Live Data Connection to BTP with SSO

If you use the SAP Business Technology Platform (BTP) with SAML SSO, you can configure SSO to work with SAP Analytics Cloud, and create a live data connection to your SAP HANA system.

Who does this apply to?
  • Users with any of these permissions for Connections: Create, Read, Update, Delete, and Maintain.
  • Users with Execute permission for Other Data Sources.
  • Users with any of these standard application roles: Admin, Application Creator, BI Content Creator, BI Admin, and Planner Reporter.
  • Setting up a live connection requires working with the SAP Analytics Cloud system owner and different IT and application stakeholders within your organization. Most configuration steps are done on your SAP HANA server before creating the connection in your SAP Analytics Cloud tenant.

Prerequisites

  • To perform these steps, you must use an SAP HANA administrator account that is assigned to the following roles:
    sap.hana.xs.admin.roles::SAMLAdministrator
    sap.hana.xs.admin.roles::RuntimeConfAdministrator
    sap.hana.ide.roles::CatalogDeveloper
    sap.hana.ide.roles::SecurityAdmin
  • You have set up and activated the SAP HANA Info Access Service (InA), version 4.10.0 or above, on your SAP HANA system.
    Note
    For more information on how to set up your SAP HANA InA service, see Installing the Info Access, Toolkit, API, and Service.

  • Ensure that the sap.bc.ina.service.v2.userRole::INA_USER role is assigned to all users who will use the live connection. This role is required in addition to the usual roles and authorizations that are granted to users for data access purposes.
    Note
    For SAP HANA version 1.00.112.04 and above, users require both the INA_USER role and additional object rights. The SAP HANA administrator must grant users SELECT privileges on all view items in the _SYS_BIC schema that users should have access to. For more information, see SAP Knowledge Base Article 2353833.
    Note
    For information on supported versions of SAP HANA, see System Requirements and Technical Prerequisites.

Set up the trust relationship between SAP HANA and SAP Analytics Cloud

Context

You can use the same SAML Identity Provider (IdP) to log on to both SAP HANA and SAP Analytics Cloud. When you set up SAML SSO, you will also create a live data connection to your SAP HANA system.

Procedure

  1. In the XS Admin page of your SAP HANA system, choose (menu) > SAML Service Provider.

    You can access the XS Admin page at the following URL: https://<SAP HANA SYSTEM>/sap/hana/xs/admin.

    Note
    Replace <SAP HANA SYSTEM> with your SAP HANA system name.
  2. Under Service Provider Information, copy the name of the SAML service provider.
  3. In SAP Analytics Cloud, from the side navigation, choose Connections > (Add Connection).
    The Select a data source dialog appears.
  4. Expand Connect to Live Data and select SAP HANA.
  5. In the dialog, enter a name and description for your connection.
    The connection name cannot be changed later.
  6. Set the connection type to SAP Business Technology Platform (BTP).
  7. Add your SAP BTP account name, database name, and landscape host.

    This information is available from the Cockpit overview screen, when you have a running SAP HANA instance.

    Note
    The following landscape hosts are not yet available: Europe (Frankfurt), KSA (Riyadh), Russia (Moscow), UAE (Dubai).
  8. (Optional) Choose a Default Language from the list.
    This language will always be used for this connection and cannot be changed by users without administrator privileges.
    Note
    You must know which languages are installed on your SAP HANA system before adding a language code. If the language code you enter is invalid, SAP Analytics Cloud will default to the language specified by your system metadata.
  9. Under Credentials, select SAML Single Sign-On.
  10. Select Download Metadata and save the metadata file.
  11. Under SAML Provider Name, enter the provider name you copied in step 2.
  12. Select OK.
    Note
    Select the Enable users to schedule for story publishing option if you want to let your users schedule the publishing of stories. For details on scheduling, see Schedule a Publication.
  13. In the XS Admin page of your SAP HANA system, choose (menu) > SAML Identity Provider.
  14. Select to begin importing metadata.
  15. Open the metadata file you downloaded, and copy the contents into the Metadata input area.
  16. Note the name of the trusted IdP in the metadata information.
  17. Under Destination, input the following into SingleSignOn URL (Redirect Binding) and SingleSignOn URL (PostBinding): /saml2/sso.
    Note
    These values will not be used, but a value must be entered.
  18. Select Save.
  19. Under General Data, note the Name of this SAML IdP.

Results

The connection is saved.
Note
The connection is not tested until you create a model. For more information, see Create a New Model.

Enable SAML

Procedure

  1. In the XS Admin page of your SAP HANA system, choose (menu) > XS Artifact Administration.
  2. In the Packages area, select sap > bc > ina > service > v2.
    The SAP Security and Admin page appears.
  3. Select Edit.
  4. Select the SAML checkbox if the checkbox is not already enabled.
  5. Choose a SAML IdP if an IdP is not already selected.
    The name of the IdP should be the name you noted in the previous procedure.
  6. Select Save.

Map users between SAP HANA and SAP Analytics Cloud

Procedure

Perform either an automatic or manual user mapping.

If you are using the same IdP for SAP HANA and SAP Analytics Cloud, you can automatically map all existing users to SAP Analytics Cloud.

If you use different IdPs for SAP HANA and SAP Analytics Cloud, you must perform a manual user mapping.

Note
If you do not map users, they will not have access to the SAP HANA database.
  • Automatically map users:
    1. Log on to the SAP Business Technology Platform Cockpit and select Databases & Schemas.
    2. Select the required DB/Schema ID from the list, then SAP HANA Web-based Development Workbench > Catalog. A list of available schemas appears.
    3. Select File > New > Schema.
    4. Enter a name for the new schema.
    5. In the editor, add the following procedure:
      -- Copies every SAML identity that is mapped for FROM_IdP to TO_IdP,
      -- replacing any identities already mapped for TO_IdP.
      -- Runs with the caller's privileges (SQL SECURITY INVOKER).
      CREATE PROCEDURE "<MYSCHEMA>"."sap.fpa.services::mapIdentityFromIdpToIdp" (IN FROM_IdP VARCHAR(2048), IN TO_IdP VARCHAR(2048))
      LANGUAGE SQLSCRIPT
      SQL SECURITY INVOKER AS
      BEGIN
          -- Users that already have an identity for the target IdP
          DECLARE CURSOR vExistingMappings FOR
              SELECT USER_NAME FROM "SYS"."SAML_USER_MAPPINGS" WHERE SAML_PROVIDER_NAME = :TO_IdP;
          -- All SAML identity mappings; filtered to FROM_IdP in the loop below
          DECLARE CURSOR vUserSamlMappings FOR
              SELECT USER_NAME, SAML_PROVIDER_NAME, EXTERNAL_IDENTITY FROM "SYS"."SAML_USER_MAPPINGS";
          -- Drop the existing identities for the target IdP so they can be recreated
          FOR cur_row AS vExistingMappings DO
              EXECUTE IMMEDIATE 'ALTER USER '||:cur_row.USER_NAME||' DROP IDENTITY FOR SAML PROVIDER '||:TO_IdP;
          END FOR;
          -- Recreate each FROM_IdP identity under the target IdP
          FOR cur_row AS vUserSamlMappings DO
              IF :cur_row.SAML_PROVIDER_NAME = :FROM_IdP THEN
                  EXECUTE IMMEDIATE 'ALTER USER '||:cur_row.USER_NAME||' ADD IDENTITY '''||:cur_row.EXTERNAL_IDENTITY||''' FOR SAML PROVIDER '||:TO_IdP;
              END IF;
          END FOR;
      END;
      Note
      Replace <MYSCHEMA> with the name of the schema you created. The name is case sensitive.
    6. Execute the procedure.
    7. Select SQL, and enter the following command:
      CALL "<SCHEMA>"."sap.fpa.services::mapIdentityFromIdpToIdp"('<LOGIN IdP>', '<IMPORTED IdP NAME>');
      Replace <SCHEMA> with the selected schema name, <LOGIN IdP> with the name of the SAP HANA IdP you use, <IMPORTED IdP NAME> with the name of the SAP Analytics Cloud IdP you noted in the preceding section Set up the trust relationship between SAP HANA and SAP Analytics Cloud.
      Note
      To find the name of your SAP HANA IdP, go to the XS Admin page and choose (menu) > SAML Identity Provider. Under Destination, note the Base URL.
    8. Execute the SQL command.
      Note
      If new users are added to SAP Analytics Cloud, or SAP HANA, you can run the SQL command again to create a new mapping.
  • Manually map one user at a time:
    1. In SAP Analytics Cloud, from the side navigation, choose Security > Users.
      Copy a USER ID.

    2. Log on to the SAP Business Technology Platform Cockpit and select Databases & Schemas.
    3. Select the required DB/Schema ID from the list, then SAP HANA Web-based Development Workbench > Catalog. A list of available schemas appears.
    4. Select SQL and run the following query:
      ALTER USER <HANA USER> ADD IDENTITY '<SAML MAPPING>' FOR SAML PROVIDER <IMPORTED IdP NAME>;
      ALTER USER <HANA USER> ENABLE SAML;
      Note
      Replace <HANA USER> with an SAP HANA user ID, <SAML MAPPING> with the corresponding ID you copied from SAP Analytics Cloud, and <IMPORTED IdP NAME> with the name of the SAP Analytics Cloud IdP you noted in the preceding section Set up the trust relationship between SAP HANA and SAP Analytics Cloud.

      The second command enables SAML authentication for the specified user. If SAML authentication is already enabled, this command has no effect.
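Whichever mapping path you used, the connection only works for users who hold an identity for the imported IdP and have SAML enabled. The following query is an added check, not part of the SAP procedure above: it reads the same SYS.SAML_USER_MAPPINGS view the mapping procedure uses, together with the IS_SAML_ENABLED flag in SYS.USERS, and reports every user whose login-IdP identity has no matching identity for the imported IdP, whose two identities differ, or who has SAML disabled. The placeholders are the ones from the steps above.

```sql
-- Added verification query (not part of the SAP documentation).
-- Replace <LOGIN IdP> and <IMPORTED IdP NAME> with the same values used in the
-- CALL to mapIdentityFromIdpToIdp or in the manual ALTER USER statements.
-- An empty result means every user known to the login IdP can also be
-- authenticated for the imported SAP Analytics Cloud IdP.
SELECT
    src.USER_NAME,
    src.EXTERNAL_IDENTITY AS LOGIN_IDENTITY,
    dst.EXTERNAL_IDENTITY AS IMPORTED_IDENTITY,
    u.IS_SAML_ENABLED,
    CASE
        WHEN dst.USER_NAME IS NULL                        THEN 'NO IDENTITY FOR IMPORTED IdP'
        WHEN dst.EXTERNAL_IDENTITY <> src.EXTERNAL_IDENTITY THEN 'IDENTITY DIFFERS BETWEEN IdPs'
        WHEN u.IS_SAML_ENABLED <> 'TRUE'                  THEN 'SAML NOT ENABLED FOR USER'
    END AS FINDING
FROM "SYS"."SAML_USER_MAPPINGS" src
-- identity for the imported SAP Analytics Cloud IdP, if any
LEFT JOIN "SYS"."SAML_USER_MAPPINGS" dst
       ON dst.USER_NAME          = src.USER_NAME
      AND dst.SAML_PROVIDER_NAME = '<IMPORTED IdP NAME>'
-- per-user authentication flags ('TRUE' / 'FALSE')
JOIN "SYS"."USERS" u
  ON u.USER_NAME = src.USER_NAME
WHERE src.SAML_PROVIDER_NAME = '<LOGIN IdP>'
  AND (   dst.USER_NAME IS NULL
       OR dst.EXTERNAL_IDENTITY <> src.EXTERNAL_IDENTITY
       OR u.IS_SAML_ENABLED <> 'TRUE')
ORDER BY src.USER_NAME;
```

Run it from the SQL console of the SAP HANA Web-based Development Workbench after step 8 of the automatic mapping, or after the manual ALTER USER statements; rerun it after adding users to either system.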

(Optional) Import the HCO_INA_SERVICE delivery unit

Procedure

  1. In SAP HANA Studio, switch to the SAP HANA Modeler perspective.
  2. Select Delivery Units and ensure that HCO_INA_SERVICE appears in the list.