Live Data Connection to SAPCP with SSO

If you use the SAP Cloud Platform (SAPCP) with SAML SSO, you can configure SSO to work with SAP Analytics Cloud, and create a live data connection to your SAP HANA system.

Prerequisites

  • To perform these steps, you must use an SAP HANA administrator account that is assigned to the following roles:
    sap.hana.xs.admin.roles::SAMLAdministrator 
    sap.hana.xs.admin.roles::RuntimeConfAdministrator
    sap.hana.ide.roles::CatalogDeveloper
    sap.hana.ide.roles::SecurityAdmin
  • You have set up and activated the SAP HANA Info Access Service (InA), version 4.10.0 or above, on your SAP HANA system.
    Note
    For more information on how to set up your SAP HANA InA service, see Installing the SAP HANA Info Access Toolkit, API and Service.
  • You have created an SAP HANA info access user and assigned the sap.bc.ina.service.v2.userRole::INA_USER role to all users who will use the live connection.
    Note
    For SAP HANA version 1.00.112.04 and above, users require both the INA_USER role, and additional object rights. The SAP HANA administrator must grant users SELECT privileges on all view items in the _SYS_BIC schema that users should have access to. For more information, see SAP Knowledge Base Article 2353833.
Note
For information on supported versions of SAP HANA, see System Requirements and Technical Prerequisites.

Context

You can use the same SAML Identity Provider (IdP) to log on to both SAP HANA and SAP Analytics Cloud. When you setup SAML SSO, you will also create a live data connection to your SAP HANA system.

Procedure

  1. Set up the trust relationship between SAP HANA and SAP Analytics Cloud.
    1. In the XS Admin page of your SAP HANA system, select Start of the navigation path (menu) Next navigation step SAML Service ProviderEnd of the navigation path.

      You can access the XS Admin page at the following URL: https://<SAP HANA SYSTEM>/sap/hana/xs/admin.

      Note
      Replace <SAP HANA SYSTEM> with your SAP HANA system name.
    2. Under Service Provider Information, copy the name of the SAML service provider.
    3. Go to Start of the navigation path (Main Menu) Next navigation step  Connection Next navigation step Connections Next navigation step  (Add Connection)End of the navigation path

      The Select a datasource dialog will appear.

    4. Expand Connect to Live Data and select SAP HANA.
    5. In the dialog, enter a name and description for your connection.
      The connection name cannot be changed later.
    6. Set the connection type to SAP Cloud Platform.
    7. Add your SAP Cloud Platform (SAPCP) account name, database name, and landscape host.
      Note
      The following landscape hosts are not yet available: Europe (Frankfurt), KSA (Riyadh), Russia (Moscow), UAE (Dubai).
    8. (Optional) Choose a Default Language from the list.
      This language will always be used for this connection and cannot be changed by users without administrator privileges.
      Note
      You must know which languages are installed on your SAPCP system before adding a language code. If the language code you enter is invalid, SAP Analytics Cloud will default to the language specified by your system metadata.
    9. Under Credentials, select SAML Single Sign-On.
    10. Select Download Metadata and save the metadata file.
    11. Under SAML Provider Name, enter the IdP provider name you copied in step 1b.
    12. Select OK.
    13. In the XS Admin page of your SAP HANA system, select Start of the navigation path (menu) Next navigation step SAML Identity ProviderEnd of the navigation path.
    14. Select to begin importing metadata.
    15. Open the metadata file you downloaded, and copy the contents into the Metadata input area.
    16. Note the name of the trusted IdP in the metadata information.
    17. Under Destination, input the following into SingleSignOn URL (Redirect Binding) and SingleSignOn URL (PostBinding): /saml2/sso.
      Note
      These values will not be used, but a value must be entered.
    18. Select Save.
    19. Under General Data, note the Name of this SAML IdP.
  2. Enable SAML.
    1. In the XS Admin page of your SAP HANA system, select Start of the navigation path (menu) Next navigation step XS Artifact AdministrationEnd of the navigation path.
    2. In the Packages area, select Start of the navigation pathsap Next navigation step bc Next navigation step ina Next navigation step service Next navigation step v2End of the navigation path.
      The SAP Security and Admin page appears.
    3. Select Edit.
    4. Select the SAML checkbox if the checkbox is not already enabled.
    5. Choose a SAML IdP if an IdP is not already selected.
      The name of the IdP should be the name you noted in step 1r.
    6. Select Save.
  3. You must either perform an automatic or manual user mapping.

    If you are using the same IdP for SAP HANA and SAP Analytics Cloud, you can automatically map all existing users to SAP Analytics Cloud.

