Week 3: Authentication and Data Connectivity 3

Unit 1: Direct Authentication

Direct Authentication
Overview

▪ Leverage existing authentication mechanism SAML SAP Analytics

already in place in source system Cloud
▪ Typically done using either Kerberos or client
certificate authentication
▪ X509 Client Certificate
− Existing PKI infrastructure required to ▪ Kerberos
support client certificate authentication
− Kerberos typically only for Intranet scenarios SAP BW
SAP HANA
▪ Use the “None” authentication option in SAP SAP S/4HANA
Analytics Cloud connection SAP BPC
▪ Custom IDP not required for direct
authentication

© 2019 SAP SE or an SAP affiliate company. All rights reserved. ǀ PUBLIC 2

Thank you.
Contact information:

[email protected]
Follow all of SAP

www.sap.com/contactsap

© 2019 SAP SE or an SAP affiliate company. All rights reserved.

No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of
SAP SE or an SAP affiliate company.
The information contained herein may be changed without prior notice. Some software products marketed by SAP SE and its
distributors contain proprietary software components of other software vendors. National product specifications may vary.
These materials are provided by SAP SE or an SAP affiliate company for informational purposes only, without representation or
warranty of any kind, and SAP or its affiliated companies shall not be liable for errors or omissions with respect to the materials.
The only warranties for SAP or SAP affiliate company products and services are those that are set forth in the express warranty
statements accompanying such products and services, if any. Nothing herein should be construed as constituting an additional
warranty.
In particular, SAP SE or its affiliated companies have no obligation to pursue any course of business outlined in this document or
any related presentation, or to develop or release any functionality mentioned therein. This document, or any related presentation,
and SAP SE’s or its affiliated companies’ strategy and possible future developments, products, and/or platforms, directions, and
functionality are all subject to change and may be changed by SAP SE or its affiliated companies at any time for any reason
without notice. The information in this document is not a commitment, promise, or legal obligation to deliver any material, code, or
functionality. All forward-looking statements are subject to various risks and uncertainties that could cause actual results to differ
materially from expectations. Readers are cautioned not to place undue reliance on these forward-looking statements, and they
should not be relied upon in making purchasing decisions.
SAP and other SAP products and services mentioned herein as well as their respective logos are trademarks or registered
trademarks of SAP SE (or an SAP affiliate company) in Germany and other countries. All other product and service names
mentioned are the trademarks of their respective companies.
See www.sap.com/copyright for additional trademark information and notices.
Week 3: Authentication and Data Connectivity 3
Unit 2: Internet Scenarios for Live Connections
Internet Scenarios for Live Connections
Live connections workflow

Public Domain DMZ Customer Network

Firewall
Firewall
HTTPS SAP HANA
HTTPS CORS SAP BW
SAP Analytics SAML SAML
SAP BW/4HANA
Cloud SAP S/4HANA
Metadata Data SAP BusinessObjects BI4 Universes
SAP BPC

SAML
Firewall

Firewall

SAML 2 IDP

© 2019 SAP SE or an SAP affiliate company. All rights reserved. ǀ PUBLIC 2

Internet Scenarios for Live Connections
Live connections workflow in Internet scenarios

Public Domain DMZ Customer Network

Firewall
Firewall
SAP Analytics
Cloud HTTPS
CORS
SAP HANA
SAML
SAP BW
HTTPS SAP BW/4HANA
Metadata
SAML SAP S/4HANA
Data SAP BusinessObjects BI4 Universes
SAP BPC
Firewall

Firewall

SAML
SAML 2 IDP

© 2019 SAP SE or an SAP affiliate company. All rights reserved. ǀ PUBLIC 3

Internet Scenarios for Live Connections
Reverse proxy in DMZ

Public Domain DMZ Customer Network

Firewall
Firewall
SAP Analytics
Cloud
SAP HANA
Reverse SAP BW
Proxy SAP BW/4HANA
(Pass thru SAP S/4HANA
CORS SAP BusinessObjects BI4 Universes
Headers) SAP BPC
Firewall

Firewall

SAML 2 IDP

© 2019 SAP SE or an SAP affiliate company. All rights reserved. ǀ PUBLIC 4

Internet Scenarios for Live Connections
Things to know

▪ Any reverse proxy can be used, provided it allows

CORS headers to pass through
▪ Reverse proxy must be configured for SSL
▪ Hostname use in SAC connection should reflect
reverse proxy domain name
▪ SAML endpoints in the custom IDP should reflect the
reverse proxy domain name

© 2019 SAP SE or an SAP affiliate company. All rights reserved. ǀ PUBLIC 5

Thank you.
Contact information:

[email protected]
Follow all of SAP

www.sap.com/contactsap

© 2019 SAP SE or an SAP affiliate company. All rights reserved.

