week 1: authentication and data connectivity 1 unit 1
TRANSCRIPT
Week 1 Authentication and Data Connectivity 1
Unit 1 Course Introduction and Connectivity
Overview
2PUBLICcopy 2019 SAP SE or an SAP affiliate company All rights reserved ǀ
Week 1 Authentication and Data Connectivity 1
SAP Analytics Cloud authentication options
Live connections to SAP HANA with SAML SSO
Week 2 Authentication and Data Connectivity 2
Live connections to SAP NW with SAML SSO
Live connections to SAP BusinessObjects BI Platform
Week 3 Authentication and Data Connectivity 3
Live connections to cloud sources
Import data connectivity
Troubleshooting direct authentication Internet scenarios
Course Introduction and Connectivity Overview
Course agenda
3PUBLICcopy 2019 SAP SE or an SAP affiliate company All rights reserved ǀ
Course Introduction and Connectivity Overview
Data connectivity types
Live Connection
Performs analysis without data replication
Confidential data stays in customer landscape
Data security implemented in the source system
is respected
Leverages existing investments built in source
systems
Complex data modeling is performed centrally
by IT
Low latency ndash near real-time
End-to-end SSO accomplished via SAML 20
Import Connection
Data is imported into SAP Analytics Cloud
Leverages capabilities such as Planning and
Smart Assist
Best for data preparation and data blending
scenarios
Scheduled data replication
4PUBLICcopy 2019 SAP SE or an SAP affiliate company All rights reserved ǀ
Course Introduction and Connectivity Overview
Data sources
Live
SAP Cloud Platform1 SAP S4HANA Cloud
SAP S4HANA
SAP BusinessObjects Universe
Access via SDI for SAP Cloud Platform amp SAP HANA2
Apache Hive AWS SAP Vora SAP Sybase ASE IQ ESP
Microsoft SQL Server Spark SQL Oracle Teradata
OData
MaxDB
IBM DB2 MySQL Netezza Facebook Google+ Twitter
Partner delivered
DB2
Microsoft SQL Server
Microsoft Analysis Services
Oracle ExadataOracle Oracle Essbase
Denodo
SAP SQL Anywhere
Teradata
1 Requires SAP Cloud Platform DBaaS license
2 SAP Cloud Platform connects to data using Smart Data Integration and smart data access adapters
3 This does not require the BI platform
Import
Cloud data sources
Google Drive
SAP Cloud Platform1 SAP Business ByDesignSAP Hybris Cloud for Customer
SAP Fieldglass
Google BigQuery Google Sheets
SAP S4HANA Cloud
ODataSalesforce
SAP SuccessFactors ConcurSAP Workforce Analytics
SAP data sources
SAP BPC NW amp MS SAP HANA SAP ERP SAP BusinessObjects Universe SAP BW
SAP S4HANA
Other data sources
IBM Microsoft SQL Server MySQL Netezza OData Oracle
Progress OpenEdgeCSV Excel
Partner delivered
Web Intelligence QuickBooks
NetSuite CRM amp ERP
Microsoft SharePoint
MongoDB
Oracle Marketing Cloud
eloqua
Google Analytics
Hubspot
Marketo
Microsoft Dynamics CRM
SugarCRM
SAP BW4HANA
Microsoft Azure
Redshift
MongoDB MongoDB Atlas MySQL
SAP data sources
SAP HANA SAP BW SAP BW4HANA
Cloud data sources
Netezza
Dow Jones DNA
Google BigQuery
SAP IQ
SAP BPC Embedded3rd party CRM3rd party Cloud Storage
HortonworksCloudera
Amazon S3
Same data sources as SAP BI 423
SAP Marketing Cloud
SAP Marketing Cloud
SAP Integrated Business Planning
5PUBLICcopy 2019 SAP SE or an SAP affiliate company All rights reserved ǀ
Course Introduction and Connectivity Overview
Live connections
SAP Analytics
CloudMetadata
queries
Data queries
Direct connection between browser and source system
Only metadata is stored in SAP Analytics Cloud
Browser retrieves the metadata from SAP Analytics Cloud and queries the source system
Data doesnrsquot flow through SAP Analytics Cloud (some exceptions)
Connections are made over HTTPS and use SAPrsquos information access layer (InA)
protocol for data queries
SAP BW
SAP HANA
SAP BW4HANA
SAP S4HANA
SAP BusinessObjects BI4 Universes
SAP BPC
6PUBLICcopy 2019 SAP SE or an SAP affiliate company All rights reserved ǀ
Course Introduction and Connectivity Overview
What is metadata
Connection definition
Browser uses this information to establish live connection to data sources
Connection name description data source server and port preferred language etcNo user and password are stored in SAC live connection description
Model definition
Based on connection definition model defines query on your data source based on data source metadata
Linked data source query (BW query name calculation view name universe name)Field definition (measures and dimensions)Field types scales decimals aggregation types formulas units and currencies aggregation exceptionsDimension definition and hierarchy typeInput control values to query data sourcesData or dimension value from data sources are not stored in SAP Analytics Cloud except values of filters and input controls used in query if any
Story definition
Based on models story defines your dashboard
Linked models story description layout labels styling page names RSS feed definition embedded HTML images conditional formatting rules linked analysis navigation chart types chart positions in story specific chart parameters (color and styling comment variance definition reference line definition top N parameter sorting parameter all parameters depending on type of chart) filter values formulas linked column relationships for filtering (live connection) story defined variables etcData or dimension value from data sources are not stored in SAP Analytics Cloud except values of filters and input controls used in query if any
Metadata isldquoIDrdquo ldquoNamerdquo ldquoPhone Numberrdquo ldquoSalaryrdquo
Data is1 Alex Bean 555-324-2342 $800002 Corey Foo 777-234-2318 $100000
7PUBLICcopy 2019 SAP SE or an SAP affiliate company All rights reserved ǀ
Course Introduction and Connectivity Overview
Exceptions to data movement for live connections
Smart grouping and predictive forecasting-
enabled
R integration enabled for live models
Blending between acquired and live models
Search to insight for live models
8PUBLICcopy 2019 SAP SE or an SAP affiliate company All rights reserved ǀ
Course Introduction and Connectivity Overview
Cross-origin resource sharing (CORS)
Live connections with SAP Analytics Cloud using CORS
CORS is an Internet standard that defines a way in which a browser and server can interact to determine
whether or not it is safe to allow the cross-origin request
CORS allows us to get around browserrsquos same-origin policyResource 1
Resource 2
Get resource 1
Response
Get resource 2
Response
When a domain is requesting to interact with a resource on another domain request headers are added from the first domain in order to use the cross-origin resource sharing feature These are the HTTP request headers that may be associated with the requesting domain- Origin- Access-Control-Request-Method- Access-Control-Request-Headers
The domain from which resources are being requested can respond to the first domain with the following HTTP response headers based on what configuration options are setAccess-Control-Allow-OriginAccess-Control-Allow-CredentialsAccess-Control-Expose-HeadersAccess-Control-Max-AgeAccess-Control-Allow-MethodsAccess-Control-Allow-Headers
9PUBLICcopy 2019 SAP SE or an SAP affiliate company All rights reserved ǀ
Course Introduction and Connectivity Overview
Live connections workflow
SAP BW
SAP HANA
SAP BW4HANA
SAP S4HANA
SAP BusinessObjects BI4 Universes
HTTPS
CORS
SAML
SA
ML
SAML 2 IDP
SAP BW
SAP BPC
SAP Analytics
CloudF
irew
all
HTTPS
SAML
Metadata Data
Fir
ew
all
Fir
ew
all
Fir
ew
all
Public Domain Customer NetworkDMZ
10PUBLICcopy 2019 SAP SE or an SAP affiliate company All rights reserved ǀ
Course Introduction and Connectivity Overview
SAML workflow
Identity Provider
Service Provider
Web B
row
ser
Resource
1
2
8
7
3
4
5
6
Service Request
ltSAMLRequestgt
Resource
ltSAMLResponsegt
ltSAMLRequestgt
ltSAMLResponsegt
Login Request
Login1 Service request (protected access)
2 Service needs authentication
3 ltSAMLRequestgt in POST (HTTP body) in a
HTML form or in GET (URL parameter)
4 Login request of IDP
5 Send credentials
6 Send SAML assertion as ltSAMLResponsegt
with secured user name identifier in HTTP body
7 Forward ltSAMLResponsegt as POST
parameter to assertion consumer service of SP
8 Send data of the service to the user
ACS
11PUBLICcopy 2019 SAP SE or an SAP affiliate company All rights reserved ǀ
Course Introduction and Connectivity Overview
On-premise import data connections
Additional on-premise components to deploy
1 SAP Cloud Connector
2 SAP Analytics Cloud agent
Cloud Connector
Secure data transfers between the on-premise data
source and SAP Cloud Platform
SAP Analytics Cloud agent
Connect and send query requests to the on-premise
data source
Supports Apache Tomcat 7 or higher
Java Standard Edition Runtime Environment version
7 or higher
Cloud Connector
SAP Analytics Cloud
Agent
On-Premise Data
Sources
SAP Analytics
Cloud
12PUBLICcopy 2019 SAP SE or an SAP affiliate company All rights reserved ǀ
Course Introduction and Connectivity Overview
Data import workflow
ODATA
SAP BPC NW
SQL Databases
Data
SAP Analytics Cloud Agent SAP BW
SAP ERP
SAP Analytics
Cloud
Public Domain Customer Network
Fir
ew
all
Fir
ew
all
DMZ
Fir
ew
all
Fir
ew
all
Cloud Connector
SAP S4HANA
SAP BPC MS
SAP BusinessObjects BI4 Universes
File Server
Data
Data
Data
13PUBLICcopy 2019 SAP SE or an SAP affiliate company All rights reserved ǀ
Target Audience
IT administrators
Cloud architects
Course Requirements
Background in SAP applications such as
SAP HANA SAP BW SAP S4HANA and
SAP BusinessObjects BI4
Understanding of SAML SSO concepts
Course Introduction and Connectivity Overview
Target audience and course requirements
14PUBLICcopy 2019 SAP SE or an SAP affiliate company All rights reserved ǀ
Option 1
Deploy the provided solution system in your own AWS
account Solution system contains 3 images that include
minus SAP NetWeaver IDP
minus SAP BW4HANA
minus SAP HANA
minus SAP BusinessObjects BI42 SP6
minus SAP Web Dispatcher Reverse Proxy
Requires existing subscription to SAP Analytics Cloud or
purchase of a new BI-only subscription for USD 23month
Option 2
Use provided click-through demos that simulate working
with a real system
Course Introduction and Connectivity Overview
Development system access
Thank you
Contact information
opensapcom
copy 2019 SAP SE or an SAP affiliate company All rights reserved
No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of
SAP SE or an SAP affiliate company
The information contained herein may be changed without prior notice Some software products marketed by SAP SE and its
distributors contain proprietary software components of other software vendors National product specifications may vary
These materials are provided by SAP SE or an SAP affiliate company for informational purposes only without representation or
warranty of any kind and SAP or its affiliated companies shall not be liable for errors or omissions with respect to the materials
The only warranties for SAP or SAP affiliate company products and services are those that are set forth in the express warranty
statements accompanying such products and services if any Nothing herein should be construed as constituting an additional
warranty
In particular SAP SE or its affiliated companies have no obligation to pursue any course of business outlined in this document or
any related presentation or to develop or release any functionality mentioned therein This document or any related presentation
and SAP SErsquos or its affiliated companiesrsquo strategy and possible future developments products andor platforms directions and
functionality are all subject to change and may be changed by SAP SE or its affiliated companies at any time for any reason
without notice The information in this document is not a commitment promise or legal obligation to deliver any material code or
functionality All forward-looking statements are subject to various risks and uncertainties that could cause actual results to differ
materially from expectations Readers are cautioned not to place undue reliance on these forward-looking statements and they
should not be relied upon in making purchasing decisions
SAP and other SAP products and services mentioned herein as well as their respective logos are trademarks or registered
trademarks of SAP SE (or an SAP affiliate company) in Germany and other countries All other product and service names
mentioned are the trademarks of their respective companies
See wwwsapcomcopyright for additional trademark information and notices
wwwsapcomcontactsap
Follow all of SAP
Week 1 Authentication and Data Connectivity 1
Unit 2 Custom SAML SSO to SAP Analytics Cloud
2PUBLICcopy 2019 SAP SE or an SAP affiliate company All rights reserved ǀ
SAP Analytics Cloud uses SAP Cloud
Platform Identity Authentication Service
as the default authentication method
Single Sign-On (SSO) authentication to
a custom identity provider (IDP) can be
configured using SAML 20 protocol
minus Cloud or on-premise IDP can be used
minus Dynamic user creation and teamrole
mapping
minus Allows for seamless SSO
minus Two-factor authentication and Social
single-sign-on is possible
Custom SAML SSO to SAP Analytics Cloud
Authentication options
3PUBLICcopy 2019 SAP SE or an SAP affiliate company All rights reserved ǀ
Custom SAML SSO to SAP Analytics Cloud
Who should be involved
SAP Analytics Cloud system owner
SAML IDP administrator
Thank you
Contact information
opensapcom
copy 2019 SAP SE or an SAP affiliate company All rights reserved
No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of
SAP SE or an SAP affiliate company
The information contained herein may be changed without prior notice Some software products marketed by SAP SE and its
distributors contain proprietary software components of other software vendors National product specifications may vary
These materials are provided by SAP SE or an SAP affiliate company for informational purposes only without representation or
warranty of any kind and SAP or its affiliated companies shall not be liable for errors or omissions with respect to the materials
The only warranties for SAP or SAP affiliate company products and services are those that are set forth in the express warranty
statements accompanying such products and services if any Nothing herein should be construed as constituting an additional
warranty
In particular SAP SE or its affiliated companies have no obligation to pursue any course of business outlined in this document or
any related presentation or to develop or release any functionality mentioned therein This document or any related presentation
and SAP SErsquos or its affiliated companiesrsquo strategy and possible future developments products andor platforms directions and
functionality are all subject to change and may be changed by SAP SE or its affiliated companies at any time for any reason
without notice The information in this document is not a commitment promise or legal obligation to deliver any material code or
functionality All forward-looking statements are subject to various risks and uncertainties that could cause actual results to differ
materially from expectations Readers are cautioned not to place undue reliance on these forward-looking statements and they
should not be relied upon in making purchasing decisions
SAP and other SAP products and services mentioned herein as well as their respective logos are trademarks or registered
trademarks of SAP SE (or an SAP affiliate company) in Germany and other countries All other product and service names
mentioned are the trademarks of their respective companies
See wwwsapcomcopyright for additional trademark information and notices
wwwsapcomcontactsap
Follow all of SAP
Week 1 Authentication and Data Connectivity 1
Unit 3 Additional Authentication Options
2PUBLICcopy 2019 SAP SE or an SAP affiliate company All rights reserved ǀ
Additional Authentication Options
Seamless SSO Social SSO and two-factor authentication
SAML 2 IDP
X509 Client
Certificate
Kerberos
SAML
Seamless SSO to SAP Analytics Cloud
minus Requires custom IDP to support either
Kerberos or client certificate authentication
minus Existing PKI infrastructure required to
support client certificate authentication
minus Kerberos typically only for Intranet
scenarios
Two-factor authentication and Social SSO
possible provided your custom IDP supports
these features
SAP
Analytics
Cloud
Thank you
Contact information
opensapcom
copy 2019 SAP SE or an SAP affiliate company All rights reserved
No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of
SAP SE or an SAP affiliate company
The information contained herein may be changed without prior notice Some software products marketed by SAP SE and its
distributors contain proprietary software components of other software vendors National product specifications may vary
These materials are provided by SAP SE or an SAP affiliate company for informational purposes only without representation or
warranty of any kind and SAP or its affiliated companies shall not be liable for errors or omissions with respect to the materials
The only warranties for SAP or SAP affiliate company products and services are those that are set forth in the express warranty
statements accompanying such products and services if any Nothing herein should be construed as constituting an additional
warranty
In particular SAP SE or its affiliated companies have no obligation to pursue any course of business outlined in this document or
any related presentation or to develop or release any functionality mentioned therein This document or any related presentation
and SAP SErsquos or its affiliated companiesrsquo strategy and possible future developments products andor platforms directions and
functionality are all subject to change and may be changed by SAP SE or its affiliated companies at any time for any reason
without notice The information in this document is not a commitment promise or legal obligation to deliver any material code or
functionality All forward-looking statements are subject to various risks and uncertainties that could cause actual results to differ
materially from expectations Readers are cautioned not to place undue reliance on these forward-looking statements and they
should not be relied upon in making purchasing decisions
SAP and other SAP products and services mentioned herein as well as their respective logos are trademarks or registered
trademarks of SAP SE (or an SAP affiliate company) in Germany and other countries All other product and service names
mentioned are the trademarks of their respective companies
See wwwsapcomcopyright for additional trademark information and notices
wwwsapcomcontactsap
Follow all of SAP
Week 1 Authentication and Data Connectivity 1
Unit 4 Live Connection to SAP HANA with SAML SSO
2PUBLICcopy 2019 SAP SE or an SAP affiliate company All rights reserved ǀ
Live Connection to SAP HANA with SAML SSO
Prerequisites
CORS
minus Minimum SAP HANA versions SAP HANA 10 SPS12 or
SAP HANA 20 SP01
minus Compatible EPMMDS package installed on SAP HANA 2x
minus SAP HANA XS server is configured for HTTPS (SSL) with a
signed certificate
minus Users assigned sapbcinaservicev2userRoleINA_USER role
minus Access to SAP HANArsquos XS admin
https[HANA_XS_HOST][HTTPS_Port]saphanaxsadmin
minus Browser configured to accept cookies from SAP HANA server
SAML
minus SAP Analytics Cloud pre-configured to use custom SAML
minus Browser configured to allow popups from sapanalyticscloud
minus Access to SAP HANArsquos Web IDE
https[HANA_XS_HOST][HTTPS_Port]saphanaideeditor
3PUBLICcopy 2019 SAP SE or an SAP affiliate company All rights reserved ǀ
SAML2 Identity Provider
auth
InA
Service
1 Web Request
2 ltSAMLRequestgt
3 ltSAMLRequestgt
4 ltSAMLResponsegt
5 ltSAMLResponsegt
6 Content (auto-close popup)
7 CORS AJAX Request
8 CORS AJAX Response (Content)
Popup
Window
Main
Window
0 Popup window opens
1 Popup window requests the
auth node
2 Authentication required for
the auth node
3 SAMLRequest sent to IdP
4 IdP returns SAML response
as the browser was already
authenticated during SAP
Analytics Cloud logon
5 SAML assertion sent to SP
6 SP returns content of the
auth node causing auto-
closure of the popup window
7 Main browser window sends
CORS AJAX request to InA
service
8 SP returns InA content as
the browser is already
authenticatedSAML 2 Service Provider
SAP HANA
SAP BW
SAP S4HANA
SAP BusinessObjects BI4
SAP BPC
Live Connection to SAP HANA with SAML SSO
SAML workflow for SAP live sources
4PUBLICcopy 2019 SAP SE or an SAP affiliate company All rights reserved ǀ
Live Connection to SAP HANA with SAML SSO
Who should be involved
SAP HANA administrator
SAP Analytics Cloud admin
SAML IDP administrator
Network security administrator (for signed SSL certificates)
Thank you
Contact information
opensapcom
copy 2019 SAP SE or an SAP affiliate company All rights reserved
No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of
SAP SE or an SAP affiliate company
The information contained herein may be changed without prior notice Some software products marketed by SAP SE and its
distributors contain proprietary software components of other software vendors National product specifications may vary
These materials are provided by SAP SE or an SAP affiliate company for informational purposes only without representation or
warranty of any kind and SAP or its affiliated companies shall not be liable for errors or omissions with respect to the materials
The only warranties for SAP or SAP affiliate company products and services are those that are set forth in the express warranty
statements accompanying such products and services if any Nothing herein should be construed as constituting an additional
warranty
In particular SAP SE or its affiliated companies have no obligation to pursue any course of business outlined in this document or
any related presentation or to develop or release any functionality mentioned therein This document or any related presentation
and SAP SErsquos or its affiliated companiesrsquo strategy and possible future developments products andor platforms directions and
functionality are all subject to change and may be changed by SAP SE or its affiliated companies at any time for any reason
without notice The information in this document is not a commitment promise or legal obligation to deliver any material code or
functionality All forward-looking statements are subject to various risks and uncertainties that could cause actual results to differ
materially from expectations Readers are cautioned not to place undue reliance on these forward-looking statements and they
should not be relied upon in making purchasing decisions
SAP and other SAP products and services mentioned herein as well as their respective logos are trademarks or registered
trademarks of SAP SE (or an SAP affiliate company) in Germany and other countries All other product and service names
mentioned are the trademarks of their respective companies
See wwwsapcomcopyright for additional trademark information and notices
wwwsapcomcontactsap
Follow all of SAP
- openSAP_sac2_Week_1_Unit_1_COURSEINTRO_Presentation
- openSAP_sac2_Week_1_Unit_2_CUSTSAMLSSO_Presentation
- openSAP_sac2_Week_1_Unit_3_ADDAUT_Presentation
- openSAP_sac2_Week_1_Unit_4_LIVECONN_Presentation
-
2PUBLICcopy 2019 SAP SE or an SAP affiliate company All rights reserved ǀ
Week 1 Authentication and Data Connectivity 1
SAP Analytics Cloud authentication options
Live connections to SAP HANA with SAML SSO
Week 2 Authentication and Data Connectivity 2
Live connections to SAP NW with SAML SSO
Live connections to SAP BusinessObjects BI Platform
Week 3 Authentication and Data Connectivity 3
Live connections to cloud sources
Import data connectivity
Troubleshooting direct authentication Internet scenarios
Course Introduction and Connectivity Overview
Course agenda
3PUBLICcopy 2019 SAP SE or an SAP affiliate company All rights reserved ǀ
Course Introduction and Connectivity Overview
Data connectivity types
Live Connection
Performs analysis without data replication
Confidential data stays in customer landscape
Data security implemented in the source system
is respected
Leverages existing investments built in source
systems
Complex data modeling is performed centrally
by IT
Low latency ndash near real-time
End-to-end SSO accomplished via SAML 20
Import Connection
Data is imported into SAP Analytics Cloud
Leverages capabilities such as Planning and
Smart Assist
Best for data preparation and data blending
scenarios
Scheduled data replication
4PUBLICcopy 2019 SAP SE or an SAP affiliate company All rights reserved ǀ
Course Introduction and Connectivity Overview
Data sources
Live
SAP Cloud Platform1 SAP S4HANA Cloud
SAP S4HANA
SAP BusinessObjects Universe
Access via SDI for SAP Cloud Platform amp SAP HANA2
Apache Hive AWS SAP Vora SAP Sybase ASE IQ ESP
Microsoft SQL Server Spark SQL Oracle Teradata
OData
MaxDB
IBM DB2 MySQL Netezza Facebook Google+ Twitter
Partner delivered
DB2
Microsoft SQL Server
Microsoft Analysis Services
Oracle ExadataOracle Oracle Essbase
Denodo
SAP SQL Anywhere
Teradata
1 Requires SAP Cloud Platform DBaaS license
2 SAP Cloud Platform connects to data using Smart Data Integration and smart data access adapters
3 This does not require the BI platform
Import
Cloud data sources
Google Drive
SAP Cloud Platform1 SAP Business ByDesignSAP Hybris Cloud for Customer
SAP Fieldglass
Google BigQuery Google Sheets
SAP S4HANA Cloud
ODataSalesforce
SAP SuccessFactors ConcurSAP Workforce Analytics
SAP data sources
SAP BPC NW amp MS SAP HANA SAP ERP SAP BusinessObjects Universe SAP BW
SAP S4HANA
Other data sources
IBM Microsoft SQL Server MySQL Netezza OData Oracle
Progress OpenEdgeCSV Excel
Partner delivered
Web Intelligence QuickBooks
NetSuite CRM amp ERP
Microsoft SharePoint
MongoDB
Oracle Marketing Cloud
eloqua
Google Analytics
Hubspot
Marketo
Microsoft Dynamics CRM
SugarCRM
SAP BW4HANA
Microsoft Azure
Redshift
MongoDB MongoDB Atlas MySQL
SAP data sources
SAP HANA SAP BW SAP BW4HANA
Cloud data sources
Netezza
Dow Jones DNA
Google BigQuery
SAP IQ
SAP BPC Embedded3rd party CRM3rd party Cloud Storage
HortonworksCloudera
Amazon S3
Same data sources as SAP BI 423
SAP Marketing Cloud
SAP Marketing Cloud
SAP Integrated Business Planning
5PUBLICcopy 2019 SAP SE or an SAP affiliate company All rights reserved ǀ
Course Introduction and Connectivity Overview
Live connections
SAP Analytics
CloudMetadata
queries
Data queries
Direct connection between browser and source system
Only metadata is stored in SAP Analytics Cloud
Browser retrieves the metadata from SAP Analytics Cloud and queries the source system
Data doesnrsquot flow through SAP Analytics Cloud (some exceptions)
Connections are made over HTTPS and use SAPrsquos information access layer (InA)
protocol for data queries
SAP BW
SAP HANA
SAP BW4HANA
SAP S4HANA
SAP BusinessObjects BI4 Universes
SAP BPC
6PUBLICcopy 2019 SAP SE or an SAP affiliate company All rights reserved ǀ
Course Introduction and Connectivity Overview
What is metadata
Connection definition
Browser uses this information to establish live connection to data sources
Connection name description data source server and port preferred language etcNo user and password are stored in SAC live connection description
Model definition
Based on connection definition model defines query on your data source based on data source metadata
Linked data source query (BW query name calculation view name universe name)Field definition (measures and dimensions)Field types scales decimals aggregation types formulas units and currencies aggregation exceptionsDimension definition and hierarchy typeInput control values to query data sourcesData or dimension value from data sources are not stored in SAP Analytics Cloud except values of filters and input controls used in query if any
Story definition
Based on models story defines your dashboard
Linked models story description layout labels styling page names RSS feed definition embedded HTML images conditional formatting rules linked analysis navigation chart types chart positions in story specific chart parameters (color and styling comment variance definition reference line definition top N parameter sorting parameter all parameters depending on type of chart) filter values formulas linked column relationships for filtering (live connection) story defined variables etcData or dimension value from data sources are not stored in SAP Analytics Cloud except values of filters and input controls used in query if any
Metadata isldquoIDrdquo ldquoNamerdquo ldquoPhone Numberrdquo ldquoSalaryrdquo
Data is1 Alex Bean 555-324-2342 $800002 Corey Foo 777-234-2318 $100000
7PUBLICcopy 2019 SAP SE or an SAP affiliate company All rights reserved ǀ
Course Introduction and Connectivity Overview
Exceptions to data movement for live connections
Smart grouping and predictive forecasting-
enabled
R integration enabled for live models
Blending between acquired and live models
Search to insight for live models
8PUBLICcopy 2019 SAP SE or an SAP affiliate company All rights reserved ǀ
Course Introduction and Connectivity Overview
Cross-origin resource sharing (CORS)
Live connections with SAP Analytics Cloud using CORS
CORS is an Internet standard that defines a way in which a browser and server can interact to determine
whether or not it is safe to allow the cross-origin request
CORS allows us to get around browserrsquos same-origin policyResource 1
Resource 2
Get resource 1
Response
Get resource 2
Response
When a domain is requesting to interact with a resource on another domain request headers are added from the first domain in order to use the cross-origin resource sharing feature These are the HTTP request headers that may be associated with the requesting domain- Origin- Access-Control-Request-Method- Access-Control-Request-Headers
The domain from which resources are being requested can respond to the first domain with the following HTTP response headers based on what configuration options are setAccess-Control-Allow-OriginAccess-Control-Allow-CredentialsAccess-Control-Expose-HeadersAccess-Control-Max-AgeAccess-Control-Allow-MethodsAccess-Control-Allow-Headers
9PUBLICcopy 2019 SAP SE or an SAP affiliate company All rights reserved ǀ
Course Introduction and Connectivity Overview
Live connections workflow
SAP BW
SAP HANA
SAP BW4HANA
SAP S4HANA
SAP BusinessObjects BI4 Universes
HTTPS
CORS
SAML
SA
ML
SAML 2 IDP
SAP BW
SAP BPC
SAP Analytics
CloudF
irew
all
HTTPS
SAML
Metadata Data
Fir
ew
all
Fir
ew
all
Fir
ew
all
Public Domain Customer NetworkDMZ
10PUBLICcopy 2019 SAP SE or an SAP affiliate company All rights reserved ǀ
Course Introduction and Connectivity Overview
SAML workflow
Identity Provider
Service Provider
Web B
row
ser
Resource
1
2
8
7
3
4
5
6
Service Request
ltSAMLRequestgt
Resource
ltSAMLResponsegt
ltSAMLRequestgt
ltSAMLResponsegt
Login Request
Login1 Service request (protected access)
2 Service needs authentication
3 ltSAMLRequestgt in POST (HTTP body) in a
HTML form or in GET (URL parameter)
4 Login request of IDP
5 Send credentials
6 Send SAML assertion as ltSAMLResponsegt
with secured user name identifier in HTTP body
7 Forward ltSAMLResponsegt as POST
parameter to assertion consumer service of SP
8 Send data of the service to the user
ACS
11PUBLICcopy 2019 SAP SE or an SAP affiliate company All rights reserved ǀ
Course Introduction and Connectivity Overview
On-premise import data connections
Additional on-premise components to deploy
1 SAP Cloud Connector
2 SAP Analytics Cloud agent
Cloud Connector
Secure data transfers between the on-premise data
source and SAP Cloud Platform
SAP Analytics Cloud agent
Connect and send query requests to the on-premise
data source
Supports Apache Tomcat 7 or higher
Java Standard Edition Runtime Environment version
7 or higher
Cloud Connector
SAP Analytics Cloud
Agent
On-Premise Data
Sources
SAP Analytics
Cloud
12PUBLICcopy 2019 SAP SE or an SAP affiliate company All rights reserved ǀ
Course Introduction and Connectivity Overview
Data import workflow
ODATA
SAP BPC NW
SQL Databases
Data
SAP Analytics Cloud Agent SAP BW
SAP ERP
SAP Analytics
Cloud
Public Domain Customer Network
Fir
ew
all
Fir
ew
all
DMZ
Fir
ew
all
Fir
ew
all
Cloud Connector
SAP S4HANA
SAP BPC MS
SAP BusinessObjects BI4 Universes
File Server
Data
Data
Data
13PUBLICcopy 2019 SAP SE or an SAP affiliate company All rights reserved ǀ
Target Audience
IT administrators
Cloud architects
Course Requirements
Background in SAP applications such as
SAP HANA SAP BW SAP S4HANA and
SAP BusinessObjects BI4
Understanding of SAML SSO concepts
Course Introduction and Connectivity Overview
Target audience and course requirements
14PUBLICcopy 2019 SAP SE or an SAP affiliate company All rights reserved ǀ
Option 1
Deploy the provided solution system in your own AWS
account Solution system contains 3 images that include
minus SAP NetWeaver IDP
minus SAP BW4HANA
minus SAP HANA
minus SAP BusinessObjects BI42 SP6
minus SAP Web Dispatcher Reverse Proxy
Requires existing subscription to SAP Analytics Cloud or
purchase of a new BI-only subscription for USD 23month
Option 2
Use provided click-through demos that simulate working
with a real system
Course Introduction and Connectivity Overview
Development system access
Thank you
Contact information
opensapcom
copy 2019 SAP SE or an SAP affiliate company All rights reserved
No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of
SAP SE or an SAP affiliate company
The information contained herein may be changed without prior notice Some software products marketed by SAP SE and its
distributors contain proprietary software components of other software vendors National product specifications may vary
These materials are provided by SAP SE or an SAP affiliate company for informational purposes only without representation or
warranty of any kind and SAP or its affiliated companies shall not be liable for errors or omissions with respect to the materials
The only warranties for SAP or SAP affiliate company products and services are those that are set forth in the express warranty
statements accompanying such products and services if any Nothing herein should be construed as constituting an additional
warranty
In particular SAP SE or its affiliated companies have no obligation to pursue any course of business outlined in this document or
any related presentation or to develop or release any functionality mentioned therein This document or any related presentation
and SAP SErsquos or its affiliated companiesrsquo strategy and possible future developments products andor platforms directions and
functionality are all subject to change and may be changed by SAP SE or its affiliated companies at any time for any reason
without notice The information in this document is not a commitment promise or legal obligation to deliver any material code or
functionality All forward-looking statements are subject to various risks and uncertainties that could cause actual results to differ
materially from expectations Readers are cautioned not to place undue reliance on these forward-looking statements and they
should not be relied upon in making purchasing decisions
SAP and other SAP products and services mentioned herein as well as their respective logos are trademarks or registered
trademarks of SAP SE (or an SAP affiliate company) in Germany and other countries All other product and service names
mentioned are the trademarks of their respective companies
See wwwsapcomcopyright for additional trademark information and notices
wwwsapcomcontactsap
Follow all of SAP
Week 1 Authentication and Data Connectivity 1
Unit 2 Custom SAML SSO to SAP Analytics Cloud
2PUBLICcopy 2019 SAP SE or an SAP affiliate company All rights reserved ǀ
SAP Analytics Cloud uses SAP Cloud
Platform Identity Authentication Service
as the default authentication method
Single Sign-On (SSO) authentication to
a custom identity provider (IDP) can be
configured using SAML 20 protocol
minus Cloud or on-premise IDP can be used
minus Dynamic user creation and teamrole
mapping
minus Allows for seamless SSO
minus Two-factor authentication and Social
single-sign-on is possible
Custom SAML SSO to SAP Analytics Cloud
Authentication options
3PUBLICcopy 2019 SAP SE or an SAP affiliate company All rights reserved ǀ
Custom SAML SSO to SAP Analytics Cloud
Who should be involved
SAP Analytics Cloud system owner
SAML IDP administrator
Thank you
Contact information
opensapcom
copy 2019 SAP SE or an SAP affiliate company All rights reserved
No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of
SAP SE or an SAP affiliate company
The information contained herein may be changed without prior notice Some software products marketed by SAP SE and its
distributors contain proprietary software components of other software vendors National product specifications may vary
These materials are provided by SAP SE or an SAP affiliate company for informational purposes only without representation or
warranty of any kind and SAP or its affiliated companies shall not be liable for errors or omissions with respect to the materials
The only warranties for SAP or SAP affiliate company products and services are those that are set forth in the express warranty
statements accompanying such products and services if any Nothing herein should be construed as constituting an additional
warranty
In particular SAP SE or its affiliated companies have no obligation to pursue any course of business outlined in this document or
any related presentation or to develop or release any functionality mentioned therein This document or any related presentation
and SAP SErsquos or its affiliated companiesrsquo strategy and possible future developments products andor platforms directions and
functionality are all subject to change and may be changed by SAP SE or its affiliated companies at any time for any reason
without notice The information in this document is not a commitment promise or legal obligation to deliver any material code or
functionality All forward-looking statements are subject to various risks and uncertainties that could cause actual results to differ
materially from expectations Readers are cautioned not to place undue reliance on these forward-looking statements and they
should not be relied upon in making purchasing decisions
SAP and other SAP products and services mentioned herein as well as their respective logos are trademarks or registered
