The SAP Cloud Platform (SAPCP) is a platform-as-a-service offering which supports customers’ digital transformation. It not only provides an environment for the development of new applications but also allows the extension of existing cloud and on-premise systems. SAPCP has evolved into a central component in many enterprise landscapes for integrating data and business processes and for leveraging innovative technologies. By connecting a HANA database which is included in SAPCP with SAP Analytics Cloud (SAC), customers are equipped with advanced analytics and business intelligence features for their enterprise data.
In this blog post, we are going to create a Live Connection from SAC to SAPCP using Single Sign-on (SSO). “Live” data means that whenever a user opens a story in SAC, changes to the data in the source system are immediately reflected in SAC.
This blog post is structured as follows:
1. System Requirements
You are using one of the following systems:
◈ SAP HANA 1.0 SPS10, revision 102.2, or
◈ SAPCP running on SAP HANA SPS10, revision 1.02.2, or
◈ SAP HANA 2.0 SP01 or newer.
2. Setup of the HANA System
This section provides information on how to configure your HANA system to be able to establish a Live Connection to this system. It is subdivided into 2.1. Roles for HANA administrator, 2.2. Installation of the HANA Info Access Service and 2.3. Roles for HANA users using the Live Connection.
2.1. Roles for HANA administrator
Please make sure that the following roles are assigned to your HANA administrator account:
sap.hana.xs.admin.roles::SAMLAdministrator
sap.hana.xs.admin.roles::RuntimeConfAdministrator
sap.hana.ide.roles::CatalogDeveloper
sap.hana.ide.roles::SecurityAdmin
In SAP HANA studio this can be verified under Security -> Users -> AdminName (Please note that AdminName has to be replaced with the name of your HANA administrator.) (a). Under Granted Roles you can see the roles that are assigned to your account (b).
To grant a missing role to your HANA user, please click on the +-icon (a), type in the name of the role (b), select the corresponding role (c) and click on OK (d).
2.2. HANA Info Access Service
If you are using SAP HANA SPS10 or later, please verify that the Info Access Service is installed by default. In SAP HANA studio this can be done in the Systems view (a) under Content (b). You should see the following package (c):
sap\bc\ina\service
2.3. Roles for HANA users using the Live Connection
Please assign the Info Access Service role to all users who will use the Live Connection. The name of the Info Access Service role is:
sap.bc.ina.service.v2.userRole::INA_USER
In SAP HANA studio this can be done under Security -> Users -> LiveConnectionUser (Please note that LiveConnectionUser has to be replaced with a HANA user that will use the Live Connection.) (a). Under Granted Roles click on the +-icon to add the Info Access Service role (b).
3. Configuration of the SAML Identity Provider
In this section we set up the trust relationship (3.1.) between SAP HANA and SAC, enable SAML (3.2.) and either perform an automatic (3.3.1.) or a manual (3.3.2.) user mapping to use SSO.
3.1. Setup of the Trust Relationship
1. Please navigate to the XS Admin Page of your SAP HANA system. The XS Admin Page can be accessed via https://<SAP HANA SYSTEM>/sap/hana/xs/admin. (Please replace <SAP HANA SYSTEM> with the name of your SAP HANA system.)
2. Please click on the main menu and select SAML Service Provider.
3. Under Service Provider Information (a), copy the name of the SAML Service Provider (b).
4. Log onto SAP Analytics Cloud and click on Connection in the main menu.
Thereafter, click on the +-icon to add a new connection (a). Under Live Data Connection choose SAP HANA (b).
5. In the dialog that opens, enter a name for your new connection (Please note that the name cannot be changed later.) (a). Set the connection type to SAP Cloud Platform (b).
6. Add your SAP Cloud Platform account name (a), database name (b) and landscape name (c). You can optionally choose a default language from the list. Please note that the language can only be changed by the administrator later on. In case the language you have chosen is not installed on your system, SAC will choose the default language.
IMPORTANT: You can find your account name, database name and landscape name in your SAP Cloud Platform Cockpit. For detailed information, please see the following screenshots.
After having clicked on the Global Account, please click again on Global Account to see your subaccounts.
Under Subaccount Information you can find your account name.
Please click on Databases & Schemas (a) to see the name of your database (b).
7. In SAC, please select SAML Single Sign-On (a) under Credentials. Thereafter, click on Download Metadata (b) and save the metadata file. Under SAML Provider Name, enter the IdP Provider Name (c) you copied in step 3.
IMPORTANT: Please do not click on OK, as you are not yet authorized to access the HANA system. We will complete the definition of your Live Connection in section 4. Saving the Live Connection in SAC.
8. In the XS Admin Page of your SAP HANA system, select Main Menu -> SAML Identity Provider.
9. Click on the +-icon in the bottom left corner to begin importing metadata.
10. Open the XML file that you have downloaded in step 7 b). Copy the content of the file and paste it to the Metadata input area in the XS Admin Page of your HANA system.
11. Please note down the name (b) of the SAML IdP under General Data (a).
12. Under Destination (a), input the following path into SingleSignOn URL (Redirect Binding) and SingleSignOn URL (PostBinding): /saml2/sso (b).
13. Please click on Save.
3.2. Enabling SAML
1. In the XS Admin Page of your SAP HANA system, select Main Menu -> XS Artifact Administration.
2. In the Packages area (a), please navigate to sap -> bc -> ina -> service -> v2 by clicking on the ->-icon (b).
3. Please make sure to have navigated to the correct directory (a). Click on v2 (b) to see the SAP Security Admin page (c).
5. Select the SAML checkbox, if it is not already enabled (a).
Choose a SAML IdP in case it is not already selected (b). The name of the IdP should be the name you noted down in step 11 of 3.1. Setup of the Trust Relationship. Please click on Save (c).
3.3. User Mapping
You must either perform an automatic (3.3.1.) or a manual (3.3.2) user mapping. If you are using the same IdP for SAP HANA and SAC, you can automatically map all existing users to SAC. If you are using different IdPs for SAP HANA and SAC, you must perform a manual user mapping.
3.3.1. Automatic
1. Please navigate to the SAP HANA Web-based Development Workbench -> Catalog of your HANA system. (https://<SAP HANA SYSTEM>/sap/hana/ide/catalog/; Please replace <SAP HANA SYSTEM> with the name of your SAP HANA system.)
2. In the main menu, click on New -> Schema.
3. Enter a name for the new schema (a) and click on OK (b).
4. Please open the SQL console (a) and add the following procedure (b):
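-- Copies every SAML identity mapped for FROM_IdP to TO_IdP.
-- Runs with the privileges of the calling user (SQL SECURITY INVOKER).
CREATE PROCEDURE "<MYSCHEMA>"."sap.fpa.services::mapIdentityFromIdpToIdp" (IN FROM_IdP VARCHAR(2048), IN TO_IdP VARCHAR(2048))
LANGUAGE SQLSCRIPT
SQL SECURITY INVOKER AS
BEGIN
    -- Users that already have an identity for the target IdP
    DECLARE CURSOR vExistingMappings FOR
        SELECT USER_NAME FROM "SYS"."SAML_USER_MAPPINGS" WHERE SAML_PROVIDER_NAME = TO_IdP;
    -- All existing SAML mappings; filtered by FROM_IdP in the loop below
    DECLARE CURSOR vUserSamlMappings FOR
        SELECT USER_NAME, SAML_PROVIDER_NAME, EXTERNAL_IDENTITY FROM "SYS"."SAML_USER_MAPPINGS";
    -- Step 1: drop every existing mapping for the target IdP
    FOR cur_row AS vExistingMappings DO
        EXECUTE IMMEDIATE 'ALTER USER '||:cur_row.USER_NAME||' DROP IDENTITY FOR SAML PROVIDER '||:TO_IdP||'';
    END FOR;
    -- Step 2: re-create each FROM_IdP mapping under the target IdP.
    -- The values are concatenated into dynamic SQL as-is, so user names,
    -- IdP names and external identities must not contain quote characters.
    FOR cur_row AS vUserSamlMappings DO
        IF cur_row.SAML_PROVIDER_NAME = FROM_IdP THEN
            EXECUTE IMMEDIATE 'ALTER USER '||:cur_row.USER_NAME||' ADD IDENTITY '''||:cur_row.EXTERNAL_IDENTITY||''' FOR SAML PROVIDER '||:TO_IdP||'';
        END IF;
    END FOR;
END;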
IMPORTANT: Replace <MYSCHEMA> with the name of the schema you have created (here: UserMappingSAC).
5. Execute the procedure.
6. Please enter the following command in your SQL console:
CALL "<SCHEMA>"."sap.fpa.services::mapIdentityFromIdpToIdp"('<LOGIN IdP>', '<IMPORTED IdP NAME>');
Replace <SCHEMA> with the selected schema name (here: UserMappingSAC), <LOGIN IdP> with the name of the SAP HANA IdP and <IMPORTED IdP NAME> with the name of the SAC IdP you noted down in step 11 of the subsection 3.1. Setup of the Trust Relationship.
IMPORTANT: To find the name of your SAP HANA IdP, go to the XS Admin Page of your HANA system and select Main Menu -> SAML Identity Provider. Under Destination, copy the Base URL.
7. Execute the SQL statement.
3.3.2. Manual
1. Please navigate to Profile Management in SAC and copy the Cloud Identity. Please note that you may have to login first.
2. Please navigate to the SAP HANA Web-based Development Workbench -> Catalog of your HANA system. (https://<SAP HANA SYSTEM>/sap/hana/ide/catalog/; Please replace <SAP HANA SYSTEM> with the name of your SAP HANA system.)
3. Open the SQL console (a). Type in (b) and execute (c) the following query:
ALTER USER <HANA USER> ADD IDENTITY '<SAML MAPPING>' FOR SAML PROVIDER <IMPORTED IdP NAME>;
ALTER USER <HANA USER> ENABLE SAML;
IMPORTANT: Please make sure that you are logged in to your HANA system with a user that is different from the user who appears in the SQL statement (i.e., <HANA USER>), as a user is not able to execute the second statement for herself. Replace <HANA USER> with the user ID of the HANA user that is using the Live Connection, <SAML MAPPING> with the Cloud Identity you copied in step 1 and <IMPORTED IdP NAME> with the name of the SAC IdP you noted down in step 11 of 3.1. Setup of the Trust Relationship.
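The following read-only queries are an added example, not part of the original post or of SAP's documentation. They preview what the automatic mapping in 3.3.1. would change and check the result of either mapping variant against the roles from section 2. They assume the system views SYS.GRANTED_ROLES and SYS.USERS (with its IS_SAML_ENABLED column) in addition to SYS.SAML_USER_MAPPINGS used above; the placeholders are the ones from this post.

```sql
-- Added example: read-only review queries for the HANA SQL console.
-- Replace <LOGIN IdP> and <IMPORTED IdP NAME> as described in 3.3.1.

-- (1) Before the CALL: mappings the procedure will DROP for the SAC IdP.
SELECT USER_NAME, EXTERNAL_IDENTITY
  FROM "SYS"."SAML_USER_MAPPINGS"
 WHERE SAML_PROVIDER_NAME = '<IMPORTED IdP NAME>'
 ORDER BY USER_NAME;

-- (2) Before the CALL: mappings the procedure will COPY to the SAC IdP.
--     HAS_QUOTE    = identity contains a single quote and would break the
--                    dynamic ALTER USER statement built by the procedure.
--     HAS_INA_USER = user directly holds the Info Access Service role
--                    (roles inherited through other roles are not shown).
SELECT m.USER_NAME,
       m.EXTERNAL_IDENTITY,
       CASE WHEN LOCATE(m.EXTERNAL_IDENTITY, '''') > 0
            THEN 'YES' ELSE 'NO' END AS HAS_QUOTE,
       CASE WHEN r.GRANTEE IS NULL
            THEN 'NO' ELSE 'YES' END AS HAS_INA_USER
  FROM "SYS"."SAML_USER_MAPPINGS" m
  LEFT JOIN "SYS"."GRANTED_ROLES" r
    ON r.GRANTEE   = m.USER_NAME
   AND r.ROLE_NAME = 'sap.bc.ina.service.v2.userRole::INA_USER'
 WHERE m.SAML_PROVIDER_NAME = '<LOGIN IdP>'
 ORDER BY m.USER_NAME;

-- (3) After the mapping: Live Connection users who still cannot use SSO,
--     either because SAML is disabled or no SAC identity is mapped.
SELECT u.USER_NAME, u.IS_SAML_ENABLED, m.EXTERNAL_IDENTITY
  FROM "SYS"."USERS" u
  JOIN "SYS"."GRANTED_ROLES" r
    ON r.GRANTEE   = u.USER_NAME
   AND r.ROLE_NAME = 'sap.bc.ina.service.v2.userRole::INA_USER'
  LEFT JOIN "SYS"."SAML_USER_MAPPINGS" m
    ON m.USER_NAME          = u.USER_NAME
   AND m.SAML_PROVIDER_NAME = '<IMPORTED IdP NAME>'
 WHERE m.USER_NAME IS NULL
    OR u.IS_SAML_ENABLED <> 'TRUE'
 ORDER BY u.USER_NAME;

-- (4) Least-privilege review: everyone holding the administrator roles
--     from 2.1. Only the HANA administrator account should appear.
SELECT GRANTEE, ROLE_NAME, GRANTOR
  FROM "SYS"."GRANTED_ROLES"
 WHERE ROLE_NAME IN ('sap.hana.xs.admin.roles::SAMLAdministrator',
                     'sap.hana.xs.admin.roles::RuntimeConfAdministrator',
                     'sap.hana.ide.roles::CatalogDeveloper',
                     'sap.hana.ide.roles::SecurityAdmin')
 ORDER BY ROLE_NAME, GRANTEE;
```

Users listed by query (2) with HAS_INA_USER = 'NO' will receive a SAC identity without being intended Live Connection users, so review them before running the procedure.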
4. Saving the Live Connection in SAC
As pointed out in step 7 of 3.1. Setup of the Trust Relationship, we now complete the definition of our Live Connection in SAC. In case the browser tab you opened in subsection 3.1. Setup of the Trust Relationship (steps 1-7) is still available, the only thing that has to be done is to click on OK. Otherwise, steps 1-7 of 3.1. Setup of the Trust Relationship have to be re-executed.
You have now defined a Live Connection and can start creating models using this Live Connection. On top of those models you can build stories and thus consume live data from your HANA system in SAC.
In the screenshot above, you can find a sample story which consumes live data and shows the pipeline of the S/4HANA product for all regions.
[Optional: Download HANA Info Access Toolkit]
This section is only relevant in case the Info Access Service is not installed on your HANA system by default, i.e. you have not been able to complete subsection 2.2. HANA Info Access Service successfully.
In the following, we set up and activate the SAP HANA Info Access Service on your HANA system. To do so, we first import the Info Access Toolkit and the SINA API (steps 1-11) and then import the Info Access Service (steps 12-16).
Henceforth, we assume that you can access the SAP Software Download Center. Please note that your view may differ from the screenshots provided as it depends on your user rights.
1. Navigate to the Software Download Center.
Under Support Packages and Patches (a), click on By Category (b) and select SAP In-Memory (SAP HANA) (c).
3. Please click on SAP HANA Platform Edition.
4. Please click on SAP HANA Platform EDIT 1.0.
5. Please click on HANA INA TOOLKIT HTML CONTENT.
6. Please click on HANA INA TOOLKIT HTML 1.0 (b). (a) shows the directory you should see after following the steps described above.
7. Please download and unpack the file HCOINAUITOOLKIT<Version>. You can also select a .SAR archive instead. .SAR files can be unpacked using SAPCAR. Each of the archive files contains the SAP HANA Delivery Unit HCOINAUITOOLKIT.tgz.
8. In SAP HANA studio click on File -> Import (a), select SAP HANA Content -> Delivery Unit (b) and click on Next (c).
9. Under Target System select your database instance (a) and click on Next (b).
10. Please select Client (a) and choose the tgz Delivery Unit on your local disk (b) which you have extracted in step 2. Select both actions (c) and click on Finish (d).
11. If the import of the Delivery Unit has been successful, in the Systems view (a) under Content (b), you should see the following packages (c):
sap\bc\ina\api
sap\bc\ina\demos
sap\bc\ina\uitoolkit
12. Now that the Info Access Toolkit and the SINA API have been imported, we can import the Info Access Service.
In SAP HANA Studio, select File -> Import.
13. Please click on SAP HANA Content -> Delivery Unit and choose Next.
14. Under Target System choose your database instance.
15. Select Server (a) and from the dropdown list select the SYS/global/hdb/content/HCO_INA_SERVICE.tgz Delivery Unit (b). Please select both actions (c) and click on Finish (d).
16. If the import of the Delivery Unit has been successful, in the Systems view (a) under Content (b), you should see the following package (c):
17. The HANA Info Access Service is now set up and activated on your system.