Live Data Connection to SAP BW Using a Direct Connection and SSO

You must configure your on-premise SAP BW system in order to support SSO for live data connections that use the direct connection type.


  • You are using a supported version of SAP BW. For more information, see System Requirements and Technical Prerequisites.
    Additional correction notes must be applied for some versions of SAP BW. For more information, see SAP Note 2541557.
  • You are using same Identity Provider (IdP) for SAP Analytics Cloud and SAP NetWeaver. For more information on setting up your identity provider in SAP Analytics Cloud, see Enabling a Custom SAML Identity Provider.
  • Ensure that the InA package (/sap/bw/ina) or a higher-level package is configured for SAML authentication using the same identity provider URL as your SAP Analytics Cloud tenant. For more information on enabling SAML on SAP NetWeaver, see Enabling the SAML Service Provider.

    To check if the Ina package is enabled, open the following URL in your browser: https://<Your_ABAP_System>/sap/bw/ina/GetServerInfo?sap-client=<Your_Client_ID>. Make sure you are redirected to your IdP login page, and after login you get a JSON response. Replace <Your_ABAP_System> with your ABAP system host, and <Your_Client_ID> with your SAP BW client ID.

  • If you have multiple authentication methods configured on your ABAP system, see Alternative Logon Order.


For additional information and screenshots of the steps below, see the SAP BW (Live) Playlist.


  1. Configure Cross-Origin Resource Sharing (CORS) support on your SAP NetWeaver system.

    If your NetWeaver version does not meet the specifications in SAP Note 2547381, follow the instructions here Enable CORS on SAP NetWeaver releases lower than 7.52, and then skip to step 2 below.

    If you are using SAP NetWeaver version 7.52 or above, you must apply SAP Note 2531811 or import ABAP 7.52 SP1 to fix CORS related issues in SAP NetWeaver, and then follow the steps below.

    1. Enable CORS in your system parameters.
      1. Enter transaction code: RZ11.
      2. Enter Parameter: icf/cors_enabled
      3. Select Display.
      4. Set Value to 1.
    2. Add SAP Analytics Cloud to the HTTP whitelist.
      For more information on SAP NetWeaver HTTP Whitelists, see Managing HTTP Whitelists.
      1. Enter transaction code: /NUCONCOCKPIT.
      2. Change Scenario to HTTP Whitelist Scenario.
      3. Change the Mode of Cross-origin Resource Sharing to Active Check.
      4. Double-click Cross-origin Resource Sharing.
      5. Select the Display/Change icon.
      6. Under Whitelist, select the Add icon, and in the Input Window, add the following information:
        • Service Path: Add /sap/bw/ina.
        • Host rule: Add your SAP Analytics Cloud host. For example,
        • Allowed Methods: Select GET, HEAD, POST, and OPTIONS.
        • Add the following to Allowed Headers:
          • x-csrf-token
          • x-sap-cid
          • authorization
          • mysapsso2
          • x-request-with
          • sap-rewriteurl
          • sap-url-session-id
          • content-type
          • accept-language
        • Add the following to Exposed Headers:
          • x-csrf-token
          • sap-rewriteurl
          • sap-url-session-id
          • sap-perf-fesrec
          • sap-system
        • Allow Credentials: Ensure this is selected.
    3. Save this information.
  2. Install custom web content to your SAP NetWeaver server.
    1. Enter transaction code: SE24.
    2. Enter Object Type: ZCL_DUMMYAUTH_SERVICE, select Create, and then select Save.
    3. Go to the Interfaces tab, and add IF_HTTP_EXTENSION, plus a description.
    4. Go to the Methods tab, and add the following information:
      • Level: Instance Method
      • Visibility: Public
      • Description: Add a description
    5. Double click on IF_HTTP_EXTENSION~HANDLE_REQUEST and add the following code:
                html_content TYPE string.
          html_content = '<html><script type="text/javascript">window.close();</script></html>'.
          server->response->set_header_field( name = 'Cache-Control' value = 'no-cache,no-store').
          server->response->set_cdata( data = html_content ).
    6. Select Save, and then Activate.
    7. Enter transaction code: SICF.
    8. Enter Service Path: /sap/bw/ina, and then press Enter.
    9. Under Start of the navigation pathdefault_host Next navigation step sap Next navigation step bwEnd of the navigation path, right click ina, then choose New Sub-Element.
    10. In Service Name, enter auth.
    11. Add a description.
    12. Open the Handler List tab, and enter ZCL_DUMMYAUTH_SERVICE
    13. Save and return to the main menu.
    14. (Optional) Check if the auth package is installed.

      Open the following URL in your browser: https://<Your_ABAP_System>/sap/bw/ina/GetServerInfo?sap-client=<Your_Client_ID>. Make sure you are redirected to your IdP login page, and that you do not get 404 page after login.

      Replace <Your_ABAP_System> with your ABAP system host, and <Your_Client_ID> with your SAP BW client ID.

  3. Verify end-users' web browser configuration and access.
    Your end users' web browsers must be configured to:
    • Allow pop-up windows from the SAP Analytics Cloud domain: [*.]
    • Allow 3rd party cookies from the SAP BW server's domain or the domain of your reverse proxy. For example, in Internet Explorer 11, go to Start of the navigation pathInternet Options Next navigation step Security Next navigation step Trusted SitesEnd of the navigation path, add your domain name, then select Enable Protected Mode.
  4. Add a remote system to SAP Analytics Cloud:
    1. Go to Start of the navigation path (Main Menu) Next navigation step  Connection Next navigation step Connections Next navigation step  (Add Connection)End of the navigation path

      The Select a datasource dialog will appear.

    2. Expand Connect to Live Data and select SAP BW.
    3. In the dialog, enter a name and description for your connection.
      The connection name cannot be changed later.
    4. Set the connection type to Direct.
    5. Add your SAP BW host name, HTTPS port, and Client.
    6. (Optional) Choose a Default Language from the list.
      This language will always be used for this connection and cannot be changed by users without administrator privileges.
      You must know which languages are installed on your SAP BW system before adding a language code. If the language code you enter is invalid, SAP Analytics Cloud will default to the language specified by your system metadata.
    7. Under Authentication Method select SAML Single Sign On.
    8. Select OK.


The connection is saved.
The connection is not tested until you create a model. For more information, see Creating a Model from a Live Data Connection.