trademarks of SAP SE (or an SAP affiliate company) in Germany and other countries All other product and service names
mentioned are the trademarks of their respective companies
See wwwsapcomcopyright for additional trademark information and notices
wwwsapcomcontactsap
Follow all of SAP
Week 1 Authentication and Data Connectivity 1
Unit 3 Additional Authentication Options
2PUBLICcopy 2019 SAP SE or an SAP affiliate company All rights reserved ǀ
Additional Authentication Options
Seamless SSO Social SSO and two-factor authentication
SAML 2 IDP
X509 Client
Certificate
Kerberos
SAML
Seamless SSO to SAP Analytics Cloud
minus Requires custom IDP to support either
Kerberos or client certificate authentication
minus Existing PKI infrastructure required to
support client certificate authentication
minus Kerberos typically only for Intranet
scenarios
Two-factor authentication and Social SSO
possible provided your custom IDP supports
these features
SAP
Analytics
Cloud
Thank you
Contact information
opensapcom
copy 2019 SAP SE or an SAP affiliate company All rights reserved
No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of
SAP SE or an SAP affiliate company
The information contained herein may be changed without prior notice Some software products marketed by SAP SE and its
distributors contain proprietary software components of other software vendors National product specifications may vary
These materials are provided by SAP SE or an SAP affiliate company for informational purposes only without representation or
warranty of any kind and SAP or its affiliated companies shall not be liable for errors or omissions with respect to the materials
The only warranties for SAP or SAP affiliate company products and services are those that are set forth in the express warranty
statements accompanying such products and services if any Nothing herein should be construed as constituting an additional
warranty
In particular SAP SE or its affiliated companies have no obligation to pursue any course of business outlined in this document or
any related presentation or to develop or release any functionality mentioned therein This document or any related presentation
and SAP SErsquos or its affiliated companiesrsquo strategy and possible future developments products andor platforms directions and
functionality are all subject to change and may be changed by SAP SE or its affiliated companies at any time for any reason
without notice The information in this document is not a commitment promise or legal obligation to deliver any material code or
functionality All forward-looking statements are subject to various risks and uncertainties that could cause actual results to differ
materially from expectations Readers are cautioned not to place undue reliance on these forward-looking statements and they
should not be relied upon in making purchasing decisions
SAP and other SAP products and services mentioned herein as well as their respective logos are trademarks or registered
trademarks of SAP SE (or an SAP affiliate company) in Germany and other countries All other product and service names
mentioned are the trademarks of their respective companies
See wwwsapcomcopyright for additional trademark information and notices
wwwsapcomcontactsap
Follow all of SAP
Week 1 Authentication and Data Connectivity 1
Unit 4 Live Connection to SAP HANA with SAML SSO
2PUBLICcopy 2019 SAP SE or an SAP affiliate company All rights reserved ǀ
Live Connection to SAP HANA with SAML SSO
Prerequisites
CORS
minus Minimum SAP HANA versions SAP HANA 10 SPS12 or
SAP HANA 20 SP01
minus Compatible EPMMDS package installed on SAP HANA 2x
minus SAP HANA XS server is configured for HTTPS (SSL) with a
signed certificate
minus Users assigned sapbcinaservicev2userRoleINA_USER role
minus Access to SAP HANArsquos XS admin
https[HANA_XS_HOST][HTTPS_Port]saphanaxsadmin
minus Browser configured to accept cookies from SAP HANA server
SAML
minus SAP Analytics Cloud pre-configured to use custom SAML
minus Browser configured to allow popups from sapanalyticscloud
minus Access to SAP HANArsquos Web IDE
https[HANA_XS_HOST][HTTPS_Port]saphanaideeditor
3PUBLICcopy 2019 SAP SE or an SAP affiliate company All rights reserved ǀ
SAML2 Identity Provider
auth
InA
Service
1 Web Request
2 ltSAMLRequestgt
3 ltSAMLRequestgt
4 ltSAMLResponsegt
5 ltSAMLResponsegt
6 Content (auto-close popup)
7 CORS AJAX Request
8 CORS AJAX Response (Content)
Popup
Window
Main
Window
0 Popup window opens
1 Popup window requests the
auth node
2 Authentication required for
the auth node
3 SAMLRequest sent to IdP
4 IdP returns SAML response
as the browser was already
authenticated during SAP
Analytics Cloud logon
5 SAML assertion sent to SP
6 SP returns content of the
auth node causing auto-
closure of the popup window
7 Main browser window sends
CORS AJAX request to InA
service
8 SP returns InA content as
the browser is already
authenticatedSAML 2 Service Provider
SAP HANA
SAP BW
SAP S4HANA
SAP BusinessObjects BI4
SAP BPC
Live Connection to SAP HANA with SAML SSO
SAML workflow for SAP live sources
4PUBLICcopy 2019 SAP SE or an SAP affiliate company All rights reserved ǀ
Live Connection to SAP HANA with SAML SSO
Who should be involved
SAP HANA administrator
SAP Analytics Cloud admin
SAML IDP administrator
Network security administrator (for signed SSL certificates)
Thank you
Contact information
opensapcom
copy 2019 SAP SE or an SAP affiliate company All rights reserved
No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of
SAP SE or an SAP affiliate company
The information contained herein may be changed without prior notice Some software products marketed by SAP SE and its
distributors contain proprietary software components of other software vendors National product specifications may vary
These materials are provided by SAP SE or an SAP affiliate company for informational purposes only without representation or
warranty of any kind and SAP or its affiliated companies shall not be liable for errors or omissions with respect to the materials
The only warranties for SAP or SAP affiliate company products and services are those that are set forth in the express warranty
statements accompanying such products and services if any Nothing herein should be construed as constituting an additional
warranty
In particular SAP SE or its affiliated companies have no obligation to pursue any course of business outlined in this document or
any related presentation or to develop or release any functionality mentioned therein This document or any related presentation
and SAP SErsquos or its affiliated companiesrsquo strategy and possible future developments products andor platforms directions and
functionality are all subject to change and may be changed by SAP SE or its affiliated companies at any time for any reason
without notice The information in this document is not a commitment promise or legal obligation to deliver any material code or
functionality All forward-looking statements are subject to various risks and uncertainties that could cause actual results to differ
materially from expectations Readers are cautioned not to place undue reliance on these forward-looking statements and they
should not be relied upon in making purchasing decisions
SAP and other SAP products and services mentioned herein as well as their respective logos are trademarks or registered
trademarks of SAP SE (or an SAP affiliate company) in Germany and other countries All other product and service names
mentioned are the trademarks of their respective companies
See wwwsapcomcopyright for additional trademark information and notices
wwwsapcomcontactsap
Follow all of SAP
- openSAP_sac2_Week_1_Unit_1_COURSEINTRO_Presentation
- openSAP_sac2_Week_1_Unit_2_CUSTSAMLSSO_Presentation
- openSAP_sac2_Week_1_Unit_3_ADDAUT_Presentation
- openSAP_sac2_Week_1_Unit_4_LIVECONN_Presentation
-
3PUBLICcopy 2019 SAP SE or an SAP affiliate company All rights reserved ǀ
Course Introduction and Connectivity Overview
Data connectivity types
Live Connection
Performs analysis without data replication
Confidential data stays in customer landscape
Data security implemented in the source system
is respected
Leverages existing investments built in source
systems
Complex data modeling is performed centrally
by IT
Low latency ndash near real-time
End-to-end SSO accomplished via SAML 20
Import Connection
Data is imported into SAP Analytics Cloud
Leverages capabilities such as Planning and
Smart Assist
Best for data preparation and data blending
scenarios
Scheduled data replication
4PUBLICcopy 2019 SAP SE or an SAP affiliate company All rights reserved ǀ
Course Introduction and Connectivity Overview
Data sources
Live
SAP Cloud Platform1 SAP S4HANA Cloud
SAP S4HANA
SAP BusinessObjects Universe
Access via SDI for SAP Cloud Platform amp SAP HANA2
Apache Hive AWS SAP Vora SAP Sybase ASE IQ ESP
Microsoft SQL Server Spark SQL Oracle Teradata
OData
MaxDB
IBM DB2 MySQL Netezza Facebook Google+ Twitter
Partner delivered
DB2
Microsoft SQL Server
Microsoft Analysis Services
Oracle ExadataOracle Oracle Essbase
Denodo
SAP SQL Anywhere
Teradata
1 Requires SAP Cloud Platform DBaaS license
2 SAP Cloud Platform connects to data using Smart Data Integration and smart data access adapters
3 This does not require the BI platform
Import
Cloud data sources
Google Drive
SAP Cloud Platform1 SAP Business ByDesignSAP Hybris Cloud for Customer
SAP Fieldglass
Google BigQuery Google Sheets
SAP S4HANA Cloud
ODataSalesforce
SAP SuccessFactors ConcurSAP Workforce Analytics
SAP data sources
SAP BPC NW amp MS SAP HANA SAP ERP SAP BusinessObjects Universe SAP BW
SAP S4HANA
Other data sources
IBM Microsoft SQL Server MySQL Netezza OData Oracle
Progress OpenEdgeCSV Excel
Partner delivered
Web Intelligence QuickBooks
NetSuite CRM amp ERP
Microsoft SharePoint
MongoDB
Oracle Marketing Cloud
eloqua
Google Analytics
Hubspot
Marketo
Microsoft Dynamics CRM
SugarCRM
SAP BW4HANA
Microsoft Azure
Redshift
MongoDB MongoDB Atlas MySQL
SAP data sources
SAP HANA SAP BW SAP BW4HANA
Cloud data sources
Netezza
Dow Jones DNA
Google BigQuery
SAP IQ
SAP BPC Embedded3rd party CRM3rd party Cloud Storage
HortonworksCloudera
Amazon S3
Same data sources as SAP BI 423
SAP Marketing Cloud
SAP Marketing Cloud
SAP Integrated Business Planning
5PUBLICcopy 2019 SAP SE or an SAP affiliate company All rights reserved ǀ
Course Introduction and Connectivity Overview
Live connections
SAP Analytics
CloudMetadata
queries
Data queries
Direct connection between browser and source system
Only metadata is stored in SAP Analytics Cloud
Browser retrieves the metadata from SAP Analytics Cloud and queries the source system
Data doesnrsquot flow through SAP Analytics Cloud (some exceptions)
Connections are made over HTTPS and use SAPrsquos information access layer (InA)
protocol for data queries
SAP BW
SAP HANA
SAP BW4HANA
SAP S4HANA
SAP BusinessObjects BI4 Universes
SAP BPC
6PUBLICcopy 2019 SAP SE or an SAP affiliate company All rights reserved ǀ
Course Introduction and Connectivity Overview
What is metadata
Connection definition
Browser uses this information to establish live connection to data sources
Connection name description data source server and port preferred language etcNo user and password are stored in SAC live connection description
Model definition
Based on connection definition model defines query on your data source based on data source metadata
Linked data source query (BW query name calculation view name universe name)Field definition (measures and dimensions)Field types scales decimals aggregation types formulas units and currencies aggregation exceptionsDimension definition and hierarchy typeInput control values to query data sourcesData or dimension value from data sources are not stored in SAP Analytics Cloud except values of filters and input controls used in query if any
Story definition
Based on models story defines your dashboard
Linked models story description layout labels styling page names RSS feed definition embedded HTML images conditional formatting rules linked analysis navigation chart types chart positions in story specific chart parameters (color and styling comment variance definition reference line definition top N parameter sorting parameter all parameters depending on type of chart) filter values formulas linked column relationships for filtering (live connection) story defined variables etcData or dimension value from data sources are not stored in SAP Analytics Cloud except values of filters and input controls used in query if any
Metadata isldquoIDrdquo ldquoNamerdquo ldquoPhone Numberrdquo ldquoSalaryrdquo
Data is1 Alex Bean 555-324-2342 $800002 Corey Foo 777-234-2318 $100000
7PUBLICcopy 2019 SAP SE or an SAP affiliate company All rights reserved ǀ
Course Introduction and Connectivity Overview
Exceptions to data movement for live connections
Smart grouping and predictive forecasting-
enabled
R integration enabled for live models
Blending between acquired and live models
Search to insight for live models
8PUBLICcopy 2019 SAP SE or an SAP affiliate company All rights reserved ǀ
Course Introduction and Connectivity Overview
Cross-origin resource sharing (CORS)
Live connections with SAP Analytics Cloud using CORS
CORS is an Internet standard that defines a way in which a browser and server can interact to determine
whether or not it is safe to allow the cross-origin request
CORS allows us to get around browserrsquos same-origin policyResource 1
Resource 2
Get resource 1
Response
Get resource 2
Response
When a domain is requesting to interact with a resource on another domain request headers are added from the first domain in order to use the cross-origin resource sharing feature These are the HTTP request headers that may be associated with the requesting domain- Origin- Access-Control-Request-Method- Access-Control-Request-Headers
The domain from which resources are being requested can respond to the first domain with the following HTTP response headers based on what configuration options are setAccess-Control-Allow-OriginAccess-Control-Allow-CredentialsAccess-Control-Expose-HeadersAccess-Control-Max-AgeAccess-Control-Allow-MethodsAccess-Control-Allow-Headers
9PUBLICcopy 2019 SAP SE or an SAP affiliate company All rights reserved ǀ
Course Introduction and Connectivity Overview
Live connections workflow
SAP BW
SAP HANA
SAP BW4HANA
SAP S4HANA
SAP BusinessObjects BI4 Universes
HTTPS
CORS
SAML
SA
ML
SAML 2 IDP
SAP BW
SAP BPC
SAP Analytics
CloudF
irew
all
HTTPS
SAML
Metadata Data
Fir
ew
all
Fir
ew
all
Fir
ew
all
Public Domain Customer NetworkDMZ
10PUBLICcopy 2019 SAP SE or an SAP affiliate company All rights reserved ǀ
Course Introduction and Connectivity Overview
SAML workflow
Identity Provider
Service Provider
Web B
row
ser
Resource
1
2
8
7
3
4
5
6
Service Request
ltSAMLRequestgt
Resource
ltSAMLResponsegt
ltSAMLRequestgt
ltSAMLResponsegt
Login Request
Login1 Service request (protected access)
2 Service needs authentication
3 ltSAMLRequestgt in POST (HTTP body) in a
HTML form or in GET (URL parameter)
4 Login request of IDP
5 Send credentials
6 Send SAML assertion as ltSAMLResponsegt
with secured user name identifier in HTTP body
7 Forward ltSAMLResponsegt as POST
parameter to assertion consumer service of SP
8 Send data of the service to the user
ACS
11PUBLICcopy 2019 SAP SE or an SAP affiliate company All rights reserved ǀ
Course Introduction and Connectivity Overview
On-premise import data connections
Additional on-premise components to deploy
1 SAP Cloud Connector
2 SAP Analytics Cloud agent
Cloud Connector
Secure data transfers between the on-premise data
source and SAP Cloud Platform
SAP Analytics Cloud agent
Connect and send query requests to the on-premise
data source
Supports Apache Tomcat 7 or higher
Java Standard Edition Runtime Environment version
7 or higher
Cloud Connector
SAP Analytics Cloud
Agent
On-Premise Data
Sources
SAP Analytics
Cloud
12PUBLICcopy 2019 SAP SE or an SAP affiliate company All rights reserved ǀ
Course Introduction and Connectivity Overview
Data import workflow
ODATA
SAP BPC NW
SQL Databases
Data
SAP Analytics Cloud Agent SAP BW
SAP ERP
SAP Analytics
Cloud
Public Domain Customer Network
Fir
ew
all
Fir
ew
all
DMZ
Fir
ew
all
Fir
ew
all
Cloud Connector
SAP S4HANA
SAP BPC MS
SAP BusinessObjects BI4 Universes
File Server
Data
Data
Data
13PUBLICcopy 2019 SAP SE or an SAP affiliate company All rights reserved ǀ
Target Audience
IT administrators
Cloud architects
Course Requirements
Background in SAP applications such as
SAP HANA SAP BW SAP S4HANA and
SAP BusinessObjects BI4
Understanding of SAML SSO concepts
Course Introduction and Connectivity Overview
Target audience and course requirements
14PUBLICcopy 2019 SAP SE or an SAP affiliate company All rights reserved ǀ
Option 1
Deploy the provided solution system in your own AWS
account Solution system contains 3 images that include
minus SAP NetWeaver IDP
minus SAP BW4HANA
minus SAP HANA
minus SAP BusinessObjects BI42 SP6
minus SAP Web Dispatcher Reverse Proxy
Requires existing subscription to SAP Analytics Cloud or
purchase of a new BI-only subscription for USD 23month
Option 2
Use provided click-through demos that simulate working
with a real system
Course Introduction and Connectivity Overview
Development system access
Thank you
Contact information
opensapcom
copy 2019 SAP SE or an SAP affiliate company All rights reserved
No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of
SAP SE or an SAP affiliate company
The information contained herein may be changed without prior notice Some software products marketed by SAP SE and its
distributors contain proprietary software components of other software vendors National product specifications may vary
These materials are provided by SAP SE or an SAP affiliate company for informational purposes only without representation or
warranty of any kind and SAP or its affiliated companies shall not be liable for errors or omissions with respect to the materials
The only warranties for SAP or SAP affiliate company products and services are those that are set forth in the express warranty
statements accompanying such products and services if any Nothing herein should be construed as constituting an additional
warranty
In particular SAP SE or its affiliated companies have no obligation to pursue any course of business outlined in this document or
any related presentation or to develop or release any functionality mentioned therein This document or any related presentation
and SAP SErsquos or its affiliated companiesrsquo strategy and possible future developments products andor platforms directions and
functionality are all subject to change and may be changed by SAP SE or its affiliated companies at any time for any reason
without notice The information in this document is not a commitment promise or legal obligation to deliver any material code or
functionality All forward-looking statements are subject to various risks and uncertainties that could cause actual results to differ
materially from expectations Readers are cautioned not to place undue reliance on these forward-looking statements and they
should not be relied upon in making purchasing decisions
SAP and other SAP products and services mentioned herein as well as their respective logos are trademarks or registered
trademarks of SAP SE (or an SAP affiliate company) in Germany and other countries All other product and service names
mentioned are the trademarks of their respective companies
See wwwsapcomcopyright for additional trademark information and notices
wwwsapcomcontactsap
Follow all of SAP
Week 1 Authentication and Data Connectivity 1
Unit 2 Custom SAML SSO to SAP Analytics Cloud
2PUBLICcopy 2019 SAP SE or an SAP affiliate company All rights reserved ǀ
SAP Analytics Cloud uses SAP Cloud
Platform Identity Authentication Service
as the default authentication method
Single Sign-On (SSO) authentication to
a custom identity provider (IDP) can be
configured using SAML 20 protocol
minus Cloud or on-premise IDP can be used
minus Dynamic user creation and teamrole
mapping
minus Allows for seamless SSO
minus Two-factor authentication and Social
single-sign-on is possible
Custom SAML SSO to SAP Analytics Cloud
Authentication options
3PUBLICcopy 2019 SAP SE or an SAP affiliate company All rights reserved ǀ
Custom SAML SSO to SAP Analytics Cloud
Who should be involved
SAP Analytics Cloud system owner
SAML IDP administrator
Thank you
Contact information
opensapcom
copy 2019 SAP SE or an SAP affiliate company All rights reserved
No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of
SAP SE or an SAP affiliate company
The information contained herein may be changed without prior notice Some software products marketed by SAP SE and its
distributors contain proprietary software components of other software vendors National product specifications may vary
These materials are provided by SAP SE or an SAP affiliate company for informational purposes only without representation or
warranty of any kind and SAP or its affiliated companies shall not be liable for errors or omissions with respect to the materials
The only warranties for SAP or SAP affiliate company products and services are those that are set forth in the express warranty
statements accompanying such products and services if any Nothing herein should be construed as constituting an additional
warranty
In particular SAP SE or its affiliated companies have no obligation to pursue any course of business outlined in this document or
any related presentation or to develop or release any functionality mentioned therein This document or any related presentation
and SAP SErsquos or its affiliated companiesrsquo strategy and possible future developments products andor platforms directions and
functionality are all subject to change and may be changed by SAP SE or its affiliated companies at any time for any reason
without notice The information in this document is not a commitment promise or legal obligation to deliver any material code or
functionality All forward-looking statements are subject to various risks and uncertainties that could cause actual results to differ
materially from expectations Readers are cautioned not to place undue reliance on these forward-looking statements and they
should not be relied upon in making purchasing decisions
SAP and other SAP products and services mentioned herein as well as their respective logos are trademarks or registered
trademarks of SAP SE (or an SAP affiliate company) in Germany and other countries All other product and service names
mentioned are the trademarks of their respective companies
See wwwsapcomcopyright for additional trademark information and notices
wwwsapcomcontactsap
Follow all of SAP
Week 1 Authentication and Data Connectivity 1
Unit 3 Additional Authentication Options
2PUBLICcopy 2019 SAP SE or an SAP affiliate company All rights reserved ǀ
Additional Authentication Options
Seamless SSO Social SSO and two-factor authentication
SAML 2 IDP
X509 Client
Certificate
Kerberos
SAML
Seamless SSO to SAP Analytics Cloud
minus Requires custom IDP to support either
Kerberos or client certificate authentication
minus Existing PKI infrastructure required to
support client certificate authentication
minus Kerberos typically only for Intranet
scenarios
Two-factor authentication and Social SSO
possible provided your custom IDP supports
these features
SAP
Analytics
Cloud
Thank you
Contact information
opensapcom
copy 2019 SAP SE or an SAP affiliate company All rights reserved
No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of
SAP SE or an SAP affiliate company
The information contained herein may be changed without prior notice Some software products marketed by SAP SE and its
distributors contain proprietary software components of other software vendors National product specifications may vary
These materials are provided by SAP SE or an SAP affiliate company for informational purposes only without representation or
warranty of any kind and SAP or its affiliated companies shall not be liable for errors or omissions with respect to the materials
The only warranties for SAP or SAP affiliate company products and services are those that are set forth in the express warranty
statements accompanying such products and services if any Nothing herein should be construed as constituting an additional
warranty
In particular SAP SE or its affiliated companies have no obligation to pursue any course of business outlined in this document or
any related presentation or to develop or release any functionality mentioned therein This document or any related presentation
and SAP SErsquos or its affiliated companiesrsquo strategy and possible future developments products andor platforms directions and
functionality are all subject to change and may be changed by SAP SE or its affiliated companies at any time for any reason
without notice The information in this document is not a commitment promise or legal obligation to deliver any material code or
functionality All forward-looking statements are subject to various risks and uncertainties that could cause actual results to differ
materially from expectations Readers are cautioned not to place undue reliance on these forward-looking statements and they
should not be relied upon in making purchasing decisions
SAP and other SAP products and services mentioned herein as well as their respective logos are trademarks or registered
trademarks of SAP SE (or an SAP affiliate company) in Germany and other countries All other product and service names
mentioned are the trademarks of their respective companies
See wwwsapcomcopyright for additional trademark information and notices
wwwsapcomcontactsap
Follow all of SAP
Week 1 Authentication and Data Connectivity 1
Unit 4 Live Connection to SAP HANA with SAML SSO
2PUBLICcopy 2019 SAP SE or an SAP affiliate company All rights reserved ǀ
Live Connection to SAP HANA with SAML SSO
Prerequisites
CORS
minus Minimum SAP HANA versions SAP HANA 10 SPS12 or
SAP HANA 20 SP01
minus Compatible EPMMDS package installed on SAP HANA 2x
minus SAP HANA XS server is configured for HTTPS (SSL) with a
signed certificate
minus Users assigned sapbcinaservicev2userRoleINA_USER role
minus Access to SAP HANArsquos XS admin
https[HANA_XS_HOST][HTTPS_Port]saphanaxsadmin
minus Browser configured to accept cookies from SAP HANA server
SAML
minus SAP Analytics Cloud pre-configured to use custom SAML
minus Browser configured to allow popups from sapanalyticscloud
minus Access to SAP HANArsquos Web IDE
https[HANA_XS_HOST][HTTPS_Port]saphanaideeditor
3PUBLICcopy 2019 SAP SE or an SAP affiliate company All rights reserved ǀ
SAML2 Identity Provider
auth
InA
Service
1 Web Request
2 ltSAMLRequestgt
3 ltSAMLRequestgt
4 ltSAMLResponsegt
5 ltSAMLResponsegt
6 Content (auto-close popup)
7 CORS AJAX Request
8 CORS AJAX Response (Content)
Popup
Window
Main
Window
0 Popup window opens
1 Popup window requests the
auth node
2 Authentication required for
the auth node
3 SAMLRequest sent to IdP
4 IdP returns SAML response
as the browser was already
authenticated during SAP
Analytics Cloud logon
5 SAML assertion sent to SP
6 SP returns content of the
auth node causing auto-
closure of the popup window
7 Main browser window sends
CORS AJAX request to InA
service
8 SP returns InA content as
the browser is already
authenticatedSAML 2 Service Provider
SAP HANA
SAP BW
SAP S4HANA
SAP BusinessObjects BI4
SAP BPC
Live Connection to SAP HANA with SAML SSO
SAML workflow for SAP live sources
4PUBLICcopy 2019 SAP SE or an SAP affiliate company All rights reserved ǀ
Live Connection to SAP HANA with SAML SSO
Who should be involved
SAP HANA administrator
SAP Analytics Cloud admin
SAML IDP administrator
Network security administrator (for signed SSL certificates)
Thank you
Contact information
opensapcom
copy 2019 SAP SE or an SAP affiliate company All rights reserved
No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of
SAP SE or an SAP affiliate company
The information contained herein may be changed without prior notice Some software products marketed by SAP SE and its
distributors contain proprietary software components of other software vendors National product specifications may vary
These materials are provided by SAP SE or an SAP affiliate company for informational purposes only without representation or
warranty of any kind and SAP or its affiliated companies shall not be liable for errors or omissions with respect to the materials
The only warranties for SAP or SAP affiliate company products and services are those that are set forth in the express warranty
statements accompanying such products and services if any Nothing herein should be construed as constituting an additional
warranty
In particular SAP SE or its affiliated companies have no obligation to pursue any course of business outlined in this document or
any related presentation or to develop or release any functionality mentioned therein This document or any related presentation
and SAP SErsquos or its affiliated companiesrsquo strategy and possible future developments products andor platforms directions and
functionality are all subject to change and may be changed by SAP SE or its affiliated companies at any time for any reason
without notice The information in this document is not a commitment promise or legal obligation to deliver any material code or
functionality All forward-looking statements are subject to various risks and uncertainties that could cause actual results to differ
materially from expectations Readers are cautioned not to place undue reliance on these forward-looking statements and they
should not be relied upon in making purchasing decisions
SAP and other SAP products and services mentioned herein as well as their respective logos are trademarks or registered
trademarks of SAP SE (or an SAP affiliate company) in Germany and other countries All other product and service names
mentioned are the trademarks of their respective companies
See wwwsapcomcopyright for additional trademark information and notices
wwwsapcomcontactsap
Follow all of SAP
- openSAP_sac2_Week_1_Unit_1_COURSEINTRO_Presentation
- openSAP_sac2_Week_1_Unit_2_CUSTSAMLSSO_Presentation
- openSAP_sac2_Week_1_Unit_3_ADDAUT_Presentation
- openSAP_sac2_Week_1_Unit_4_LIVECONN_Presentation
-
4PUBLICcopy 2019 SAP SE or an SAP affiliate company All rights reserved ǀ
Course Introduction and Connectivity Overview
Data sources
Live
SAP Cloud Platform1 SAP S4HANA Cloud
SAP S4HANA
SAP BusinessObjects Universe
Access via SDI for SAP Cloud Platform amp SAP HANA2
Apache Hive AWS SAP Vora SAP Sybase ASE IQ ESP
Microsoft SQL Server Spark SQL Oracle Teradata
OData
MaxDB
IBM DB2 MySQL Netezza Facebook Google+ Twitter
Partner delivered
DB2
Microsoft SQL Server
Microsoft Analysis Services
Oracle ExadataOracle Oracle Essbase
Denodo
SAP SQL Anywhere
Teradata
1 Requires SAP Cloud Platform DBaaS license
2 SAP Cloud Platform connects to data using Smart Data Integration and smart data access adapters
3 This does not require the BI platform
Import
Cloud data sources
Google Drive
SAP Cloud Platform1 SAP Business ByDesignSAP Hybris Cloud for Customer
SAP Fieldglass
Google BigQuery Google Sheets
SAP S4HANA Cloud
ODataSalesforce
SAP SuccessFactors ConcurSAP Workforce Analytics
SAP data sources
SAP BPC NW amp MS SAP HANA SAP ERP SAP BusinessObjects Universe SAP BW
SAP S4HANA
Other data sources
IBM Microsoft SQL Server MySQL Netezza OData Oracle
Progress OpenEdgeCSV Excel
Partner delivered
Web Intelligence QuickBooks
NetSuite CRM amp ERP
Microsoft SharePoint
MongoDB
Oracle Marketing Cloud
eloqua
Google Analytics
Hubspot
Marketo
Microsoft Dynamics CRM
SugarCRM
SAP BW4HANA
Microsoft Azure
Redshift
MongoDB MongoDB Atlas MySQL
SAP data sources
SAP HANA SAP BW SAP BW4HANA
Cloud data sources
Netezza
Dow Jones DNA
Google BigQuery
SAP IQ
SAP BPC Embedded3rd party CRM3rd party Cloud Storage
HortonworksCloudera
Amazon S3
Same data sources as SAP BI 423
SAP Marketing Cloud
SAP Marketing Cloud
SAP Integrated Business Planning
5PUBLICcopy 2019 SAP SE or an SAP affiliate company All rights reserved ǀ
Course Introduction and Connectivity Overview
Live connections
SAP Analytics
CloudMetadata
queries
Data queries
Direct connection between browser and source system
Only metadata is stored in SAP Analytics Cloud
Browser retrieves the metadata from SAP Analytics Cloud and queries the source system
Data doesnrsquot flow through SAP Analytics Cloud (some exceptions)
Connections are made over HTTPS and use SAPrsquos information access layer (InA)
protocol for data queries
SAP BW
SAP HANA
SAP BW4HANA
SAP S4HANA
SAP BusinessObjects BI4 Universes
SAP BPC
6PUBLICcopy 2019 SAP SE or an SAP affiliate company All rights reserved ǀ
Course Introduction and Connectivity Overview
What is metadata
Connection definition
Browser uses this information to establish live connection to data sources
Connection name description data source server and port preferred language etcNo user and password are stored in SAC live connection description
Model definition
Based on connection definition model defines query on your data source based on data source metadata
Linked data source query (BW query name calculation view name universe name)Field definition (measures and dimensions)Field types scales decimals aggregation types formulas units and currencies aggregation exceptionsDimension definition and hierarchy typeInput control values to query data sourcesData or dimension value from data sources are not stored in SAP Analytics Cloud except values of filters and input controls used in query if any
Story definition
Based on models story defines your dashboard
Linked models story description layout labels styling page names RSS feed definition embedded HTML images conditional formatting rules linked analysis navigation chart types chart positions in story specific chart parameters (color and styling comment variance definition reference line definition top N parameter sorting parameter all parameters depending on type of chart) filter values formulas linked column relationships for filtering (live connection) story defined variables etcData or dimension value from data sources are not stored in SAP Analytics Cloud except values of filters and input controls used in query if any
Metadata isldquoIDrdquo ldquoNamerdquo ldquoPhone Numberrdquo ldquoSalaryrdquo
Data is1 Alex Bean 555-324-2342 $800002 Corey Foo 777-234-2318 $100000
7PUBLICcopy 2019 SAP SE or an SAP affiliate company All rights reserved ǀ
Course Introduction and Connectivity Overview
Exceptions to data movement for live connections
Smart grouping and predictive forecasting-
enabled
R integration enabled for live models
Blending between acquired and live models
Search to insight for live models
8PUBLICcopy 2019 SAP SE or an SAP affiliate company All rights reserved ǀ
Course Introduction and Connectivity Overview
Cross-origin resource sharing (CORS)
Live connections with SAP Analytics Cloud using CORS
CORS is an Internet standard that defines a way in which a browser and server can interact to determine
whether or not it is safe to allow the cross-origin request
CORS allows us to get around browserrsquos same-origin policyResource 1
Resource 2
Get resource 1
Response
Get resource 2
Response
When a domain is requesting to interact with a resource on another domain request headers are added from the first domain in order to use the cross-origin resource sharing feature These are the HTTP request headers that may be associated with the requesting domain- Origin- Access-Control-Request-Method- Access-Control-Request-Headers
The domain from which resources are being requested can respond to the first domain with the following HTTP response headers based on what configuration options are setAccess-Control-Allow-OriginAccess-Control-Allow-CredentialsAccess-Control-Expose-HeadersAccess-Control-Max-AgeAccess-Control-Allow-MethodsAccess-Control-Allow-Headers
9PUBLICcopy 2019 SAP SE or an SAP affiliate company All rights reserved ǀ
Course Introduction and Connectivity Overview
Live connections workflow
SAP BW
SAP HANA
SAP BW4HANA
SAP S4HANA
SAP BusinessObjects BI4 Universes
HTTPS
CORS
SAML
SA
ML
SAML 2 IDP
SAP BW
SAP BPC
SAP Analytics
CloudF
irew
all
HTTPS
SAML
Metadata Data
Fir
ew
all
Fir
ew
all
Fir
ew
all
Public Domain Customer NetworkDMZ
10PUBLICcopy 2019 SAP SE or an SAP affiliate company All rights reserved ǀ
Course Introduction and Connectivity Overview
SAML workflow
Identity Provider
Service Provider
Web B
row
ser
Resource
1
2
8
7
3
4
5
6
Service Request
ltSAMLRequestgt
Resource
ltSAMLResponsegt
ltSAMLRequestgt
ltSAMLResponsegt
Login Request
Login1 Service request (protected access)
2 Service needs authentication
3 ltSAMLRequestgt in POST (HTTP body) in a
HTML form or in GET (URL parameter)
4 Login request of IDP
5 Send credentials
6 Send SAML assertion as ltSAMLResponsegt
with secured user name identifier in HTTP body
7 Forward ltSAMLResponsegt as POST
parameter to assertion consumer service of SP
8 Send data of the service to the user
ACS
11PUBLICcopy 2019 SAP SE or an SAP affiliate company All rights reserved ǀ
Course Introduction and Connectivity Overview
On-premise import data connections
Additional on-premise components to deploy
1 SAP Cloud Connector
2 SAP Analytics Cloud agent
Cloud Connector
Secure data transfers between the on-premise data
source and SAP Cloud Platform
SAP Analytics Cloud agent
Connect and send query requests to the on-premise
data source
Supports Apache Tomcat 7 or higher
Java Standard Edition Runtime Environment version
7 or higher
Cloud Connector
SAP Analytics Cloud
Agent
On-Premise Data
Sources
SAP Analytics
Cloud
12PUBLICcopy 2019 SAP SE or an SAP affiliate company All rights reserved ǀ
Course Introduction and Connectivity Overview
Data import workflow
ODATA
SAP BPC NW
SQL Databases
Data
SAP Analytics Cloud Agent SAP BW
SAP ERP
SAP Analytics
Cloud
Public Domain Customer Network
Fir
ew
all
Fir
ew
all
DMZ
Fir
ew
all
Fir
ew
all
Cloud Connector
SAP S4HANA
SAP BPC MS
SAP BusinessObjects BI4 Universes
File Server
Data
Data
Data
13PUBLICcopy 2019 SAP SE or an SAP affiliate company All rights reserved ǀ
Target Audience
IT administrators
Cloud architects
Course Requirements
Background in SAP applications such as
SAP HANA SAP BW SAP S4HANA and
SAP BusinessObjects BI4
Understanding of SAML SSO concepts
Course Introduction and Connectivity Overview
