- Foreword
SAP Analytics Cloud is a new generation of Software-as-a-Service (SaaS) that redefines analytics in the cloud by providing all analytics capabilities for all users in one product. It is built natively on the SAP HANA Cloud Platform for extreme performance, and it allows customers to simplify access to a new public cloud experience that they can trust.
Figure 1 : SAP Analytics Cloud Platform
SAP Analytics Cloud combines Business Intelligence, Predictive, Planning and Digital Boardroom capabilities to analyze all data from your landscape, on-premise or in the cloud.
SAP Analytics Cloud (SAC) is a public Software-as-a-Service (SaaS) enabling access to on-premise and cloud data sources. Furthermore, SAP Analytics Cloud provides live connection (online) and data acquisition (batch) connectivity, two ways for accessing your data located anywhere in your information system landscape:
- In SAP Analytics Cloud, you can create models from data sources in on-premise or cloud systems, build stories based on those models, and perform online analysis without any data replication. This feature allows SAP Analytics Cloud to be used in scenarios where data cannot be moved into the cloud for security or privacy reasons, or your data already exists on a different cloud system.
- You can also create connections to remote systems to allow data acquisition by SAP Analytics Cloud. Data is imported (copied) to SAP Analytics Cloud HANA in-memory Database, and changes made to the data in the source system don’t affect the imported data.
- Furthermore, SAP Analytics Cloud provides SAML 2 Single Sign-On, which simplifies authentication both to SAP Analytics Cloud itself and to the connected data sources in your landscape.
Most of our customers want all the benefits of such a hybrid architecture. This document is intended to help you by explaining connectivity, gathering the required links and delivering the tips and tricks, best practices and warnings experienced by our customers and partners.
- The importance of managing Connectivity project
To get the SAP Analytics Cloud benefits mentioned above, you first have to connect your on-premise or cloud data sources. SAP Analytics Cloud is a public cloud Software-as-a-Service that you want to connect to your secured back-end. The connection settings therefore require people from different areas of expertise in your organization, so that the deployment is smooth and under control:
Role | Responsibility |
SAP Analytics Cloud System Owner | SAP Analytics Cloud settings: data source configuration, SAC SAML 2 settings, user and role management, connection settings |
Data source expert | Connectivity layer and security of the data source (HANA, BW, Universe, S4/HANA, etc.) |
Network expert | Proxy, firewall, DNS server, etc. |
Security expert | SAML 2, the customer's Identity Provider, TLS/SSL certificates, etc. |
Information system architect | General architecture topics |
Application expert | SAP or non-SAP, depending on your data sources: connectivity, security, modeling |
Project management is therefore mandatory: connectivity setup is not a one-person project. The settings follow a strict process in which the different stakeholders have to be engaged and deliver their expertise in their respective areas of responsibility.
Connecting a SaaS application to on-premise applications first requires a deep understanding of the overall architecture. Before starting any configuration, we strongly suggest organizing an architecture workshop to align all identified stakeholders, so that the settings can be applied quickly and smoothly, on time and on scope.
- Live Connection or/and Data Acquisition?
Before starting, read the System Requirements and Technical Prerequisites document carefully and check that your landscape is compliant with what is supported, both in terms of versions and of connection type.
Most of our customers wonder which connection type to choose for their needs. There are best practices, but also limitations, that should guide the choice.
Several criteria have to be considered:
- Functional needs
- Data Privacy constraints
- Data volume constraints
3.1. Functional perspective
Connection type | Scope | Data sources | Characteristics |
Data Acquisition | Analytic Model, Planning Model, Predictive Capabilities | Any supported source | All data from the selected source is uploaded (replicated) to the SAP Analytics Cloud in-memory HANA database. SAP Analytics Cloud then stores the model and the data. Security can be added to the model within SAP Analytics Cloud. Both Analytic and Planning models generate an account-type model. |
Live Connection | Local (cloud data sources) | SAP Cloud Platform, SAP S4/HANA Cloud | All data stays within SAP Cloud Platform or SAP S4/HANA Cloud. The data is not replicated to SAP Analytics Cloud. Modeling and model security are managed on the source system. The data connection between the systems is secured within SAP Cloud Platform. |
Live Connection | Remote (on-premise data sources) | HANA, BW, S4/HANA, Universe | All data stays within the remote (customer) landscape. The data is not replicated to SAP Analytics Cloud. Modeling and model security are managed on the source system. The data connection between the systems is secured (TLS, see section 4.4). |
3.2. Data Privacy constraints
With a live connection, the data stays in your back-end. If you want to keep full control over data privacy, a live connection is the best choice.
Data acquisition implies replicating data into the SAP Analytics Cloud HANA database. The replicated data is nevertheless encrypted and protected by the security measures of the SAP data center; see http://www.sapdatacenter.com/ for details on those measures and certifications.
3.3. Data volume constraints
With a live connection, the data volume is processed in your back-end system, and there is no theoretical limit. The query is executed in the back-end; it should limit the volume returned to the web browser by applying adequate input controls or aggregation.
With data acquisition, the following volume limits apply:
Data acquisition maximums:
- Columns: 100
- Rows: 800,000
- Dimension members:
  - Planning models: 250,000
  - Analytic models: if there are more than 250,000 unique members, the dimension is made read-only
  - Dimension members with attributes: 150,000
  - Dimension members with geo enrichment: 200,000
  - Dimension members in a hierarchy: 150,000
- Hierarchy depth: 1,000
- SAP Analytics Cloud Live Connection
4.1. Understanding SAC live connection
SAP Analytics Cloud provides the business logic and builds the queries required to display your data in your browser. Your browser in turn sends those queries to the on-premise database, either through the reverse proxy or through a direct live connection. The results of those queries are returned to the browser, where the charts are rendered. If your query was a list of profits per customer, none of that information ever reaches SAP Analytics Cloud.
Throughout the whole process, the browser interacts either with the reverse proxy, which forwards each request to SAP Analytics Cloud or to the remote data source depending on its path, or directly with each of those systems over a direct live connection (CORS).
Figure 2 : Direct Live Connection SAC / Back-end with CORS and SAP IDP / SAML2
Figure 3 : Live Connection SAC / Back-end via Reverse Proxy with SAP IDP / SAML2
- GET/POST requests from the browser to SAC carry metadata only.
- GET/POST requests from the browser to the Identity Provider carry SAML 2 assertions.
- GET/POST requests from the browser to the back-end carry data.
4.2. What is stored in SAP Analytics Cloud with Live Connection?
Metadata, and only metadata. SAP Analytics Cloud stores what is needed to rebuild the queries behind the stories: measure names, column names, filter values, and so on. None of the actual data is stored, not even query results or parts of them such as totals. The metadata is transferred to the browser over the encrypted connection.
4.3. Authentication
End-to-end SSO is accomplished with SAML 2. Both SAP Analytics Cloud and the on-premise data source have to be configured to trust the same identity provider, such as SAP Cloud Identity or your Active Directory through ADFS (Active Directory Federation Services). Because the back-end authenticates the user itself, the data security implemented at the source is respected for every request.
4.4. Encryption
All communications between the browser and SAP Analytics Cloud are always encrypted with TLS. The on-premise hop from your reverse proxy to the back-end data sources should also be encrypted with TLS. All data and metadata persisted in SAP Analytics Cloud are also fully encrypted.
4.5. SAP Analytics Cloud and Information Access Service (InA)
SAP Information Access Service (InA) is a REST-style HTTP protocol used by SAP Analytics Cloud to query your data sources in real time. The component is part of all supported back-ends, as follows:
Back-end | Supported versions |
HANA | SAP HANA 1.0 SPS10/11/12, revision 102.2 or higher, with SAP HANA Info Access Service (InA) version 4.10.0 or higher; SAP HANA 2.0 SP01 or newer on-premise with the SAP HANA EPMMDS plugin installed (SAP Note 2456225 and SAP Note 2444261 provide additional setup information); SAP Cloud Platform (SAPCP): latest version |
BW | SAP BW/4HANA SP4+, SAP BW 7.4 SP17+, SAP BW 7.5 SP8+ |
BOE Universe | SAP BusinessObjects BI 4.2 SP4 with the .war file of the SAP BOE Live Data Connect component deployed on your application server |
S4/HANA | SAP NetWeaver release 7.51 SP2 |
4.6. Understanding Browser’s Same Origin Policy
The same-origin policy is an important concept in the web application security model. Under the policy, a web browser permits scripts contained in a first web page to access data in a second web page only if both pages have the same origin, i.e. the same scheme, host and port. It is a critical security mechanism for isolating potentially malicious documents.
With a live connection, the browser has to reach both SAP Analytics Cloud (for metadata) and the back-end data sources (HANA, BW, S4/HANA or Universe) from the same page. SAP Analytics Cloud therefore supports two ways of letting one page use resources from both:
– Via a reverse proxy: the browser talks to a single origin, and the proxy forwards each request to SAC or to the back-end depending on its path.
Figure 4 : Reverse Proxy access
– Via CORS: cross-origin resource sharing is a mechanism by which a server declares which other origins may read its restricted resources, and the browser enforces that declaration. (A page may embed cross-origin images, stylesheets, scripts, iframes and videos without CORS; CORS governs scripted requests such as the XMLHttpRequest/fetch calls SAC makes to InA.)
Figure 5 : CORS access
Example of a CORS request (POST):
Preflight request headers sent by the browser for /resource2:
Origin: https://mySAC.eu1.sapanalytics.cloud
Access-Control-Request-Method: POST
Access-Control-Request-Headers: X-Custom-Header
Response headers from the /resource2 server if the request is authorized:
Access-Control-Allow-Origin: https://mySAC.eu1.sapanalytics.cloud
Access-Control-Allow-Methods: GET, POST
Access-Control-Allow-Headers: X-Custom-Header
In this example the back-end checks the Origin header and allows only https://mySAC.eu1.sapanalytics.cloud; if the origin echoed in the response does not match, the browser blocks the real request. HTTPS with a valid certificate is mandatory between the browser and the back-end to protect the data in transit; an http:// origin or back-end would be mixed content and is refused by the browser (see section 4.7.3).
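The decision the back-end has to make for every preflight, as an added Python example that is not code from SAP or from this guide: it implements the origin check described above for a service such as InA sitting behind HANA XS or a Web Dispatcher. The tenant origin (the one from the example, lowercase), the allowed header names (X-CSRF-Token, X-Custom-Header) and the one-hour cache age are assumptions; in practice the allowlist holds your own tenant URL and nothing else.

```python
from urllib.parse import urlsplit

# Origins allowed to call the InA service: exact scheme+host(+port) matches, lowercase, no
# wildcards. The tenant origin is the example from the text, assumed for illustration.
ALLOWED_ORIGINS = {"https://mysac.eu1.sapanalytics.cloud"}
ALLOWED_METHODS = {"GET", "POST", "OPTIONS"}
# Header names are case-insensitive; X-CSRF-Token and X-Custom-Header are assumed here.
ALLOWED_HEADERS = {"content-type", "x-csrf-token", "x-custom-header"}


def origin_allowed(origin):
    """Accept only an exact, https, allowlisted origin. An http:// origin is mixed content
    (the SAC page itself is served over https) and must never be echoed back."""
    if not origin:
        return False
    parts = urlsplit(origin)
    if parts.scheme != "https" or not parts.netloc or parts.path not in ("", "/"):
        return False
    return origin.lower().rstrip("/") in ALLOWED_ORIGINS


def preflight_response(request_headers):
    """Decide the reply to a CORS preflight (OPTIONS). `request_headers` is a dict of the
    browser's headers. Returns the response headers to send, or None to refuse: without
    matching Access-Control-Allow-* headers the browser never sends the real request."""
    origin = request_headers.get("Origin")
    if not origin_allowed(origin):
        return None
    method = request_headers.get("Access-Control-Request-Method", "").upper()
    if method not in ALLOWED_METHODS:
        return None
    requested = request_headers.get("Access-Control-Request-Headers", "")
    wanted = {h.strip().lower() for h in requested.split(",") if h.strip()}
    if not wanted <= ALLOWED_HEADERS:
        return None
    return {
        # Echo the single matching origin, never "*": the InA calls carry the back-end's
        # session cookie, and browsers reject credentialed responses that allow "*".
        "Access-Control-Allow-Origin": origin,
        "Access-Control-Allow-Credentials": "true",
        "Access-Control-Allow-Methods": ", ".join(sorted(ALLOWED_METHODS)),
        "Access-Control-Allow-Headers": ", ".join(sorted(wanted)),
        "Access-Control-Max-Age": "3600",   # cache the preflight decision for an hour
        "Vary": "Origin",                   # keep shared caches from mixing origins up
    }


def actual_response_headers(request_headers):
    """Headers to add to the real GET/POST reply; the browser checks them there as well.
    For a foreign origin return none: the browser then hides the response from the page."""
    origin = request_headers.get("Origin")
    if not origin_allowed(origin):
        return {}
    return {"Access-Control-Allow-Origin": origin,
            "Access-Control-Allow-Credentials": "true",
            "Vary": "Origin"}


if __name__ == "__main__":
    # Constructed preflight, the one from the text above.
    preflight = {"Origin": "https://mySAC.eu1.sapanalytics.cloud",
                 "Access-Control-Request-Method": "POST",
                 "Access-Control-Request-Headers": "X-Custom-Header"}
    print(preflight_response(preflight))
    print(preflight_response({**preflight, "Origin": "http://mySAC.eu1.sapanalytics.cloud"}))
```

The credentials flag is what the example headers above leave out: InA requests are sent with the back-end's session cookie (hence the third-party cookie setting in section 4.7.3), and a browser discards a credentialed response whose Access-Control-Allow-Origin is "*". Echoing the one allowlisted origin together with Vary: Origin is the configuration that works and stays safe.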
4.7. Direct Live Connection with CORS
Figure 6 : Standard settings when users are located in customer domain
Figure 7 : Standard settings when users are located outside customer domain
4.7.1. Network & security settings
- In this configuration, when the browser is in the public domain, the on-premise data source's server address has to be whitelisted and inbound access to it has to be authorized (Figure 7 : Standard settings when users are located outside customer domain). Expose only what the InA service needs, over HTTPS.
- Outbound access from the customer domain to SAP Analytics Cloud and SAP Cloud Identity has to be opened.
4.7.2. Benefits
- SAP recommends this configuration.
- Direct connectivity, no additional device required: the browser connects directly to SAC, the IdP and the back-end data sources, relaxing the same-origin policy in a controlled way with CORS (see section 4.6, Understanding Browser's Same Origin Policy).
- Because there is no additional device in the path, a direct connection gives better performance.
- Easy to set up.
- Available for HANA, BW, BOE Universe and S4/HANA.
4.7.3. Prerequisites & limitations
- Mandatory browser settings:
  - Allow pop-up windows from the SAP Analytics Cloud domain: [*.]sapanalytics.cloud.
  - Allow third-party cookies from the SAP HANA server's domain (the back-end sets its session cookie from a different site than the SAC page).
- CORS does not work in a mixed HTTPS/HTTP scenario. The TLS/SSL server certificate of the HANA XS system must be valid, trusted by your users' web browsers, and match the HANA system's fully-qualified domain name.
- HANA: CORS has to be enabled in the HANA database. Some third-party hosting providers do not yet include this setting in their hosting services.
4.7.4. Setting Steps
Step | Description | Owner |
Enabling InA | HANA, BW, S4/HANA and Universe fully support InA | Data Source Expert |
Enabling CORS | HANA, BW, S4/HANA and Universe fully support CORS | Data Source Expert |
Enabling SSL | Configure a valid TLS/SSL certificate; refer to SAP Note 2502174. | Security Expert |
Enabling pop-ups in the browser | See the Google Chrome documentation | Security Expert |
Allowing third-party cookies in the browser | See the Google Chrome documentation | Security Expert |
4.8. Live Connection with Reverse Proxy
Figure 8 : Standard settings when users are located in customer domain
Figure 9 : Standard settings when users are located outside customer domain
4.8.1. Network & security settings
- When the browser is in the public domain, the Apache reverse proxy server address has to be whitelisted and inbound access to it has to be authorized (Figure 9 : Standard settings when users are located outside customer domain).
- Outbound access from the customer domain to SAP Analytics Cloud and SAP Cloud Identity has to be opened.
4.8.2. Benefits
- The back-end system is fully hidden from external public access; only the reverse proxy is exposed.
- No specific browser settings such as pop-ups or third-party cookies are needed, because the browser sees a single origin.
4.8.3. Prerequisites & limitations
- This configuration requires knowledge of reverse proxy settings (SAP Web Dispatcher or Apache reverse proxy).
- Users have to access SAP Analytics Cloud through the reverse proxy, which is not flexible when users are located outside the customer domain: you have to enable inbound access and whitelist the reverse proxy server address.
4.8.4. Data source prerequisites and limitations
4.8.5. Setting Steps
Step | Description | Owner |
Enabling InA | HANA: BW: S4/HANA: Universe: | Data Source Expert |
Install reverse proxy | | IT Expert |
Configure reverse proxy | Web Dispatcher or Apache reverse proxy | IT or Network Expert |
4.9. Best practices
4.9.1. Multi-tenant HANA Databases
To let web-based applications send HTTP(S) requests to multitenant database containers through the SAP HANA XS server, the internal SAP Web Dispatcher must know which requests to dispatch to which tenant database, which it decides on the basis of DNS alias virtual host names. You do this by specifying the public URL of every tenant database in the xsengine.ini configuration file. Verify that the virtual host names used by the internal SAP Web Dispatcher are declared in the customer's Domain Name Service. The same host names are needed when you generate the TLS/SSL certificate in PSE management (mandatory for a live connection with CORS, where the certificate must match the host name the browser connects to).
4.9.2. Reverse Proxy
You can use any port or host name when you configure the reverse proxy. Declare the reverse proxy host name in the customer's Domain Name Service; it makes the settings easier. Avoid settings based on IP addresses and favor host names declared in DNS.
Before starting the configuration, check that the addresses used in the reverse proxy configuration files are reachable from the reverse proxy host itself. Depending on the customer landscape, external systems may only be reachable through an internal forward proxy, in which case you need to add that proxy to the configuration:
- Web Dispatcher: the PROXY=<server>:<port> subparameter
- Apache reverse proxy: the ProxyRemote directive
If you use HTTPS with a CA-issued certificate (rather than a self-signed one), check that the certificates used are valid: trusted chain, not expired, and matching the host name.
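The two certificate checks mentioned here and in section 4.7.3 (is the certificate trusted, and does it match the host name the browser uses), as an added Python example that is not part of the guide: `check_tls_endpoint` performs a real handshake against the system trust store and reports the reason a browser would refuse, and `san_matches` spells out the host-name rule, so you can see why a wildcard or an internal name on the certificate does not cover the public FQDN. The host names and port are placeholders, and the handshake obviously needs network access to the endpoint.

```python
import socket
import ssl
import sys


def san_matches(hostname, san_dns_names):
    """Does one of the certificate's DNS subjectAltNames cover hostname?

    This is the rule browsers apply: an exact (case-insensitive) match, or a wildcard whose
    '*' is the whole left-most label and stands for exactly one label. So '*.corp.example'
    covers 'hana.corp.example' but neither 'hana.db.corp.example' nor 'corp.example'."""
    host = hostname.lower().rstrip(".")
    for san in san_dns_names:
        san = san.lower().rstrip(".")
        if san == host:
            return True
        if san.startswith("*."):
            suffix = san[1:]                                   # ".corp.example"
            left = host[: -len(suffix)] if host.endswith(suffix) else ""
            if left and "." not in left:
                return True
    return False


def check_tls_endpoint(hostname, port=443, timeout=5.0):
    """Open a TLS connection the way a browser would and say why it would be refused.
    Returns (ok, detail). The default context verifies the chain against the system trust
    store, the host name against the SANs and the validity period, so a self-signed or
    private-CA certificate fails here exactly as it does in the CORS scenario."""
    context = ssl.create_default_context()
    try:
        with socket.create_connection((hostname, port), timeout=timeout) as raw:
            with context.wrap_socket(raw, server_hostname=hostname) as tls:
                cert = tls.getpeercert()
                sans = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
                return True, f"{tls.version()}, SANs={sans}, expires {cert.get('notAfter')}"
    except ssl.SSLCertVerificationError as exc:
        return False, f"certificate rejected: {exc.verify_message}"
    except (ssl.SSLError, OSError) as exc:
        return False, f"connection failed: {exc}"


if __name__ == "__main__":
    # Usage: python check_tls.py hana.corp.example 4300   (host name and port are placeholders)
    host = sys.argv[1] if len(sys.argv) > 1 else "hana.corp.example"
    port = int(sys.argv[2]) if len(sys.argv) > 2 else 443
    ok, detail = check_tls_endpoint(host, port)
    print("OK  " if ok else "FAIL", host, port, detail)
```

Run it from the reverse proxy host against the back-end, and from a user's workstation against the proxy or the HANA XS endpoint: the two answers can differ, because the internal certificate authority that the proxy trusts is usually not in the users' browser trust stores.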
4.9.3. Desktop Browser to troubleshoot your connection
SAP Analytics Cloud supports the latest version of Google Chrome. Google releases continuous updates to the Chrome browser, and we make every effort to fully test and support the latest versions as they are released.
The Google Chrome browser can also be used to troubleshoot your live connection. Chrome Developer Tools are a set of web authoring and debugging tools built into Google Chrome; they give deep access to the internals of the browser and of the web application. Get familiar with the DevTools and use them to track down issues efficiently.
In particular, the Network panel shows a timeline of when each resource was retrieved. At a glance it tells you the total number of requests, the amount of data transferred, request and response contents and headers, load times, errors, warnings, and so on. For a live connection, this is where you see whether a request to the back-end failed on the CORS preflight (OPTIONS), on the certificate, or on authentication (a redirect to the Identity Provider).
Figure 10 : Example of Developer view, Network Panel showing requests and timeline.
4.10. Best Reading
- Live Data Connection: https://help.sap.com/http.svc/rc/00f68c2e08b941f081002fd3691d86a7/release/en-US/5b4dad4d97664c41ae63bf1153e5e91e.html
- SAP BusinessObjects Cloud: Live Data Connection to SAP HCP With SSO (Simple URLs), by Dong Pan: https://blogs.sap.com/2016/11/27/sap-businessobjects-cloud-live-data-connection-to-sap-hcp-with-sso-simple-urls/ (video: https://www.youtube.com/watch?v=GmNEqt7AbfE)
- SAP BusinessObjects Cloud: Using a Calculation View from HCP Trial, by Julian Jimenez: https://blogs.sap.com/2016/11/23/sap-businessobjects-cloud-using-a-calculation-view-from-hcp-trial/
- SAP BusinessObjects Cloud: BW Live Connectivity with SAP Web Dispatcher as Reverse Proxy, by Shailendar Anugu: https://blogs.sap.com/2017/03/20/sap-businessobjects-cloud-bw-live-connectivity-with-sap-web-dispatcher-as-reverse-proxy/
- Live Data Connection to SAP BW with Apache Reverse Proxy: https://help.sap.com/http.svc/rc/00f68c2e08b941f081002fd3691d86a7/release/en-US/5b4dad4d97664c41ae63bf1153e5e91e.html
- How to Setup Connection to a Remote HANA System for SAP Cloud for Analytics via SAP Web Dispatcher: https://assets.cdn.sap.com/sapcom/docs/2016/03/0844080b-657c-0010-82c7-eda71af511fa.pdf
- Introducing Direct Live HANA Connections in SAP Analytics Cloud, by Dong Pan: https://blogs.sap.com/2017/03/29/introducing-direct-live-hana-connections-in-sap-businessobjects-cloud/
- Enabling Direct Connectivity for Live Data Connections with Basic Authentication
- Enabling Direct Connectivity for Live Data Connections with SSO
- Direct Live HANA Connections in the Internet Scenario CORS (Web Dispatcher), by Dong Pan: https://blogs.sap.com/2017/04/10/direct-live-hana-connections-in-the-internet-scenario/
- Direct Live HANA Connections in the Internet Scenario CORS (Apache Reverse Proxy), by Dong Pan: https://blogs.sap.com/2017/04/13/direct-live-hana-connections-in-the-internet-scenario-for-the-apache-fans/
- Same Origin Policy: https://en.wikipedia.org/wiki/Same-origin_policy
- SAP Analytics Cloud Data Acquisition
5.1. Understanding SAP Analytics Cloud Data Acquisition
You can create connections to remote systems to allow data acquisition by SAP Analytics Cloud. Data is imported (copied) to SAP Analytics Cloud, and changes made to the data in the source system do not affect the imported data.
Setup is required when creating an import data connection to the following system types: SAP Business Warehouse (BW), SAP Business Planning and Consolidation (BPC), SAP BusinessObjects Business Intelligence platform universe (UNX), SAP Enterprise Resource Planning (ERP), SQL Database, SuccessFactors, WorkforceAnalytics, OData, Concur, Salesforce.com (SFDC), Fieldglass, Google Drive, Google BigQuery, File Server.
5.2. Prerequisites & Limitations
Data acquisition maximums:
- Columns: 100
- Rows: 800,000
- Dimension members:
  - Planning models: 250,000
  - Analytic models: if there are more than 250,000 unique members, the dimension is made read-only
  - Dimension members with attributes: 150,000
  - Dimension members with geo enrichment: 200,000
  - Dimension members in a hierarchy: 150,000
- Hierarchy depth: 1,000
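A pre-flight check of a dataset against these maximums, as an added Python example that is not part of the guide and not SAP code (it serves both this list and the identical one in section 3.3). It counts columns, rows and unique dimension members, and walks a parent-child hierarchy to measure its depth and to spot cycles before an upload fails half-way. The sample rows, column names and hierarchy are constructed for the example.

```python
# Maximums as listed in the text above.
MAX_COLUMNS = 100
MAX_ROWS = 800_000
MAX_MEMBERS = 250_000          # plain dimension (planning: hard limit; analytic: read-only)
MAX_MEMBERS_WITH_ATTRIBUTES = 150_000
MAX_MEMBERS_WITH_GEO = 200_000
MAX_HIERARCHY_MEMBERS = 150_000
MAX_HIERARCHY_DEPTH = 1_000


def hierarchy_depth(parent_of):
    """Deepest level of a parent-child hierarchy given as {child: parent}; a root is level 1.
    Iterative (a 1,000-level chain would exhaust Python's recursion limit) and raises
    ValueError on a cycle, which an import would otherwise have to reject."""
    level = {}
    for start in parent_of:
        chain, seen, node = [], set(), start
        while node is not None and node not in level:
            if node in seen:
                raise ValueError(f"cycle in hierarchy at {node!r}")
            seen.add(node)
            chain.append(node)
            node = parent_of.get(node)
        base = 0 if node is None else level[node]
        for member in reversed(chain):           # closest to the root first
            base += 1
            level[member] = base
    return max(level.values(), default=0)


def check_import(rows, dimensions, attribute_dims=(), geo_dims=(), parent_of=None, planning=False):
    """Pre-flight a dataset against the data acquisition maximums before uploading it.
    rows: list of dicts (one per record). dimensions: column names that become dimensions;
    attribute_dims / geo_dims: those that carry attributes or geo enrichment; parent_of:
    {child: parent} hierarchy, if any. Returns a list of violations (empty means it fits)."""
    problems = []
    columns = set().union(*(row.keys() for row in rows)) if rows else set()
    if len(columns) > MAX_COLUMNS:
        problems.append(f"{len(columns)} columns exceed the maximum of {MAX_COLUMNS}")
    if len(rows) > MAX_ROWS:
        problems.append(f"{len(rows):,} rows exceed the maximum of {MAX_ROWS:,}")
    for dim in dimensions:
        members = {row.get(dim) for row in rows}
        if dim in geo_dims:
            limit, kind = MAX_MEMBERS_WITH_GEO, "geo-enriched"
        elif dim in attribute_dims:
            limit, kind = MAX_MEMBERS_WITH_ATTRIBUTES, "attributed"
        else:
            limit, kind = MAX_MEMBERS, "planning" if planning else "analytic (becomes read-only)"
        if len(members) > limit:
            problems.append(f"dimension {dim!r}: {len(members):,} members exceed {limit:,} "
                            f"for a {kind} dimension")
    if parent_of:
        members = set(parent_of) | {p for p in parent_of.values() if p is not None}
        if len(members) > MAX_HIERARCHY_MEMBERS:
            problems.append(f"hierarchy has {len(members):,} members, maximum is "
                            f"{MAX_HIERARCHY_MEMBERS:,}")
        depth = hierarchy_depth(parent_of)
        if depth > MAX_HIERARCHY_DEPTH:
            problems.append(f"hierarchy depth {depth} exceeds the maximum of {MAX_HIERARCHY_DEPTH}")
    return problems


if __name__ == "__main__":
    # Constructed sample: three sales records with a two-level geography hierarchy.
    rows = [{"Country": "DE", "City": "Berlin", "Sales": 10.0},
            {"Country": "FR", "City": "Paris", "Sales": 20.0},
            {"Country": "DE", "City": "Munich", "Sales": 5.0}]
    geo = {"Berlin": "DE", "Munich": "DE", "Paris": "FR"}
    print(check_import(rows, ["Country", "City"], parent_of=geo))          # []
    print(check_import([{f"c{i}": i for i in range(101)}], []))           # too many columns
```

The member counts are computed on the raw rows, so run the check on the extract exactly as the import connection will see it (after the source-side filters, before any SAC-side modelling).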
5.2.1. Data source prerequisites and limitations
Data source | Prerequisites and limitations |
BW | https://help.sap.com/doc/00f68c2e08b941f081002fd3691d86a7/release/en-US/780967ff44294c01b7f66ef837695f2b.html |
5.3.1 SAP Cloud Connector
The Cloud Connector is the link between SAP Analytics Cloud and your existing on-premise systems. It combines an easy setup with a clear configuration of which systems are exposed to SAP Analytics Cloud, and you can further restrict the resources (paths) of those systems that the cloud application may reach. You can thus benefit from your existing assets without exposing the whole internal landscape.
The Cloud Connector runs as an on-premise agent in a secured network and acts as a reverse invoke proxy between the customer's on-premise network and SAP Analytics Cloud: it opens an outbound TLS tunnel to the cloud, and requests from the cloud travel back through that tunnel. Because of this reverse invoke design, you do not need to configure the on-premise firewall to allow inbound access from the cloud to internal systems.
Figure 11 : SAP Cloud Connector and SAP Analytics Agent Architecture
Compared to opening ports in the firewall and using reverse proxies in the customer domain to reach on-premise systems, the Cloud Connector has the following advantages:
- The firewall of the on-premise network does not have to open an inbound port to establish connectivity from SAP Analytics Cloud to an on-premise system. Where outbound connections are already allowed, no modification is required.
- The Cloud Connector can propagate the identity of cloud users to on-premise systems in a secure way.
- The Cloud Connector is easy to install and configure, so it comes with a low TCO and fits cloud scenarios well. SAP provides standard support for it.
5.3.1.1 Configuration
Only one SAP Cloud Connector can be connected to a given SAP Analytics Cloud tenant.
One SAP Cloud Connector can serve multiple SAP Analytics Cloud tenants.
Figure 12 : SAP Cloud Connector with multiple SAP Analytics Cloud tenants
Figure 13 : Configuration not supported
In the case of multi-domain access (usually when the customer works with a third-party hosting provider), we suggest connecting the SAP Analytics Agent to the data source through a VPN connection between the two domains, as below:
Figure 14 : Configuration supported
5.3.1.2 Network prerequisites
The SAP Cloud Connector configuration tool lets you specify a (forward) proxy for its outbound connections.
Nevertheless, the Cloud Connector needs an Internet connection at least to the following hosts (depending on the region), to which you connect it:
5.3.1.3 Tenant ID, S-User & Password
Before configuring the Cloud Connector for the first time, the SAP Analytics Cloud system owner must open an SAP Product Support Incident at https://launchpad.support.sap.com/#incident/solution using the component LOD-ANA-BI. In the support ticket, indicate that you want to set up data acquisition with the Cloud Connector, and include your SAP Analytics Cloud tenant URL along with your S-User account ID. It takes a very short time (less than a day) to get your connection information.
5.3.1.4 Setting Steps
Step | Description | Owner |
JVM release | Check the JVM release for your operating system. For supported SAP JVM versions, see Prerequisites. You can download the SAP JVM here. | IT Expert |
Apply network prerequisites | See section 5.3.1.2 | Network Expert |
Request S-User, password and tenant ID | See section 5.3.1.3 | Business Intelligence Expert |
Install SAP Cloud Connector | https://help.sap.com/doc/00f68c2e08b941f081002fd3691d86a7/release/en-US/ae39ab60b1154c179e2baabd26aa249c.html | IT Expert |
Configure SAP Cloud Connector | As soon as the SAP Analytics Agent is installed and configured (see next section), you can configure the SCC. See https://help.sap.com/doc/00f68c2e08b941f081002fd3691d86a7/release/en-US/8d8511532794429caa243b6fb7c79989.html. Warning: leave the Location ID field blank; SAP Analytics Cloud supports only one SAP Cloud Connector per tenant. | Business Intelligence Expert |
5.3.2 SAP Analytics Agent
The SAP Analytics Cloud on-premise access agent (SAP Analytics Cloud agent) is an on-premise data connectivity component used for:
- Import data connections from SAP Business Planning and Consolidation, version for Microsoft Platform (BPC MS)
- Import data connections from SAP Business Warehouse (BW)
- Import data connections from the SAP BusinessObjects Business Intelligence platform
- Import data connections from SAP ERP and S4/HANA
It is recommended to install the SAP Analytics Agent on the same server as the SAP Cloud Connector.
5.3.2.1 Setting Steps
Step | Description | Owner |
Apache Tomcat 7 or higher | For more information, see Apache Tomcat Setup. | IT Expert |
Install SAP Analytics Agent | https://help.sap.com/doc/00f68c2e08b941f081002fd3691d86a7/release/en-US/7c35129451f5432194773adac7f89598.html | IT Expert |
Configure and check SAP Analytics Agent | | Business Intelligence Expert |
Install the JCo library if you want to connect SAP ERP, SAP BW or SQL | Installing the SAP Java Connector (JCo). | IT Expert |
5.4 Best Reading
- Import Data Connection: https://help.sap.com/doc/00f68c2e08b941f081002fd3691d86a7/2017.22/en-US/5339a2395ccd4befb047c625a15f8481.html
- Install SAP Cloud Connector: https://help.sap.com/doc/00f68c2e08b941f081002fd3691d86a7/2017.22/en-US/ae39ab60b1154c179e2baabd26aa249c.html
- Install SAP Analytics Cloud Agent: https://help.sap.com/doc/00f68c2e08b941f081002fd3691d86a7/2017.22/en-US/7cb6ffb38c294a5c871d6cc6ad5b1b36.html
- Troubleshooting SAP Cloud Connector Installation, by Amol Gupta: https://blogs.sap.com/2015/12/24/troubleshooting-hana-cloud-connector-installation-developer-edition/
- Troubleshooting SAP Analytics Cloud Agent, by Julian Jimenez: https://blogs.sap.com/2016/08/26/troubleshooting-guide-sap-businessobjects-cloud-agent/
- Single-Sign-on (SSO)
The following are some of the advantages you can have with SSO:
- Users need only a single username/password pair to access multiple services. Thus, they do not have the issue of remembering multiple username/password pairs.
- Users are authenticated only once at the identity provider and then they are automatically logged into all services within that “trust-domain”.
- This process is more convenient to users since they do not have to provide their username/password at every service provider.
- Service providers do not have the overhead of managing user identities, which is more convenient for them.
- User identities are managed at a central point. This is more secure, less complex and easily manageable.
SAP Analytics Cloud fully supports the SAML 2.0 web browser-based SSO. SAP Cloud Identity is delivered by default and can act as the identity provider of a single sign on system with minimal configurations.
6.1. What is SAML 2?
SAML 2 (Security Assertion Markup Language) is an OASIS standard for exchanging authentication and authorization data between security domains. SAML 2.0 is an XML-based protocol that uses security tokens containing assertions to pass information about a principal (usually an end user) between an identity provider and a web service provider (here SAP Analytics Cloud). It enables web-based authentication and authorization scenarios, including single sign-on (SSO). The specification is available in PDF form at http://docs.oasis-open.org/security/saml/v2.0/
6.2. SAP Analytics Cloud Single-Sign-on
SAML 2 federation involves two parties:
- An Identity Provider (IdP) authenticates users and, on success, provides an authentication assertion to the Service Providers. SAP Analytics Cloud provides SAP Cloud Identity as the default Identity Provider; customers can configure their own SAML 2 Identity Provider instead.
- A Service Provider (SP) relies on the Identity Provider to authenticate users. SAP Analytics Cloud, but also the back-end data sources (HANA, BW, S4/HANA or Universe), can rely on the same Identity Provider.
Figure 15 : SAML 2 process flow between SAP Analytics Cloud and Identity Provider
Description of the process flow:
- The user tries to log in to SAP Analytics Cloud from a Chrome browser.
- SAP Analytics Cloud responds by generating a SAML authentication request.
- The browser redirects the user to the Identity Provider with that request.
- The Identity Provider parses the SAML request and checks whether the user is already authenticated.
- If not, it asks the user to authenticate; if the user already has a session on the Identity Provider, this step is skipped and the IdP directly generates a SAML response.
- The Identity Provider returns the encoded SAML response to the browser.
- The browser sends the SAML response to SAP Analytics Cloud for verification.
- If the verification succeeds, the user is logged in to SAP Analytics Cloud and granted access to the resources their roles allow.
6.2.1. Some remarks
SAML 2 uses a claim attribute to map identities between the Identity Provider and the Service Provider(s). It can be the user ID, the email address or any custom field. The mapping attribute is compared case-sensitively, and SAP Analytics Cloud only supports uppercase user IDs, so make sure the attribute sent by the Identity Provider has exactly the case stored in SAP Analytics Cloud.
The SAML 2 process flow is strictly time-dependent: the assertion must be consumed within the validity window specified by the optional NotBefore and NotOnOrAfter attributes, which is often only a few minutes. If the clocks of the Identity Provider server, the data source servers and SAP Analytics Cloud drift apart, valid assertions are rejected as not yet valid or as expired. Check those clocks and keep them synchronized with NTP.
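The exchange described in the process flow above and the two remarks in this section, end to end, as an added Python example that is neither SAC's implementation nor material from this guide: the SP builds the AuthnRequest for the HTTP-Redirect binding, the IdP answers with an assertion carrying NotBefore/NotOnOrAfter and an AudienceRestriction, and the SP validates InResponseTo, the audience, the time window with a small clock-skew tolerance, and the case-sensitive mapping attribute against the tenant's user list. Entity IDs, URLs, the 60-second tolerance and the five-minute assertion lifetime are assumptions; XML signature verification, which a real SP performs before anything else, is deliberately left out so that the block runs with the standard library only.

```python
import base64
import uuid
import zlib
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone
from urllib.parse import parse_qs, urlencode, urlparse

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# All endpoints and identifiers below are assumptions for the example, not SAC's real values.
SP_ENTITY_ID = "https://mysac.eu1.sapanalytics.cloud/sp"
SP_ACS_URL = "https://mysac.eu1.sapanalytics.cloud/saml2/acs"
IDP_ENTITY_ID = "https://idp.example.com"
IDP_SSO_URL = "https://idp.example.com/saml2/sso"
CLOCK_SKEW = timedelta(seconds=60)        # drift the SP tolerates (assumption)
ASSERTION_LIFETIME = timedelta(minutes=5)  # IdP validity window (assumption)


def _ts(dt):
    return dt.astimezone(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")


def _parse_ts(text):
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def build_authn_request(request_id, now):
    """Steps 2-3: SAC (the SP) builds an AuthnRequest and encodes it for the HTTP-Redirect
    binding: raw DEFLATE, then base64, then URL-encoded as the SAMLRequest parameter."""
    xml = (f'<samlp:AuthnRequest xmlns:samlp="{NS["samlp"]}" xmlns:saml="{NS["saml"]}" '
           f'ID="{request_id}" Version="2.0" IssueInstant="{_ts(now)}" '
           f'Destination="{IDP_SSO_URL}" AssertionConsumerServiceURL="{SP_ACS_URL}">'
           f'<saml:Issuer>{SP_ENTITY_ID}</saml:Issuer></samlp:AuthnRequest>')
    deflater = zlib.compressobj(9, zlib.DEFLATED, -15)          # -15: no zlib header
    deflated = deflater.compress(xml.encode()) + deflater.flush()
    return IDP_SSO_URL + "?" + urlencode({"SAMLRequest": base64.b64encode(deflated).decode()})


def issue_response(redirect_url, name_id, now):
    """Steps 4-6: the IdP inflates the request and, once the user is authenticated, answers
    with a Response for the HTTP-POST binding (base64 only). Signing is omitted here; a real
    IdP signs the Response/Assertion and the SP verifies that signature first."""
    query = parse_qs(urlparse(redirect_url).query)
    request = ET.fromstring(zlib.decompress(base64.b64decode(query["SAMLRequest"][0]), -15))
    xml = (f'<samlp:Response xmlns:samlp="{NS["samlp"]}" xmlns:saml="{NS["saml"]}" '
           f'ID="_{uuid.uuid4().hex}" Version="2.0" IssueInstant="{_ts(now)}" '
           f'InResponseTo="{request.get("ID")}" Destination="{SP_ACS_URL}">'
           f'<saml:Assertion ID="_{uuid.uuid4().hex}" Version="2.0" IssueInstant="{_ts(now)}">'
           f'<saml:Issuer>{IDP_ENTITY_ID}</saml:Issuer>'
           f'<saml:Subject><saml:NameID>{name_id}</saml:NameID></saml:Subject>'
           f'<saml:Conditions NotBefore="{_ts(now)}" NotOnOrAfter="{_ts(now + ASSERTION_LIFETIME)}">'
           f'<saml:AudienceRestriction><saml:Audience>{SP_ENTITY_ID}</saml:Audience>'
           f'</saml:AudienceRestriction></saml:Conditions></saml:Assertion></samlp:Response>')
    return base64.b64encode(xml.encode()).decode()


def validate_response(saml_response, expected_request_id, now, sac_users):
    """Steps 7-8: SAC verifies the posted Response before logging the user in.
    Returns (True, user) or (False, reason). `sac_users` holds the tenant's users keyed by
    the mapping attribute; the comparison is exact and case-sensitive, as in SAC."""
    root = ET.fromstring(base64.b64decode(saml_response))
    if root.get("InResponseTo") != expected_request_id:
        return False, "InResponseTo does not match an outstanding AuthnRequest"
    assertion = root.find("saml:Assertion", NS)
    conditions = assertion.find("saml:Conditions", NS)
    audience = conditions.find("saml:AudienceRestriction/saml:Audience", NS).text
    if audience != SP_ENTITY_ID:
        return False, f"assertion addressed to {audience}, not to this service provider"
    not_before = _parse_ts(conditions.get("NotBefore"))
    not_on_or_after = _parse_ts(conditions.get("NotOnOrAfter"))
    if now + CLOCK_SKEW < not_before:
        return False, f"assertion not yet valid (NotBefore {conditions.get('NotBefore')}): IdP clock ahead?"
    if now - CLOCK_SKEW >= not_on_or_after:
        return False, f"assertion expired (NotOnOrAfter {conditions.get('NotOnOrAfter')}): clocks drifting?"
    name_id = assertion.find("saml:Subject/saml:NameID", NS).text
    if name_id not in sac_users:
        return False, f"no SAC user matches mapping attribute {name_id!r} (comparison is case-sensitive)"
    return True, name_id


if __name__ == "__main__":
    now = datetime.now(timezone.utc)
    request_id = "_" + uuid.uuid4().hex
    response = issue_response(build_authn_request(request_id, now), "JDOE", now)
    print(validate_response(response, request_id, now, {"JDOE"}))
    print(validate_response(response, request_id, now, {"jdoe"}))   # same person, wrong case
    print(validate_response(response, request_id, now + timedelta(minutes=10), {"JDOE"}))
```

Running it shows the failure modes the remarks warn about: the same assertion is accepted at its issue time, rejected as expired ten minutes later, rejected as not yet valid when the SP's clock is five minutes behind the IdP's, and rejected for user 'jdoe' when SAC only knows 'JDOE'.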
6.2.2. Settings principles
As seen above, there are basically two roles, Service Providers and Identity Providers (IdP). The essential characteristic of a single sign-on system is the pre-defined trust relationship between the service providers and the identity provider: service providers trust the assertions issued by the identity provider, and the identity provider issues assertions based on the results of authenticating and authorizing the principals who access services at the service providers.
If you decide to use SAP Cloud Identity, no settings are needed; it is configured by default. Otherwise, follow this process:
- Get SAP Analytics Cloud Service Provider metadata (with certificate)
- Configure Service Provider into Identity Provider based on SAP Analytics Cloud Service Provider metadata.
- Get Identity Provider Metadata.
- Upload Identity Provider metadata into SAP Analytics Cloud
- Indicate the mapping attribute (user ID, email address or any custom field)
- Test before saving configuration, and apply change.
6.3. Identity Providers
SAP Analytics Cloud supports SAML 2 Identity Providers that follow the OASIS specification: https://docs.oasis-open.org/security/saml/v2.0/saml-core-2.0-os.pdf
The following products have already been used successfully:
- SAP Cloud Identity (default)
- Active Directory Federation Services
- Azure Active Directory SSO
- Okta
- WSO2 Identity Server
- F5 Identity Provider
6.3.1. Third party Identity Providers location and network settings
Based on your Identity Provider location please, ensure that browser is able to access it.
Figure 16 : Different Identity Provider Locations
6.4. User & role management
When a custom Identity Provider is set, you have to map users between your Identity Provider and SAP Analytics Cloud. The login credential depends on the user attribute you selected when you configured the Identity Provider. If you selected Custom SAML User, the login credential is the user ID of your account on your SAML Identity Provider.
If Email is selected, the login credential is the email address of your account on your SAML Identity Provider. If User is selected, the login credential is your SAP Analytics Cloud user name by default.
From the start, it is very important to align the user lists of the Identity Provider and of the Service Provider (SAC). You can enter users manually, but remember that the mapping attribute is case-sensitive. Two options simplify and secure the user deployment:
- You can upload and map the user list into SAP Analytics Cloud, from a CSV file or from Active Directory. Because the mapping attribute is case-sensitive, uploading the list exactly as the Identity Provider sends the attribute ensures a smooth and fast deployment.
- You can enable dynamic user creation in SAP Analytics Cloud. When it is enabled, new users are created automatically with the default role and can use SAML SSO to log on to SAP Analytics Cloud. Since every identity the Identity Provider asserts then becomes an SAC user, keep the default role minimal and restrict on the Identity Provider side which users may use the SAC application. To make SAML attribute mapping to users, and role mapping from SAML attributes, work together with dynamic user creation, you must submit an SA P Product Support Incident at https://launchpad.support.sap.com/#incident/solution using the component LOD-ANA-BI. In the support ticket, indicate that you want to set up user profiles and role assignment based on custom SAML attributes, and include your SAP Analytics Cloud tenant URL.
You can also create a SAML role mapping to automatically assign roles to users based on their SAML attributes. Please read: https://help.sap.com/doc/00f68c2e08b941f081002fd3691d86a7/release/en-US/8cef38224562457fa87069a6d8e596ab.html
6.5. Back-end Single Sign-on
To enable the end-to-end live connection SSO scenario, SAP Analytics Cloud also supports SAML 2 SSO towards the data sources (the same Identity Provider is trusted by SAC and by the back-end, see section 4.3):
6.6. Setting Steps
Step | Description | Owner |
Identity Provider settings in SAC | Enabling a custom SAML Identity Provider | Business Intelligence Expert (Admin) |
Service Provider settings in the Identity Provider | Depends on the Identity Provider | Identity Provider Expert |
SSO data source settings | See section 6.5, Back-end Single Sign-on | Data Source IT Expert |
Connection settings in SAC | | Business Intelligence Expert |
Network settings | | Network & Security Expert |