000

resources:
- name: <customer_hdi>
type: org.cloudfoundry.existing-service
- name: xsahaa-uaa
type: com.sap.xs.uaa
parameters:
path: ./xs-security.json

Note

Replace <customer_hdi> with your own HDI name; for example, sales-hdi.
Replace <orca-tenant-host> with the CF SAP Analytics Cloud tenant URL.
Example: customer.us10.sapanalytics.cloud
In the TENANT_HOST_PATTERN line, replace <space> with the CF space name (where the HANA instance is located) in lowercase characters.
If the Organization name and the Subdomain name are different, then the TENANT_HOST_PATTERN should follow the format: <org name>-<space>.
Replace spaces and underscores in the organization name with hyphens, and use lowercase characters. For example, if the organization name is “AAA_bbbb/123 456”, then change it to “aaa-bbbb-123-456”.

Edit the xs-security.json file in the folder <HAA_ROOT>, and replace “SalesApp” with “HAAApp”.

Edit the xs-app.json file in the folder <HAA_ROOT>/haa-entry and replace this code block:

"source": "^/(.*)",
"localDir": "resources",
"authenticationType": "xsuaa",
"scope": "$XSAPPNAME.USER"

with this one:

"source": "^/(.*)",
"localDir": "resources",
"authenticationType": "none"

Build and deploy the analytics adapter

Procedure

Start a command prompt window.
Build the mta file with the command:
```
mbt build -p=cf
```
This command will generate a new file named <HAA_ROOT>.mtar.
In the SAPCP Cockpit, in your subaccount overview, find the CF API endpoint.
In the command prompt, set the CLI variable using the command:
```
cf api <api-endpoint>
```
Log on to CF using the command:
```
cf login
```
Deploy the mta to CF with the command:
```
cf deploy <HAA_ROOT>.mtar
```
After deployment, two new services and three new applications should appear in the SAPCP Cockpit.
To authenticate with a named user, set USE_NAMED_USER=true.

Grant permissions and set up roles

Procedure

In the SAPCP Cockpit, go to the subaccount and click Role Collections.
Create a new role collection with the name SACToHAA.
Select SACToHAA, click Add Role, and select SalesApp_User from the list.

Set up trust between XSUAA and the SAP HANA database container

Procedure

Add a JSON Web Token (JWT) identity provider:
1. In the SAPCP Cockpit, click Add Identity Provider.
2. Open a new browser tab, and enter the URL: UAA_URL/sap/trust/jwt. You will see response content.
3. In the Add Identity Provider dialog, enter the following information:
  1. Identity Provider Name: Enter a name for your IdP; for example, JWTPROVIDER_1.
  2. Issuer URL: Copy the URL from the “Issuer” property in the response content.
  3. JWT Identity Claim: Enter user_name.
4. Click Add.
Create a certificate:
1. In the SAPCP Cockpit, get the UAA_URL value from the deployed application:
2. Create the certificate based on information from the JWT trust endpoint.
  The basic format of the URL is: UAA_URL/sap/trust/jwt
  
  Example: https://hcsacorca1.authentication.sap.hana.ondemand.com/sap/trust/jwt
  
  The following steps need information obtained from this endpoint.
  1. Import a trusted certificate.
  2. Select “Paste content”.
  3. Open a new browser tab, and enter the URL: UAA_URL/sap/trust/jwt. You will see response content similar to the above screenshot.
  4. Copy the content starting from -----BEGIN CERTIFICATE----- and ending with -----END CERTIFICATE-----, and paste it into the “Paste content” input field.
  5. Click “OK” to complete the certificate creation.
Create a certificate collection.
If the certificate collection already exists and you want to edit it, you'll need to restart your SAP HANA instance afterward.
1. In the Database Overview, click Certificate Collections Add Collection to create a certificate collection.
2. Type a name for your certificate collection, and click OK.
3. Select Add Certificate to open the Select Certificate dialog.
4. Select the certificate you created earlier, and then click OK.
5. Click Edit Purpose.
6. In the Edit Purpose dialog, select JWT in the Purpose field, choose the JWT provider you created earlier in the Providers field, and then click Save.

Set up the IdP

Procedure

In the SAPCP cockpit, under Security Trust Configuration, set the default IDP as inactive.
This ensures you won't be prompted during a data refresh.
Under Custom, select the name of the Active trust configuration.
Click Role Collection Assignment, and assign the SACToHAA role collection to the user ID for your SAML IdP.

Map SAP HANA users to external SAML IdP users

Context

This step depends on the states of the User-Provided Variables from the HAA service in the preceding section Build and deploy the analytics adapter. If USE_NAMED_USER is true, then follow all the substeps below, down to and including “Click Object Privileges”.

Procedure

In the SAP HANA Cockpit, select Manage users.
Create a new user and give it the user ID you used in the preceding section Set up the IdP (“Click Role Collection Assignment”).
Scroll through the authentication area, and select the JWT check box.
Click Add JWT Identity.
Map the JWT Provider to match the External SAML IdP UserID attribute.
Click Save.
In the Authorization Mode area for the new user, click Assign Roles.
Click Edit Add.
Search for the access_role and the external_privileges_role defined in your HDI schema.
Click Assign Privileges in the Authorization Mode area for the new user.
Click Object Privileges, then Edit, and add two new objects: EXECUTE_MDS and _SYS_BI.

Note
If your HAA version is earlier than 1.5.2, add EXECUTE_MDS_DEV instead of EXECUTE_MDS.

Create a connection to an SAP HANA Cloud system in SAP Analytics Cloud

Procedure

From the side navigation, choose Connections (Add Connection).
The Select a data source dialog will appear.
Expand Connect to Live Data, and select SAP HANA Cloud.
In the dialog, enter a name and description for your connection.
The connection name cannot be changed later.
Set the connection type to Direct.
Add your SAP HANA host name, and 443 as the port.
The host should be the haa application route. You can find this information in the SAPCP Cockpit on the Application: haa – Overview page.
(Optional) Choose a Default Language from the list.

This language will always be used for this connection and cannot be changed by users without administrator privileges.
Note
You must know which languages are installed on your SAP HANA system before adding a language code. If the language code you enter is invalid, SAP Analytics Cloud will default to the language specified by your system metadata.
Under Authentication Method, select SAML Single Sign On.
Select OK.

Note
After creating a connection to a remote system and before creating a model from a remote system, you must log off and log on to SAP Analytics Cloud again.

Note
Select the Enable users to schedule for story publishing option if you want to let your users schedule the publishing of stories. For details on scheduling, see Schedule a Publication.