Target audience and course requirements
14PUBLICcopy 2019 SAP SE or an SAP affiliate company All rights reserved ǀ
Option 1
Deploy the provided solution system in your own AWS
account Solution system contains 3 images that include
minus SAP NetWeaver IDP
minus SAP BW4HANA
minus SAP HANA
minus SAP BusinessObjects BI42 SP6
minus SAP Web Dispatcher Reverse Proxy
Requires existing subscription to SAP Analytics Cloud or
purchase of a new BI-only subscription for USD 23month
Option 2
Use provided click-through demos that simulate working
with a real system
Course Introduction and Connectivity Overview
Development system access
Thank you
Contact information
opensapcom
copy 2019 SAP SE or an SAP affiliate company All rights reserved
No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of
SAP SE or an SAP affiliate company
The information contained herein may be changed without prior notice Some software products marketed by SAP SE and its
distributors contain proprietary software components of other software vendors National product specifications may vary
These materials are provided by SAP SE or an SAP affiliate company for informational purposes only without representation or
warranty of any kind and SAP or its affiliated companies shall not be liable for errors or omissions with respect to the materials
The only warranties for SAP or SAP affiliate company products and services are those that are set forth in the express warranty
statements accompanying such products and services if any Nothing herein should be construed as constituting an additional
warranty
In particular SAP SE or its affiliated companies have no obligation to pursue any course of business outlined in this document or
any related presentation or to develop or release any functionality mentioned therein This document or any related presentation
and SAP SErsquos or its affiliated companiesrsquo strategy and possible future developments products andor platforms directions and
functionality are all subject to change and may be changed by SAP SE or its affiliated companies at any time for any reason
without notice The information in this document is not a commitment promise or legal obligation to deliver any material code or
functionality All forward-looking statements are subject to various risks and uncertainties that could cause actual results to differ
materially from expectations Readers are cautioned not to place undue reliance on these forward-looking statements and they
should not be relied upon in making purchasing decisions
SAP and other SAP products and services mentioned herein as well as their respective logos are trademarks or registered
trademarks of SAP SE (or an SAP affiliate company) in Germany and other countries All other product and service names
mentioned are the trademarks of their respective companies
See wwwsapcomcopyright for additional trademark information and notices
wwwsapcomcontactsap
Follow all of SAP
Week 1 Authentication and Data Connectivity 1
Unit 2 Custom SAML SSO to SAP Analytics Cloud
2PUBLICcopy 2019 SAP SE or an SAP affiliate company All rights reserved ǀ
SAP Analytics Cloud uses SAP Cloud
Platform Identity Authentication Service
as the default authentication method
Single Sign-On (SSO) authentication to
a custom identity provider (IDP) can be
configured using SAML 20 protocol
minus Cloud or on-premise IDP can be used
minus Dynamic user creation and teamrole
mapping
minus Allows for seamless SSO
minus Two-factor authentication and Social
single-sign-on is possible
Custom SAML SSO to SAP Analytics Cloud
Authentication options
3PUBLICcopy 2019 SAP SE or an SAP affiliate company All rights reserved ǀ
Custom SAML SSO to SAP Analytics Cloud
Who should be involved
SAP Analytics Cloud system owner
SAML IDP administrator
Thank you
Contact information
opensapcom
copy 2019 SAP SE or an SAP affiliate company All rights reserved
No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of
SAP SE or an SAP affiliate company
The information contained herein may be changed without prior notice Some software products marketed by SAP SE and its
distributors contain proprietary software components of other software vendors National product specifications may vary
These materials are provided by SAP SE or an SAP affiliate company for informational purposes only without representation or
warranty of any kind and SAP or its affiliated companies shall not be liable for errors or omissions with respect to the materials
The only warranties for SAP or SAP affiliate company products and services are those that are set forth in the express warranty
statements accompanying such products and services if any Nothing herein should be construed as constituting an additional
warranty
In particular SAP SE or its affiliated companies have no obligation to pursue any course of business outlined in this document or
any related presentation or to develop or release any functionality mentioned therein This document or any related presentation
and SAP SErsquos or its affiliated companiesrsquo strategy and possible future developments products andor platforms directions and
functionality are all subject to change and may be changed by SAP SE or its affiliated companies at any time for any reason
without notice The information in this document is not a commitment promise or legal obligation to deliver any material code or
functionality All forward-looking statements are subject to various risks and uncertainties that could cause actual results to differ
materially from expectations Readers are cautioned not to place undue reliance on these forward-looking statements and they
should not be relied upon in making purchasing decisions
SAP and other SAP products and services mentioned herein as well as their respective logos are trademarks or registered
trademarks of SAP SE (or an SAP affiliate company) in Germany and other countries All other product and service names
mentioned are the trademarks of their respective companies
See wwwsapcomcopyright for additional trademark information and notices
wwwsapcomcontactsap
Follow all of SAP
Week 1 Authentication and Data Connectivity 1
Unit 3 Additional Authentication Options
2PUBLICcopy 2019 SAP SE or an SAP affiliate company All rights reserved ǀ
Additional Authentication Options
Seamless SSO Social SSO and two-factor authentication
SAML 2 IDP
X509 Client
Certificate
Kerberos
SAML
Seamless SSO to SAP Analytics Cloud
minus Requires custom IDP to support either
Kerberos or client certificate authentication
minus Existing PKI infrastructure required to
support client certificate authentication
minus Kerberos typically only for Intranet
scenarios
Two-factor authentication and Social SSO
possible provided your custom IDP supports
these features
SAP
Analytics
Cloud
Thank you
Contact information
opensapcom
copy 2019 SAP SE or an SAP affiliate company All rights reserved
No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of
SAP SE or an SAP affiliate company
The information contained herein may be changed without prior notice Some software products marketed by SAP SE and its
distributors contain proprietary software components of other software vendors National product specifications may vary
These materials are provided by SAP SE or an SAP affiliate company for informational purposes only without representation or
warranty of any kind and SAP or its affiliated companies shall not be liable for errors or omissions with respect to the materials
The only warranties for SAP or SAP affiliate company products and services are those that are set forth in the express warranty
statements accompanying such products and services if any Nothing herein should be construed as constituting an additional
warranty
In particular SAP SE or its affiliated companies have no obligation to pursue any course of business outlined in this document or
any related presentation or to develop or release any functionality mentioned therein This document or any related presentation
and SAP SErsquos or its affiliated companiesrsquo strategy and possible future developments products andor platforms directions and
functionality are all subject to change and may be changed by SAP SE or its affiliated companies at any time for any reason
without notice The information in this document is not a commitment promise or legal obligation to deliver any material code or
functionality All forward-looking statements are subject to various risks and uncertainties that could cause actual results to differ
materially from expectations Readers are cautioned not to place undue reliance on these forward-looking statements and they
should not be relied upon in making purchasing decisions
SAP and other SAP products and services mentioned herein as well as their respective logos are trademarks or registered
trademarks of SAP SE (or an SAP affiliate company) in Germany and other countries All other product and service names
mentioned are the trademarks of their respective companies
See wwwsapcomcopyright for additional trademark information and notices
wwwsapcomcontactsap
Follow all of SAP
Week 1 Authentication and Data Connectivity 1
Unit 4 Live Connection to SAP HANA with SAML SSO
2PUBLICcopy 2019 SAP SE or an SAP affiliate company All rights reserved ǀ
Live Connection to SAP HANA with SAML SSO
Prerequisites
CORS
minus Minimum SAP HANA versions SAP HANA 10 SPS12 or
SAP HANA 20 SP01
minus Compatible EPMMDS package installed on SAP HANA 2x
minus SAP HANA XS server is configured for HTTPS (SSL) with a
signed certificate
minus Users assigned sapbcinaservicev2userRoleINA_USER role
minus Access to SAP HANArsquos XS admin
https[HANA_XS_HOST][HTTPS_Port]saphanaxsadmin
minus Browser configured to accept cookies from SAP HANA server
SAML
minus SAP Analytics Cloud pre-configured to use custom SAML
minus Browser configured to allow popups from sapanalyticscloud
minus Access to SAP HANArsquos Web IDE
https[HANA_XS_HOST][HTTPS_Port]saphanaideeditor
3PUBLICcopy 2019 SAP SE or an SAP affiliate company All rights reserved ǀ
SAML2 Identity Provider
auth
InA
Service
1 Web Request
2 ltSAMLRequestgt
3 ltSAMLRequestgt
4 ltSAMLResponsegt
5 ltSAMLResponsegt
6 Content (auto-close popup)
7 CORS AJAX Request
8 CORS AJAX Response (Content)
Popup
Window
Main
Window
0 Popup window opens
1 Popup window requests the
auth node
2 Authentication required for
the auth node
3 SAMLRequest sent to IdP
4 IdP returns SAML response
as the browser was already
authenticated during SAP
Analytics Cloud logon
5 SAML assertion sent to SP
6 SP returns content of the
auth node causing auto-
closure of the popup window
7 Main browser window sends
CORS AJAX request to InA
service
8 SP returns InA content as
the browser is already
authenticatedSAML 2 Service Provider
SAP HANA
SAP BW
SAP S4HANA
SAP BusinessObjects BI4
SAP BPC
Live Connection to SAP HANA with SAML SSO
SAML workflow for SAP live sources
4PUBLICcopy 2019 SAP SE or an SAP affiliate company All rights reserved ǀ
Live Connection to SAP HANA with SAML SSO
Who should be involved
SAP HANA administrator
SAP Analytics Cloud admin
SAML IDP administrator
Network security administrator (for signed SSL certificates)
Thank you
Contact information
opensapcom
copy 2019 SAP SE or an SAP affiliate company All rights reserved
No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of
SAP SE or an SAP affiliate company
The information contained herein may be changed without prior notice Some software products marketed by SAP SE and its
distributors contain proprietary software components of other software vendors National product specifications may vary
These materials are provided by SAP SE or an SAP affiliate company for informational purposes only without representation or
warranty of any kind and SAP or its affiliated companies shall not be liable for errors or omissions with respect to the materials
The only warranties for SAP or SAP affiliate company products and services are those that are set forth in the express warranty
statements accompanying such products and services if any Nothing herein should be construed as constituting an additional
warranty
In particular SAP SE or its affiliated companies have no obligation to pursue any course of business outlined in this document or
any related presentation or to develop or release any functionality mentioned therein This document or any related presentation
and SAP SErsquos or its affiliated companiesrsquo strategy and possible future developments products andor platforms directions and
functionality are all subject to change and may be changed by SAP SE or its affiliated companies at any time for any reason
without notice The information in this document is not a commitment promise or legal obligation to deliver any material code or
functionality All forward-looking statements are subject to various risks and uncertainties that could cause actual results to differ
materially from expectations Readers are cautioned not to place undue reliance on these forward-looking statements and they
should not be relied upon in making purchasing decisions
SAP and other SAP products and services mentioned herein as well as their respective logos are trademarks or registered
trademarks of SAP SE (or an SAP affiliate company) in Germany and other countries All other product and service names
mentioned are the trademarks of their respective companies
See wwwsapcomcopyright for additional trademark information and notices
wwwsapcomcontactsap
Follow all of SAP
- openSAP_sac2_Week_1_Unit_1_COURSEINTRO_Presentation
- openSAP_sac2_Week_1_Unit_2_CUSTSAMLSSO_Presentation
- openSAP_sac2_Week_1_Unit_3_ADDAUT_Presentation
- openSAP_sac2_Week_1_Unit_4_LIVECONN_Presentation
-
5PUBLICcopy 2019 SAP SE or an SAP affiliate company All rights reserved ǀ
Course Introduction and Connectivity Overview
Live connections
SAP Analytics
CloudMetadata
queries
Data queries
Direct connection between browser and source system
Only metadata is stored in SAP Analytics Cloud
Browser retrieves the metadata from SAP Analytics Cloud and queries the source system
Data doesnrsquot flow through SAP Analytics Cloud (some exceptions)
Connections are made over HTTPS and use SAPrsquos information access layer (InA)
protocol for data queries
SAP BW
SAP HANA
SAP BW4HANA
SAP S4HANA
SAP BusinessObjects BI4 Universes
SAP BPC
6PUBLICcopy 2019 SAP SE or an SAP affiliate company All rights reserved ǀ
Course Introduction and Connectivity Overview
What is metadata
Connection definition
Browser uses this information to establish live connection to data sources
Connection name description data source server and port preferred language etcNo user and password are stored in SAC live connection description
Model definition
Based on connection definition model defines query on your data source based on data source metadata
Linked data source query (BW query name calculation view name universe name)Field definition (measures and dimensions)Field types scales decimals aggregation types formulas units and currencies aggregation exceptionsDimension definition and hierarchy typeInput control values to query data sourcesData or dimension value from data sources are not stored in SAP Analytics Cloud except values of filters and input controls used in query if any
Story definition
Based on models story defines your dashboard
Linked models story description layout labels styling page names RSS feed definition embedded HTML images conditional formatting rules linked analysis navigation chart types chart positions in story specific chart parameters (color and styling comment variance definition reference line definition top N parameter sorting parameter all parameters depending on type of chart) filter values formulas linked column relationships for filtering (live connection) story defined variables etcData or dimension value from data sources are not stored in SAP Analytics Cloud except values of filters and input controls used in query if any
Metadata isldquoIDrdquo ldquoNamerdquo ldquoPhone Numberrdquo ldquoSalaryrdquo
Data is1 Alex Bean 555-324-2342 $800002 Corey Foo 777-234-2318 $100000
7PUBLICcopy 2019 SAP SE or an SAP affiliate company All rights reserved ǀ
Course Introduction and Connectivity Overview
Exceptions to data movement for live connections
Smart grouping and predictive forecasting-
enabled
R integration enabled for live models
Blending between acquired and live models
Search to insight for live models
8PUBLICcopy 2019 SAP SE or an SAP affiliate company All rights reserved ǀ
Course Introduction and Connectivity Overview
Cross-origin resource sharing (CORS)
Live connections with SAP Analytics Cloud using CORS
CORS is an Internet standard that defines a way in which a browser and server can interact to determine
whether or not it is safe to allow the cross-origin request
CORS allows us to get around browserrsquos same-origin policyResource 1
Resource 2
Get resource 1
Response
Get resource 2
Response
When a domain is requesting to interact with a resource on another domain request headers are added from the first domain in order to use the cross-origin resource sharing feature These are the HTTP request headers that may be associated with the requesting domain- Origin- Access-Control-Request-Method- Access-Control-Request-Headers
The domain from which resources are being requested can respond to the first domain with the following HTTP response headers based on what configuration options are setAccess-Control-Allow-OriginAccess-Control-Allow-CredentialsAccess-Control-Expose-HeadersAccess-Control-Max-AgeAccess-Control-Allow-MethodsAccess-Control-Allow-Headers
9PUBLICcopy 2019 SAP SE or an SAP affiliate company All rights reserved ǀ
Course Introduction and Connectivity Overview
Live connections workflow
SAP BW
SAP HANA
SAP BW4HANA
SAP S4HANA
SAP BusinessObjects BI4 Universes
HTTPS
CORS
SAML
SA
ML
SAML 2 IDP
SAP BW
SAP BPC
SAP Analytics
CloudF
irew
all
HTTPS
SAML
Metadata Data
Fir
ew
all
Fir
ew
all
Fir
ew
all
Public Domain Customer NetworkDMZ
10PUBLICcopy 2019 SAP SE or an SAP affiliate company All rights reserved ǀ
Course Introduction and Connectivity Overview
SAML workflow
Identity Provider
Service Provider
Web B
row
ser
Resource
1
2
8
7
3
4
5
6
Service Request
ltSAMLRequestgt
Resource
ltSAMLResponsegt
ltSAMLRequestgt
ltSAMLResponsegt
Login Request
Login1 Service request (protected access)
2 Service needs authentication
3 ltSAMLRequestgt in POST (HTTP body) in a
HTML form or in GET (URL parameter)
4 Login request of IDP
5 Send credentials
6 Send SAML assertion as ltSAMLResponsegt
with secured user name identifier in HTTP body
7 Forward ltSAMLResponsegt as POST
parameter to assertion consumer service of SP
8 Send data of the service to the user
ACS
11PUBLICcopy 2019 SAP SE or an SAP affiliate company All rights reserved ǀ
Course Introduction and Connectivity Overview
On-premise import data connections
Additional on-premise components to deploy
1 SAP Cloud Connector
2 SAP Analytics Cloud agent
Cloud Connector
Secure data transfers between the on-premise data
source and SAP Cloud Platform
SAP Analytics Cloud agent
Connect and send query requests to the on-premise
data source
Supports Apache Tomcat 7 or higher
Java Standard Edition Runtime Environment version
7 or higher
Cloud Connector
SAP Analytics Cloud
Agent
On-Premise Data
Sources
SAP Analytics
Cloud
12PUBLICcopy 2019 SAP SE or an SAP affiliate company All rights reserved ǀ
Course Introduction and Connectivity Overview
Data import workflow
ODATA
SAP BPC NW
SQL Databases
Data
SAP Analytics Cloud Agent SAP BW
SAP ERP
SAP Analytics
Cloud
Public Domain Customer Network
Fir
ew
all
Fir
ew
all
DMZ
Fir
ew
all
Fir
ew
all
Cloud Connector
SAP S4HANA
SAP BPC MS
SAP BusinessObjects BI4 Universes
File Server
Data
Data
Data
13PUBLICcopy 2019 SAP SE or an SAP affiliate company All rights reserved ǀ
Target Audience
IT administrators
Cloud architects
Course Requirements
Background in SAP applications such as
SAP HANA SAP BW SAP S4HANA and
SAP BusinessObjects BI4
Understanding of SAML SSO concepts
Course Introduction and Connectivity Overview
Target audience and course requirements
14PUBLICcopy 2019 SAP SE or an SAP affiliate company All rights reserved ǀ
Option 1
Deploy the provided solution system in your own AWS
account Solution system contains 3 images that include
minus SAP NetWeaver IDP
minus SAP BW4HANA
minus SAP HANA
minus SAP BusinessObjects BI42 SP6
minus SAP Web Dispatcher Reverse Proxy
Requires existing subscription to SAP Analytics Cloud or
purchase of a new BI-only subscription for USD 23month
Option 2
Use provided click-through demos that simulate working
with a real system
Course Introduction and Connectivity Overview
Development system access
Thank you
Contact information
opensapcom
copy 2019 SAP SE or an SAP affiliate company All rights reserved
No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of
SAP SE or an SAP affiliate company
The information contained herein may be changed without prior notice Some software products marketed by SAP SE and its
distributors contain proprietary software components of other software vendors National product specifications may vary
These materials are provided by SAP SE or an SAP affiliate company for informational purposes only without representation or
warranty of any kind and SAP or its affiliated companies shall not be liable for errors or omissions with respect to the materials
The only warranties for SAP or SAP affiliate company products and services are those that are set forth in the express warranty
statements accompanying such products and services if any Nothing herein should be construed as constituting an additional
warranty
In particular SAP SE or its affiliated companies have no obligation to pursue any course of business outlined in this document or
any related presentation or to develop or release any functionality mentioned therein This document or any related presentation
and SAP SErsquos or its affiliated companiesrsquo strategy and possible future developments products andor platforms directions and
functionality are all subject to change and may be changed by SAP SE or its affiliated companies at any time for any reason
without notice The information in this document is not a commitment promise or legal obligation to deliver any material code or
functionality All forward-looking statements are subject to various risks and uncertainties that could cause actual results to differ
materially from expectations Readers are cautioned not to place undue reliance on these forward-looking statements and they
should not be relied upon in making purchasing decisions
SAP and other SAP products and services mentioned herein as well as their respective logos are trademarks or registered
trademarks of SAP SE (or an SAP affiliate company) in Germany and other countries All other product and service names
mentioned are the trademarks of their respective companies
See wwwsapcomcopyright for additional trademark information and notices
wwwsapcomcontactsap
Follow all of SAP
Week 1 Authentication and Data Connectivity 1
Unit 2 Custom SAML SSO to SAP Analytics Cloud
2PUBLICcopy 2019 SAP SE or an SAP affiliate company All rights reserved ǀ
SAP Analytics Cloud uses SAP Cloud
Platform Identity Authentication Service
as the default authentication method
Single Sign-On (SSO) authentication to
a custom identity provider (IDP) can be
configured using SAML 20 protocol
minus Cloud or on-premise IDP can be used
minus Dynamic user creation and teamrole
mapping
minus Allows for seamless SSO
minus Two-factor authentication and Social
single-sign-on is possible
Custom SAML SSO to SAP Analytics Cloud
Authentication options
3PUBLICcopy 2019 SAP SE or an SAP affiliate company All rights reserved ǀ
Custom SAML SSO to SAP Analytics Cloud
Who should be involved
SAP Analytics Cloud system owner
SAML IDP administrator
Thank you
Contact information
opensapcom
copy 2019 SAP SE or an SAP affiliate company All rights reserved
No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of
SAP SE or an SAP affiliate company
The information contained herein may be changed without prior notice Some software products marketed by SAP SE and its
distributors contain proprietary software components of other software vendors National product specifications may vary
These materials are provided by SAP SE or an SAP affiliate company for informational purposes only without representation or
warranty of any kind and SAP or its affiliated companies shall not be liable for errors or omissions with respect to the materials
The only warranties for SAP or SAP affiliate company products and services are those that are set forth in the express warranty
statements accompanying such products and services if any Nothing herein should be construed as constituting an additional
warranty
In particular SAP SE or its affiliated companies have no obligation to pursue any course of business outlined in this document or
any related presentation or to develop or release any functionality mentioned therein This document or any related presentation
and SAP SErsquos or its affiliated companiesrsquo strategy and possible future developments products andor platforms directions and
functionality are all subject to change and may be changed by SAP SE or its affiliated companies at any time for any reason
without notice The information in this document is not a commitment promise or legal obligation to deliver any material code or
functionality All forward-looking statements are subject to various risks and uncertainties that could cause actual results to differ
materially from expectations Readers are cautioned not to place undue reliance on these forward-looking statements and they
should not be relied upon in making purchasing decisions
SAP and other SAP products and services mentioned herein as well as their respective logos are trademarks or registered
trademarks of SAP SE (or an SAP affiliate company) in Germany and other countries All other product and service names
mentioned are the trademarks of their respective companies
See wwwsapcomcopyright for additional trademark information and notices
wwwsapcomcontactsap
Follow all of SAP
Week 1 Authentication and Data Connectivity 1
Unit 3 Additional Authentication Options
2PUBLICcopy 2019 SAP SE or an SAP affiliate company All rights reserved ǀ
Additional Authentication Options
Seamless SSO Social SSO and two-factor authentication
SAML 2 IDP
X509 Client
Certificate
Kerberos
SAML
Seamless SSO to SAP Analytics Cloud
minus Requires custom IDP to support either
Kerberos or client certificate authentication
minus Existing PKI infrastructure required to
support client certificate authentication
minus Kerberos typically only for Intranet
scenarios
Two-factor authentication and Social SSO
possible provided your custom IDP supports
these features
SAP
Analytics
Cloud
Thank you
Contact information
opensapcom
copy 2019 SAP SE or an SAP affiliate company All rights reserved
No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of
SAP SE or an SAP affiliate company
The information contained herein may be changed without prior notice Some software products marketed by SAP SE and its
distributors contain proprietary software components of other software vendors National product specifications may vary
These materials are provided by SAP SE or an SAP affiliate company for informational purposes only without representation or
warranty of any kind and SAP or its affiliated companies shall not be liable for errors or omissions with respect to the materials
The only warranties for SAP or SAP affiliate company products and services are those that are set forth in the express warranty
statements accompanying such products and services if any Nothing herein should be construed as constituting an additional
warranty
In particular SAP SE or its affiliated companies have no obligation to pursue any course of business outlined in this document or
any related presentation or to develop or release any functionality mentioned therein This document or any related presentation
and SAP SErsquos or its affiliated companiesrsquo strategy and possible future developments products andor platforms directions and
functionality are all subject to change and may be changed by SAP SE or its affiliated companies at any time for any reason
without notice The information in this document is not a commitment promise or legal obligation to deliver any material code or
functionality All forward-looking statements are subject to various risks and uncertainties that could cause actual results to differ
materially from expectations Readers are cautioned not to place undue reliance on these forward-looking statements and they
should not be relied upon in making purchasing decisions
SAP and other SAP products and services mentioned herein as well as their respective logos are trademarks or registered
trademarks of SAP SE (or an SAP affiliate company) in Germany and other countries All other product and service names
mentioned are the trademarks of their respective companies
See wwwsapcomcopyright for additional trademark information and notices
wwwsapcomcontactsap
Follow all of SAP
Week 1 Authentication and Data Connectivity 1
Unit 4 Live Connection to SAP HANA with SAML SSO
2PUBLICcopy 2019 SAP SE or an SAP affiliate company All rights reserved ǀ
Live Connection to SAP HANA with SAML SSO
Prerequisites
CORS
minus Minimum SAP HANA versions SAP HANA 10 SPS12 or
SAP HANA 20 SP01
minus Compatible EPMMDS package installed on SAP HANA 2x
minus SAP HANA XS server is configured for HTTPS (SSL) with a
signed certificate
minus Users assigned sapbcinaservicev2userRoleINA_USER role
minus Access to SAP HANArsquos XS admin
https[HANA_XS_HOST][HTTPS_Port]saphanaxsadmin
minus Browser configured to accept cookies from SAP HANA server
SAML
minus SAP Analytics Cloud pre-configured to use custom SAML
minus Browser configured to allow popups from sapanalyticscloud
minus Access to SAP HANArsquos Web IDE
https[HANA_XS_HOST][HTTPS_Port]saphanaideeditor
3PUBLICcopy 2019 SAP SE or an SAP affiliate company All rights reserved ǀ
SAML2 Identity Provider
auth
InA
Service
1 Web Request
2 ltSAMLRequestgt
3 ltSAMLRequestgt
4 ltSAMLResponsegt
5 ltSAMLResponsegt
6 Content (auto-close popup)
7 CORS AJAX Request
8 CORS AJAX Response (Content)
Popup
Window
Main
Window
0 Popup window opens
1 Popup window requests the
auth node
2 Authentication required for
the auth node
3 SAMLRequest sent to IdP
4 IdP returns SAML response
as the browser was already
authenticated during SAP
Analytics Cloud logon
5 SAML assertion sent to SP
6 SP returns content of the
auth node causing auto-
closure of the popup window
7 Main browser window sends
CORS AJAX request to InA
service
8 SP returns InA content as
the browser is already
authenticatedSAML 2 Service Provider
SAP HANA
SAP BW
SAP S4HANA
SAP BusinessObjects BI4
SAP BPC
Live Connection to SAP HANA with SAML SSO
SAML workflow for SAP live sources
4PUBLICcopy 2019 SAP SE or an SAP affiliate company All rights reserved ǀ
Live Connection to SAP HANA with SAML SSO
Who should be involved
SAP HANA administrator
SAP Analytics Cloud admin
SAML IDP administrator
Network security administrator (for signed SSL certificates)
Thank you
Contact information
opensapcom
copy 2019 SAP SE or an SAP affiliate company All rights reserved
No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of
SAP SE or an SAP affiliate company
The information contained herein may be changed without prior notice Some software products marketed by SAP SE and its
distributors contain proprietary software components of other software vendors National product specifications may vary
These materials are provided by SAP SE or an SAP affiliate company for informational purposes only without representation or
warranty of any kind and SAP or its affiliated companies shall not be liable for errors or omissions with respect to the materials
The only warranties for SAP or SAP affiliate company products and services are those that are set forth in the express warranty
statements accompanying such products and services if any Nothing herein should be construed as constituting an additional
warranty
In particular SAP SE or its affiliated companies have no obligation to pursue any course of business outlined in this document or
any related presentation or to develop or release any functionality mentioned therein This document or any related presentation
and SAP SErsquos or its affiliated companiesrsquo strategy and possible future developments products andor platforms directions and
functionality are all subject to change and may be changed by SAP SE or its affiliated companies at any time for any reason
without notice The information in this document is not a commitment promise or legal obligation to deliver any material code or
functionality All forward-looking statements are subject to various risks and uncertainties that could cause actual results to differ
materially from expectations Readers are cautioned not to place undue reliance on these forward-looking statements and they
should not be relied upon in making purchasing decisions
SAP and other SAP products and services mentioned herein as well as their respective logos are trademarks or registered
trademarks of SAP SE (or an SAP affiliate company) in Germany and other countries All other product and service names
mentioned are the trademarks of their respective companies
See wwwsapcomcopyright for additional trademark information and notices
wwwsapcomcontactsap
Follow all of SAP
- openSAP_sac2_Week_1_Unit_1_COURSEINTRO_Presentation
- openSAP_sac2_Week_1_Unit_2_CUSTSAMLSSO_Presentation
- openSAP_sac2_Week_1_Unit_3_ADDAUT_Presentation
- openSAP_sac2_Week_1_Unit_4_LIVECONN_Presentation
-
6PUBLICcopy 2019 SAP SE or an SAP affiliate company All rights reserved ǀ
Course Introduction and Connectivity Overview
What is metadata
Connection definition
Browser uses this information to establish live connection to data sources
Connection name description data source server and port preferred language etcNo user and password are stored in SAC live connection description
Model definition
Based on connection definition model defines query on your data source based on data source metadata
Linked data source query (BW query name calculation view name universe name)Field definition (measures and dimensions)Field types scales decimals aggregation types formulas units and currencies aggregation exceptionsDimension definition and hierarchy typeInput control values to query data sourcesData or dimension value from data sources are not stored in SAP Analytics Cloud except values of filters and input controls used in query if any
Story definition
Based on models story defines your dashboard
Linked models story description layout labels styling page names RSS feed definition embedded HTML images conditional formatting rules linked analysis navigation chart types chart positions in story specific chart parameters (color and styling comment variance definition reference line definition top N parameter sorting parameter all parameters depending on type of chart) filter values formulas linked column relationships for filtering (live connection) story defined variables etcData or dimension value from data sources are not stored in SAP Analytics Cloud except values of filters and input controls used in query if any
Metadata isldquoIDrdquo ldquoNamerdquo ldquoPhone Numberrdquo ldquoSalaryrdquo
Data is1 Alex Bean 555-324-2342 $800002 Corey Foo 777-234-2318 $100000
7PUBLICcopy 2019 SAP SE or an SAP affiliate company All rights reserved ǀ
Course Introduction and Connectivity Overview
Exceptions to data movement for live connections
Smart grouping and predictive forecasting-
enabled
R integration enabled for live models
Blending between acquired and live models
Search to insight for live models
8PUBLICcopy 2019 SAP SE or an SAP affiliate company All rights reserved ǀ
Course Introduction and Connectivity Overview
Cross-origin resource sharing (CORS)
Live connections with SAP Analytics Cloud using CORS
CORS is an Internet standard that defines a way in which a browser and server can interact to determine
whether or not it is safe to allow the cross-origin request
CORS allows us to get around browserrsquos same-origin policyResource 1
Resource 2
Get resource 1
Response
Get resource 2
Response
When a domain is requesting to interact with a resource on another domain request headers are added from the first domain in order to use the cross-origin resource sharing feature These are the HTTP request headers that may be associated with the requesting domain- Origin- Access-Control-Request-Method- Access-Control-Request-Headers
The domain from which resources are being requested can respond to the first domain with the following HTTP response headers based on what configuration options are setAccess-Control-Allow-OriginAccess-Control-Allow-CredentialsAccess-Control-Expose-HeadersAccess-Control-Max-AgeAccess-Control-Allow-MethodsAccess-Control-Allow-Headers
9PUBLICcopy 2019 SAP SE or an SAP affiliate company All rights reserved ǀ
Course Introduction and Connectivity Overview
Live connections workflow
SAP BW
SAP HANA
SAP BW4HANA
SAP S4HANA
SAP BusinessObjects BI4 Universes
HTTPS
CORS
SAML
SA
ML
SAML 2 IDP
SAP BW
SAP BPC
SAP Analytics
CloudF
irew
all
HTTPS
SAML
Metadata Data
Fir
ew
all
Fir
ew
all
Fir
ew
all
Public Domain Customer NetworkDMZ
10PUBLICcopy 2019 SAP SE or an SAP affiliate company All rights reserved ǀ
Course Introduction and Connectivity Overview
SAML workflow
Identity Provider
Service Provider
Web B
row
ser
Resource
1
2
8
7
3
4
5
6
Service Request
ltSAMLRequestgt
Resource
ltSAMLResponsegt
ltSAMLRequestgt
ltSAMLResponsegt
Login Request
Login1 Service request (protected access)
2 Service needs authentication
3 ltSAMLRequestgt in POST (HTTP body) in a
HTML form or in GET (URL parameter)
4 Login request of IDP
5 Send credentials
6 Send SAML assertion as ltSAMLResponsegt
with secured user name identifier in HTTP body
7 Forward ltSAMLResponsegt as POST
parameter to assertion consumer service of SP
8 Send data of the service to the user
ACS
11PUBLICcopy 2019 SAP SE or an SAP affiliate company All rights reserved ǀ
Course Introduction and Connectivity Overview
On-premise import data connections
Additional on-premise components to deploy
1 SAP Cloud Connector
2 SAP Analytics Cloud agent
Cloud Connector
