In this blog I will explain my experience setting up a live data connection from SAC to SAP HANA Cloud with Single-Sign-On. The whole process took around 45 minutes.
Since SAP Analytics Cloud version 2020.20, the HANA Analytics Adapter is not required anymore. A live connection can be established directly from SAC to HANA Cloud as described in the official documentation.
You can find more information about the available connections for each data source on the official SAP Analytics Cloud website.
- This connection type works only in Cloud Foundry environments (non-SAP data centers). For Neo environments (SAP data centers), see Live Data Connection to SAP HANA Cloud Using a Direct Connection and SSO.
- Users need to have read access to SAP HANA Cloud database Calculation views that will be used to create and view models and stories in SAP Analytics Cloud. Learn how to grant access to an HDI Container's Schema.
- SAC can only see Calculation views of type CUBE (which include aggregation).
You cannot use Calculation views of type dimension, nor tables, nor SQL views for analysis in SAC. See this help page to learn more about HDI containers and the way users are set up. - You must use OAuth 2.0 for authentication.
- SAML SSO must be enabled in SAP Analytics Cloud. For more information, see Enabling a Custom SAML Identity Provider.
- The following steps must be carried out by a user who has administrator-level privileges inSAP HANA CloudandSAP Analytics Cloud, and logs on toSAP Analytics Cloudvia the SAML Identity Provider. For the steps in theSAP Analytics Cloud system, theBI Adminrole is required. For the steps in theSAP HANA Cloudsystem, theAdministratorrole is required.
Go to Main Menu > Connection > + (Add Connection).
In theSelect a data sourcedialog, expandConnect to Live Data, and selectSAP HANA.
In the dialog, enter a name and description for your connection.The connection name cannot be changed later.
Set the connection type toSAP HANA Cloud.
Add yourSAP HANA Cloudhost name.
UnderAuthentication Method, selectSAML Single Sign On.
Copy the SAML Identity Provider (IdP) from theProvider Namefield in the connection dialog, and also download the certificate from this dialog.
You'll need these two items to perform the trust configuration to set up SAML SSO.
In the SAP BTP co*ckpit, navigate to SAP HANA Cloud and open the SAP HANA co*ckpit.
From the SAP HANA co*ckpit, go to Certificate Store.
You will now upload the certificate that you previously downloaded. Click theImport button.
Select "Import from file" to upload the certificate. Then selectOK.
You will see your certificate added as below.
Now we need to create a SAML identity provider.
Go toSAML Identity Providers, and click the "Add Identity Provider"button.
Provide anIdentity Provider Name. Enter the SAML provider name that you copied from the connection dialog into theEntity ID field, and select the newly added certificate.Then select Add.
You will see your SAML identity provider registered as below.
Now we need to create a certificate collection.
From the SAP HANA co*ckpit, go to the Certificate Collections, and click theAdd Collectionbutton.
Type a collection name, and clickOK.
ClickAdd Certificate. Select the new certificate, and clickOK.
Select theEdit Purpose button. In thePurposefield, chooseSAML. In theProviders field, select the newly created SAML provider. ClickSave.
You will see your certificate collection registered as below.
Map anSAP Analytics Clouduser to anSAP HANA Clouduser.
From the SAP HANA co*ckpit, select User Management.
You can create a new user or you can modify an existing user by providing the proper role.
Click on+ (Create User).
SetDisable ODBC/JDBC AccesstoNo.
On theAuthenticationtab, selectSAML.
ClickAdd SAML Identity, and select your identity provider.
SetAutomatic Mapping by ProvidertoOFF.
Insert your identifier from SAP Analytics Cloud as theExternal Identityfield on theAuthenticationtab inUser Management. Note: by default, this is the user e-mail. You can set other identifiers from SAC by using other identity providers.
Grant your user the necessary rights to access the data that you want to expose from your HANA database.
In this case, I grant the access role to an HDI container where I created 1 calculation view of type CUBE. Learn more about the different methods to grant access rights to HDI containers in A live data connection to SAP HANA Cloud in SAP Analytics Cloud
For another user from the sameSAP Analytics Cloudtenant to be able to access the sameSAP HANA Cloudsystem, you'd need to create another user in SAP HANA and map the appropriate ID, or use the same SAP HANA user and map the appropriate ID.
Go back toSAP Analytics Cloud, and finish creating the connection by selectingOKin the connection dialog.
Create a new model.
Select "Get data from a data source", then choose "Live data connection".
Select SAP HANA as a system type, and the connection that you just set up.
Within the Data source, you will see all calculation views of type CUBE which your user can access. In my case, I only created 1 calculation view called "calcview".
Edit and save your model.
You can now create a new story based on that model. The data will be automatically pulled from SAP HANA Cloud, and authentication and authorizations are based on your unique user.
Thank you,
Maxime SIMON