No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of
SAP SE or an SAP affiliate company.
The information contained herein may be changed without prior notice. Some software products marketed by SAP SE and its
distributors contain proprietary software components of other software vendors. National product specifications may vary.
These materials are provided by SAP SE or an SAP affiliate company for informational purposes only, without representation or
warranty of any kind, and SAP or its affiliated companies shall not be liable for errors or omissions with respect to the materials.
The only warranties for SAP or SAP affiliate company products and services are those that are set forth in the express warranty
statements accompanying such products and services, if any. Nothing herein should be construed as constituting an additional
warranty.
In particular, SAP SE or its affiliated companies have no obligation to pursue any course of business outlined in this document or
any related presentation, or to develop or release any functionality mentioned therein. This document, or any related presentation,
and SAP SE’s or its affiliated companies’ strategy and possible future developments, products, and/or platforms, directions, and
functionality are all subject to change and may be changed by SAP SE or its affiliated companies at any time for any reason
without notice. The information in this document is not a commitment, promise, or legal obligation to deliver any material, code, or
functionality. All forward-looking statements are subject to various risks and uncertainties that could cause actual results to differ
materially from expectations. Readers are cautioned not to place undue reliance on these forward-looking statements, and they
should not be relied upon in making purchasing decisions.
SAP and other SAP products and services mentioned herein as well as their respective logos are trademarks or registered
trademarks of SAP SE (or an SAP affiliate company) in Germany and other countries. All other product and service names
mentioned are the trademarks of their respective companies.
See www.sap.com/copyright for additional trademark information and notices.
Week 3: Authentication and Data Connectivity 3
Unit 3: Connecting to HANA in SAP Cloud Platform
Connecting to HANA in SAP Cloud Platform
Prerequisites

▪ Neo
– SAP HANA installed in SAP Cloud Platform (SAPCP) Neo
– SAP HANA Info Access Service (InA): version 4.10.0 or above
– SAP HANA user assigned
sap.bc.ina.service.v2.userRole::INA_USER role
– Access to SAP HANA’s XS admin
– SAML 2 Identity Provider (IdP)
▪ Cloud Foundry (CF)
– SAP HANA installed in SAPCP CF
– SAML 2 Identity Provider (IdP)
– HDI containers on your SAPCP system

© 2019 SAP SE or an SAP affiliate company. All rights reserved. ǀ PUBLIC 2

Connecting to HANA in SAP Cloud Platform
Who should be involved?

▪ Neo
– SAP Cloud Platform (SAPCP) global account /
Neo subaccount administrator
– SAP HANA administrator
– SAP Analytics Cloud administrator
– SAML IDP administrator
▪ Cloud Foundry
– SAP Cloud Platform (SAPCP) global account administrator
/ CF subaccount organization manager
– SAP HANA administrator
– SAP Analytics Cloud system owner
– SAML IDP administrator

© 2019 SAP SE or an SAP affiliate company. All rights reserved. ǀ PUBLIC 3

Connecting to HANA in SAP Cloud Platform
HANA HDI in Cloud Foundry

▪ Install Development Tools

– Download and install the Cloud Foundry CLI
– Download and install the Cloud Foundry CLI MTA
– Download and install Oracle JDK 8 or SAP JDK 8: https://tools.hana.ondemand.com/#cloud
– Download and install Apache Maven: https://maven.apache.org/download.cgi
– Download and install Node.js: https://nodejs.org/en/download/
– Set npm for the sap registry modules with the command:
npm config set @sap:registry https://npm.sap.com

© 2019 SAP SE or an SAP affiliate company. All rights reserved. ǀ PUBLIC 4

Connecting to HANA in SAP Cloud Platform
HANA HDI in Cloud Foundry

▪ Deploy analytics adapter (xsahaa)

– Download SAP HANA analytics adapter (HAA) project zip from
SAP GitHub
– Download SalesApp.zip from
https://github.com/saphanaacademy/SalesApp
– Download the multi-target application (MTA) archive builder
– Download the latest version of the Analytics adapter for
SAP HANA extended application services, advanced model
– mta.yaml
▫ Organization Name = Subdomain Name
TENANT_HOST_PATTERN: '^(.*)-<space>-xsahaa-rt.cfapps.(.*).hana.ondemand.com’
▫ Organization Name ≠ Subdomain Name
TENANT_HOST_PATTERN: ‘<org name>-(.*)-<space>-xsahaa-rt.cfapps.(.*).hana.ondemand.com’