Secure data transfers between the on-premise data
source and SAP Cloud Platform
SAP Analytics Cloud agent
Connect and send query requests to the on-premise
data source
Supports Apache Tomcat 7 or higher
Java Standard Edition Runtime Environment version
7 or higher
Cloud Connector
SAP Analytics Cloud
Agent
On-Premise Data
Sources
SAP Analytics
Cloud
12PUBLICcopy 2019 SAP SE or an SAP affiliate company All rights reserved ǀ
Course Introduction and Connectivity Overview
Data import workflow
ODATA
SAP BPC NW
SQL Databases
Data
SAP Analytics Cloud Agent SAP BW
SAP ERP
SAP Analytics
Cloud
Public Domain Customer Network
Fir
ew
all
Fir
ew
all
DMZ
Fir
ew
all
Fir
ew
all
Cloud Connector
SAP S4HANA
SAP BPC MS
SAP BusinessObjects BI4 Universes
File Server
Data
Data
Data
13PUBLICcopy 2019 SAP SE or an SAP affiliate company All rights reserved ǀ
Target Audience
IT administrators
Cloud architects
Course Requirements
Background in SAP applications such as
SAP HANA SAP BW SAP S4HANA and
SAP BusinessObjects BI4
Understanding of SAML SSO concepts
Course Introduction and Connectivity Overview
Target audience and course requirements
14PUBLICcopy 2019 SAP SE or an SAP affiliate company All rights reserved ǀ
Option 1
Deploy the provided solution system in your own AWS
account Solution system contains 3 images that include
minus SAP NetWeaver IDP
minus SAP BW4HANA
minus SAP HANA
minus SAP BusinessObjects BI42 SP6
minus SAP Web Dispatcher Reverse Proxy
Requires existing subscription to SAP Analytics Cloud or
purchase of a new BI-only subscription for USD 23month
Option 2
Use provided click-through demos that simulate working
with a real system
Course Introduction and Connectivity Overview
Development system access
Thank you
Contact information
opensapcom
copy 2019 SAP SE or an SAP affiliate company All rights reserved
No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of
SAP SE or an SAP affiliate company
The information contained herein may be changed without prior notice Some software products marketed by SAP SE and its
distributors contain proprietary software components of other software vendors National product specifications may vary
These materials are provided by SAP SE or an SAP affiliate company for informational purposes only without representation or
warranty of any kind and SAP or its affiliated companies shall not be liable for errors or omissions with respect to the materials
The only warranties for SAP or SAP affiliate company products and services are those that are set forth in the express warranty
statements accompanying such products and services if any Nothing herein should be construed as constituting an additional
warranty
In particular SAP SE or its affiliated companies have no obligation to pursue any course of business outlined in this document or
any related presentation or to develop or release any functionality mentioned therein This document or any related presentation
and SAP SErsquos or its affiliated companiesrsquo strategy and possible future developments products andor platforms directions and
functionality are all subject to change and may be changed by SAP SE or its affiliated companies at any time for any reason
without notice The information in this document is not a commitment promise or legal obligation to deliver any material code or
functionality All forward-looking statements are subject to various risks and uncertainties that could cause actual results to differ
materially from expectations Readers are cautioned not to place undue reliance on these forward-looking statements and they
should not be relied upon in making purchasing decisions
SAP and other SAP products and services mentioned herein as well as their respective logos are trademarks or registered
trademarks of SAP SE (or an SAP affiliate company) in Germany and other countries All other product and service names
mentioned are the trademarks of their respective companies
See wwwsapcomcopyright for additional trademark information and notices
wwwsapcomcontactsap
Follow all of SAP
Week 1 Authentication and Data Connectivity 1
Unit 2 Custom SAML SSO to SAP Analytics Cloud
2PUBLICcopy 2019 SAP SE or an SAP affiliate company All rights reserved ǀ
SAP Analytics Cloud uses SAP Cloud
Platform Identity Authentication Service
as the default authentication method
Single Sign-On (SSO) authentication to
a custom identity provider (IDP) can be
configured using SAML 20 protocol
minus Cloud or on-premise IDP can be used
minus Dynamic user creation and teamrole
mapping
minus Allows for seamless SSO
minus Two-factor authentication and Social
single-sign-on is possible
Custom SAML SSO to SAP Analytics Cloud
Authentication options
3PUBLICcopy 2019 SAP SE or an SAP affiliate company All rights reserved ǀ
Custom SAML SSO to SAP Analytics Cloud
Who should be involved
SAP Analytics Cloud system owner
SAML IDP administrator
Thank you
Contact information
opensapcom
copy 2019 SAP SE or an SAP affiliate company All rights reserved
No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of
SAP SE or an SAP affiliate company
The information contained herein may be changed without prior notice Some software products marketed by SAP SE and its
distributors contain proprietary software components of other software vendors National product specifications may vary
These materials are provided by SAP SE or an SAP affiliate company for informational purposes only without representation or
warranty of any kind and SAP or its affiliated companies shall not be liable for errors or omissions with respect to the materials
The only warranties for SAP or SAP affiliate company products and services are those that are set forth in the express warranty
statements accompanying such products and services if any Nothing herein should be construed as constituting an additional
warranty
In particular SAP SE or its affiliated companies have no obligation to pursue any course of business outlined in this document or
any related presentation or to develop or release any functionality mentioned therein This document or any related presentation
and SAP SErsquos or its affiliated companiesrsquo strategy and possible future developments products andor platforms directions and
functionality are all subject to change and may be changed by SAP SE or its affiliated companies at any time for any reason
without notice The information in this document is not a commitment promise or legal obligation to deliver any material code or
functionality All forward-looking statements are subject to various risks and uncertainties that could cause actual results to differ
materially from expectations Readers are cautioned not to place undue reliance on these forward-looking statements and they
should not be relied upon in making purchasing decisions
SAP and other SAP products and services mentioned herein as well as their respective logos are trademarks or registered
trademarks of SAP SE (or an SAP affiliate company) in Germany and other countries All other product and service names
mentioned are the trademarks of their respective companies
See wwwsapcomcopyright for additional trademark information and notices
wwwsapcomcontactsap
Follow all of SAP
Week 1 Authentication and Data Connectivity 1
Unit 3 Additional Authentication Options
2PUBLICcopy 2019 SAP SE or an SAP affiliate company All rights reserved ǀ
Additional Authentication Options
Seamless SSO Social SSO and two-factor authentication
SAML 2 IDP
X509 Client
Certificate
Kerberos
SAML
Seamless SSO to SAP Analytics Cloud
minus Requires custom IDP to support either
Kerberos or client certificate authentication
minus Existing PKI infrastructure required to
support client certificate authentication
minus Kerberos typically only for Intranet
scenarios
Two-factor authentication and Social SSO
possible provided your custom IDP supports
these features
SAP
Analytics
Cloud
Thank you
Contact information
opensapcom
copy 2019 SAP SE or an SAP affiliate company All rights reserved
No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of
SAP SE or an SAP affiliate company
The information contained herein may be changed without prior notice Some software products marketed by SAP SE and its
distributors contain proprietary software components of other software vendors National product specifications may vary
These materials are provided by SAP SE or an SAP affiliate company for informational purposes only without representation or
warranty of any kind and SAP or its affiliated companies shall not be liable for errors or omissions with respect to the materials
The only warranties for SAP or SAP affiliate company products and services are those that are set forth in the express warranty
statements accompanying such products and services if any Nothing herein should be construed as constituting an additional
warranty
In particular SAP SE or its affiliated companies have no obligation to pursue any course of business outlined in this document or
any related presentation or to develop or release any functionality mentioned therein This document or any related presentation
and SAP SErsquos or its affiliated companiesrsquo strategy and possible future developments products andor platforms directions and
functionality are all subject to change and may be changed by SAP SE or its affiliated companies at any time for any reason
without notice The information in this document is not a commitment promise or legal obligation to deliver any material code or
functionality All forward-looking statements are subject to various risks and uncertainties that could cause actual results to differ
materially from expectations Readers are cautioned not to place undue reliance on these forward-looking statements and they
should not be relied upon in making purchasing decisions
SAP and other SAP products and services mentioned herein as well as their respective logos are trademarks or registered
trademarks of SAP SE (or an SAP affiliate company) in Germany and other countries All other product and service names
mentioned are the trademarks of their respective companies
See wwwsapcomcopyright for additional trademark information and notices
wwwsapcomcontactsap
Follow all of SAP
Week 1 Authentication and Data Connectivity 1
Unit 4 Live Connection to SAP HANA with SAML SSO
2PUBLICcopy 2019 SAP SE or an SAP affiliate company All rights reserved ǀ
Live Connection to SAP HANA with SAML SSO
Prerequisites
CORS
minus Minimum SAP HANA versions SAP HANA 10 SPS12 or
SAP HANA 20 SP01
minus Compatible EPMMDS package installed on SAP HANA 2x
minus SAP HANA XS server is configured for HTTPS (SSL) with a
signed certificate
minus Users assigned sapbcinaservicev2userRoleINA_USER role
minus Access to SAP HANArsquos XS admin
https[HANA_XS_HOST][HTTPS_Port]saphanaxsadmin
minus Browser configured to accept cookies from SAP HANA server
SAML
minus SAP Analytics Cloud pre-configured to use custom SAML
minus Browser configured to allow popups from sapanalyticscloud
minus Access to SAP HANArsquos Web IDE
https[HANA_XS_HOST][HTTPS_Port]saphanaideeditor
3PUBLICcopy 2019 SAP SE or an SAP affiliate company All rights reserved ǀ
SAML2 Identity Provider
auth
InA
Service
1 Web Request
2 ltSAMLRequestgt
3 ltSAMLRequestgt
4 ltSAMLResponsegt
5 ltSAMLResponsegt
6 Content (auto-close popup)
7 CORS AJAX Request
8 CORS AJAX Response (Content)
Popup
Window
Main
Window
0 Popup window opens
1 Popup window requests the
auth node
2 Authentication required for
the auth node
3 SAMLRequest sent to IdP
4 IdP returns SAML response
as the browser was already
authenticated during SAP
Analytics Cloud logon
5 SAML assertion sent to SP
6 SP returns content of the
auth node causing auto-
closure of the popup window
7 Main browser window sends
CORS AJAX request to InA
service
8 SP returns InA content as
the browser is already
authenticatedSAML 2 Service Provider
SAP HANA
SAP BW
SAP S4HANA
SAP BusinessObjects BI4
SAP BPC
Live Connection to SAP HANA with SAML SSO
SAML workflow for SAP live sources
4PUBLICcopy 2019 SAP SE or an SAP affiliate company All rights reserved ǀ
Live Connection to SAP HANA with SAML SSO
Who should be involved
SAP HANA administrator
SAP Analytics Cloud admin
SAML IDP administrator
Network security administrator (for signed SSL certificates)
Thank you
Contact information
opensapcom
copy 2019 SAP SE or an SAP affiliate company All rights reserved
No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of
SAP SE or an SAP affiliate company
The information contained herein may be changed without prior notice Some software products marketed by SAP SE and its
distributors contain proprietary software components of other software vendors National product specifications may vary
These materials are provided by SAP SE or an SAP affiliate company for informational purposes only without representation or
warranty of any kind and SAP or its affiliated companies shall not be liable for errors or omissions with respect to the materials
The only warranties for SAP or SAP affiliate company products and services are those that are set forth in the express warranty
statements accompanying such products and services if any Nothing herein should be construed as constituting an additional
warranty
In particular SAP SE or its affiliated companies have no obligation to pursue any course of business outlined in this document or
any related presentation or to develop or release any functionality mentioned therein This document or any related presentation
and SAP SErsquos or its affiliated companiesrsquo strategy and possible future developments products andor platforms directions and
functionality are all subject to change and may be changed by SAP SE or its affiliated companies at any time for any reason
without notice The information in this document is not a commitment promise or legal obligation to deliver any material code or
functionality All forward-looking statements are subject to various risks and uncertainties that could cause actual results to differ
materially from expectations Readers are cautioned not to place undue reliance on these forward-looking statements and they
should not be relied upon in making purchasing decisions
SAP and other SAP products and services mentioned herein as well as their respective logos are trademarks or registered
trademarks of SAP SE (or an SAP affiliate company) in Germany and other countries All other product and service names
mentioned are the trademarks of their respective companies
See wwwsapcomcopyright for additional trademark information and notices
wwwsapcomcontactsap
Follow all of SAP
- openSAP_sac2_Week_1_Unit_1_COURSEINTRO_Presentation
- openSAP_sac2_Week_1_Unit_2_CUSTSAMLSSO_Presentation
- openSAP_sac2_Week_1_Unit_3_ADDAUT_Presentation
- openSAP_sac2_Week_1_Unit_4_LIVECONN_Presentation
-
7PUBLICcopy 2019 SAP SE or an SAP affiliate company All rights reserved ǀ
Course Introduction and Connectivity Overview
Exceptions to data movement for live connections
Smart grouping and predictive forecasting-
enabled
R integration enabled for live models
Blending between acquired and live models
Search to insight for live models
8PUBLICcopy 2019 SAP SE or an SAP affiliate company All rights reserved ǀ
Course Introduction and Connectivity Overview
Cross-origin resource sharing (CORS)
Live connections with SAP Analytics Cloud using CORS
CORS is an Internet standard that defines a way in which a browser and server can interact to determine
whether or not it is safe to allow the cross-origin request
CORS allows us to get around browserrsquos same-origin policyResource 1
Resource 2
Get resource 1
Response
Get resource 2
Response
When a domain is requesting to interact with a resource on another domain request headers are added from the first domain in order to use the cross-origin resource sharing feature These are the HTTP request headers that may be associated with the requesting domain- Origin- Access-Control-Request-Method- Access-Control-Request-Headers
The domain from which resources are being requested can respond to the first domain with the following HTTP response headers based on what configuration options are setAccess-Control-Allow-OriginAccess-Control-Allow-CredentialsAccess-Control-Expose-HeadersAccess-Control-Max-AgeAccess-Control-Allow-MethodsAccess-Control-Allow-Headers
9PUBLICcopy 2019 SAP SE or an SAP affiliate company All rights reserved ǀ
Course Introduction and Connectivity Overview
Live connections workflow
SAP BW
SAP HANA
SAP BW4HANA
SAP S4HANA
SAP BusinessObjects BI4 Universes
HTTPS
CORS
SAML
SA
ML
SAML 2 IDP
SAP BW
SAP BPC
SAP Analytics
CloudF
irew
all
HTTPS
SAML
Metadata Data
Fir
ew
all
Fir
ew
all
Fir
ew
all
Public Domain Customer NetworkDMZ
10PUBLICcopy 2019 SAP SE or an SAP affiliate company All rights reserved ǀ
Course Introduction and Connectivity Overview
SAML workflow
Identity Provider
Service Provider
Web B
row
ser
Resource
1
2
8
7
3
4
5
6
Service Request
ltSAMLRequestgt
Resource
ltSAMLResponsegt
ltSAMLRequestgt
ltSAMLResponsegt
Login Request
Login1 Service request (protected access)
2 Service needs authentication
3 ltSAMLRequestgt in POST (HTTP body) in a
HTML form or in GET (URL parameter)
4 Login request of IDP
5 Send credentials
6 Send SAML assertion as ltSAMLResponsegt
with secured user name identifier in HTTP body
7 Forward ltSAMLResponsegt as POST
parameter to assertion consumer service of SP
8 Send data of the service to the user
ACS
11PUBLICcopy 2019 SAP SE or an SAP affiliate company All rights reserved ǀ
Course Introduction and Connectivity Overview
On-premise import data connections
Additional on-premise components to deploy
1 SAP Cloud Connector
2 SAP Analytics Cloud agent
Cloud Connector
Secure data transfers between the on-premise data
source and SAP Cloud Platform
SAP Analytics Cloud agent
Connect and send query requests to the on-premise
data source
Supports Apache Tomcat 7 or higher
Java Standard Edition Runtime Environment version
7 or higher
Cloud Connector
SAP Analytics Cloud
Agent
On-Premise Data
Sources
SAP Analytics
Cloud
12PUBLICcopy 2019 SAP SE or an SAP affiliate company All rights reserved ǀ
Course Introduction and Connectivity Overview
Data import workflow
ODATA
SAP BPC NW
SQL Databases
Data
SAP Analytics Cloud Agent SAP BW
SAP ERP
SAP Analytics
Cloud
Public Domain Customer Network
Fir
ew
all
Fir
ew
all
DMZ
Fir
ew
all
Fir
ew
all
Cloud Connector
SAP S4HANA
SAP BPC MS
SAP BusinessObjects BI4 Universes
File Server
Data
Data
Data
13PUBLICcopy 2019 SAP SE or an SAP affiliate company All rights reserved ǀ
Target Audience
IT administrators
Cloud architects
Course Requirements
Background in SAP applications such as
SAP HANA SAP BW SAP S4HANA and
SAP BusinessObjects BI4
Understanding of SAML SSO concepts
Course Introduction and Connectivity Overview
Target audience and course requirements
14PUBLICcopy 2019 SAP SE or an SAP affiliate company All rights reserved ǀ
Option 1
Deploy the provided solution system in your own AWS
account Solution system contains 3 images that include
minus SAP NetWeaver IDP
minus SAP BW4HANA
minus SAP HANA
minus SAP BusinessObjects BI42 SP6
minus SAP Web Dispatcher Reverse Proxy
Requires existing subscription to SAP Analytics Cloud or
purchase of a new BI-only subscription for USD 23month
Option 2
Use provided click-through demos that simulate working
with a real system
Course Introduction and Connectivity Overview
Development system access
Thank you
Contact information
opensapcom
copy 2019 SAP SE or an SAP affiliate company All rights reserved
No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of
SAP SE or an SAP affiliate company
The information contained herein may be changed without prior notice Some software products marketed by SAP SE and its
distributors contain proprietary software components of other software vendors National product specifications may vary
These materials are provided by SAP SE or an SAP affiliate company for informational purposes only without representation or
warranty of any kind and SAP or its affiliated companies shall not be liable for errors or omissions with respect to the materials
The only warranties for SAP or SAP affiliate company products and services are those that are set forth in the express warranty
statements accompanying such products and services if any Nothing herein should be construed as constituting an additional
warranty
In particular SAP SE or its affiliated companies have no obligation to pursue any course of business outlined in this document or
any related presentation or to develop or release any functionality mentioned therein This document or any related presentation
and SAP SErsquos or its affiliated companiesrsquo strategy and possible future developments products andor platforms directions and
functionality are all subject to change and may be changed by SAP SE or its affiliated companies at any time for any reason
without notice The information in this document is not a commitment promise or legal obligation to deliver any material code or
functionality All forward-looking statements are subject to various risks and uncertainties that could cause actual results to differ
materially from expectations Readers are cautioned not to place undue reliance on these forward-looking statements and they
should not be relied upon in making purchasing decisions
SAP and other SAP products and services mentioned herein as well as their respective logos are trademarks or registered
trademarks of SAP SE (or an SAP affiliate company) in Germany and other countries All other product and service names
mentioned are the trademarks of their respective companies
See wwwsapcomcopyright for additional trademark information and notices
wwwsapcomcontactsap
Follow all of SAP
Week 1 Authentication and Data Connectivity 1
Unit 2 Custom SAML SSO to SAP Analytics Cloud
2PUBLICcopy 2019 SAP SE or an SAP affiliate company All rights reserved ǀ
SAP Analytics Cloud uses SAP Cloud
Platform Identity Authentication Service
as the default authentication method
Single Sign-On (SSO) authentication to
a custom identity provider (IDP) can be
configured using SAML 20 protocol
minus Cloud or on-premise IDP can be used
minus Dynamic user creation and teamrole
mapping
minus Allows for seamless SSO
minus Two-factor authentication and Social
single-sign-on is possible
Custom SAML SSO to SAP Analytics Cloud
Authentication options
3PUBLICcopy 2019 SAP SE or an SAP affiliate company All rights reserved ǀ
Custom SAML SSO to SAP Analytics Cloud
Who should be involved
SAP Analytics Cloud system owner
SAML IDP administrator
Thank you
Contact information
opensapcom
copy 2019 SAP SE or an SAP affiliate company All rights reserved
No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of
SAP SE or an SAP affiliate company
The information contained herein may be changed without prior notice Some software products marketed by SAP SE and its
distributors contain proprietary software components of other software vendors National product specifications may vary
These materials are provided by SAP SE or an SAP affiliate company for informational purposes only without representation or
warranty of any kind and SAP or its affiliated companies shall not be liable for errors or omissions with respect to the materials
The only warranties for SAP or SAP affiliate company products and services are those that are set forth in the express warranty
statements accompanying such products and services if any Nothing herein should be construed as constituting an additional
warranty
In particular SAP SE or its affiliated companies have no obligation to pursue any course of business outlined in this document or
any related presentation or to develop or release any functionality mentioned therein This document or any related presentation
and SAP SErsquos or its affiliated companiesrsquo strategy and possible future developments products andor platforms directions and
functionality are all subject to change and may be changed by SAP SE or its affiliated companies at any time for any reason
without notice The information in this document is not a commitment promise or legal obligation to deliver any material code or
functionality All forward-looking statements are subject to various risks and uncertainties that could cause actual results to differ
materially from expectations Readers are cautioned not to place undue reliance on these forward-looking statements and they
should not be relied upon in making purchasing decisions
SAP and other SAP products and services mentioned herein as well as their respective logos are trademarks or registered
trademarks of SAP SE (or an SAP affiliate company) in Germany and other countries All other product and service names
mentioned are the trademarks of their respective companies
See wwwsapcomcopyright for additional trademark information and notices
wwwsapcomcontactsap
Follow all of SAP
Week 1 Authentication and Data Connectivity 1
Unit 3 Additional Authentication Options
2PUBLICcopy 2019 SAP SE or an SAP affiliate company All rights reserved ǀ
Additional Authentication Options
Seamless SSO Social SSO and two-factor authentication
SAML 2 IDP
X509 Client
Certificate
Kerberos
SAML
Seamless SSO to SAP Analytics Cloud
minus Requires custom IDP to support either
Kerberos or client certificate authentication
minus Existing PKI infrastructure required to
support client certificate authentication
minus Kerberos typically only for Intranet
scenarios
Two-factor authentication and Social SSO
possible provided your custom IDP supports
these features
SAP
Analytics
Cloud
Thank you
Contact information
opensapcom
copy 2019 SAP SE or an SAP affiliate company All rights reserved
No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of
SAP SE or an SAP affiliate company
The information contained herein may be changed without prior notice Some software products marketed by SAP SE and its
distributors contain proprietary software components of other software vendors National product specifications may vary
These materials are provided by SAP SE or an SAP affiliate company for informational purposes only without representation or
warranty of any kind and SAP or its affiliated companies shall not be liable for errors or omissions with respect to the materials
The only warranties for SAP or SAP affiliate company products and services are those that are set forth in the express warranty
statements accompanying such products and services if any Nothing herein should be construed as constituting an additional
warranty
In particular SAP SE or its affiliated companies have no obligation to pursue any course of business outlined in this document or
any related presentation or to develop or release any functionality mentioned therein This document or any related presentation
and SAP SErsquos or its affiliated companiesrsquo strategy and possible future developments products andor platforms directions and
functionality are all subject to change and may be changed by SAP SE or its affiliated companies at any time for any reason
without notice The information in this document is not a commitment promise or legal obligation to deliver any material code or
functionality All forward-looking statements are subject to various risks and uncertainties that could cause actual results to differ
materially from expectations Readers are cautioned not to place undue reliance on these forward-looking statements and they
should not be relied upon in making purchasing decisions
SAP and other SAP products and services mentioned herein as well as their respective logos are trademarks or registered
trademarks of SAP SE (or an SAP affiliate company) in Germany and other countries All other product and service names
mentioned are the trademarks of their respective companies
See wwwsapcomcopyright for additional trademark information and notices
wwwsapcomcontactsap
Follow all of SAP
Week 1 Authentication and Data Connectivity 1
Unit 4 Live Connection to SAP HANA with SAML SSO
2PUBLICcopy 2019 SAP SE or an SAP affiliate company All rights reserved ǀ
Live Connection to SAP HANA with SAML SSO
Prerequisites
CORS
minus Minimum SAP HANA versions SAP HANA 10 SPS12 or
SAP HANA 20 SP01
minus Compatible EPMMDS package installed on SAP HANA 2x
minus SAP HANA XS server is configured for HTTPS (SSL) with a
signed certificate
minus Users assigned sapbcinaservicev2userRoleINA_USER role
minus Access to SAP HANArsquos XS admin
https[HANA_XS_HOST][HTTPS_Port]saphanaxsadmin
minus Browser configured to accept cookies from SAP HANA server
SAML
minus SAP Analytics Cloud pre-configured to use custom SAML
minus Browser configured to allow popups from sapanalyticscloud
minus Access to SAP HANArsquos Web IDE
https[HANA_XS_HOST][HTTPS_Port]saphanaideeditor
3PUBLICcopy 2019 SAP SE or an SAP affiliate company All rights reserved ǀ
SAML2 Identity Provider
auth
InA
Service
1 Web Request
2 ltSAMLRequestgt
3 ltSAMLRequestgt
4 ltSAMLResponsegt
5 ltSAMLResponsegt
6 Content (auto-close popup)
7 CORS AJAX Request
8 CORS AJAX Response (Content)
Popup
Window
Main
Window
0 Popup window opens
1 Popup window requests the
auth node
2 Authentication required for
the auth node
3 SAMLRequest sent to IdP
4 IdP returns SAML response
as the browser was already
authenticated during SAP
Analytics Cloud logon
5 SAML assertion sent to SP
6 SP returns content of the
auth node causing auto-
closure of the popup window
7 Main browser window sends
CORS AJAX request to InA
service
8 SP returns InA content as
the browser is already
authenticatedSAML 2 Service Provider
SAP HANA
SAP BW
SAP S4HANA
SAP BusinessObjects BI4
SAP BPC
Live Connection to SAP HANA with SAML SSO
SAML workflow for SAP live sources
4PUBLICcopy 2019 SAP SE or an SAP affiliate company All rights reserved ǀ
Live Connection to SAP HANA with SAML SSO
Who should be involved
SAP HANA administrator
SAP Analytics Cloud admin
SAML IDP administrator
Network security administrator (for signed SSL certificates)
Thank you
Contact information
opensapcom
copy 2019 SAP SE or an SAP affiliate company All rights reserved
No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of
SAP SE or an SAP affiliate company
The information contained herein may be changed without prior notice Some software products marketed by SAP SE and its
distributors contain proprietary software components of other software vendors National product specifications may vary
These materials are provided by SAP SE or an SAP affiliate company for informational purposes only without representation or
warranty of any kind and SAP or its affiliated companies shall not be liable for errors or omissions with respect to the materials
The only warranties for SAP or SAP affiliate company products and services are those that are set forth in the express warranty
statements accompanying such products and services if any Nothing herein should be construed as constituting an additional
warranty
In particular SAP SE or its affiliated companies have no obligation to pursue any course of business outlined in this document or
any related presentation or to develop or release any functionality mentioned therein This document or any related presentation
and SAP SErsquos or its affiliated companiesrsquo strategy and possible future developments products andor platforms directions and
functionality are all subject to change and may be changed by SAP SE or its affiliated companies at any time for any reason
without notice The information in this document is not a commitment promise or legal obligation to deliver any material code or
functionality All forward-looking statements are subject to various risks and uncertainties that could cause actual results to differ
materially from expectations Readers are cautioned not to place undue reliance on these forward-looking statements and they
should not be relied upon in making purchasing decisions
SAP and other SAP products and services mentioned herein as well as their respective logos are trademarks or registered
trademarks of SAP SE (or an SAP affiliate company) in Germany and other countries All other product and service names
mentioned are the trademarks of their respective companies
See wwwsapcomcopyright for additional trademark information and notices
wwwsapcomcontactsap
Follow all of SAP
- openSAP_sac2_Week_1_Unit_1_COURSEINTRO_Presentation
- openSAP_sac2_Week_1_Unit_2_CUSTSAMLSSO_Presentation
- openSAP_sac2_Week_1_Unit_3_ADDAUT_Presentation
- openSAP_sac2_Week_1_Unit_4_LIVECONN_Presentation
-
8PUBLICcopy 2019 SAP SE or an SAP affiliate company All rights reserved ǀ
Course Introduction and Connectivity Overview
Cross-origin resource sharing (CORS)
Live connections with SAP Analytics Cloud using CORS
CORS is an Internet standard that defines a way in which a browser and server can interact to determine
whether or not it is safe to allow the cross-origin request
CORS allows us to get around browserrsquos same-origin policyResource 1
Resource 2
Get resource 1
Response
Get resource 2
Response
When a domain is requesting to interact with a resource on another domain request headers are added from the first domain in order to use the cross-origin resource sharing feature These are the HTTP request headers that may be associated with the requesting domain- Origin- Access-Control-Request-Method- Access-Control-Request-Headers
The domain from which resources are being requested can respond to the first domain with the following HTTP response headers based on what configuration options are setAccess-Control-Allow-OriginAccess-Control-Allow-CredentialsAccess-Control-Expose-HeadersAccess-Control-Max-AgeAccess-Control-Allow-MethodsAccess-Control-Allow-Headers
9PUBLICcopy 2019 SAP SE or an SAP affiliate company All rights reserved ǀ
Course Introduction and Connectivity Overview
Live connections workflow
SAP BW
SAP HANA
SAP BW4HANA
SAP S4HANA
SAP BusinessObjects BI4 Universes
HTTPS
CORS
SAML
SA
ML
SAML 2 IDP
SAP BW
SAP BPC
SAP Analytics
CloudF
irew
all
HTTPS
SAML
Metadata Data
Fir
ew
all
Fir
ew
all
Fir
ew
all
Public Domain Customer NetworkDMZ
10PUBLICcopy 2019 SAP SE or an SAP affiliate company All rights reserved ǀ
Course Introduction and Connectivity Overview
SAML workflow
Identity Provider
Service Provider
Web B
row
ser
Resource
1
2
8
7
3
4
5
6
Service Request
ltSAMLRequestgt
Resource
ltSAMLResponsegt
ltSAMLRequestgt
ltSAMLResponsegt
Login Request
Login1 Service request (protected access)
2 Service needs authentication
3 ltSAMLRequestgt in POST (HTTP body) in a
HTML form or in GET (URL parameter)
4 Login request of IDP
5 Send credentials
6 Send SAML assertion as ltSAMLResponsegt
with secured user name identifier in HTTP body
7 Forward ltSAMLResponsegt as POST
parameter to assertion consumer service of SP
8 Send data of the service to the user
ACS
11PUBLICcopy 2019 SAP SE or an SAP affiliate company All rights reserved ǀ
Course Introduction and Connectivity Overview
On-premise import data connections
Additional on-premise components to deploy
1 SAP Cloud Connector
2 SAP Analytics Cloud agent
Cloud Connector
Secure data transfers between the on-premise data
source and SAP Cloud Platform
SAP Analytics Cloud agent
Connect and send query requests to the on-premise
data source
Supports Apache Tomcat 7 or higher
Java Standard Edition Runtime Environment version
7 or higher
Cloud Connector
SAP Analytics Cloud
Agent
On-Premise Data
Sources
SAP Analytics
Cloud
12PUBLICcopy 2019 SAP SE or an SAP affiliate company All rights reserved ǀ
Course Introduction and Connectivity Overview
Data import workflow
ODATA
SAP BPC NW
SQL Databases
Data
SAP Analytics Cloud Agent SAP BW
SAP ERP
SAP Analytics
Cloud
Public Domain Customer Network
Fir
ew
all
Fir
ew
all
DMZ
Fir
ew
all
Fir
ew
all
Cloud Connector
SAP S4HANA
SAP BPC MS
SAP BusinessObjects BI4 Universes
File Server
Data
Data
Data
13PUBLICcopy 2019 SAP SE or an SAP affiliate company All rights reserved ǀ
Target Audience
IT administrators
Cloud architects
Course Requirements
Background in SAP applications such as
SAP HANA SAP BW SAP S4HANA and
SAP BusinessObjects BI4
Understanding of SAML SSO concepts
Course Introduction and Connectivity Overview
Target audience and course requirements
14PUBLICcopy 2019 SAP SE or an SAP affiliate company All rights reserved ǀ
Option 1
Deploy the provided solution system in your own AWS
account Solution system contains 3 images that include
minus SAP NetWeaver IDP
minus SAP BW4HANA
minus SAP HANA
minus SAP BusinessObjects BI42 SP6
minus SAP Web Dispatcher Reverse Proxy
Requires existing subscription to SAP Analytics Cloud or
purchase of a new BI-only subscription for USD 23month
Option 2
Use provided click-through demos that simulate working
with a real system
Course Introduction and Connectivity Overview
Development system access
Thank you
Contact information
opensapcom
copy 2019 SAP SE or an SAP affiliate company All rights reserved
No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of
SAP SE or an SAP affiliate company
The information contained herein may be changed without prior notice Some software products marketed by SAP SE and its
distributors contain proprietary software components of other software vendors National product specifications may vary
These materials are provided by SAP SE or an SAP affiliate company for informational purposes only without representation or
warranty of any kind and SAP or its affiliated companies shall not be liable for errors or omissions with respect to the materials
The only warranties for SAP or SAP affiliate company products and services are those that are set forth in the express warranty
statements accompanying such products and services if any Nothing herein should be construed as constituting an additional
warranty
In particular SAP SE or its affiliated companies have no obligation to pursue any course of business outlined in this document or
any related presentation or to develop or release any functionality mentioned therein This document or any related presentation
and SAP SErsquos or its affiliated companiesrsquo strategy and possible future developments products andor platforms directions and
functionality are all subject to change and may be changed by SAP SE or its affiliated companies at any time for any reason
without notice The information in this document is not a commitment promise or legal obligation to deliver any material code or
functionality All forward-looking statements are subject to various risks and uncertainties that could cause actual results to differ
