Live Data Connection to SAP Universes Using a Direct Connection and SSO

Prerequisites

Caution

As of Google Chrome version 80, Chrome restricts cookies to first-party access by default, and requires you to explicitly mark cookies for access in third-party, or cross-site, contexts.

To ensure that Chrome and other browsers allow cross-site access to your SAP on-premise data source cookies from SAP Analytics Cloud, you must configure your SAP on-premise data source to issue cookies with specific attributes. Without these settings, user authentication to your live data connections will fail, and Story visualizations based on these connections will not render.

For details, see SameSite Cookie Configuration for Live Data Connections.

Context

Tip
We recommend using SAML authentication if you plan on deploying SAP BusinessObjects Live Data Connect in production mode.

Procedure

  1. In the Central Management Console of your BIP system, click Authentication > Enterprise.
  2. In the Trusted Authentication section, check Trusted Authentication is enabled.
  3. Click New Shared Secret.
  4. Click Download Shared Secret.
  5. In the ldc.properties file, configure the saml.boe.sharedsecret parameter with the shared secret. The shared secret is stored in the TrustedPrincipal.conf file: look for the saml.boe.sharedsecret parameter there and copy its value into the ldc.properties file.
    Note
    The TrustedPrincipal.conf file can be found under <INSTALLDIR>\SAP BusinessObjects Enterprise XI 4.0\win64_x64\ or <INSTALLDIR>\SAP BusinessObjects Enterprise XI 4.0\win64_x86\.
  6. Set a validity period using the Shared Secret validity Period (days) parameter.
  7. Click Update.
    For more information on trusted authentication, refer to the Enabling Trusted Authentication section of the Business Intelligence Platform Administrator Guide.
  8. In the ldc.properties file, set the boe.authenticationMode parameter to saml.
    1. Run the following command to generate a new keystore:
      <JAVA_HOME>/bin/keytool.exe -genkey -alias boe -keyalg RSA -keystore <PATH_TO_WEB-INF>/samlKeystore.jks -keysize 2048
      Tip
      If your SAP BI Platform has been configured for HTTPS, rather than creating a new keystore, you can reuse the same key store for SAP BusinessObjects Live Data Connect.

      In the ldc.properties file, set the saml.keystore.file parameter to the path of this keystore, for example saml.keystore.file="/WEB-INF/samlKeystore.jks".

    2. Run the following command to check the keystore validity:
      <JAVA_HOME>/bin/keytool.exe -list -v -keystore <PATH_TO_WEB-INF>/samlKeystore.jks
    3. If not in the file already, add the SAML parameters in the ldc.properties file. Refer to Configuring SAP BusinessObjects Live Data Connect for more details.
  9. Download the SAML metadata of the Identity Provider (IDP) and save it in the WEB-INF\classes\metadata directory as idp_metadata.xml. Refer to the Tenant SAML 2.0 Configuration to know how to download the SAML metadata.
  10. Restart Tomcat.
  11. Go to https://<HOST>:<PORT>/sap/boc/ina/saml/metadata to download the metadata file locally on your file system.
  12. Go to your IDP, create an application and upload the metadata file:
    1. In the administration of the IDP, click Administration and Resources > Applications > + Add.
    2. Give a name to the application.
    3. Click SAML 2.0 Configuration.
    4. In the Define from Metadata section, click Browse and upload the metadata file you downloaded earlier (step 11).
  13. Click Name ID Attribute and select the attribute (Login Name or User ID) to map and match the Account Name property value of SAP BI Platform’s users.
  14. Create the mapping between the IDP user and the BIP user:
    1. In the IDP, click User & Authorizations > + Add User.
      Note
      Make sure the name you set in the selected attribute (Login Name or User ID) strictly corresponds to an existing Account Name in the SAP BI Platform (see step 5 of Defining the trust between the Identity Provider and SAP BusinessObjects Live Data Connect).
    2. Set the e-mail, login name, and initial password.
    3. In the user details, check E-mail Verified and save.
    4. Note down the user ID; you'll need it to add user rights in SAP Analytics Cloud.
  15. Add the IDP user to the SAP Analytics Cloud tenant.
    1. Log in to SAP Analytics Cloud as an administrator.
    2. From the main menu, click Security > Users.
    3. Add the user you've created in the IDP using the same credentials.
      Note
      The e-mail corresponds to the e-mail address of the IDP user, and the SAML user mapping corresponds to the user ID.
    4. Save your changes.
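Steps 5, 8 and 9 leave the trust configuration spread over three artifacts: the shared secret copied from TrustedPrincipal.conf into ldc.properties, the boe.authenticationMode and saml.keystore.file parameters, and the idp_metadata.xml file under WEB-INF\classes\metadata. A mismatch in any of them shows up only as a failed login later, so a pre-restart check is worth having. The script below is an added example, not code from SAP or from this page: it reads both properties files, confirms the shared secret matches, that the authentication mode is saml, that the configured keystore exists under the web application, and that the IdP metadata actually describes an IdP (an IDPSSODescriptor with a SingleSignOnService endpoint) rather than the SP metadata from step 11 uploaded by mistake. It assumes both files are plain key=value text and that saml.keystore.file is relative to the web application root; the sample files and directory layout are constructed for the demo.

```python
"""Pre-restart check for the ldc.properties / TrustedPrincipal.conf / idp_metadata.xml trio.

Added example; assumes key=value files and a keystore path relative to the webapp root.
"""
import os
import re
import tempfile
import xml.etree.ElementTree as ET

SAML_MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"
_PROP_RE = re.compile(r"^\s*([^=:\s]+)\s*[=:]?\s*(.*?)\s*$")


def parse_properties(text):
    """Minimal parser for Java-style key=value files (comments start with # or !)."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        m = _PROP_RE.match(line)
        if m:
            props[m.group(1)] = m.group(2).strip('"')
    return props


def idp_metadata_problems(path):
    """Sanity-check the IdP metadata: it must parse and describe an IdP SSO endpoint."""
    try:
        root = ET.parse(path).getroot()
    except (OSError, ET.ParseError) as exc:
        return [f"idp_metadata.xml unusable: {exc}"]
    idp = next(root.iter(f"{{{SAML_MD_NS}}}IDPSSODescriptor"), None)
    if idp is None:
        return ["idp_metadata.xml has no IDPSSODescriptor (SP metadata uploaded by mistake?)"]
    if idp.find(f"{{{SAML_MD_NS}}}SingleSignOnService") is None:
        return ["idp_metadata.xml lists no SingleSignOnService endpoint"]
    return []


def check_ldc_config(ldc_text, trusted_principal_text, webapp_dir):
    """Return a list of problems; an empty list means the settings match the procedure."""
    ldc = parse_properties(ldc_text)
    tp = parse_properties(trusted_principal_text)
    problems = []

    if ldc.get("boe.authenticationMode") != "saml":
        problems.append("boe.authenticationMode must be set to saml")

    secret = ldc.get("saml.boe.sharedsecret", "")
    if not secret:
        problems.append("saml.boe.sharedsecret missing from ldc.properties")
    elif secret != tp.get("saml.boe.sharedsecret"):
        problems.append("saml.boe.sharedsecret differs from TrustedPrincipal.conf")

    keystore = ldc.get("saml.keystore.file", "")
    if not keystore:
        problems.append("saml.keystore.file not set")
    elif not os.path.isfile(os.path.join(webapp_dir, keystore.lstrip("/"))):
        problems.append(f"keystore {keystore} not found under the web application")

    idp_md = os.path.join(webapp_dir, "WEB-INF", "classes", "metadata", "idp_metadata.xml")
    problems.extend(idp_metadata_problems(idp_md))
    return problems


# Constructed sample files; the secret and hostnames are placeholders, not real values.
GOOD_TP = "# TrustedPrincipal.conf (constructed)\nsaml.boe.sharedsecret=c0nstructed-shared-secret\n"
GOOD_LDC = (
    "boe.authenticationMode=saml\n"
    "saml.boe.sharedsecret=c0nstructed-shared-secret\n"
    'saml.keystore.file="/WEB-INF/samlKeystore.jks"\n'
)
GOOD_IDP_MD = f"""<EntityDescriptor xmlns="{SAML_MD_NS}" entityID="https://idp.example.test">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
                         Location="https://idp.example.test/sso"/>
  </IDPSSODescriptor>
</EntityDescriptor>"""


def make_webapp(tmp, keystore=True, idp_md=GOOD_IDP_MD):
    """Lay out a fake webapp directory so the path checks have something to look at."""
    md_dir = os.path.join(tmp, "WEB-INF", "classes", "metadata")
    os.makedirs(md_dir)
    if keystore:
        with open(os.path.join(tmp, "WEB-INF", "samlKeystore.jks"), "wb") as f:
            f.write(b"")  # placeholder; a real keystore is produced by keytool (step 8)
    with open(os.path.join(md_dir, "idp_metadata.xml"), "w") as f:
        f.write(idp_md)
    return tmp


def demo():
    """Run the check against a correct layout and a broken one; returns both problem lists."""
    with tempfile.TemporaryDirectory() as tmp:
        good = check_ldc_config(GOOD_LDC, GOOD_TP, make_webapp(tmp))
    # Broken variant: wrong mode, stale secret, keystore never generated.
    bad_ldc = GOOD_LDC.replace("=saml", "=wrong").replace("c0nstructed-shared-secret", "stale-secret")
    with tempfile.TemporaryDirectory() as tmp:
        bad = check_ldc_config(bad_ldc, GOOD_TP, make_webapp(tmp, keystore=False))
    return good, bad


if __name__ == "__main__":
    good, bad = demo()
    print("correct setup:", good or "no problems")
    print("broken setup:", *bad, sep="\n  ")
```

Run it against the real files by calling check_ldc_config with the contents of ldc.properties and TrustedPrincipal.conf and the Tomcat webapp directory; do this before the restart in step 10 so that an empty or stale secret is caught as a configuration error rather than as a failed login in a story. The metadata check deliberately only confirms the file is IdP metadata with an SSO endpoint; it does not validate the signing certificate, which the SAML library does at runtime.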