© 2019 SAP SE or an SAP affiliate company. All rights reserved. ǀ PUBLIC 5

Connecting to HANA in SAP Cloud Platform
HANA HDI in Cloud Foundry

▪ Grant permissions and set up roles

– User access to SAP HANA database container
▪ Set up trust from Cloud Foundry UAA to SAP HANA database container
– SAP Note: 2470084 – XSUAA metadata for XS_APPLICATIONUSER
trust creation
– An SAP HANA JWT IDP user will be created
▪ Set up SCP Cloud Foundry SSO and SAC SSO using the same IDP
– Use e-mail as user attribute in SCP Cloud Foundry, SAC, and IDP
– Set the default IDP in SCP Cloud Foundry as inactive
▪ Map SAP HANA JWT IDP user to the external SAML IDP user
▪ Create SAP HANA live connection in SAP Analytics Cloud

© 2019 SAP SE or an SAP affiliate company. All rights reserved. ǀ PUBLIC 6

Thank you.
Contact information:

[email protected]
Follow all of SAP

www.sap.com/contactsap

© 2019 SAP SE or an SAP affiliate company. All rights reserved.

No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of
SAP SE or an SAP affiliate company.
The information contained herein may be changed without prior notice. Some software products marketed by SAP SE and its
distributors contain proprietary software components of other software vendors. National product specifications may vary.
These materials are provided by SAP SE or an SAP affiliate company for informational purposes only, without representation or
warranty of any kind, and SAP or its affiliated companies shall not be liable for errors or omissions with respect to the materials.
The only warranties for SAP or SAP affiliate company products and services are those that are set forth in the express warranty
statements accompanying such products and services, if any. Nothing herein should be construed as constituting an additional
warranty.
In particular, SAP SE or its affiliated companies have no obligation to pursue any course of business outlined in this document or
any related presentation, or to develop or release any functionality mentioned therein. This document, or any related presentation,
and SAP SE’s or its affiliated companies’ strategy and possible future developments, products, and/or platforms, directions, and
functionality are all subject to change and may be changed by SAP SE or its affiliated companies at any time for any reason
without notice. The information in this document is not a commitment, promise, or legal obligation to deliver any material, code, or
functionality. All forward-looking statements are subject to various risks and uncertainties that could cause actual results to differ
materially from expectations. Readers are cautioned not to place undue reliance on these forward-looking statements, and they
should not be relied upon in making purchasing decisions.
SAP and other SAP products and services mentioned herein as well as their respective logos are trademarks or registered
trademarks of SAP SE (or an SAP affiliate company) in Germany and other countries. All other product and service names
mentioned are the trademarks of their respective companies.
See www.sap.com/copyright for additional trademark information and notices.
Week 3: Authentication and Data Connectivity 3
Unit 4: SAP S/4HANA Cloud Connection
SAP S/4HANA Cloud Connection
Prerequisites

▪ SAP S/4HANA Cloud, version 1708 or above

▪ SAP S/4HANA Cloud is configured to use identity provider
as authentication service
▪ SAP Analytics Cloud is configured to use SAML Single Sign-
On (SSO) as authentication method
▪ SAP Analytics Cloud is configured to use custom SAML user
mapping as user attribute
▪ The custom SAML user mapping account must be the same
as the user name of the corresponding business user in
SAP S/4HANA Cloud

© 2019 SAP SE or an SAP affiliate company. All rights reserved. ǀ PUBLIC 2

SAP S/4HANA Cloud Connection
OAuth 2.0

Authorization Server

Request Service

Web Browser SAP Analytics Cloud

Data

SAP S/4HANA Cloud

© 2019 SAP SE or an SAP affiliate company. All rights reserved. ǀ PUBLIC 3

SAP S/4HANA Cloud Connection
Who should be involved?

▪ SAP Analytics Cloud system owner

▪ SAML IDP administrator
▪ SAP S/4HANA system administrator
(role template ID SAP_BR_ADMINISTRATOR)

© 2019 SAP SE or an SAP affiliate company. All rights reserved. ǀ PUBLIC 4

Thank you.
Contact information:

[email protected]
Follow all of SAP

www.sap.com/contactsap

© 2019 SAP SE or an SAP affiliate company. All rights reserved.