materially from expectations Readers are cautioned not to place undue reliance on these forward-looking statements and they
should not be relied upon in making purchasing decisions
SAP and other SAP products and services mentioned herein as well as their respective logos are trademarks or registered
trademarks of SAP SE (or an SAP affiliate company) in Germany and other countries All other product and service names
mentioned are the trademarks of their respective companies
See wwwsapcomcopyright for additional trademark information and notices
wwwsapcomcontactsap
Follow all of SAP
Week 1 Authentication and Data Connectivity 1
Unit 2 Custom SAML SSO to SAP Analytics Cloud
2PUBLICcopy 2019 SAP SE or an SAP affiliate company All rights reserved ǀ
SAP Analytics Cloud uses SAP Cloud
Platform Identity Authentication Service
as the default authentication method
Single Sign-On (SSO) authentication to
a custom identity provider (IDP) can be
configured using SAML 20 protocol
minus Cloud or on-premise IDP can be used
minus Dynamic user creation and teamrole
mapping
minus Allows for seamless SSO
minus Two-factor authentication and Social
single-sign-on is possible
Custom SAML SSO to SAP Analytics Cloud
Authentication options
3PUBLICcopy 2019 SAP SE or an SAP affiliate company All rights reserved ǀ
Custom SAML SSO to SAP Analytics Cloud
Who should be involved
SAP Analytics Cloud system owner
SAML IDP administrator
Thank you
Contact information
opensapcom
copy 2019 SAP SE or an SAP affiliate company All rights reserved
No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of
SAP SE or an SAP affiliate company
The information contained herein may be changed without prior notice Some software products marketed by SAP SE and its
distributors contain proprietary software components of other software vendors National product specifications may vary
These materials are provided by SAP SE or an SAP affiliate company for informational purposes only without representation or
warranty of any kind and SAP or its affiliated companies shall not be liable for errors or omissions with respect to the materials
The only warranties for SAP or SAP affiliate company products and services are those that are set forth in the express warranty
statements accompanying such products and services if any Nothing herein should be construed as constituting an additional
warranty
In particular SAP SE or its affiliated companies have no obligation to pursue any course of business outlined in this document or
any related presentation or to develop or release any functionality mentioned therein This document or any related presentation
and SAP SErsquos or its affiliated companiesrsquo strategy and possible future developments products andor platforms directions and
functionality are all subject to change and may be changed by SAP SE or its affiliated companies at any time for any reason
without notice The information in this document is not a commitment promise or legal obligation to deliver any material code or
functionality All forward-looking statements are subject to various risks and uncertainties that could cause actual results to differ
materially from expectations Readers are cautioned not to place undue reliance on these forward-looking statements and they
should not be relied upon in making purchasing decisions
SAP and other SAP products and services mentioned herein as well as their respective logos are trademarks or registered
trademarks of SAP SE (or an SAP affiliate company) in Germany and other countries All other product and service names
mentioned are the trademarks of their respective companies
See wwwsapcomcopyright for additional trademark information and notices
wwwsapcomcontactsap
Follow all of SAP
Week 1 Authentication and Data Connectivity 1
Unit 3 Additional Authentication Options
2PUBLICcopy 2019 SAP SE or an SAP affiliate company All rights reserved ǀ
Additional Authentication Options
Seamless SSO Social SSO and two-factor authentication
SAML 2 IDP
X509 Client
Certificate
Kerberos
SAML
Seamless SSO to SAP Analytics Cloud
minus Requires custom IDP to support either
Kerberos or client certificate authentication
minus Existing PKI infrastructure required to
support client certificate authentication
minus Kerberos typically only for Intranet
scenarios
Two-factor authentication and Social SSO
possible provided your custom IDP supports
these features
SAP
Analytics
Cloud
Thank you
Contact information
opensapcom
copy 2019 SAP SE or an SAP affiliate company All rights reserved
No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of
SAP SE or an SAP affiliate company
The information contained herein may be changed without prior notice Some software products marketed by SAP SE and its
distributors contain proprietary software components of other software vendors National product specifications may vary
These materials are provided by SAP SE or an SAP affiliate company for informational purposes only without representation or
warranty of any kind and SAP or its affiliated companies shall not be liable for errors or omissions with respect to the materials
The only warranties for SAP or SAP affiliate company products and services are those that are set forth in the express warranty
statements accompanying such products and services if any Nothing herein should be construed as constituting an additional
warranty
In particular SAP SE or its affiliated companies have no obligation to pursue any course of business outlined in this document or
any related presentation or to develop or release any functionality mentioned therein This document or any related presentation
and SAP SErsquos or its affiliated companiesrsquo strategy and possible future developments products andor platforms directions and
functionality are all subject to change and may be changed by SAP SE or its affiliated companies at any time for any reason
without notice The information in this document is not a commitment promise or legal obligation to deliver any material code or
functionality All forward-looking statements are subject to various risks and uncertainties that could cause actual results to differ
materially from expectations Readers are cautioned not to place undue reliance on these forward-looking statements and they
should not be relied upon in making purchasing decisions
SAP and other SAP products and services mentioned herein as well as their respective logos are trademarks or registered
trademarks of SAP SE (or an SAP affiliate company) in Germany and other countries All other product and service names
mentioned are the trademarks of their respective companies
See wwwsapcomcopyright for additional trademark information and notices
wwwsapcomcontactsap
Follow all of SAP
Week 1 Authentication and Data Connectivity 1
Unit 4 Live Connection to SAP HANA with SAML SSO
2PUBLICcopy 2019 SAP SE or an SAP affiliate company All rights reserved ǀ
Live Connection to SAP HANA with SAML SSO
Prerequisites
CORS
minus Minimum SAP HANA versions SAP HANA 10 SPS12 or
SAP HANA 20 SP01
minus Compatible EPMMDS package installed on SAP HANA 2x
minus SAP HANA XS server is configured for HTTPS (SSL) with a
signed certificate
minus Users assigned sapbcinaservicev2userRoleINA_USER role
minus Access to SAP HANArsquos XS admin
https[HANA_XS_HOST][HTTPS_Port]saphanaxsadmin
minus Browser configured to accept cookies from SAP HANA server
SAML
minus SAP Analytics Cloud pre-configured to use custom SAML
minus Browser configured to allow popups from sapanalyticscloud
minus Access to SAP HANArsquos Web IDE
https[HANA_XS_HOST][HTTPS_Port]saphanaideeditor
3PUBLICcopy 2019 SAP SE or an SAP affiliate company All rights reserved ǀ
SAML2 Identity Provider
auth
InA
Service
1 Web Request
2 ltSAMLRequestgt
3 ltSAMLRequestgt
4 ltSAMLResponsegt
5 ltSAMLResponsegt
6 Content (auto-close popup)
7 CORS AJAX Request
8 CORS AJAX Response (Content)
Popup
Window
Main
Window
0 Popup window opens
1 Popup window requests the
auth node
2 Authentication required for
the auth node
3 SAMLRequest sent to IdP
4 IdP returns SAML response
as the browser was already
authenticated during SAP
Analytics Cloud logon
5 SAML assertion sent to SP
6 SP returns content of the
auth node causing auto-
closure of the popup window
7 Main browser window sends
CORS AJAX request to InA
service
8 SP returns InA content as
the browser is already
authenticatedSAML 2 Service Provider
SAP HANA
SAP BW
SAP S4HANA
SAP BusinessObjects BI4
SAP BPC
Live Connection to SAP HANA with SAML SSO
SAML workflow for SAP live sources
4PUBLICcopy 2019 SAP SE or an SAP affiliate company All rights reserved ǀ
Live Connection to SAP HANA with SAML SSO
Who should be involved
SAP HANA administrator
SAP Analytics Cloud admin
SAML IDP administrator
Network security administrator (for signed SSL certificates)
Thank you
Contact information
opensapcom
copy 2019 SAP SE or an SAP affiliate company All rights reserved
No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of
SAP SE or an SAP affiliate company
The information contained herein may be changed without prior notice Some software products marketed by SAP SE and its
distributors contain proprietary software components of other software vendors National product specifications may vary
These materials are provided by SAP SE or an SAP affiliate company for informational purposes only without representation or
warranty of any kind and SAP or its affiliated companies shall not be liable for errors or omissions with respect to the materials
The only warranties for SAP or SAP affiliate company products and services are those that are set forth in the express warranty
statements accompanying such products and services if any Nothing herein should be construed as constituting an additional
warranty
In particular SAP SE or its affiliated companies have no obligation to pursue any course of business outlined in this document or
any related presentation or to develop or release any functionality mentioned therein This document or any related presentation
and SAP SErsquos or its affiliated companiesrsquo strategy and possible future developments products andor platforms directions and
functionality are all subject to change and may be changed by SAP SE or its affiliated companies at any time for any reason
without notice The information in this document is not a commitment promise or legal obligation to deliver any material code or
functionality All forward-looking statements are subject to various risks and uncertainties that could cause actual results to differ
materially from expectations Readers are cautioned not to place undue reliance on these forward-looking statements and they
should not be relied upon in making purchasing decisions
SAP and other SAP products and services mentioned herein as well as their respective logos are trademarks or registered
trademarks of SAP SE (or an SAP affiliate company) in Germany and other countries All other product and service names
mentioned are the trademarks of their respective companies
See wwwsapcomcopyright for additional trademark information and notices
wwwsapcomcontactsap
Follow all of SAP
- openSAP_sac2_Week_1_Unit_1_COURSEINTRO_Presentation
- openSAP_sac2_Week_1_Unit_2_CUSTSAMLSSO_Presentation
- openSAP_sac2_Week_1_Unit_3_ADDAUT_Presentation
- openSAP_sac2_Week_1_Unit_4_LIVECONN_Presentation
-
9PUBLICcopy 2019 SAP SE or an SAP affiliate company All rights reserved ǀ
Course Introduction and Connectivity Overview
Live connections workflow
SAP BW
SAP HANA
SAP BW4HANA
SAP S4HANA
SAP BusinessObjects BI4 Universes
HTTPS
CORS
SAML
SA
ML
SAML 2 IDP
SAP BW
SAP BPC
SAP Analytics
CloudF
irew
all
HTTPS
SAML
Metadata Data
Fir
ew
all
Fir
ew
all
Fir
ew
all
Public Domain Customer NetworkDMZ
10PUBLICcopy 2019 SAP SE or an SAP affiliate company All rights reserved ǀ
Course Introduction and Connectivity Overview
SAML workflow
Identity Provider
Service Provider
Web B
row
ser
Resource
1
2
8
7
3
4
5
6
Service Request
ltSAMLRequestgt
Resource
ltSAMLResponsegt
ltSAMLRequestgt
ltSAMLResponsegt
Login Request
Login1 Service request (protected access)
2 Service needs authentication
3 ltSAMLRequestgt in POST (HTTP body) in a
HTML form or in GET (URL parameter)
4 Login request of IDP
5 Send credentials
6 Send SAML assertion as ltSAMLResponsegt
with secured user name identifier in HTTP body
7 Forward ltSAMLResponsegt as POST
parameter to assertion consumer service of SP
8 Send data of the service to the user
ACS
11PUBLICcopy 2019 SAP SE or an SAP affiliate company All rights reserved ǀ
Course Introduction and Connectivity Overview
On-premise import data connections
Additional on-premise components to deploy
1 SAP Cloud Connector
2 SAP Analytics Cloud agent
Cloud Connector
Secure data transfers between the on-premise data
source and SAP Cloud Platform
SAP Analytics Cloud agent
Connect and send query requests to the on-premise
data source
Supports Apache Tomcat 7 or higher
Java Standard Edition Runtime Environment version
7 or higher
Cloud Connector
SAP Analytics Cloud
Agent
On-Premise Data
Sources
SAP Analytics
Cloud
12PUBLICcopy 2019 SAP SE or an SAP affiliate company All rights reserved ǀ
Course Introduction and Connectivity Overview
Data import workflow
ODATA
SAP BPC NW
SQL Databases
Data
SAP Analytics Cloud Agent SAP BW
SAP ERP
SAP Analytics
Cloud
Public Domain Customer Network
Fir
ew
all
Fir
ew
all
DMZ
Fir
ew
all
Fir
ew
all
Cloud Connector
SAP S4HANA
SAP BPC MS
SAP BusinessObjects BI4 Universes
File Server
Data
Data
Data
13PUBLICcopy 2019 SAP SE or an SAP affiliate company All rights reserved ǀ
Target Audience
IT administrators
Cloud architects
Course Requirements
Background in SAP applications such as
SAP HANA SAP BW SAP S4HANA and
SAP BusinessObjects BI4
Understanding of SAML SSO concepts
Course Introduction and Connectivity Overview
Target audience and course requirements
14PUBLICcopy 2019 SAP SE or an SAP affiliate company All rights reserved ǀ
Option 1
Deploy the provided solution system in your own AWS
account Solution system contains 3 images that include
minus SAP NetWeaver IDP
minus SAP BW4HANA
minus SAP HANA
minus SAP BusinessObjects BI42 SP6
minus SAP Web Dispatcher Reverse Proxy
Requires existing subscription to SAP Analytics Cloud or
purchase of a new BI-only subscription for USD 23month
Option 2
Use provided click-through demos that simulate working
with a real system
Course Introduction and Connectivity Overview
Development system access
Thank you
Contact information
opensapcom
copy 2019 SAP SE or an SAP affiliate company All rights reserved
No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of
SAP SE or an SAP affiliate company
The information contained herein may be changed without prior notice Some software products marketed by SAP SE and its
distributors contain proprietary software components of other software vendors National product specifications may vary
These materials are provided by SAP SE or an SAP affiliate company for informational purposes only without representation or
warranty of any kind and SAP or its affiliated companies shall not be liable for errors or omissions with respect to the materials
The only warranties for SAP or SAP affiliate company products and services are those that are set forth in the express warranty
statements accompanying such products and services if any Nothing herein should be construed as constituting an additional
warranty
In particular SAP SE or its affiliated companies have no obligation to pursue any course of business outlined in this document or
any related presentation or to develop or release any functionality mentioned therein This document or any related presentation
and SAP SErsquos or its affiliated companiesrsquo strategy and possible future developments products andor platforms directions and
functionality are all subject to change and may be changed by SAP SE or its affiliated companies at any time for any reason
without notice The information in this document is not a commitment promise or legal obligation to deliver any material code or
functionality All forward-looking statements are subject to various risks and uncertainties that could cause actual results to differ
materially from expectations Readers are cautioned not to place undue reliance on these forward-looking statements and they
should not be relied upon in making purchasing decisions
SAP and other SAP products and services mentioned herein as well as their respective logos are trademarks or registered
trademarks of SAP SE (or an SAP affiliate company) in Germany and other countries All other product and service names
mentioned are the trademarks of their respective companies
See wwwsapcomcopyright for additional trademark information and notices
wwwsapcomcontactsap
Follow all of SAP
Week 1 Authentication and Data Connectivity 1
Unit 2 Custom SAML SSO to SAP Analytics Cloud
2PUBLICcopy 2019 SAP SE or an SAP affiliate company All rights reserved ǀ
SAP Analytics Cloud uses SAP Cloud
Platform Identity Authentication Service
as the default authentication method
Single Sign-On (SSO) authentication to
a custom identity provider (IDP) can be
configured using SAML 20 protocol
minus Cloud or on-premise IDP can be used
minus Dynamic user creation and teamrole
mapping
minus Allows for seamless SSO
minus Two-factor authentication and Social
single-sign-on is possible
Custom SAML SSO to SAP Analytics Cloud
Authentication options
3PUBLICcopy 2019 SAP SE or an SAP affiliate company All rights reserved ǀ
Custom SAML SSO to SAP Analytics Cloud
Who should be involved
SAP Analytics Cloud system owner
SAML IDP administrator
Thank you
Contact information
opensapcom
copy 2019 SAP SE or an SAP affiliate company All rights reserved
No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of
SAP SE or an SAP affiliate company
The information contained herein may be changed without prior notice Some software products marketed by SAP SE and its
distributors contain proprietary software components of other software vendors National product specifications may vary
These materials are provided by SAP SE or an SAP affiliate company for informational purposes only without representation or
warranty of any kind and SAP or its affiliated companies shall not be liable for errors or omissions with respect to the materials
The only warranties for SAP or SAP affiliate company products and services are those that are set forth in the express warranty
statements accompanying such products and services if any Nothing herein should be construed as constituting an additional
warranty
In particular SAP SE or its affiliated companies have no obligation to pursue any course of business outlined in this document or
any related presentation or to develop or release any functionality mentioned therein This document or any related presentation
and SAP SErsquos or its affiliated companiesrsquo strategy and possible future developments products andor platforms directions and
functionality are all subject to change and may be changed by SAP SE or its affiliated companies at any time for any reason
without notice The information in this document is not a commitment promise or legal obligation to deliver any material code or
functionality All forward-looking statements are subject to various risks and uncertainties that could cause actual results to differ
materially from expectations Readers are cautioned not to place undue reliance on these forward-looking statements and they
should not be relied upon in making purchasing decisions
SAP and other SAP products and services mentioned herein as well as their respective logos are trademarks or registered
trademarks of SAP SE (or an SAP affiliate company) in Germany and other countries All other product and service names
mentioned are the trademarks of their respective companies
See wwwsapcomcopyright for additional trademark information and notices
wwwsapcomcontactsap
Follow all of SAP
Week 1 Authentication and Data Connectivity 1
Unit 3 Additional Authentication Options
2PUBLICcopy 2019 SAP SE or an SAP affiliate company All rights reserved ǀ
Additional Authentication Options
Seamless SSO Social SSO and two-factor authentication
SAML 2 IDP
X509 Client
Certificate
Kerberos
SAML
Seamless SSO to SAP Analytics Cloud
minus Requires custom IDP to support either
Kerberos or client certificate authentication
minus Existing PKI infrastructure required to
support client certificate authentication
minus Kerberos typically only for Intranet
scenarios
Two-factor authentication and Social SSO
possible provided your custom IDP supports
these features
SAP
Analytics
Cloud
Thank you
Contact information
opensapcom
copy 2019 SAP SE or an SAP affiliate company All rights reserved
No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of
SAP SE or an SAP affiliate company
The information contained herein may be changed without prior notice Some software products marketed by SAP SE and its
distributors contain proprietary software components of other software vendors National product specifications may vary
These materials are provided by SAP SE or an SAP affiliate company for informational purposes only without representation or
warranty of any kind and SAP or its affiliated companies shall not be liable for errors or omissions with respect to the materials
The only warranties for SAP or SAP affiliate company products and services are those that are set forth in the express warranty
statements accompanying such products and services if any Nothing herein should be construed as constituting an additional
warranty
In particular SAP SE or its affiliated companies have no obligation to pursue any course of business outlined in this document or
any related presentation or to develop or release any functionality mentioned therein This document or any related presentation
and SAP SErsquos or its affiliated companiesrsquo strategy and possible future developments products andor platforms directions and
functionality are all subject to change and may be changed by SAP SE or its affiliated companies at any time for any reason
without notice The information in this document is not a commitment promise or legal obligation to deliver any material code or
functionality All forward-looking statements are subject to various risks and uncertainties that could cause actual results to differ
materially from expectations Readers are cautioned not to place undue reliance on these forward-looking statements and they
should not be relied upon in making purchasing decisions
SAP and other SAP products and services mentioned herein as well as their respective logos are trademarks or registered
trademarks of SAP SE (or an SAP affiliate company) in Germany and other countries All other product and service names
mentioned are the trademarks of their respective companies
See wwwsapcomcopyright for additional trademark information and notices
wwwsapcomcontactsap
Follow all of SAP
Week 1 Authentication and Data Connectivity 1
Unit 4 Live Connection to SAP HANA with SAML SSO
2PUBLICcopy 2019 SAP SE or an SAP affiliate company All rights reserved ǀ
Live Connection to SAP HANA with SAML SSO
Prerequisites
CORS
minus Minimum SAP HANA versions SAP HANA 10 SPS12 or
SAP HANA 20 SP01
minus Compatible EPMMDS package installed on SAP HANA 2x
minus SAP HANA XS server is configured for HTTPS (SSL) with a
signed certificate
minus Users assigned sapbcinaservicev2userRoleINA_USER role
minus Access to SAP HANArsquos XS admin
https[HANA_XS_HOST][HTTPS_Port]saphanaxsadmin
minus Browser configured to accept cookies from SAP HANA server
SAML
minus SAP Analytics Cloud pre-configured to use custom SAML
minus Browser configured to allow popups from sapanalyticscloud
minus Access to SAP HANArsquos Web IDE
https[HANA_XS_HOST][HTTPS_Port]saphanaideeditor
3PUBLICcopy 2019 SAP SE or an SAP affiliate company All rights reserved ǀ
SAML2 Identity Provider
auth
InA
Service
1 Web Request
2 ltSAMLRequestgt
3 ltSAMLRequestgt
4 ltSAMLResponsegt
5 ltSAMLResponsegt
6 Content (auto-close popup)
7 CORS AJAX Request
8 CORS AJAX Response (Content)
Popup
Window
Main
Window
0 Popup window opens
1 Popup window requests the
auth node
2 Authentication required for
the auth node
3 SAMLRequest sent to IdP
4 IdP returns SAML response
as the browser was already
authenticated during SAP
Analytics Cloud logon
5 SAML assertion sent to SP
6 SP returns content of the
auth node causing auto-
closure of the popup window
7 Main browser window sends
CORS AJAX request to InA
service
8 SP returns InA content as
the browser is already
authenticatedSAML 2 Service Provider
SAP HANA
SAP BW
SAP S4HANA
SAP BusinessObjects BI4
SAP BPC
Live Connection to SAP HANA with SAML SSO
SAML workflow for SAP live sources
4PUBLICcopy 2019 SAP SE or an SAP affiliate company All rights reserved ǀ
Live Connection to SAP HANA with SAML SSO
Who should be involved
SAP HANA administrator
SAP Analytics Cloud admin
SAML IDP administrator
Network security administrator (for signed SSL certificates)
Thank you
Contact information
opensapcom
copy 2019 SAP SE or an SAP affiliate company All rights reserved
No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of
SAP SE or an SAP affiliate company
The information contained herein may be changed without prior notice Some software products marketed by SAP SE and its
distributors contain proprietary software components of other software vendors National product specifications may vary
These materials are provided by SAP SE or an SAP affiliate company for informational purposes only without representation or
warranty of any kind and SAP or its affiliated companies shall not be liable for errors or omissions with respect to the materials
The only warranties for SAP or SAP affiliate company products and services are those that are set forth in the express warranty
statements accompanying such products and services if any Nothing herein should be construed as constituting an additional
warranty
In particular SAP SE or its affiliated companies have no obligation to pursue any course of business outlined in this document or
any related presentation or to develop or release any functionality mentioned therein This document or any related presentation
and SAP SErsquos or its affiliated companiesrsquo strategy and possible future developments products andor platforms directions and
functionality are all subject to change and may be changed by SAP SE or its affiliated companies at any time for any reason
without notice The information in this document is not a commitment promise or legal obligation to deliver any material code or
functionality All forward-looking statements are subject to various risks and uncertainties that could cause actual results to differ
materially from expectations Readers are cautioned not to place undue reliance on these forward-looking statements and they
should not be relied upon in making purchasing decisions
SAP and other SAP products and services mentioned herein as well as their respective logos are trademarks or registered
trademarks of SAP SE (or an SAP affiliate company) in Germany and other countries All other product and service names
mentioned are the trademarks of their respective companies
See wwwsapcomcopyright for additional trademark information and notices
wwwsapcomcontactsap
Follow all of SAP
- openSAP_sac2_Week_1_Unit_1_COURSEINTRO_Presentation
- openSAP_sac2_Week_1_Unit_2_CUSTSAMLSSO_Presentation
- openSAP_sac2_Week_1_Unit_3_ADDAUT_Presentation
- openSAP_sac2_Week_1_Unit_4_LIVECONN_Presentation
-
10PUBLICcopy 2019 SAP SE or an SAP affiliate company All rights reserved ǀ
Course Introduction and Connectivity Overview
SAML workflow
Identity Provider
Service Provider
Web B
row
ser
Resource
1
2
8
7
3
4
5
6
Service Request
ltSAMLRequestgt
Resource
ltSAMLResponsegt
ltSAMLRequestgt
ltSAMLResponsegt
Login Request
Login1 Service request (protected access)
2 Service needs authentication
3 ltSAMLRequestgt in POST (HTTP body) in a
HTML form or in GET (URL parameter)
4 Login request of IDP
5 Send credentials
6 Send SAML assertion as ltSAMLResponsegt
with secured user name identifier in HTTP body
7 Forward ltSAMLResponsegt as POST
parameter to assertion consumer service of SP
8 Send data of the service to the user
ACS
11PUBLICcopy 2019 SAP SE or an SAP affiliate company All rights reserved ǀ
Course Introduction and Connectivity Overview
On-premise import data connections
Additional on-premise components to deploy
1 SAP Cloud Connector
2 SAP Analytics Cloud agent
Cloud Connector
Secure data transfers between the on-premise data
source and SAP Cloud Platform
SAP Analytics Cloud agent
Connect and send query requests to the on-premise
data source
Supports Apache Tomcat 7 or higher
Java Standard Edition Runtime Environment version
7 or higher
Cloud Connector
SAP Analytics Cloud
Agent
On-Premise Data
Sources
SAP Analytics
Cloud
12PUBLICcopy 2019 SAP SE or an SAP affiliate company All rights reserved ǀ
Course Introduction and Connectivity Overview
Data import workflow
ODATA
SAP BPC NW
SQL Databases
Data
SAP Analytics Cloud Agent SAP BW
SAP ERP
SAP Analytics
Cloud
Public Domain Customer Network
Fir
ew
all
Fir
ew
all
DMZ
Fir
ew
all
Fir
ew
all
Cloud Connector
SAP S4HANA
SAP BPC MS
SAP BusinessObjects BI4 Universes
File Server
Data
Data
Data
13PUBLICcopy 2019 SAP SE or an SAP affiliate company All rights reserved ǀ
Target Audience
IT administrators
Cloud architects
Course Requirements
Background in SAP applications such as
SAP HANA SAP BW SAP S4HANA and
SAP BusinessObjects BI4
Understanding of SAML SSO concepts
Course Introduction and Connectivity Overview
Target audience and course requirements
14PUBLICcopy 2019 SAP SE or an SAP affiliate company All rights reserved ǀ
Option 1
Deploy the provided solution system in your own AWS
account Solution system contains 3 images that include
minus SAP NetWeaver IDP
minus SAP BW4HANA
minus SAP HANA
minus SAP BusinessObjects BI42 SP6
minus SAP Web Dispatcher Reverse Proxy
Requires existing subscription to SAP Analytics Cloud or
purchase of a new BI-only subscription for USD 23month
Option 2
Use provided click-through demos that simulate working
with a real system
Course Introduction and Connectivity Overview
Development system access
Thank you
Contact information
opensapcom
copy 2019 SAP SE or an SAP affiliate company All rights reserved
No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of
SAP SE or an SAP affiliate company
The information contained herein may be changed without prior notice Some software products marketed by SAP SE and its
distributors contain proprietary software components of other software vendors National product specifications may vary
These materials are provided by SAP SE or an SAP affiliate company for informational purposes only without representation or
warranty of any kind and SAP or its affiliated companies shall not be liable for errors or omissions with respect to the materials
The only warranties for SAP or SAP affiliate company products and services are those that are set forth in the express warranty
statements accompanying such products and services if any Nothing herein should be construed as constituting an additional
warranty
In particular SAP SE or its affiliated companies have no obligation to pursue any course of business outlined in this document or
any related presentation or to develop or release any functionality mentioned therein This document or any related presentation
and SAP SErsquos or its affiliated companiesrsquo strategy and possible future developments products andor platforms directions and
functionality are all subject to change and may be changed by SAP SE or its affiliated companies at any time for any reason
without notice The information in this document is not a commitment promise or legal obligation to deliver any material code or
functionality All forward-looking statements are subject to various risks and uncertainties that could cause actual results to differ
materially from expectations Readers are cautioned not to place undue reliance on these forward-looking statements and they
should not be relied upon in making purchasing decisions
SAP and other SAP products and services mentioned herein as well as their respective logos are trademarks or registered
trademarks of SAP SE (or an SAP affiliate company) in Germany and other countries All other product and service names
mentioned are the trademarks of their respective companies
See wwwsapcomcopyright for additional trademark information and notices
wwwsapcomcontactsap
Follow all of SAP
Week 1 Authentication and Data Connectivity 1
Unit 2 Custom SAML SSO to SAP Analytics Cloud
2PUBLICcopy 2019 SAP SE or an SAP affiliate company All rights reserved ǀ
SAP Analytics Cloud uses SAP Cloud
Platform Identity Authentication Service
as the default authentication method
Single Sign-On (SSO) authentication to
a custom identity provider (IDP) can be
configured using SAML 20 protocol
minus Cloud or on-premise IDP can be used
minus Dynamic user creation and teamrole
mapping
minus Allows for seamless SSO
minus Two-factor authentication and Social
single-sign-on is possible
Custom SAML SSO to SAP Analytics Cloud
Authentication options
3PUBLICcopy 2019 SAP SE or an SAP affiliate company All rights reserved ǀ
Custom SAML SSO to SAP Analytics Cloud
Who should be involved
SAP Analytics Cloud system owner
SAML IDP administrator
Thank you
Contact information
opensapcom
copy 2019 SAP SE or an SAP affiliate company All rights reserved
No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of
SAP SE or an SAP affiliate company
The information contained herein may be changed without prior notice Some software products marketed by SAP SE and its
distributors contain proprietary software components of other software vendors National product specifications may vary
These materials are provided by SAP SE or an SAP affiliate company for informational purposes only without representation or
warranty of any kind and SAP or its affiliated companies shall not be liable for errors or omissions with respect to the materials
The only warranties for SAP or SAP affiliate company products and services are those that are set forth in the express warranty
statements accompanying such products and services if any Nothing herein should be construed as constituting an additional
warranty
In particular SAP SE or its affiliated companies have no obligation to pursue any course of business outlined in this document or
any related presentation or to develop or release any functionality mentioned therein This document or any related presentation
and SAP SErsquos or its affiliated companiesrsquo strategy and possible future developments products andor platforms directions and
functionality are all subject to change and may be changed by SAP SE or its affiliated companies at any time for any reason
without notice The information in this document is not a commitment promise or legal obligation to deliver any material code or
functionality All forward-looking statements are subject to various risks and uncertainties that could cause actual results to differ
materially from expectations Readers are cautioned not to place undue reliance on these forward-looking statements and they
should not be relied upon in making purchasing decisions
SAP and other SAP products and services mentioned herein as well as their respective logos are trademarks or registered
trademarks of SAP SE (or an SAP affiliate company) in Germany and other countries All other product and service names
mentioned are the trademarks of their respective companies
See wwwsapcomcopyright for additional trademark information and notices
wwwsapcomcontactsap
Follow all of SAP
Week 1 Authentication and Data Connectivity 1
Unit 3 Additional Authentication Options
2PUBLICcopy 2019 SAP SE or an SAP affiliate company All rights reserved ǀ
Additional Authentication Options
Seamless SSO Social SSO and two-factor authentication
SAML 2 IDP
X509 Client
Certificate
Kerberos
SAML
Seamless SSO to SAP Analytics Cloud
minus Requires custom IDP to support either
Kerberos or client certificate authentication
minus Existing PKI infrastructure required to
support client certificate authentication
minus Kerberos typically only for Intranet
scenarios
Two-factor authentication and Social SSO
possible provided your custom IDP supports
these features
SAP
Analytics
Cloud
Thank you
Contact information
opensapcom
copy 2019 SAP SE or an SAP affiliate company All rights reserved
No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of
SAP SE or an SAP affiliate company
The information contained herein may be changed without prior notice Some software products marketed by SAP SE and its
distributors contain proprietary software components of other software vendors National product specifications may vary
These materials are provided by SAP SE or an SAP affiliate company for informational purposes only without representation or
warranty of any kind and SAP or its affiliated companies shall not be liable for errors or omissions with respect to the materials
The only warranties for SAP or SAP affiliate company products and services are those that are set forth in the express warranty
statements accompanying such products and services if any Nothing herein should be construed as constituting an additional
warranty
In particular SAP SE or its affiliated companies have no obligation to pursue any course of business outlined in this document or
any related presentation or to develop or release any functionality mentioned therein This document or any related presentation
and SAP SErsquos or its affiliated companiesrsquo strategy and possible future developments products andor platforms directions and
functionality are all subject to change and may be changed by SAP SE or its affiliated companies at any time for any reason
without notice The information in this document is not a commitment promise or legal obligation to deliver any material code or
functionality All forward-looking statements are subject to various risks and uncertainties that could cause actual results to differ
materially from expectations Readers are cautioned not to place undue reliance on these forward-looking statements and they
should not be relied upon in making purchasing decisions
SAP and other SAP products and services mentioned herein as well as their respective logos are trademarks or registered
trademarks of SAP SE (or an SAP affiliate company) in Germany and other countries All other product and service names