    If you use different IdPs for SAP HANA and SAP Analytics Cloud, you must perform a manual user mapping.

    Note
    If you do not map users, they will not have access to the SAP HANA database.
    • Automatically map users:
      1. Log on to the SAP Cloud Platform Cockpit and select Databases & Schemas.
      2. Select the required DB/Schema ID from the list, then Start of the navigation pathSAP HANA Web-based Development Workbench Next navigation step CatalogEnd of the navigation path. A list of available schemas will appear.
      3. Select Start of the navigation pathFile Next navigation step New Next navigation step SchemaEnd of the navigation path.
      4. Enter a name for the new schema.
      5. In the editor, add the following procedure:
        CREATE PROCEDURE  "<MYSCHEMA>"."sap.fpa.services::mapIdentityFromIdpToIdp" (IN FROM_IdP VARCHAR(2048), TO_IdP VARCHAR(2048))
              LANGUAGE SQLSCRIPT
              SQL SECURITY INVOKER AS
           BEGIN
              DECLARE CURSOR vExistingMappings FOR
                 SELECT USER_NAME FROM "SYS"."SAML_USER_MAPPINGS" WHERE SAML_PROVIDER_NAME = TO_IdP;
              DECLARE CURSOR vUserSamlMappings FOR
                 SELECT USER_NAME, SAML_PROVIDER_NAME, EXTERNAL_IDENTITY FROM "SYS"."SAML_USER_MAPPINGS";
              FOR cur_row AS vExistingMappings DO
                 EXECUTE IMMEDIATE 'ALTER USER '||:cur_row.USER_NAME||' DROP IDENTITY FOR SAML PROVIDER '||:TO_IdP||'';
              END FOR;
              FOR cur_row AS vUserSamlMappings DO
                 IF cur_row.SAML_PROVIDER_NAME = FROM_IdP THEN
                    EXECUTE IMMEDIATE 'ALTER USER '||:cur_row.USER_NAME||' ADD IDENTITY '''||:cur_row.EXTERNAL_IDENTITY||''' FOR SAML PROVIDER '||:TO_IdP||'';
                 END IF;
              END FOR;
        END;
        Note
        Replace <MYSCHEMA> with the name of the schema you created. The name is case sensitive.
      6. Execute the procedure.
      7. Select SQL, and enter the following command:
        CALL "<SCHEMA>"."sap.fpa.services::mapIdentityFromIdpToIdp"('<LOGIN IdP>', '<IMPORTED IdP NAME>');
        Replace <SCHEMA> with the selected schema name, <LOGIN IdP> with the name of the SAP HANA IdP you use, <IMPORTED IdP NAME> with the name of the SAP Analytics Cloud IdP you noted in step 1m.
        Note
        To find the name of your SAP HANA IdP, go to the XS Admin page, select Start of the navigation path (menu) Next navigation step  SAML Identity ProviderEnd of the navigation path. Under Destination, note the Base URL.
      8. Execute the SQL command.
        Note
        If new users are added to SAP Analytics Cloud, or SAP HANA, you can run the SQL command again to create a new mapping.
    • Manually map one user at a time:
      1. In SAP Analytics Cloud, go to Start of the navigation path (Main Menu) Next navigation step  Security Next navigation step  UsersEnd of the navigation path.

        Copy a user ID in the column.

      2. Log on to the SAPCloud Platform Cockpit and select Databases & Schemas.
      3. Select the required DB/Schema ID from the list, then Start of the navigation pathSAP HANA Web-based Development Workbench Next navigation step CatalogEnd of the navigation path. A list of available schemas will appear.
      4. Select SQL and run the following query:
        ALTER USER <HANA USER> ADD IDENTITY '<SAML MAPPING>' FOR SAML PROVIDER <IMPORTED IdP NAME>;
        ALTER USER <HANA USER>  ENABLE SAML;
        Note

        Replace <HANA USER> with an SAP HANA user ID, <SAML MAPPING> with the corresponding ID you copied from SAP Analytics Cloud, and <Imported IdP Name> with the name of the SAP Analytics Cloud IdP you noted in step 1m.

        The second command enables SAML authentication for the specified user. If authentication is already enabled, this command has no effect.

  4. (Optional) Ensure HCO_INA_SERVICE delivery unit is imported.
    1. In SAP HANA Studio, switch to the SAP HANA Modeler perspective.
    2. Select Delivery Units and ensure that HCO_INA_SERVICE appears in the list.

Results

The live data connection is saved, and users with mapped SAP HANA accounts will have access to SAP Analytics Cloud.
Note
The connection is not tested until you create a model. For more information, see Creating a Model from a Live Data Connection.