No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of
SAP SE or an SAP affiliate company.
The information contained herein may be changed without prior notice. Some software products marketed by SAP SE and its
distributors contain proprietary software components of other software vendors. National product specifications may vary.
These materials are provided by SAP SE or an SAP affiliate company for informational purposes only, without representation or
warranty of any kind, and SAP or its affiliated companies shall not be liable for errors or omissions with respect to the materials.
The only warranties for SAP or SAP affiliate company products and services are those that are set forth in the express warranty
statements accompanying such products and services, if any. Nothing herein should be construed as constituting an additional
warranty.
In particular, SAP SE or its affiliated companies have no obligation to pursue any course of business outlined in this document or
any related presentation, or to develop or release any functionality mentioned therein. This document, or any related presentation,
and SAP SE’s or its affiliated companies’ strategy and possible future developments, products, and/or platforms, directions, and
functionality are all subject to change and may be changed by SAP SE or its affiliated companies at any time for any reason
without notice. The information in this document is not a commitment, promise, or legal obligation to deliver any material, code, or
functionality. All forward-looking statements are subject to various risks and uncertainties that could cause actual results to differ
materially from expectations. Readers are cautioned not to place undue reliance on these forward-looking statements, and they
should not be relied upon in making purchasing decisions.
SAP and other SAP products and services mentioned herein as well as their respective logos are trademarks or registered
trademarks of SAP SE (or an SAP affiliate company) in Germany and other countries. All other product and service names
mentioned are the trademarks of their respective companies.
See www.sap.com/copyright for additional trademark information and notices.
Week 3: Authentication and Data Connectivity 3
Unit 5: On-Premise Import Data Connectivity I
On-Premise Import Data Connectivity
Data import workflow

Public Domain DMZ Customer Network

Firewall
Firewall
SAP BPC NW

Data ODATA

SAP Analytics
Cloud Connector
Cloud Data

Data

SAP Analytics Cloud Agent SQL Databases

SAP BW
Firewall

Firewall
File Server
SAP ERP
Data SAP BusinessObjects BI4 Universes
SAP BPC MS
SAP S/4HANA

© 2019 SAP SE or an SAP affiliate company. All rights reserved. ǀ PUBLIC 2

On-Premise Import Data Connectivity
Multiple cloud connectors for one SAP Analytics Cloud system

Public Domain DMZ Customer Network 1

Firewall
Firewall
Cloud Connector

Data Data
Databases
SAP Analytics
SAP Analytics Cloud Agent
Cloud Data
Firewall
Customer Network 2

Cloud Connector
Firewall

Firewall
Databases
Data
Data

SAP Analytics Cloud Agent

© 2019 SAP SE or an SAP affiliate company. All rights reserved. ǀ PUBLIC 3

On-Premise Import Data Connectivity
One cloud connector for multiple SAP Analytics Cloud systems

Public Domain DMZ Customer Network

Firewall
Firewall
SAP Analytics
Cloud Connector
Cloud Data

Data Databases
Data

SAP Analytics SAP Analytics Cloud Agent

Cloud
Firewall

Firewall
Data
(Prod)

© 2019 SAP SE or an SAP affiliate company. All rights reserved. ǀ PUBLIC 4

Thank you.
Contact information:

[email protected]
Follow all of SAP

www.sap.com/contactsap

© 2019 SAP SE or an SAP affiliate company. All rights reserved.

No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of
SAP SE or an SAP affiliate company.
The information contained herein may be changed without prior notice. Some software products marketed by SAP SE and its
distributors contain proprietary software components of other software vendors. National product specifications may vary.
These materials are provided by SAP SE or an SAP affiliate company for informational purposes only, without representation or
warranty of any kind, and SAP or its affiliated companies shall not be liable for errors or omissions with respect to the materials.
The only warranties for SAP or SAP affiliate company products and services are those that are set forth in the express warranty
statements accompanying such products and services, if any. Nothing herein should be construed as constituting an additional
warranty.
In particular, SAP SE or its affiliated companies have no obligation to pursue any course of business outlined in this document or
any related presentation, or to develop or release any functionality mentioned therein. This document, or any related presentation,
and SAP SE’s or its affiliated companies’ strategy and possible future developments, products, and/or platforms, directions, and
functionality are all subject to change and may be changed by SAP SE or its affiliated companies at any time for any reason
without notice. The information in this document is not a commitment, promise, or legal obligation to deliver any material, code, or
functionality. All forward-looking statements are subject to various risks and uncertainties that could cause actual results to differ
materially from expectations. Readers are cautioned not to place undue reliance on these forward-looking statements, and they
should not be relied upon in making purchasing decisions.
SAP and other SAP products and services mentioned herein as well as their respective logos are trademarks or registered
trademarks of SAP SE (or an SAP affiliate company) in Germany and other countries. All other product and service names
mentioned are the trademarks of their respective companies.
See www.sap.com/copyright for additional trademark information and notices.