mentioned are the trademarks of their respective companies
See wwwsapcomcopyright for additional trademark information and notices
wwwsapcomcontactsap
Follow all of SAP
Week 1 Authentication and Data Connectivity 1
Unit 4 Live Connection to SAP HANA with SAML SSO
2PUBLICcopy 2019 SAP SE or an SAP affiliate company All rights reserved ǀ
Live Connection to SAP HANA with SAML SSO
Prerequisites
CORS
minus Minimum SAP HANA versions SAP HANA 10 SPS12 or
SAP HANA 20 SP01
minus Compatible EPMMDS package installed on SAP HANA 2x
minus SAP HANA XS server is configured for HTTPS (SSL) with a
signed certificate
minus Users assigned sapbcinaservicev2userRoleINA_USER role
minus Access to SAP HANArsquos XS admin
https[HANA_XS_HOST][HTTPS_Port]saphanaxsadmin
minus Browser configured to accept cookies from SAP HANA server
SAML
minus SAP Analytics Cloud pre-configured to use custom SAML
minus Browser configured to allow popups from sapanalyticscloud
minus Access to SAP HANArsquos Web IDE
https[HANA_XS_HOST][HTTPS_Port]saphanaideeditor
3PUBLICcopy 2019 SAP SE or an SAP affiliate company All rights reserved ǀ
SAML2 Identity Provider
auth
InA
Service
1 Web Request
2 ltSAMLRequestgt
3 ltSAMLRequestgt
4 ltSAMLResponsegt
5 ltSAMLResponsegt
6 Content (auto-close popup)
7 CORS AJAX Request
8 CORS AJAX Response (Content)
Popup
Window
Main
Window
0 Popup window opens
1 Popup window requests the
auth node
2 Authentication required for
the auth node
3 SAMLRequest sent to IdP
4 IdP returns SAML response
as the browser was already
authenticated during SAP
Analytics Cloud logon
5 SAML assertion sent to SP
6 SP returns content of the
auth node causing auto-
closure of the popup window
7 Main browser window sends
CORS AJAX request to InA
service
8 SP returns InA content as
the browser is already
authenticatedSAML 2 Service Provider
SAP HANA
SAP BW
SAP S4HANA
SAP BusinessObjects BI4
SAP BPC
Live Connection to SAP HANA with SAML SSO
SAML workflow for SAP live sources
4PUBLICcopy 2019 SAP SE or an SAP affiliate company All rights reserved ǀ
Live Connection to SAP HANA with SAML SSO
Who should be involved
SAP HANA administrator
SAP Analytics Cloud admin
SAML IDP administrator
Network security administrator (for signed SSL certificates)
Thank you
Contact information
opensapcom
copy 2019 SAP SE or an SAP affiliate company All rights reserved
No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of
SAP SE or an SAP affiliate company
The information contained herein may be changed without prior notice Some software products marketed by SAP SE and its
distributors contain proprietary software components of other software vendors National product specifications may vary
These materials are provided by SAP SE or an SAP affiliate company for informational purposes only without representation or
warranty of any kind and SAP or its affiliated companies shall not be liable for errors or omissions with respect to the materials
The only warranties for SAP or SAP affiliate company products and services are those that are set forth in the express warranty
statements accompanying such products and services if any Nothing herein should be construed as constituting an additional
warranty
In particular SAP SE or its affiliated companies have no obligation to pursue any course of business outlined in this document or
any related presentation or to develop or release any functionality mentioned therein This document or any related presentation
and SAP SErsquos or its affiliated companiesrsquo strategy and possible future developments products andor platforms directions and
functionality are all subject to change and may be changed by SAP SE or its affiliated companies at any time for any reason
without notice The information in this document is not a commitment promise or legal obligation to deliver any material code or
functionality All forward-looking statements are subject to various risks and uncertainties that could cause actual results to differ
materially from expectations Readers are cautioned not to place undue reliance on these forward-looking statements and they
should not be relied upon in making purchasing decisions
SAP and other SAP products and services mentioned herein as well as their respective logos are trademarks or registered
trademarks of SAP SE (or an SAP affiliate company) in Germany and other countries All other product and service names
mentioned are the trademarks of their respective companies
See wwwsapcomcopyright for additional trademark information and notices
wwwsapcomcontactsap
Follow all of SAP
- openSAP_sac2_Week_1_Unit_1_COURSEINTRO_Presentation
- openSAP_sac2_Week_1_Unit_2_CUSTSAMLSSO_Presentation
- openSAP_sac2_Week_1_Unit_3_ADDAUT_Presentation
- openSAP_sac2_Week_1_Unit_4_LIVECONN_Presentation
-
11PUBLICcopy 2019 SAP SE or an SAP affiliate company All rights reserved ǀ
Course Introduction and Connectivity Overview
On-premise import data connections
Additional on-premise components to deploy
1 SAP Cloud Connector
2 SAP Analytics Cloud agent
Cloud Connector
Secure data transfers between the on-premise data
source and SAP Cloud Platform
SAP Analytics Cloud agent
Connect and send query requests to the on-premise
data source
Supports Apache Tomcat 7 or higher
Java Standard Edition Runtime Environment version
7 or higher
Cloud Connector
SAP Analytics Cloud
Agent
On-Premise Data
Sources
SAP Analytics
Cloud
12PUBLICcopy 2019 SAP SE or an SAP affiliate company All rights reserved ǀ
Course Introduction and Connectivity Overview
Data import workflow
ODATA
SAP BPC NW
SQL Databases
Data
SAP Analytics Cloud Agent SAP BW
SAP ERP
SAP Analytics
Cloud
Public Domain Customer Network
Fir
ew
all
Fir
ew
all
DMZ
Fir
ew
all
Fir
ew
all
Cloud Connector
SAP S4HANA
SAP BPC MS
SAP BusinessObjects BI4 Universes
File Server
Data
Data
Data
13PUBLICcopy 2019 SAP SE or an SAP affiliate company All rights reserved ǀ
Target Audience
IT administrators
Cloud architects
Course Requirements
Background in SAP applications such as
SAP HANA SAP BW SAP S4HANA and
SAP BusinessObjects BI4
Understanding of SAML SSO concepts
Course Introduction and Connectivity Overview
Target audience and course requirements
14PUBLICcopy 2019 SAP SE or an SAP affiliate company All rights reserved ǀ
Option 1
Deploy the provided solution system in your own AWS
account Solution system contains 3 images that include
minus SAP NetWeaver IDP
minus SAP BW4HANA
minus SAP HANA
minus SAP BusinessObjects BI42 SP6
minus SAP Web Dispatcher Reverse Proxy
Requires existing subscription to SAP Analytics Cloud or
purchase of a new BI-only subscription for USD 23month
Option 2
Use provided click-through demos that simulate working
with a real system
Course Introduction and Connectivity Overview
Development system access
Thank you
Contact information
opensapcom
copy 2019 SAP SE or an SAP affiliate company All rights reserved
No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of
SAP SE or an SAP affiliate company
The information contained herein may be changed without prior notice Some software products marketed by SAP SE and its
distributors contain proprietary software components of other software vendors National product specifications may vary
These materials are provided by SAP SE or an SAP affiliate company for informational purposes only without representation or
warranty of any kind and SAP or its affiliated companies shall not be liable for errors or omissions with respect to the materials
The only warranties for SAP or SAP affiliate company products and services are those that are set forth in the express warranty
statements accompanying such products and services if any Nothing herein should be construed as constituting an additional
warranty
In particular SAP SE or its affiliated companies have no obligation to pursue any course of business outlined in this document or
any related presentation or to develop or release any functionality mentioned therein This document or any related presentation
and SAP SErsquos or its affiliated companiesrsquo strategy and possible future developments products andor platforms directions and
functionality are all subject to change and may be changed by SAP SE or its affiliated companies at any time for any reason
without notice The information in this document is not a commitment promise or legal obligation to deliver any material code or
functionality All forward-looking statements are subject to various risks and uncertainties that could cause actual results to differ
materially from expectations Readers are cautioned not to place undue reliance on these forward-looking statements and they
should not be relied upon in making purchasing decisions
SAP and other SAP products and services mentioned herein as well as their respective logos are trademarks or registered
trademarks of SAP SE (or an SAP affiliate company) in Germany and other countries All other product and service names
mentioned are the trademarks of their respective companies
See wwwsapcomcopyright for additional trademark information and notices
wwwsapcomcontactsap
Follow all of SAP
Week 1 Authentication and Data Connectivity 1
Unit 2 Custom SAML SSO to SAP Analytics Cloud
2PUBLICcopy 2019 SAP SE or an SAP affiliate company All rights reserved ǀ
SAP Analytics Cloud uses SAP Cloud
Platform Identity Authentication Service
as the default authentication method
Single Sign-On (SSO) authentication to
a custom identity provider (IDP) can be
configured using SAML 20 protocol
minus Cloud or on-premise IDP can be used
minus Dynamic user creation and teamrole
mapping
minus Allows for seamless SSO
minus Two-factor authentication and Social
single-sign-on is possible
Custom SAML SSO to SAP Analytics Cloud
Authentication options
3PUBLICcopy 2019 SAP SE or an SAP affiliate company All rights reserved ǀ
Custom SAML SSO to SAP Analytics Cloud
Who should be involved
SAP Analytics Cloud system owner
SAML IDP administrator
Thank you
Contact information
opensapcom
copy 2019 SAP SE or an SAP affiliate company All rights reserved
No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of
SAP SE or an SAP affiliate company
The information contained herein may be changed without prior notice Some software products marketed by SAP SE and its
distributors contain proprietary software components of other software vendors National product specifications may vary
These materials are provided by SAP SE or an SAP affiliate company for informational purposes only without representation or
warranty of any kind and SAP or its affiliated companies shall not be liable for errors or omissions with respect to the materials
The only warranties for SAP or SAP affiliate company products and services are those that are set forth in the express warranty
statements accompanying such products and services if any Nothing herein should be construed as constituting an additional
warranty
In particular SAP SE or its affiliated companies have no obligation to pursue any course of business outlined in this document or
any related presentation or to develop or release any functionality mentioned therein This document or any related presentation
and SAP SErsquos or its affiliated companiesrsquo strategy and possible future developments products andor platforms directions and
functionality are all subject to change and may be changed by SAP SE or its affiliated companies at any time for any reason
without notice The information in this document is not a commitment promise or legal obligation to deliver any material code or
functionality All forward-looking statements are subject to various risks and uncertainties that could cause actual results to differ
materially from expectations Readers are cautioned not to place undue reliance on these forward-looking statements and they
should not be relied upon in making purchasing decisions
SAP and other SAP products and services mentioned herein as well as their respective logos are trademarks or registered
trademarks of SAP SE (or an SAP affiliate company) in Germany and other countries All other product and service names
mentioned are the trademarks of their respective companies
See wwwsapcomcopyright for additional trademark information and notices
wwwsapcomcontactsap
Follow all of SAP
Week 1 Authentication and Data Connectivity 1
Unit 3 Additional Authentication Options
2PUBLICcopy 2019 SAP SE or an SAP affiliate company All rights reserved ǀ
Additional Authentication Options
Seamless SSO Social SSO and two-factor authentication
SAML 2 IDP
X509 Client
Certificate
Kerberos
SAML
Seamless SSO to SAP Analytics Cloud
minus Requires custom IDP to support either
Kerberos or client certificate authentication
minus Existing PKI infrastructure required to
support client certificate authentication
minus Kerberos typically only for Intranet
scenarios
Two-factor authentication and Social SSO
possible provided your custom IDP supports
these features
SAP
Analytics
Cloud
Thank you
Contact information
opensapcom
copy 2019 SAP SE or an SAP affiliate company All rights reserved
No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of
SAP SE or an SAP affiliate company
The information contained herein may be changed without prior notice Some software products marketed by SAP SE and its
distributors contain proprietary software components of other software vendors National product specifications may vary
These materials are provided by SAP SE or an SAP affiliate company for informational purposes only without representation or
warranty of any kind and SAP or its affiliated companies shall not be liable for errors or omissions with respect to the materials
The only warranties for SAP or SAP affiliate company products and services are those that are set forth in the express warranty
statements accompanying such products and services if any Nothing herein should be construed as constituting an additional
warranty
In particular SAP SE or its affiliated companies have no obligation to pursue any course of business outlined in this document or
any related presentation or to develop or release any functionality mentioned therein This document or any related presentation
and SAP SErsquos or its affiliated companiesrsquo strategy and possible future developments products andor platforms directions and
functionality are all subject to change and may be changed by SAP SE or its affiliated companies at any time for any reason
without notice The information in this document is not a commitment promise or legal obligation to deliver any material code or
functionality All forward-looking statements are subject to various risks and uncertainties that could cause actual results to differ
materially from expectations Readers are cautioned not to place undue reliance on these forward-looking statements and they
should not be relied upon in making purchasing decisions
SAP and other SAP products and services mentioned herein as well as their respective logos are trademarks or registered
trademarks of SAP SE (or an SAP affiliate company) in Germany and other countries All other product and service names
mentioned are the trademarks of their respective companies
See wwwsapcomcopyright for additional trademark information and notices
wwwsapcomcontactsap
Follow all of SAP
Week 1 Authentication and Data Connectivity 1
Unit 4 Live Connection to SAP HANA with SAML SSO
2PUBLICcopy 2019 SAP SE or an SAP affiliate company All rights reserved ǀ
Live Connection to SAP HANA with SAML SSO
Prerequisites
CORS
minus Minimum SAP HANA versions SAP HANA 10 SPS12 or
SAP HANA 20 SP01
minus Compatible EPMMDS package installed on SAP HANA 2x
minus SAP HANA XS server is configured for HTTPS (SSL) with a
signed certificate
minus Users assigned sapbcinaservicev2userRoleINA_USER role
minus Access to SAP HANArsquos XS admin
https[HANA_XS_HOST][HTTPS_Port]saphanaxsadmin
minus Browser configured to accept cookies from SAP HANA server
SAML
minus SAP Analytics Cloud pre-configured to use custom SAML
minus Browser configured to allow popups from sapanalyticscloud
minus Access to SAP HANArsquos Web IDE
https[HANA_XS_HOST][HTTPS_Port]saphanaideeditor
3PUBLICcopy 2019 SAP SE or an SAP affiliate company All rights reserved ǀ
SAML2 Identity Provider
auth
InA
Service
1 Web Request
2 ltSAMLRequestgt
3 ltSAMLRequestgt
4 ltSAMLResponsegt
5 ltSAMLResponsegt
6 Content (auto-close popup)
7 CORS AJAX Request
8 CORS AJAX Response (Content)
Popup
Window
Main
Window
0 Popup window opens
1 Popup window requests the
auth node
2 Authentication required for
the auth node
3 SAMLRequest sent to IdP
4 IdP returns SAML response
as the browser was already
authenticated during SAP
Analytics Cloud logon
5 SAML assertion sent to SP
6 SP returns content of the
auth node causing auto-
closure of the popup window
7 Main browser window sends
CORS AJAX request to InA
service
8 SP returns InA content as
the browser is already
authenticatedSAML 2 Service Provider
SAP HANA
SAP BW
SAP S4HANA
SAP BusinessObjects BI4
SAP BPC
Live Connection to SAP HANA with SAML SSO
SAML workflow for SAP live sources
4PUBLICcopy 2019 SAP SE or an SAP affiliate company All rights reserved ǀ
Live Connection to SAP HANA with SAML SSO
Who should be involved
SAP HANA administrator
SAP Analytics Cloud admin
SAML IDP administrator
Network security administrator (for signed SSL certificates)
Thank you
Contact information
opensapcom
copy 2019 SAP SE or an SAP affiliate company All rights reserved
No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of
SAP SE or an SAP affiliate company
The information contained herein may be changed without prior notice Some software products marketed by SAP SE and its
distributors contain proprietary software components of other software vendors National product specifications may vary
These materials are provided by SAP SE or an SAP affiliate company for informational purposes only without representation or
warranty of any kind and SAP or its affiliated companies shall not be liable for errors or omissions with respect to the materials
The only warranties for SAP or SAP affiliate company products and services are those that are set forth in the express warranty
statements accompanying such products and services if any Nothing herein should be construed as constituting an additional
warranty
In particular SAP SE or its affiliated companies have no obligation to pursue any course of business outlined in this document or
any related presentation or to develop or release any functionality mentioned therein This document or any related presentation
and SAP SErsquos or its affiliated companiesrsquo strategy and possible future developments products andor platforms directions and
functionality are all subject to change and may be changed by SAP SE or its affiliated companies at any time for any reason
without notice The information in this document is not a commitment promise or legal obligation to deliver any material code or
functionality All forward-looking statements are subject to various risks and uncertainties that could cause actual results to differ
materially from expectations Readers are cautioned not to place undue reliance on these forward-looking statements and they
should not be relied upon in making purchasing decisions
SAP and other SAP products and services mentioned herein as well as their respective logos are trademarks or registered
trademarks of SAP SE (or an SAP affiliate company) in Germany and other countries All other product and service names
mentioned are the trademarks of their respective companies
See wwwsapcomcopyright for additional trademark information and notices
wwwsapcomcontactsap
Follow all of SAP
- openSAP_sac2_Week_1_Unit_1_COURSEINTRO_Presentation
- openSAP_sac2_Week_1_Unit_2_CUSTSAMLSSO_Presentation
- openSAP_sac2_Week_1_Unit_3_ADDAUT_Presentation
- openSAP_sac2_Week_1_Unit_4_LIVECONN_Presentation
-
12PUBLICcopy 2019 SAP SE or an SAP affiliate company All rights reserved ǀ
Course Introduction and Connectivity Overview
Data import workflow
ODATA
SAP BPC NW
SQL Databases
Data
SAP Analytics Cloud Agent SAP BW
SAP ERP
SAP Analytics
Cloud
Public Domain Customer Network
Fir
ew
all
Fir
ew
all
DMZ
Fir
ew
all
Fir
ew
all
Cloud Connector
SAP S4HANA
SAP BPC MS
SAP BusinessObjects BI4 Universes
File Server
Data
Data
Data
13PUBLICcopy 2019 SAP SE or an SAP affiliate company All rights reserved ǀ
Target Audience
IT administrators
Cloud architects
Course Requirements
Background in SAP applications such as
SAP HANA SAP BW SAP S4HANA and
SAP BusinessObjects BI4
Understanding of SAML SSO concepts
Course Introduction and Connectivity Overview
Target audience and course requirements
14PUBLICcopy 2019 SAP SE or an SAP affiliate company All rights reserved ǀ
Option 1
Deploy the provided solution system in your own AWS
account Solution system contains 3 images that include
minus SAP NetWeaver IDP
minus SAP BW4HANA
minus SAP HANA
minus SAP BusinessObjects BI42 SP6
minus SAP Web Dispatcher Reverse Proxy
Requires existing subscription to SAP Analytics Cloud or
purchase of a new BI-only subscription for USD 23month
Option 2
Use provided click-through demos that simulate working
with a real system
Course Introduction and Connectivity Overview
Development system access
Thank you
Contact information
opensapcom
copy 2019 SAP SE or an SAP affiliate company All rights reserved
No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of
SAP SE or an SAP affiliate company
The information contained herein may be changed without prior notice Some software products marketed by SAP SE and its
distributors contain proprietary software components of other software vendors National product specifications may vary
These materials are provided by SAP SE or an SAP affiliate company for informational purposes only without representation or
warranty of any kind and SAP or its affiliated companies shall not be liable for errors or omissions with respect to the materials
The only warranties for SAP or SAP affiliate company products and services are those that are set forth in the express warranty
statements accompanying such products and services if any Nothing herein should be construed as constituting an additional
warranty
In particular SAP SE or its affiliated companies have no obligation to pursue any course of business outlined in this document or
any related presentation or to develop or release any functionality mentioned therein This document or any related presentation
and SAP SErsquos or its affiliated companiesrsquo strategy and possible future developments products andor platforms directions and
functionality are all subject to change and may be changed by SAP SE or its affiliated companies at any time for any reason
without notice The information in this document is not a commitment promise or legal obligation to deliver any material code or
functionality All forward-looking statements are subject to various risks and uncertainties that could cause actual results to differ
materially from expectations Readers are cautioned not to place undue reliance on these forward-looking statements and they
should not be relied upon in making purchasing decisions
SAP and other SAP products and services mentioned herein as well as their respective logos are trademarks or registered
trademarks of SAP SE (or an SAP affiliate company) in Germany and other countries All other product and service names
mentioned are the trademarks of their respective companies
See wwwsapcomcopyright for additional trademark information and notices
wwwsapcomcontactsap
Follow all of SAP
Week 1 Authentication and Data Connectivity 1
Unit 2 Custom SAML SSO to SAP Analytics Cloud
2PUBLICcopy 2019 SAP SE or an SAP affiliate company All rights reserved ǀ
SAP Analytics Cloud uses SAP Cloud
Platform Identity Authentication Service
as the default authentication method
Single Sign-On (SSO) authentication to
a custom identity provider (IDP) can be
configured using SAML 20 protocol
minus Cloud or on-premise IDP can be used
minus Dynamic user creation and teamrole
mapping
minus Allows for seamless SSO
minus Two-factor authentication and Social
single-sign-on is possible
Custom SAML SSO to SAP Analytics Cloud
Authentication options
3PUBLICcopy 2019 SAP SE or an SAP affiliate company All rights reserved ǀ
Custom SAML SSO to SAP Analytics Cloud
Who should be involved
SAP Analytics Cloud system owner
SAML IDP administrator
Thank you
Contact information
opensapcom
copy 2019 SAP SE or an SAP affiliate company All rights reserved
No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of
SAP SE or an SAP affiliate company
The information contained herein may be changed without prior notice Some software products marketed by SAP SE and its
distributors contain proprietary software components of other software vendors National product specifications may vary
These materials are provided by SAP SE or an SAP affiliate company for informational purposes only without representation or
warranty of any kind and SAP or its affiliated companies shall not be liable for errors or omissions with respect to the materials
The only warranties for SAP or SAP affiliate company products and services are those that are set forth in the express warranty
statements accompanying such products and services if any Nothing herein should be construed as constituting an additional
warranty
In particular SAP SE or its affiliated companies have no obligation to pursue any course of business outlined in this document or
any related presentation or to develop or release any functionality mentioned therein This document or any related presentation
and SAP SErsquos or its affiliated companiesrsquo strategy and possible future developments products andor platforms directions and
functionality are all subject to change and may be changed by SAP SE or its affiliated companies at any time for any reason
without notice The information in this document is not a commitment promise or legal obligation to deliver any material code or
functionality All forward-looking statements are subject to various risks and uncertainties that could cause actual results to differ
materially from expectations Readers are cautioned not to place undue reliance on these forward-looking statements and they
should not be relied upon in making purchasing decisions
SAP and other SAP products and services mentioned herein as well as their respective logos are trademarks or registered
trademarks of SAP SE (or an SAP affiliate company) in Germany and other countries All other product and service names
mentioned are the trademarks of their respective companies
See wwwsapcomcopyright for additional trademark information and notices
wwwsapcomcontactsap
Follow all of SAP
Week 1 Authentication and Data Connectivity 1
Unit 3 Additional Authentication Options
2PUBLICcopy 2019 SAP SE or an SAP affiliate company All rights reserved ǀ
Additional Authentication Options
Seamless SSO Social SSO and two-factor authentication
SAML 2 IDP
X509 Client
Certificate
Kerberos
SAML
Seamless SSO to SAP Analytics Cloud
minus Requires custom IDP to support either
Kerberos or client certificate authentication
minus Existing PKI infrastructure required to
support client certificate authentication
minus Kerberos typically only for Intranet
scenarios
Two-factor authentication and Social SSO
possible provided your custom IDP supports
these features
SAP
Analytics
Cloud
Thank you
Contact information
opensapcom
copy 2019 SAP SE or an SAP affiliate company All rights reserved
No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of
SAP SE or an SAP affiliate company
The information contained herein may be changed without prior notice Some software products marketed by SAP SE and its
distributors contain proprietary software components of other software vendors National product specifications may vary
These materials are provided by SAP SE or an SAP affiliate company for informational purposes only without representation or
warranty of any kind and SAP or its affiliated companies shall not be liable for errors or omissions with respect to the materials
The only warranties for SAP or SAP affiliate company products and services are those that are set forth in the express warranty
statements accompanying such products and services if any Nothing herein should be construed as constituting an additional
warranty
In particular SAP SE or its affiliated companies have no obligation to pursue any course of business outlined in this document or
any related presentation or to develop or release any functionality mentioned therein This document or any related presentation
and SAP SErsquos or its affiliated companiesrsquo strategy and possible future developments products andor platforms directions and
functionality are all subject to change and may be changed by SAP SE or its affiliated companies at any time for any reason
without notice The information in this document is not a commitment promise or legal obligation to deliver any material code or
functionality All forward-looking statements are subject to various risks and uncertainties that could cause actual results to differ
materially from expectations Readers are cautioned not to place undue reliance on these forward-looking statements and they
should not be relied upon in making purchasing decisions
SAP and other SAP products and services mentioned herein as well as their respective logos are trademarks or registered
trademarks of SAP SE (or an SAP affiliate company) in Germany and other countries All other product and service names
mentioned are the trademarks of their respective companies
See wwwsapcomcopyright for additional trademark information and notices
wwwsapcomcontactsap
Follow all of SAP
Week 1 Authentication and Data Connectivity 1
Unit 4 Live Connection to SAP HANA with SAML SSO
2PUBLICcopy 2019 SAP SE or an SAP affiliate company All rights reserved ǀ
Live Connection to SAP HANA with SAML SSO
Prerequisites
CORS
minus Minimum SAP HANA versions SAP HANA 10 SPS12 or
SAP HANA 20 SP01
minus Compatible EPMMDS package installed on SAP HANA 2x
minus SAP HANA XS server is configured for HTTPS (SSL) with a
signed certificate
minus Users assigned sapbcinaservicev2userRoleINA_USER role
minus Access to SAP HANArsquos XS admin
https[HANA_XS_HOST][HTTPS_Port]saphanaxsadmin
minus Browser configured to accept cookies from SAP HANA server
SAML
minus SAP Analytics Cloud pre-configured to use custom SAML
minus Browser configured to allow popups from sapanalyticscloud
minus Access to SAP HANArsquos Web IDE
https[HANA_XS_HOST][HTTPS_Port]saphanaideeditor
3PUBLICcopy 2019 SAP SE or an SAP affiliate company All rights reserved ǀ
SAML2 Identity Provider
auth
InA
Service
1 Web Request
2 ltSAMLRequestgt
3 ltSAMLRequestgt
4 ltSAMLResponsegt
5 ltSAMLResponsegt
6 Content (auto-close popup)
7 CORS AJAX Request
8 CORS AJAX Response (Content)
Popup
Window
Main
Window
0 Popup window opens
1 Popup window requests the
auth node
2 Authentication required for
the auth node
3 SAMLRequest sent to IdP
4 IdP returns SAML response
as the browser was already
authenticated during SAP
Analytics Cloud logon
5 SAML assertion sent to SP
6 SP returns content of the
auth node causing auto-
closure of the popup window
7 Main browser window sends
CORS AJAX request to InA
service
8 SP returns InA content as
the browser is already
authenticatedSAML 2 Service Provider
SAP HANA
SAP BW
SAP S4HANA
SAP BusinessObjects BI4
SAP BPC
Live Connection to SAP HANA with SAML SSO
SAML workflow for SAP live sources
4PUBLICcopy 2019 SAP SE or an SAP affiliate company All rights reserved ǀ
Live Connection to SAP HANA with SAML SSO
Who should be involved
SAP HANA administrator
SAP Analytics Cloud admin
SAML IDP administrator
Network security administrator (for signed SSL certificates)
Thank you
Contact information
opensapcom
copy 2019 SAP SE or an SAP affiliate company All rights reserved
No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of
SAP SE or an SAP affiliate company
The information contained herein may be changed without prior notice Some software products marketed by SAP SE and its
distributors contain proprietary software components of other software vendors National product specifications may vary
These materials are provided by SAP SE or an SAP affiliate company for informational purposes only without representation or
warranty of any kind and SAP or its affiliated companies shall not be liable for errors or omissions with respect to the materials
The only warranties for SAP or SAP affiliate company products and services are those that are set forth in the express warranty
statements accompanying such products and services if any Nothing herein should be construed as constituting an additional
warranty
In particular SAP SE or its affiliated companies have no obligation to pursue any course of business outlined in this document or
any related presentation or to develop or release any functionality mentioned therein This document or any related presentation
and SAP SErsquos or its affiliated companiesrsquo strategy and possible future developments products andor platforms directions and
functionality are all subject to change and may be changed by SAP SE or its affiliated companies at any time for any reason
without notice The information in this document is not a commitment promise or legal obligation to deliver any material code or
functionality All forward-looking statements are subject to various risks and uncertainties that could cause actual results to differ
materially from expectations Readers are cautioned not to place undue reliance on these forward-looking statements and they
should not be relied upon in making purchasing decisions
SAP and other SAP products and services mentioned herein as well as their respective logos are trademarks or registered
trademarks of SAP SE (or an SAP affiliate company) in Germany and other countries All other product and service names
mentioned are the trademarks of their respective companies
See wwwsapcomcopyright for additional trademark information and notices
wwwsapcomcontactsap
Follow all of SAP
- openSAP_sac2_Week_1_Unit_1_COURSEINTRO_Presentation
- openSAP_sac2_Week_1_Unit_2_CUSTSAMLSSO_Presentation
- openSAP_sac2_Week_1_Unit_3_ADDAUT_Presentation
- openSAP_sac2_Week_1_Unit_4_LIVECONN_Presentation
-
13PUBLICcopy 2019 SAP SE or an SAP affiliate company All rights reserved ǀ
Target Audience
IT administrators
Cloud architects
Course Requirements
Background in SAP applications such as
SAP HANA SAP BW SAP S4HANA and
SAP BusinessObjects BI4
Understanding of SAML SSO concepts
Course Introduction and Connectivity Overview
Target audience and course requirements
14PUBLICcopy 2019 SAP SE or an SAP affiliate company All rights reserved ǀ
Option 1
Deploy the provided solution system in your own AWS
account Solution system contains 3 images that include
minus SAP NetWeaver IDP
minus SAP BW4HANA
minus SAP HANA
minus SAP BusinessObjects BI42 SP6
minus SAP Web Dispatcher Reverse Proxy
Requires existing subscription to SAP Analytics Cloud or
purchase of a new BI-only subscription for USD 23month
Option 2
Use provided click-through demos that simulate working
with a real system
Course Introduction and Connectivity Overview
Development system access
Thank you
Contact information
opensapcom
copy 2019 SAP SE or an SAP affiliate company All rights reserved
No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of
SAP SE or an SAP affiliate company
The information contained herein may be changed without prior notice Some software products marketed by SAP SE and its
distributors contain proprietary software components of other software vendors National product specifications may vary
These materials are provided by SAP SE or an SAP affiliate company for informational purposes only without representation or
warranty of any kind and SAP or its affiliated companies shall not be liable for errors or omissions with respect to the materials
The only warranties for SAP or SAP affiliate company products and services are those that are set forth in the express warranty
statements accompanying such products and services if any Nothing herein should be construed as constituting an additional
warranty
In particular SAP SE or its affiliated companies have no obligation to pursue any course of business outlined in this document or
any related presentation or to develop or release any functionality mentioned therein This document or any related presentation
and SAP SErsquos or its affiliated companiesrsquo strategy and possible future developments products andor platforms directions and
functionality are all subject to change and may be changed by SAP SE or its affiliated companies at any time for any reason
without notice The information in this document is not a commitment promise or legal obligation to deliver any material code or
functionality All forward-looking statements are subject to various risks and uncertainties that could cause actual results to differ
materially from expectations Readers are cautioned not to place undue reliance on these forward-looking statements and they
should not be relied upon in making purchasing decisions
SAP and other SAP products and services mentioned herein as well as their respective logos are trademarks or registered
trademarks of SAP SE (or an SAP affiliate company) in Germany and other countries All other product and service names
mentioned are the trademarks of their respective companies
See wwwsapcomcopyright for additional trademark information and notices
wwwsapcomcontactsap
Follow all of SAP
Week 1 Authentication and Data Connectivity 1
Unit 2 Custom SAML SSO to SAP Analytics Cloud
2PUBLICcopy 2019 SAP SE or an SAP affiliate company All rights reserved ǀ
SAP Analytics Cloud uses SAP Cloud
Platform Identity Authentication Service
as the default authentication method
Single Sign-On (SSO) authentication to
a custom identity provider (IDP) can be
configured using SAML 20 protocol
minus Cloud or on-premise IDP can be used
minus Dynamic user creation and teamrole
mapping
minus Allows for seamless SSO
minus Two-factor authentication and Social
single-sign-on is possible
Custom SAML SSO to SAP Analytics Cloud
Authentication options
3PUBLICcopy 2019 SAP SE or an SAP affiliate company All rights reserved ǀ
Custom SAML SSO to SAP Analytics Cloud
Who should be involved
SAP Analytics Cloud system owner
SAML IDP administrator
Thank you
Contact information
opensapcom
copy 2019 SAP SE or an SAP affiliate company All rights reserved
No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of
SAP SE or an SAP affiliate company
The information contained herein may be changed without prior notice Some software products marketed by SAP SE and its
distributors contain proprietary software components of other software vendors National product specifications may vary
These materials are provided by SAP SE or an SAP affiliate company for informational purposes only without representation or
warranty of any kind and SAP or its affiliated companies shall not be liable for errors or omissions with respect to the materials
The only warranties for SAP or SAP affiliate company products and services are those that are set forth in the express warranty
statements accompanying such products and services if any Nothing herein should be construed as constituting an additional
warranty
In particular SAP SE or its affiliated companies have no obligation to pursue any course of business outlined in this document or
any related presentation or to develop or release any functionality mentioned therein This document or any related presentation
and SAP SErsquos or its affiliated companiesrsquo strategy and possible future developments products andor platforms directions and
functionality are all subject to change and may be changed by SAP SE or its affiliated companies at any time for any reason
without notice The information in this document is not a commitment promise or legal obligation to deliver any material code or
functionality All forward-looking statements are subject to various risks and uncertainties that could cause actual results to differ
materially from expectations Readers are cautioned not to place undue reliance on these forward-looking statements and they
should not be relied upon in making purchasing decisions
SAP and other SAP products and services mentioned herein as well as their respective logos are trademarks or registered
trademarks of SAP SE (or an SAP affiliate company) in Germany and other countries All other product and service names
mentioned are the trademarks of their respective companies
See wwwsapcomcopyright for additional trademark information and notices
wwwsapcomcontactsap
Follow all of SAP
Week 1 Authentication and Data Connectivity 1
Unit 3 Additional Authentication Options
2PUBLICcopy 2019 SAP SE or an SAP affiliate company All rights reserved ǀ
Additional Authentication Options
Seamless SSO Social SSO and two-factor authentication
SAML 2 IDP
X509 Client
Certificate
Kerberos
SAML
Seamless SSO to SAP Analytics Cloud
minus Requires custom IDP to support either
Kerberos or client certificate authentication
minus Existing PKI infrastructure required to
support client certificate authentication
minus Kerberos typically only for Intranet
scenarios
Two-factor authentication and Social SSO
possible provided your custom IDP supports
these features
SAP
Analytics
Cloud
Thank you
Contact information
opensapcom
copy 2019 SAP SE or an SAP affiliate company All rights reserved
No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of
SAP SE or an SAP affiliate company
The information contained herein may be changed without prior notice Some software products marketed by SAP SE and its
distributors contain proprietary software components of other software vendors National product specifications may vary
These materials are provided by SAP SE or an SAP affiliate company for informational purposes only without representation or
warranty of any kind and SAP or its affiliated companies shall not be liable for errors or omissions with respect to the materials
The only warranties for SAP or SAP affiliate company products and services are those that are set forth in the express warranty
statements accompanying such products and services if any Nothing herein should be construed as constituting an additional
warranty
In particular SAP SE or its affiliated companies have no obligation to pursue any course of business outlined in this document or
any related presentation or to develop or release any functionality mentioned therein This document or any related presentation
and SAP SErsquos or its affiliated companiesrsquo strategy and possible future developments products andor platforms directions and
functionality are all subject to change and may be changed by SAP SE or its affiliated companies at any time for any reason
without notice The information in this document is not a commitment promise or legal obligation to deliver any material code or
functionality All forward-looking statements are subject to various risks and uncertainties that could cause actual results to differ
materially from expectations Readers are cautioned not to place undue reliance on these forward-looking statements and they
should not be relied upon in making purchasing decisions
SAP and other SAP products and services mentioned herein as well as their respective logos are trademarks or registered
trademarks of SAP SE (or an SAP affiliate company) in Germany and other countries All other product and service names
mentioned are the trademarks of their respective companies
See wwwsapcomcopyright for additional trademark information and notices
wwwsapcomcontactsap
Follow all of SAP
Week 1 Authentication and Data Connectivity 1
Unit 4 Live Connection to SAP HANA with SAML SSO
2PUBLICcopy 2019 SAP SE or an SAP affiliate company All rights reserved ǀ
Live Connection to SAP HANA with SAML SSO
Prerequisites
CORS
minus Minimum SAP HANA versions SAP HANA 10 SPS12 or
SAP HANA 20 SP01
minus Compatible EPMMDS package installed on SAP HANA 2x
minus SAP HANA XS server is configured for HTTPS (SSL) with a
signed certificate
minus Users assigned sapbcinaservicev2userRoleINA_USER role
minus Access to SAP HANArsquos XS admin
https[HANA_XS_HOST][HTTPS_Port]saphanaxsadmin
minus Browser configured to accept cookies from SAP HANA server
SAML
minus SAP Analytics Cloud pre-configured to use custom SAML
minus Browser configured to allow popups from sapanalyticscloud
minus Access to SAP HANArsquos Web IDE
https[HANA_XS_HOST][HTTPS_Port]saphanaideeditor
3PUBLICcopy 2019 SAP SE or an SAP affiliate company All rights reserved ǀ
SAML2 Identity Provider
auth
InA
Service
1 Web Request
2 ltSAMLRequestgt
3 ltSAMLRequestgt
4 ltSAMLResponsegt
5 ltSAMLResponsegt
6 Content (auto-close popup)
7 CORS AJAX Request
8 CORS AJAX Response (Content)
Popup
Window
Main
Window
0 Popup window opens
1 Popup window requests the
auth node
2 Authentication required for
the auth node
3 SAMLRequest sent to IdP
4 IdP returns SAML response
as the browser was already
authenticated during SAP
Analytics Cloud logon
5 SAML assertion sent to SP
6 SP returns content of the
auth node causing auto-
closure of the popup window
7 Main browser window sends
CORS AJAX request to InA
service
8 SP returns InA content as
the browser is already
authenticatedSAML 2 Service Provider
SAP HANA
SAP BW
SAP S4HANA
SAP BusinessObjects BI4
SAP BPC
Live Connection to SAP HANA with SAML SSO
SAML workflow for SAP live sources
4PUBLICcopy 2019 SAP SE or an SAP affiliate company All rights reserved ǀ
Live Connection to SAP HANA with SAML SSO
Who should be involved
SAP HANA administrator
SAP Analytics Cloud admin
SAML IDP administrator
Network security administrator (for signed SSL certificates)
Thank you
Contact information
opensapcom
copy 2019 SAP SE or an SAP affiliate company All rights reserved
No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of
SAP SE or an SAP affiliate company
The information contained herein may be changed without prior notice Some software products marketed by SAP SE and its
distributors contain proprietary software components of other software vendors National product specifications may vary
These materials are provided by SAP SE or an SAP affiliate company for informational purposes only without representation or
warranty of any kind and SAP or its affiliated companies shall not be liable for errors or omissions with respect to the materials
The only warranties for SAP or SAP affiliate company products and services are those that are set forth in the express warranty
statements accompanying such products and services if any Nothing herein should be construed as constituting an additional
warranty
In particular SAP SE or its affiliated companies have no obligation to pursue any course of business outlined in this document or
any related presentation or to develop or release any functionality mentioned therein This document or any related presentation
and SAP SErsquos or its affiliated companiesrsquo strategy and possible future developments products andor platforms directions and
functionality are all subject to change and may be changed by SAP SE or its affiliated companies at any time for any reason
without notice The information in this document is not a commitment promise or legal obligation to deliver any material code or
functionality All forward-looking statements are subject to various risks and uncertainties that could cause actual results to differ
materially from expectations Readers are cautioned not to place undue reliance on these forward-looking statements and they
should not be relied upon in making purchasing decisions
SAP and other SAP products and services mentioned herein as well as their respective logos are trademarks or registered
trademarks of SAP SE (or an SAP affiliate company) in Germany and other countries All other product and service names
mentioned are the trademarks of their respective companies
See wwwsapcomcopyright for additional trademark information and notices
wwwsapcomcontactsap
Follow all of SAP
- openSAP_sac2_Week_1_Unit_1_COURSEINTRO_Presentation
- openSAP_sac2_Week_1_Unit_2_CUSTSAMLSSO_Presentation
- openSAP_sac2_Week_1_Unit_3_ADDAUT_Presentation
- openSAP_sac2_Week_1_Unit_4_LIVECONN_Presentation
-
14PUBLICcopy 2019 SAP SE or an SAP affiliate company All rights reserved ǀ
Option 1
Deploy the provided solution system in your own AWS
account Solution system contains 3 images that include
minus SAP NetWeaver IDP
minus SAP BW4HANA
minus SAP HANA
minus SAP BusinessObjects BI42 SP6
minus SAP Web Dispatcher Reverse Proxy
Requires existing subscription to SAP Analytics Cloud or
purchase of a new BI-only subscription for USD 23month
Option 2
Use provided click-through demos that simulate working
with a real system
Course Introduction and Connectivity Overview
Development system access
Thank you
Contact information
opensapcom
copy 2019 SAP SE or an SAP affiliate company All rights reserved
No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of
SAP SE or an SAP affiliate company
The information contained herein may be changed without prior notice Some software products marketed by SAP SE and its
distributors contain proprietary software components of other software vendors National product specifications may vary
These materials are provided by SAP SE or an SAP affiliate company for informational purposes only without representation or
warranty of any kind and SAP or its affiliated companies shall not be liable for errors or omissions with respect to the materials
The only warranties for SAP or SAP affiliate company products and services are those that are set forth in the express warranty
statements accompanying such products and services if any Nothing herein should be construed as constituting an additional
warranty
In particular SAP SE or its affiliated companies have no obligation to pursue any course of business outlined in this document or
any related presentation or to develop or release any functionality mentioned therein This document or any related presentation
and SAP SErsquos or its affiliated companiesrsquo strategy and possible future developments products andor platforms directions and
functionality are all subject to change and may be changed by SAP SE or its affiliated companies at any time for any reason
without notice The information in this document is not a commitment promise or legal obligation to deliver any material code or
functionality All forward-looking statements are subject to various risks and uncertainties that could cause actual results to differ
materially from expectations Readers are cautioned not to place undue reliance on these forward-looking statements and they
should not be relied upon in making purchasing decisions
SAP and other SAP products and services mentioned herein as well as their respective logos are trademarks or registered
trademarks of SAP SE (or an SAP affiliate company) in Germany and other countries All other product and service names
mentioned are the trademarks of their respective companies
See wwwsapcomcopyright for additional trademark information and notices
wwwsapcomcontactsap
Follow all of SAP
Week 1 Authentication and Data Connectivity 1
Unit 2 Custom SAML SSO to SAP Analytics Cloud
2PUBLICcopy 2019 SAP SE or an SAP affiliate company All rights reserved ǀ
SAP Analytics Cloud uses SAP Cloud
Platform Identity Authentication Service
as the default authentication method
Single Sign-On (SSO) authentication to
a custom identity provider (IDP) can be
configured using SAML 20 protocol
minus Cloud or on-premise IDP can be used
minus Dynamic user creation and teamrole
mapping
minus Allows for seamless SSO
minus Two-factor authentication and Social
single-sign-on is possible
Custom SAML SSO to SAP Analytics Cloud
Authentication options
3PUBLICcopy 2019 SAP SE or an SAP affiliate company All rights reserved ǀ
Custom SAML SSO to SAP Analytics Cloud
Who should be involved
SAP Analytics Cloud system owner
SAML IDP administrator
Thank you
Contact information
opensapcom
copy 2019 SAP SE or an SAP affiliate company All rights reserved
No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of
SAP SE or an SAP affiliate company
The information contained herein may be changed without prior notice Some software products marketed by SAP SE and its
distributors contain proprietary software components of other software vendors National product specifications may vary
These materials are provided by SAP SE or an SAP affiliate company for informational purposes only without representation or
warranty of any kind and SAP or its affiliated companies shall not be liable for errors or omissions with respect to the materials
The only warranties for SAP or SAP affiliate company products and services are those that are set forth in the express warranty
statements accompanying such products and services if any Nothing herein should be construed as constituting an additional
warranty
In particular SAP SE or its affiliated companies have no obligation to pursue any course of business outlined in this document or
any related presentation or to develop or release any functionality mentioned therein This document or any related presentation
and SAP SErsquos or its affiliated companiesrsquo strategy and possible future developments products andor platforms directions and
functionality are all subject to change and may be changed by SAP SE or its affiliated companies at any time for any reason
without notice The information in this document is not a commitment promise or legal obligation to deliver any material code or
functionality All forward-looking statements are subject to various risks and uncertainties that could cause actual results to differ
materially from expectations Readers are cautioned not to place undue reliance on these forward-looking statements and they
should not be relied upon in making purchasing decisions
SAP and other SAP products and services mentioned herein as well as their respective logos are trademarks or registered
trademarks of SAP SE (or an SAP affiliate company) in Germany and other countries All other product and service names
mentioned are the trademarks of their respective companies
See wwwsapcomcopyright for additional trademark information and notices
wwwsapcomcontactsap
Follow all of SAP
Week 1 Authentication and Data Connectivity 1
Unit 3 Additional Authentication Options
2PUBLICcopy 2019 SAP SE or an SAP affiliate company All rights reserved ǀ
Additional Authentication Options
Seamless SSO Social SSO and two-factor authentication
SAML 2 IDP
X509 Client
Certificate
Kerberos
SAML
Seamless SSO to SAP Analytics Cloud
minus Requires custom IDP to support either
Kerberos or client certificate authentication
minus Existing PKI infrastructure required to
support client certificate authentication
minus Kerberos typically only for Intranet
scenarios
Two-factor authentication and Social SSO
possible provided your custom IDP supports
these features
SAP
Analytics
Cloud
Thank you
Contact information
opensapcom
copy 2019 SAP SE or an SAP affiliate company All rights reserved
No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of
SAP SE or an SAP affiliate company
The information contained herein may be changed without prior notice Some software products marketed by SAP SE and its
distributors contain proprietary software components of other software vendors National product specifications may vary
These materials are provided by SAP SE or an SAP affiliate company for informational purposes only without representation or
warranty of any kind and SAP or its affiliated companies shall not be liable for errors or omissions with respect to the materials
The only warranties for SAP or SAP affiliate company products and services are those that are set forth in the express warranty
statements accompanying such products and services if any Nothing herein should be construed as constituting an additional
warranty
In particular SAP SE or its affiliated companies have no obligation to pursue any course of business outlined in this document or
any related presentation or to develop or release any functionality mentioned therein This document or any related presentation
and SAP SErsquos or its affiliated companiesrsquo strategy and possible future developments products andor platforms directions and
functionality are all subject to change and may be changed by SAP SE or its affiliated companies at any time for any reason
without notice The information in this document is not a commitment promise or legal obligation to deliver any material code or
functionality All forward-looking statements are subject to various risks and uncertainties that could cause actual results to differ
materially from expectations Readers are cautioned not to place undue reliance on these forward-looking statements and they
should not be relied upon in making purchasing decisions
SAP and other SAP products and services mentioned herein as well as their respective logos are trademarks or registered
trademarks of SAP SE (or an SAP affiliate company) in Germany and other countries All other product and service names
mentioned are the trademarks of their respective companies
See wwwsapcomcopyright for additional trademark information and notices
wwwsapcomcontactsap
Follow all of SAP
Week 1 Authentication and Data Connectivity 1
Unit 4 Live Connection to SAP HANA with SAML SSO
2PUBLICcopy 2019 SAP SE or an SAP affiliate company All rights reserved ǀ
Live Connection to SAP HANA with SAML SSO
Prerequisites
CORS
minus Minimum SAP HANA versions SAP HANA 10 SPS12 or
SAP HANA 20 SP01
minus Compatible EPMMDS package installed on SAP HANA 2x
minus SAP HANA XS server is configured for HTTPS (SSL) with a
signed certificate
minus Users assigned sapbcinaservicev2userRoleINA_USER role
minus Access to SAP HANArsquos XS admin
https[HANA_XS_HOST][HTTPS_Port]saphanaxsadmin
minus Browser configured to accept cookies from SAP HANA server
SAML
minus SAP Analytics Cloud pre-configured to use custom SAML
minus Browser configured to allow popups from sapanalyticscloud
minus Access to SAP HANArsquos Web IDE
https[HANA_XS_HOST][HTTPS_Port]saphanaideeditor
3PUBLICcopy 2019 SAP SE or an SAP affiliate company All rights reserved ǀ
SAML2 Identity Provider
auth
InA
Service
1 Web Request
2 ltSAMLRequestgt
3 ltSAMLRequestgt
4 ltSAMLResponsegt
5 ltSAMLResponsegt
6 Content (auto-close popup)
7 CORS AJAX Request
8 CORS AJAX Response (Content)
Popup
Window
Main
Window
0 Popup window opens
1 Popup window requests the
auth node
2 Authentication required for
the auth node
3 SAMLRequest sent to IdP
4 IdP returns SAML response
as the browser was already
authenticated during SAP
Analytics Cloud logon
5 SAML assertion sent to SP
6 SP returns content of the
auth node causing auto-
closure of the popup window
7 Main browser window sends
CORS AJAX request to InA
service
8 SP returns InA content as
the browser is already
authenticatedSAML 2 Service Provider
SAP HANA
SAP BW
SAP S4HANA
SAP BusinessObjects BI4
SAP BPC
Live Connection to SAP HANA with SAML SSO
SAML workflow for SAP live sources
4PUBLICcopy 2019 SAP SE or an SAP affiliate company All rights reserved ǀ
Live Connection to SAP HANA with SAML SSO
Who should be involved
SAP HANA administrator
SAP Analytics Cloud admin
SAML IDP administrator
Network security administrator (for signed SSL certificates)
Thank you
Contact information
opensapcom
copy 2019 SAP SE or an SAP affiliate company All rights reserved
No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of
SAP SE or an SAP affiliate company
The information contained herein may be changed without prior notice Some software products marketed by SAP SE and its
distributors contain proprietary software components of other software vendors National product specifications may vary
These materials are provided by SAP SE or an SAP affiliate company for informational purposes only without representation or
warranty of any kind and SAP or its affiliated companies shall not be liable for errors or omissions with respect to the materials
The only warranties for SAP or SAP affiliate company products and services are those that are set forth in the express warranty
statements accompanying such products and services if any Nothing herein should be construed as constituting an additional
warranty
In particular SAP SE or its affiliated companies have no obligation to pursue any course of business outlined in this document or
any related presentation or to develop or release any functionality mentioned therein This document or any related presentation
and SAP SErsquos or its affiliated companiesrsquo strategy and possible future developments products andor platforms directions and
functionality are all subject to change and may be changed by SAP SE or its affiliated companies at any time for any reason
without notice The information in this document is not a commitment promise or legal obligation to deliver any material code or
functionality All forward-looking statements are subject to various risks and uncertainties that could cause actual results to differ
materially from expectations Readers are cautioned not to place undue reliance on these forward-looking statements and they
should not be relied upon in making purchasing decisions
SAP and other SAP products and services mentioned herein as well as their respective logos are trademarks or registered
trademarks of SAP SE (or an SAP affiliate company) in Germany and other countries All other product and service names
mentioned are the trademarks of their respective companies
See wwwsapcomcopyright for additional trademark information and notices
wwwsapcomcontactsap
Follow all of SAP
- openSAP_sac2_Week_1_Unit_1_COURSEINTRO_Presentation
- openSAP_sac2_Week_1_Unit_2_CUSTSAMLSSO_Presentation
- openSAP_sac2_Week_1_Unit_3_ADDAUT_Presentation
- openSAP_sac2_Week_1_Unit_4_LIVECONN_Presentation
-
Thank you
Contact information
opensapcom
copy 2019 SAP SE or an SAP affiliate company All rights reserved
No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of
SAP SE or an SAP affiliate company
The information contained herein may be changed without prior notice Some software products marketed by SAP SE and its
distributors contain proprietary software components of other software vendors National product specifications may vary
These materials are provided by SAP SE or an SAP affiliate company for informational purposes only without representation or
warranty of any kind and SAP or its affiliated companies shall not be liable for errors or omissions with respect to the materials
The only warranties for SAP or SAP affiliate company products and services are those that are set forth in the express warranty
statements accompanying such products and services if any Nothing herein should be construed as constituting an additional
warranty
In particular SAP SE or its affiliated companies have no obligation to pursue any course of business outlined in this document or
any related presentation or to develop or release any functionality mentioned therein This document or any related presentation
and SAP SErsquos or its affiliated companiesrsquo strategy and possible future developments products andor platforms directions and
functionality are all subject to change and may be changed by SAP SE or its affiliated companies at any time for any reason
without notice The information in this document is not a commitment promise or legal obligation to deliver any material code or
functionality All forward-looking statements are subject to various risks and uncertainties that could cause actual results to differ
materially from expectations Readers are cautioned not to place undue reliance on these forward-looking statements and they
should not be relied upon in making purchasing decisions
SAP and other SAP products and services mentioned herein as well as their respective logos are trademarks or registered
trademarks of SAP SE (or an SAP affiliate company) in Germany and other countries All other product and service names
mentioned are the trademarks of their respective companies
See wwwsapcomcopyright for additional trademark information and notices
wwwsapcomcontactsap
Follow all of SAP
Week 1 Authentication and Data Connectivity 1
Unit 2 Custom SAML SSO to SAP Analytics Cloud
2PUBLICcopy 2019 SAP SE or an SAP affiliate company All rights reserved ǀ
SAP Analytics Cloud uses SAP Cloud
Platform Identity Authentication Service
as the default authentication method
Single Sign-On (SSO) authentication to
a custom identity provider (IDP) can be
configured using SAML 20 protocol
minus Cloud or on-premise IDP can be used
minus Dynamic user creation and teamrole
mapping
minus Allows for seamless SSO
minus Two-factor authentication and Social
single-sign-on is possible
Custom SAML SSO to SAP Analytics Cloud
Authentication options
3PUBLICcopy 2019 SAP SE or an SAP affiliate company All rights reserved ǀ
Custom SAML SSO to SAP Analytics Cloud
Who should be involved
SAP Analytics Cloud system owner
SAML IDP administrator
Thank you
Contact information
opensapcom
copy 2019 SAP SE or an SAP affiliate company All rights reserved
No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of
SAP SE or an SAP affiliate company
The information contained herein may be changed without prior notice Some software products marketed by SAP SE and its
distributors contain proprietary software components of other software vendors National product specifications may vary
These materials are provided by SAP SE or an SAP affiliate company for informational purposes only without representation or
warranty of any kind and SAP or its affiliated companies shall not be liable for errors or omissions with respect to the materials
The only warranties for SAP or SAP affiliate company products and services are those that are set forth in the express warranty
statements accompanying such products and services if any Nothing herein should be construed as constituting an additional
warranty
In particular SAP SE or its affiliated companies have no obligation to pursue any course of business outlined in this document or
any related presentation or to develop or release any functionality mentioned therein This document or any related presentation
and SAP SErsquos or its affiliated companiesrsquo strategy and possible future developments products andor platforms directions and
functionality are all subject to change and may be changed by SAP SE or its affiliated companies at any time for any reason
without notice The information in this document is not a commitment promise or legal obligation to deliver any material code or
functionality All forward-looking statements are subject to various risks and uncertainties that could cause actual results to differ
materially from expectations Readers are cautioned not to place undue reliance on these forward-looking statements and they
should not be relied upon in making purchasing decisions
SAP and other SAP products and services mentioned herein as well as their respective logos are trademarks or registered
trademarks of SAP SE (or an SAP affiliate company) in Germany and other countries All other product and service names
mentioned are the trademarks of their respective companies
See wwwsapcomcopyright for additional trademark information and notices
wwwsapcomcontactsap
Follow all of SAP
Week 1 Authentication and Data Connectivity 1
Unit 3 Additional Authentication Options
2PUBLICcopy 2019 SAP SE or an SAP affiliate company All rights reserved ǀ
Additional Authentication Options
Seamless SSO Social SSO and two-factor authentication
SAML 2 IDP
X509 Client
Certificate
Kerberos
SAML
Seamless SSO to SAP Analytics Cloud
minus Requires custom IDP to support either
Kerberos or client certificate authentication
minus Existing PKI infrastructure required to
support client certificate authentication
minus Kerberos typically only for Intranet
scenarios
Two-factor authentication and Social SSO
possible provided your custom IDP supports
these features
SAP
Analytics
Cloud
Thank you
Contact information
opensapcom
copy 2019 SAP SE or an SAP affiliate company All rights reserved
No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of
SAP SE or an SAP affiliate company
The information contained herein may be changed without prior notice Some software products marketed by SAP SE and its
distributors contain proprietary software components of other software vendors National product specifications may vary
These materials are provided by SAP SE or an SAP affiliate company for informational purposes only without representation or
warranty of any kind and SAP or its affiliated companies shall not be liable for errors or omissions with respect to the materials
The only warranties for SAP or SAP affiliate company products and services are those that are set forth in the express warranty
statements accompanying such products and services if any Nothing herein should be construed as constituting an additional
warranty
In particular SAP SE or its affiliated companies have no obligation to pursue any course of business outlined in this document or
any related presentation or to develop or release any functionality mentioned therein This document or any related presentation
and SAP SErsquos or its affiliated companiesrsquo strategy and possible future developments products andor platforms directions and
functionality are all subject to change and may be changed by SAP SE or its affiliated companies at any time for any reason
without notice The information in this document is not a commitment promise or legal obligation to deliver any material code or
functionality All forward-looking statements are subject to various risks and uncertainties that could cause actual results to differ
materially from expectations Readers are cautioned not to place undue reliance on these forward-looking statements and they
should not be relied upon in making purchasing decisions
SAP and other SAP products and services mentioned herein as well as their respective logos are trademarks or registered
trademarks of SAP SE (or an SAP affiliate company) in Germany and other countries All other product and service names
mentioned are the trademarks of their respective companies
See wwwsapcomcopyright for additional trademark information and notices
wwwsapcomcontactsap
Follow all of SAP
Week 1 Authentication and Data Connectivity 1
Unit 4 Live Connection to SAP HANA with SAML SSO
2PUBLICcopy 2019 SAP SE or an SAP affiliate company All rights reserved ǀ
Live Connection to SAP HANA with SAML SSO
Prerequisites
CORS
minus Minimum SAP HANA versions SAP HANA 10 SPS12 or
SAP HANA 20 SP01
minus Compatible EPMMDS package installed on SAP HANA 2x
minus SAP HANA XS server is configured for HTTPS (SSL) with a
signed certificate
minus Users assigned sapbcinaservicev2userRoleINA_USER role
minus Access to SAP HANArsquos XS admin
https[HANA_XS_HOST][HTTPS_Port]saphanaxsadmin
minus Browser configured to accept cookies from SAP HANA server
SAML
minus SAP Analytics Cloud pre-configured to use custom SAML
minus Browser configured to allow popups from sapanalyticscloud
minus Access to SAP HANArsquos Web IDE
https[HANA_XS_HOST][HTTPS_Port]saphanaideeditor
3PUBLICcopy 2019 SAP SE or an SAP affiliate company All rights reserved ǀ
SAML2 Identity Provider
auth
InA
Service
1 Web Request
2 ltSAMLRequestgt
3 ltSAMLRequestgt
4 ltSAMLResponsegt
5 ltSAMLResponsegt
6 Content (auto-close popup)
7 CORS AJAX Request
8 CORS AJAX Response (Content)
Popup
Window
Main
Window
0 Popup window opens
1 Popup window requests the
auth node
2 Authentication required for
the auth node
3 SAMLRequest sent to IdP
4 IdP returns SAML response
as the browser was already
authenticated during SAP
Analytics Cloud logon
5 SAML assertion sent to SP
6 SP returns content of the
auth node causing auto-
closure of the popup window
7 Main browser window sends
CORS AJAX request to InA
service
8 SP returns InA content as
the browser is already
authenticatedSAML 2 Service Provider
SAP HANA
SAP BW
SAP S4HANA
SAP BusinessObjects BI4
SAP BPC
Live Connection to SAP HANA with SAML SSO
SAML workflow for SAP live sources
4PUBLICcopy 2019 SAP SE or an SAP affiliate company All rights reserved ǀ
Live Connection to SAP HANA with SAML SSO
Who should be involved
SAP HANA administrator
SAP Analytics Cloud admin
SAML IDP administrator
Network security administrator (for signed SSL certificates)
Thank you
Contact information
opensapcom
copy 2019 SAP SE or an SAP affiliate company All rights reserved
No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of
SAP SE or an SAP affiliate company
The information contained herein may be changed without prior notice Some software products marketed by SAP SE and its
distributors contain proprietary software components of other software vendors National product specifications may vary
These materials are provided by SAP SE or an SAP affiliate company for informational purposes only without representation or
warranty of any kind and SAP or its affiliated companies shall not be liable for errors or omissions with respect to the materials
The only warranties for SAP or SAP affiliate company products and services are those that are set forth in the express warranty
statements accompanying such products and services if any Nothing herein should be construed as constituting an additional
warranty
In particular SAP SE or its affiliated companies have no obligation to pursue any course of business outlined in this document or
any related presentation or to develop or release any functionality mentioned therein This document or any related presentation
and SAP SErsquos or its affiliated companiesrsquo strategy and possible future developments products andor platforms directions and
functionality are all subject to change and may be changed by SAP SE or its affiliated companies at any time for any reason
without notice The information in this document is not a commitment promise or legal obligation to deliver any material code or
functionality All forward-looking statements are subject to various risks and uncertainties that could cause actual results to differ
materially from expectations Readers are cautioned not to place undue reliance on these forward-looking statements and they
should not be relied upon in making purchasing decisions
SAP and other SAP products and services mentioned herein as well as their respective logos are trademarks or registered
trademarks of SAP SE (or an SAP affiliate company) in Germany and other countries All other product and service names
mentioned are the trademarks of their respective companies
See wwwsapcomcopyright for additional trademark information and notices
wwwsapcomcontactsap
Follow all of SAP
- openSAP_sac2_Week_1_Unit_1_COURSEINTRO_Presentation
- openSAP_sac2_Week_1_Unit_2_CUSTSAMLSSO_Presentation
- openSAP_sac2_Week_1_Unit_3_ADDAUT_Presentation
- openSAP_sac2_Week_1_Unit_4_LIVECONN_Presentation
-
copy 2019 SAP SE or an SAP affiliate company All rights reserved
No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of
SAP SE or an SAP affiliate company
The information contained herein may be changed without prior notice Some software products marketed by SAP SE and its
distributors contain proprietary software components of other software vendors National product specifications may vary
These materials are provided by SAP SE or an SAP affiliate company for informational purposes only without representation or
warranty of any kind and SAP or its affiliated companies shall not be liable for errors or omissions with respect to the materials
The only warranties for SAP or SAP affiliate company products and services are those that are set forth in the express warranty
statements accompanying such products and services if any Nothing herein should be construed as constituting an additional
warranty
In particular SAP SE or its affiliated companies have no obligation to pursue any course of business outlined in this document or
any related presentation or to develop or release any functionality mentioned therein This document or any related presentation
and SAP SErsquos or its affiliated companiesrsquo strategy and possible future developments products andor platforms directions and
functionality are all subject to change and may be changed by SAP SE or its affiliated companies at any time for any reason
without notice The information in this document is not a commitment promise or legal obligation to deliver any material code or
functionality All forward-looking statements are subject to various risks and uncertainties that could cause actual results to differ
materially from expectations Readers are cautioned not to place undue reliance on these forward-looking statements and they
should not be relied upon in making purchasing decisions
SAP and other SAP products and services mentioned herein as well as their respective logos are trademarks or registered
trademarks of SAP SE (or an SAP affiliate company) in Germany and other countries All other product and service names
mentioned are the trademarks of their respective companies
See wwwsapcomcopyright for additional trademark information and notices
wwwsapcomcontactsap
Follow all of SAP
Week 1 Authentication and Data Connectivity 1
Unit 2 Custom SAML SSO to SAP Analytics Cloud
2PUBLICcopy 2019 SAP SE or an SAP affiliate company All rights reserved ǀ
SAP Analytics Cloud uses SAP Cloud
Platform Identity Authentication Service
as the default authentication method
Single Sign-On (SSO) authentication to
a custom identity provider (IDP) can be
configured using SAML 20 protocol
minus Cloud or on-premise IDP can be used
minus Dynamic user creation and teamrole
mapping
minus Allows for seamless SSO
minus Two-factor authentication and Social
single-sign-on is possible
Custom SAML SSO to SAP Analytics Cloud
Authentication options
3PUBLICcopy 2019 SAP SE or an SAP affiliate company All rights reserved ǀ
Custom SAML SSO to SAP Analytics Cloud
Who should be involved
SAP Analytics Cloud system owner
SAML IDP administrator
Thank you
Contact information
opensapcom
copy 2019 SAP SE or an SAP affiliate company All rights reserved
No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of
SAP SE or an SAP affiliate company
The information contained herein may be changed without prior notice Some software products marketed by SAP SE and its
distributors contain proprietary software components of other software vendors National product specifications may vary
These materials are provided by SAP SE or an SAP affiliate company for informational purposes only without representation or
warranty of any kind and SAP or its affiliated companies shall not be liable for errors or omissions with respect to the materials
The only warranties for SAP or SAP affiliate company products and services are those that are set forth in the express warranty
statements accompanying such products and services if any Nothing herein should be construed as constituting an additional
warranty
In particular SAP SE or its affiliated companies have no obligation to pursue any course of business outlined in this document or
any related presentation or to develop or release any functionality mentioned therein This document or any related presentation
and SAP SErsquos or its affiliated companiesrsquo strategy and possible future developments products andor platforms directions and
functionality are all subject to change and may be changed by SAP SE or its affiliated companies at any time for any reason
without notice The information in this document is not a commitment promise or legal obligation to deliver any material code or
functionality All forward-looking statements are subject to various risks and uncertainties that could cause actual results to differ
materially from expectations Readers are cautioned not to place undue reliance on these forward-looking statements and they
should not be relied upon in making purchasing decisions
SAP and other SAP products and services mentioned herein as well as their respective logos are trademarks or registered
trademarks of SAP SE (or an SAP affiliate company) in Germany and other countries All other product and service names
mentioned are the trademarks of their respective companies
See wwwsapcomcopyright for additional trademark information and notices
wwwsapcomcontactsap
Follow all of SAP
Week 1 Authentication and Data Connectivity 1
Unit 3 Additional Authentication Options
2PUBLICcopy 2019 SAP SE or an SAP affiliate company All rights reserved ǀ
Additional Authentication Options
Seamless SSO Social SSO and two-factor authentication
SAML 2 IDP
X509 Client
Certificate
Kerberos
SAML
Seamless SSO to SAP Analytics Cloud
minus Requires custom IDP to support either
Kerberos or client certificate authentication
minus Existing PKI infrastructure required to
support client certificate authentication
minus Kerberos typically only for Intranet
scenarios
Two-factor authentication and Social SSO
possible provided your custom IDP supports
these features
SAP
Analytics
Cloud
Thank you
Contact information
opensapcom
copy 2019 SAP SE or an SAP affiliate company All rights reserved
No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of
SAP SE or an SAP affiliate company
The information contained herein may be changed without prior notice Some software products marketed by SAP SE and its
distributors contain proprietary software components of other software vendors National product specifications may vary
These materials are provided by SAP SE or an SAP affiliate company for informational purposes only without representation or
warranty of any kind and SAP or its affiliated companies shall not be liable for errors or omissions with respect to the materials
The only warranties for SAP or SAP affiliate company products and services are those that are set forth in the express warranty
statements accompanying such products and services if any Nothing herein should be construed as constituting an additional
warranty
In particular SAP SE or its affiliated companies have no obligation to pursue any course of business outlined in this document or
any related presentation or to develop or release any functionality mentioned therein This document or any related presentation
and SAP SErsquos or its affiliated companiesrsquo strategy and possible future developments products andor platforms directions and
functionality are all subject to change and may be changed by SAP SE or its affiliated companies at any time for any reason
without notice The information in this document is not a commitment promise or legal obligation to deliver any material code or
functionality All forward-looking statements are subject to various risks and uncertainties that could cause actual results to differ
materially from expectations Readers are cautioned not to place undue reliance on these forward-looking statements and they
should not be relied upon in making purchasing decisions
SAP and other SAP products and services mentioned herein as well as their respective logos are trademarks or registered
trademarks of SAP SE (or an SAP affiliate company) in Germany and other countries All other product and service names
mentioned are the trademarks of their respective companies
See wwwsapcomcopyright for additional trademark information and notices
wwwsapcomcontactsap
Follow all of SAP
Week 1 Authentication and Data Connectivity 1
Unit 4 Live Connection to SAP HANA with SAML SSO
2PUBLICcopy 2019 SAP SE or an SAP affiliate company All rights reserved ǀ
Live Connection to SAP HANA with SAML SSO
Prerequisites
CORS
minus Minimum SAP HANA versions SAP HANA 10 SPS12 or
SAP HANA 20 SP01
minus Compatible EPMMDS package installed on SAP HANA 2x
minus SAP HANA XS server is configured for HTTPS (SSL) with a
signed certificate
minus Users assigned sapbcinaservicev2userRoleINA_USER role
minus Access to SAP HANArsquos XS admin
https[HANA_XS_HOST][HTTPS_Port]saphanaxsadmin
minus Browser configured to accept cookies from SAP HANA server
SAML
minus SAP Analytics Cloud pre-configured to use custom SAML
minus Browser configured to allow popups from sapanalyticscloud
minus Access to SAP HANArsquos Web IDE
https[HANA_XS_HOST][HTTPS_Port]saphanaideeditor
3PUBLICcopy 2019 SAP SE or an SAP affiliate company All rights reserved ǀ
SAML2 Identity Provider
auth
InA
Service
1 Web Request
2 ltSAMLRequestgt
3 ltSAMLRequestgt
4 ltSAMLResponsegt
5 ltSAMLResponsegt
6 Content (auto-close popup)
7 CORS AJAX Request
8 CORS AJAX Response (Content)
Popup
Window
Main
Window
0 Popup window opens
1 Popup window requests the
auth node
2 Authentication required for
the auth node
3 SAMLRequest sent to IdP
4 IdP returns SAML response
as the browser was already
authenticated during SAP
Analytics Cloud logon
5 SAML assertion sent to SP
6 SP returns content of the
auth node causing auto-
closure of the popup window
7 Main browser window sends
CORS AJAX request to InA
service
8 SP returns InA content as
the browser is already
authenticatedSAML 2 Service Provider
SAP HANA
SAP BW
SAP S4HANA
SAP BusinessObjects BI4
SAP BPC
Live Connection to SAP HANA with SAML SSO
SAML workflow for SAP live sources
4PUBLICcopy 2019 SAP SE or an SAP affiliate company All rights reserved ǀ
Live Connection to SAP HANA with SAML SSO
Who should be involved
SAP HANA administrator
SAP Analytics Cloud admin
SAML IDP administrator
Network security administrator (for signed SSL certificates)
Thank you
Contact information
opensapcom
copy 2019 SAP SE or an SAP affiliate company All rights reserved
No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of
SAP SE or an SAP affiliate company
The information contained herein may be changed without prior notice Some software products marketed by SAP SE and its
distributors contain proprietary software components of other software vendors National product specifications may vary
These materials are provided by SAP SE or an SAP affiliate company for informational purposes only without representation or
warranty of any kind and SAP or its affiliated companies shall not be liable for errors or omissions with respect to the materials
The only warranties for SAP or SAP affiliate company products and services are those that are set forth in the express warranty
statements accompanying such products and services if any Nothing herein should be construed as constituting an additional
warranty
In particular SAP SE or its affiliated companies have no obligation to pursue any course of business outlined in this document or
any related presentation or to develop or release any functionality mentioned therein This document or any related presentation
and SAP SErsquos or its affiliated companiesrsquo strategy and possible future developments products andor platforms directions and
functionality are all subject to change and may be changed by SAP SE or its affiliated companies at any time for any reason
without notice The information in this document is not a commitment promise or legal obligation to deliver any material code or
functionality All forward-looking statements are subject to various risks and uncertainties that could cause actual results to differ
materially from expectations Readers are cautioned not to place undue reliance on these forward-looking statements and they
should not be relied upon in making purchasing decisions
SAP and other SAP products and services mentioned herein as well as their respective logos are trademarks or registered
trademarks of SAP SE (or an SAP affiliate company) in Germany and other countries All other product and service names
mentioned are the trademarks of their respective companies
See wwwsapcomcopyright for additional trademark information and notices
wwwsapcomcontactsap
Follow all of SAP
- openSAP_sac2_Week_1_Unit_1_COURSEINTRO_Presentation
- openSAP_sac2_Week_1_Unit_2_CUSTSAMLSSO_Presentation
- openSAP_sac2_Week_1_Unit_3_ADDAUT_Presentation
- openSAP_sac2_Week_1_Unit_4_LIVECONN_Presentation
-
Week 1 Authentication and Data Connectivity 1
Unit 2 Custom SAML SSO to SAP Analytics Cloud
2PUBLICcopy 2019 SAP SE or an SAP affiliate company All rights reserved ǀ
SAP Analytics Cloud uses SAP Cloud
Platform Identity Authentication Service
as the default authentication method
Single Sign-On (SSO) authentication to
a custom identity provider (IDP) can be
configured using SAML 20 protocol
minus Cloud or on-premise IDP can be used
minus Dynamic user creation and teamrole
mapping
minus Allows for seamless SSO
minus Two-factor authentication and Social
single-sign-on is possible
Custom SAML SSO to SAP Analytics Cloud
Authentication options
3PUBLICcopy 2019 SAP SE or an SAP affiliate company All rights reserved ǀ
Custom SAML SSO to SAP Analytics Cloud
Who should be involved
SAP Analytics Cloud system owner
SAML IDP administrator
Thank you
Contact information
opensapcom
copy 2019 SAP SE or an SAP affiliate company All rights reserved
No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of
SAP SE or an SAP affiliate company
The information contained herein may be changed without prior notice Some software products marketed by SAP SE and its
distributors contain proprietary software components of other software vendors National product specifications may vary
These materials are provided by SAP SE or an SAP affiliate company for informational purposes only without representation or
warranty of any kind and SAP or its affiliated companies shall not be liable for errors or omissions with respect to the materials
The only warranties for SAP or SAP affiliate company products and services are those that are set forth in the express warranty
statements accompanying such products and services if any Nothing herein should be construed as constituting an additional
warranty
In particular SAP SE or its affiliated companies have no obligation to pursue any course of business outlined in this document or
any related presentation or to develop or release any functionality mentioned therein This document or any related presentation
and SAP SErsquos or its affiliated companiesrsquo strategy and possible future developments products andor platforms directions and
functionality are all subject to change and may be changed by SAP SE or its affiliated companies at any time for any reason
without notice The information in this document is not a commitment promise or legal obligation to deliver any material code or
functionality All forward-looking statements are subject to various risks and uncertainties that could cause actual results to differ
materially from expectations Readers are cautioned not to place undue reliance on these forward-looking statements and they
should not be relied upon in making purchasing decisions
SAP and other SAP products and services mentioned herein as well as their respective logos are trademarks or registered
trademarks of SAP SE (or an SAP affiliate company) in Germany and other countries All other product and service names
mentioned are the trademarks of their respective companies
See wwwsapcomcopyright for additional trademark information and notices
wwwsapcomcontactsap
Follow all of SAP
Week 1 Authentication and Data Connectivity 1
Unit 3 Additional Authentication Options
2PUBLICcopy 2019 SAP SE or an SAP affiliate company All rights reserved ǀ
Additional Authentication Options
Seamless SSO Social SSO and two-factor authentication
SAML 2 IDP
X509 Client
Certificate
Kerberos
SAML
Seamless SSO to SAP Analytics Cloud
minus Requires custom IDP to support either
Kerberos or client certificate authentication
minus Existing PKI infrastructure required to
support client certificate authentication
minus Kerberos typically only for Intranet
scenarios
Two-factor authentication and Social SSO
possible provided your custom IDP supports
these features
SAP
Analytics
Cloud
Thank you
Contact information
opensapcom
copy 2019 SAP SE or an SAP affiliate company All rights reserved
No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of
SAP SE or an SAP affiliate company
The information contained herein may be changed without prior notice Some software products marketed by SAP SE and its
distributors contain proprietary software components of other software vendors National product specifications may vary
These materials are provided by SAP SE or an SAP affiliate company for informational purposes only without representation or
warranty of any kind and SAP or its affiliated companies shall not be liable for errors or omissions with respect to the materials
The only warranties for SAP or SAP affiliate company products and services are those that are set forth in the express warranty
statements accompanying such products and services if any Nothing herein should be construed as constituting an additional
warranty
In particular SAP SE or its affiliated companies have no obligation to pursue any course of business outlined in this document or
any related presentation or to develop or release any functionality mentioned therein This document or any related presentation
and SAP SErsquos or its affiliated companiesrsquo strategy and possible future developments products andor platforms directions and
functionality are all subject to change and may be changed by SAP SE or its affiliated companies at any time for any reason
without notice The information in this document is not a commitment promise or legal obligation to deliver any material code or
functionality All forward-looking statements are subject to various risks and uncertainties that could cause actual results to differ
materially from expectations Readers are cautioned not to place undue reliance on these forward-looking statements and they
should not be relied upon in making purchasing decisions
SAP and other SAP products and services mentioned herein as well as their respective logos are trademarks or registered
trademarks of SAP SE (or an SAP affiliate company) in Germany and other countries All other product and service names
mentioned are the trademarks of their respective companies
See wwwsapcomcopyright for additional trademark information and notices
wwwsapcomcontactsap
Follow all of SAP
Week 1 Authentication and Data Connectivity 1
Unit 4 Live Connection to SAP HANA with SAML SSO
2PUBLICcopy 2019 SAP SE or an SAP affiliate company All rights reserved ǀ
Live Connection to SAP HANA with SAML SSO
Prerequisites
CORS
minus Minimum SAP HANA versions SAP HANA 10 SPS12 or
SAP HANA 20 SP01
minus Compatible EPMMDS package installed on SAP HANA 2x
minus SAP HANA XS server is configured for HTTPS (SSL) with a
signed certificate
minus Users assigned sapbcinaservicev2userRoleINA_USER role
minus Access to SAP HANArsquos XS admin
https[HANA_XS_HOST][HTTPS_Port]saphanaxsadmin
minus Browser configured to accept cookies from SAP HANA server
SAML
minus SAP Analytics Cloud pre-configured to use custom SAML
minus Browser configured to allow popups from sapanalyticscloud
minus Access to SAP HANArsquos Web IDE
https[HANA_XS_HOST][HTTPS_Port]saphanaideeditor
3PUBLICcopy 2019 SAP SE or an SAP affiliate company All rights reserved ǀ
SAML2 Identity Provider
auth
InA
Service
1 Web Request
2 ltSAMLRequestgt
3 ltSAMLRequestgt
4 ltSAMLResponsegt
5 ltSAMLResponsegt
6 Content (auto-close popup)
7 CORS AJAX Request
8 CORS AJAX Response (Content)
Popup
Window
Main
Window
0 Popup window opens
1 Popup window requests the
auth node
2 Authentication required for
the auth node
3 SAMLRequest sent to IdP
4 IdP returns SAML response
as the browser was already
authenticated during SAP
Analytics Cloud logon
5 SAML assertion sent to SP
6 SP returns content of the
auth node causing auto-
closure of the popup window
7 Main browser window sends
CORS AJAX request to InA
service
8 SP returns InA content as
the browser is already
authenticatedSAML 2 Service Provider
SAP HANA
SAP BW
SAP S4HANA
SAP BusinessObjects BI4
SAP BPC
Live Connection to SAP HANA with SAML SSO
SAML workflow for SAP live sources
4PUBLICcopy 2019 SAP SE or an SAP affiliate company All rights reserved ǀ
Live Connection to SAP HANA with SAML SSO
Who should be involved
SAP HANA administrator
SAP Analytics Cloud admin
SAML IDP administrator
Network security administrator (for signed SSL certificates)
Thank you
Contact information
opensapcom
copy 2019 SAP SE or an SAP affiliate company All rights reserved
No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of
SAP SE or an SAP affiliate company
The information contained herein may be changed without prior notice Some software products marketed by SAP SE and its
distributors contain proprietary software components of other software vendors National product specifications may vary
These materials are provided by SAP SE or an SAP affiliate company for informational purposes only without representation or
warranty of any kind and SAP or its affiliated companies shall not be liable for errors or omissions with respect to the materials
The only warranties for SAP or SAP affiliate company products and services are those that are set forth in the express warranty
statements accompanying such products and services if any Nothing herein should be construed as constituting an additional
warranty
In particular SAP SE or its affiliated companies have no obligation to pursue any course of business outlined in this document or
any related presentation or to develop or release any functionality mentioned therein This document or any related presentation
and SAP SErsquos or its affiliated companiesrsquo strategy and possible future developments products andor platforms directions and
functionality are all subject to change and may be changed by SAP SE or its affiliated companies at any time for any reason
without notice The information in this document is not a commitment promise or legal obligation to deliver any material code or
functionality All forward-looking statements are subject to various risks and uncertainties that could cause actual results to differ
materially from expectations Readers are cautioned not to place undue reliance on these forward-looking statements and they
should not be relied upon in making purchasing decisions
SAP and other SAP products and services mentioned herein as well as their respective logos are trademarks or registered
trademarks of SAP SE (or an SAP affiliate company) in Germany and other countries All other product and service names
mentioned are the trademarks of their respective companies
See wwwsapcomcopyright for additional trademark information and notices
wwwsapcomcontactsap
Follow all of SAP
- openSAP_sac2_Week_1_Unit_1_COURSEINTRO_Presentation
- openSAP_sac2_Week_1_Unit_2_CUSTSAMLSSO_Presentation
- openSAP_sac2_Week_1_Unit_3_ADDAUT_Presentation
- openSAP_sac2_Week_1_Unit_4_LIVECONN_Presentation
-
2PUBLICcopy 2019 SAP SE or an SAP affiliate company All rights reserved ǀ
SAP Analytics Cloud uses SAP Cloud
Platform Identity Authentication Service
as the default authentication method
Single Sign-On (SSO) authentication to
a custom identity provider (IDP) can be
configured using SAML 20 protocol
minus Cloud or on-premise IDP can be used
minus Dynamic user creation and teamrole
mapping
minus Allows for seamless SSO
minus Two-factor authentication and Social
single-sign-on is possible
Custom SAML SSO to SAP Analytics Cloud
Authentication options
3PUBLICcopy 2019 SAP SE or an SAP affiliate company All rights reserved ǀ
Custom SAML SSO to SAP Analytics Cloud
Who should be involved
SAP Analytics Cloud system owner
SAML IDP administrator
Thank you
Contact information
opensapcom
copy 2019 SAP SE or an SAP affiliate company All rights reserved
No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of
SAP SE or an SAP affiliate company
The information contained herein may be changed without prior notice Some software products marketed by SAP SE and its
distributors contain proprietary software components of other software vendors National product specifications may vary
These materials are provided by SAP SE or an SAP affiliate company for informational purposes only without representation or
warranty of any kind and SAP or its affiliated companies shall not be liable for errors or omissions with respect to the materials
The only warranties for SAP or SAP affiliate company products and services are those that are set forth in the express warranty
statements accompanying such products and services if any Nothing herein should be construed as constituting an additional
warranty
In particular SAP SE or its affiliated companies have no obligation to pursue any course of business outlined in this document or
any related presentation or to develop or release any functionality mentioned therein This document or any related presentation
and SAP SErsquos or its affiliated companiesrsquo strategy and possible future developments products andor platforms directions and
functionality are all subject to change and may be changed by SAP SE or its affiliated companies at any time for any reason
without notice The information in this document is not a commitment promise or legal obligation to deliver any material code or
functionality All forward-looking statements are subject to various risks and uncertainties that could cause actual results to differ
materially from expectations Readers are cautioned not to place undue reliance on these forward-looking statements and they
should not be relied upon in making purchasing decisions
SAP and other SAP products and services mentioned herein as well as their respective logos are trademarks or registered
trademarks of SAP SE (or an SAP affiliate company) in Germany and other countries All other product and service names
mentioned are the trademarks of their respective companies
See wwwsapcomcopyright for additional trademark information and notices
wwwsapcomcontactsap
Follow all of SAP
Week 1 Authentication and Data Connectivity 1
Unit 3 Additional Authentication Options
2PUBLICcopy 2019 SAP SE or an SAP affiliate company All rights reserved ǀ
Additional Authentication Options
Seamless SSO Social SSO and two-factor authentication
SAML 2 IDP
X509 Client
Certificate
Kerberos
SAML
Seamless SSO to SAP Analytics Cloud
minus Requires custom IDP to support either
Kerberos or client certificate authentication
minus Existing PKI infrastructure required to
support client certificate authentication
minus Kerberos typically only for Intranet
scenarios
Two-factor authentication and Social SSO
possible provided your custom IDP supports
these features
SAP
Analytics
Cloud
Thank you
Contact information
opensapcom
copy 2019 SAP SE or an SAP affiliate company All rights reserved
No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of
SAP SE or an SAP affiliate company
The information contained herein may be changed without prior notice Some software products marketed by SAP SE and its
distributors contain proprietary software components of other software vendors National product specifications may vary
These materials are provided by SAP SE or an SAP affiliate company for informational purposes only without representation or
warranty of any kind and SAP or its affiliated companies shall not be liable for errors or omissions with respect to the materials
The only warranties for SAP or SAP affiliate company products and services are those that are set forth in the express warranty
statements accompanying such products and services if any Nothing herein should be construed as constituting an additional
warranty
In particular SAP SE or its affiliated companies have no obligation to pursue any course of business outlined in this document or
any related presentation or to develop or release any functionality mentioned therein This document or any related presentation
and SAP SErsquos or its affiliated companiesrsquo strategy and possible future developments products andor platforms directions and
functionality are all subject to change and may be changed by SAP SE or its affiliated companies at any time for any reason
without notice The information in this document is not a commitment promise or legal obligation to deliver any material code or
functionality All forward-looking statements are subject to various risks and uncertainties that could cause actual results to differ
materially from expectations Readers are cautioned not to place undue reliance on these forward-looking statements and they
should not be relied upon in making purchasing decisions
SAP and other SAP products and services mentioned herein as well as their respective logos are trademarks or registered
trademarks of SAP SE (or an SAP affiliate company) in Germany and other countries All other product and service names
mentioned are the trademarks of their respective companies
See wwwsapcomcopyright for additional trademark information and notices
wwwsapcomcontactsap
Follow all of SAP
Week 1 Authentication and Data Connectivity 1
Unit 4 Live Connection to SAP HANA with SAML SSO
2PUBLICcopy 2019 SAP SE or an SAP affiliate company All rights reserved ǀ
Live Connection to SAP HANA with SAML SSO
Prerequisites
CORS
minus Minimum SAP HANA versions SAP HANA 10 SPS12 or
SAP HANA 20 SP01
minus Compatible EPMMDS package installed on SAP HANA 2x
minus SAP HANA XS server is configured for HTTPS (SSL) with a
signed certificate
minus Users assigned sapbcinaservicev2userRoleINA_USER role
minus Access to SAP HANArsquos XS admin
https[HANA_XS_HOST][HTTPS_Port]saphanaxsadmin
minus Browser configured to accept cookies from SAP HANA server
SAML
minus SAP Analytics Cloud pre-configured to use custom SAML
minus Browser configured to allow popups from sapanalyticscloud
minus Access to SAP HANArsquos Web IDE
https[HANA_XS_HOST][HTTPS_Port]saphanaideeditor
3PUBLICcopy 2019 SAP SE or an SAP affiliate company All rights reserved ǀ
SAML2 Identity Provider
auth
InA
Service
1 Web Request
2 ltSAMLRequestgt
3 ltSAMLRequestgt
4 ltSAMLResponsegt
5 ltSAMLResponsegt
6 Content (auto-close popup)
7 CORS AJAX Request
8 CORS AJAX Response (Content)
Popup
Window
Main
Window
0 Popup window opens
1 Popup window requests the
auth node
2 Authentication required for
the auth node
3 SAMLRequest sent to IdP
4 IdP returns SAML response
as the browser was already
authenticated during SAP
Analytics Cloud logon
5 SAML assertion sent to SP
6 SP returns content of the
auth node causing auto-
closure of the popup window
7 Main browser window sends
CORS AJAX request to InA
service
8 SP returns InA content as
the browser is already
authenticatedSAML 2 Service Provider
SAP HANA
SAP BW
SAP S4HANA
SAP BusinessObjects BI4
SAP BPC
Live Connection to SAP HANA with SAML SSO
SAML workflow for SAP live sources
4PUBLICcopy 2019 SAP SE or an SAP affiliate company All rights reserved ǀ
Live Connection to SAP HANA with SAML SSO
Who should be involved
SAP HANA administrator
SAP Analytics Cloud admin
SAML IDP administrator
Network security administrator (for signed SSL certificates)
Thank you
Contact information
opensapcom
copy 2019 SAP SE or an SAP affiliate company All rights reserved
No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of
SAP SE or an SAP affiliate company
The information contained herein may be changed without prior notice Some software products marketed by SAP SE and its
distributors contain proprietary software components of other software vendors National product specifications may vary
These materials are provided by SAP SE or an SAP affiliate company for informational purposes only without representation or
warranty of any kind and SAP or its affiliated companies shall not be liable for errors or omissions with respect to the materials
The only warranties for SAP or SAP affiliate company products and services are those that are set forth in the express warranty
statements accompanying such products and services if any Nothing herein should be construed as constituting an additional
warranty
In particular SAP SE or its affiliated companies have no obligation to pursue any course of business outlined in this document or
any related presentation or to develop or release any functionality mentioned therein This document or any related presentation
and SAP SErsquos or its affiliated companiesrsquo strategy and possible future developments products andor platforms directions and
functionality are all subject to change and may be changed by SAP SE or its affiliated companies at any time for any reason
without notice The information in this document is not a commitment promise or legal obligation to deliver any material code or
functionality All forward-looking statements are subject to various risks and uncertainties that could cause actual results to differ
materially from expectations Readers are cautioned not to place undue reliance on these forward-looking statements and they
should not be relied upon in making purchasing decisions
SAP and other SAP products and services mentioned herein as well as their respective logos are trademarks or registered
trademarks of SAP SE (or an SAP affiliate company) in Germany and other countries All other product and service names
mentioned are the trademarks of their respective companies
See wwwsapcomcopyright for additional trademark information and notices
wwwsapcomcontactsap
Follow all of SAP
- openSAP_sac2_Week_1_Unit_1_COURSEINTRO_Presentation
- openSAP_sac2_Week_1_Unit_2_CUSTSAMLSSO_Presentation
- openSAP_sac2_Week_1_Unit_3_ADDAUT_Presentation
- openSAP_sac2_Week_1_Unit_4_LIVECONN_Presentation
-
3PUBLICcopy 2019 SAP SE or an SAP affiliate company All rights reserved ǀ
Custom SAML SSO to SAP Analytics Cloud
Who should be involved
SAP Analytics Cloud system owner
SAML IDP administrator
Thank you
Contact information
opensapcom
copy 2019 SAP SE or an SAP affiliate company All rights reserved
No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of
SAP SE or an SAP affiliate company
The information contained herein may be changed without prior notice Some software products marketed by SAP SE and its
distributors contain proprietary software components of other software vendors National product specifications may vary
These materials are provided by SAP SE or an SAP affiliate company for informational purposes only without representation or
warranty of any kind and SAP or its affiliated companies shall not be liable for errors or omissions with respect to the materials
The only warranties for SAP or SAP affiliate company products and services are those that are set forth in the express warranty
statements accompanying such products and services if any Nothing herein should be construed as constituting an additional
warranty
In particular SAP SE or its affiliated companies have no obligation to pursue any course of business outlined in this document or
any related presentation or to develop or release any functionality mentioned therein This document or any related presentation
and SAP SErsquos or its affiliated companiesrsquo strategy and possible future developments products andor platforms directions and
functionality are all subject to change and may be changed by SAP SE or its affiliated companies at any time for any reason
without notice The information in this document is not a commitment promise or legal obligation to deliver any material code or
functionality All forward-looking statements are subject to various risks and uncertainties that could cause actual results to differ
materially from expectations Readers are cautioned not to place undue reliance on these forward-looking statements and they
should not be relied upon in making purchasing decisions
SAP and other SAP products and services mentioned herein as well as their respective logos are trademarks or registered
trademarks of SAP SE (or an SAP affiliate company) in Germany and other countries All other product and service names
mentioned are the trademarks of their respective companies
See wwwsapcomcopyright for additional trademark information and notices
wwwsapcomcontactsap
Follow all of SAP
Week 1 Authentication and Data Connectivity 1
Unit 3 Additional Authentication Options
2PUBLICcopy 2019 SAP SE or an SAP affiliate company All rights reserved ǀ
Additional Authentication Options
Seamless SSO Social SSO and two-factor authentication
SAML 2 IDP
X509 Client
Certificate
Kerberos
SAML
Seamless SSO to SAP Analytics Cloud
minus Requires custom IDP to support either
Kerberos or client certificate authentication
minus Existing PKI infrastructure required to
support client certificate authentication
minus Kerberos typically only for Intranet
scenarios
Two-factor authentication and Social SSO
possible provided your custom IDP supports
these features
SAP
Analytics
Cloud
Thank you
Contact information
opensapcom
copy 2019 SAP SE or an SAP affiliate company All rights reserved
No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of
SAP SE or an SAP affiliate company
The information contained herein may be changed without prior notice Some software products marketed by SAP SE and its
distributors contain proprietary software components of other software vendors National product specifications may vary
These materials are provided by SAP SE or an SAP affiliate company for informational purposes only without representation or
warranty of any kind and SAP or its affiliated companies shall not be liable for errors or omissions with respect to the materials
The only warranties for SAP or SAP affiliate company products and services are those that are set forth in the express warranty
statements accompanying such products and services if any Nothing herein should be construed as constituting an additional
warranty
In particular SAP SE or its affiliated companies have no obligation to pursue any course of business outlined in this document or
any related presentation or to develop or release any functionality mentioned therein This document or any related presentation
and SAP SErsquos or its affiliated companiesrsquo strategy and possible future developments products andor platforms directions and
functionality are all subject to change and may be changed by SAP SE or its affiliated companies at any time for any reason
without notice The information in this document is not a commitment promise or legal obligation to deliver any material code or
functionality All forward-looking statements are subject to various risks and uncertainties that could cause actual results to differ
materially from expectations Readers are cautioned not to place undue reliance on these forward-looking statements and they
should not be relied upon in making purchasing decisions
SAP and other SAP products and services mentioned herein as well as their respective logos are trademarks or registered
trademarks of SAP SE (or an SAP affiliate company) in Germany and other countries All other product and service names
mentioned are the trademarks of their respective companies
See wwwsapcomcopyright for additional trademark information and notices
wwwsapcomcontactsap
Follow all of SAP
Week 1 Authentication and Data Connectivity 1
Unit 4 Live Connection to SAP HANA with SAML SSO
2PUBLICcopy 2019 SAP SE or an SAP affiliate company All rights reserved ǀ
Live Connection to SAP HANA with SAML SSO
Prerequisites
CORS
minus Minimum SAP HANA versions SAP HANA 10 SPS12 or
SAP HANA 20 SP01
minus Compatible EPMMDS package installed on SAP HANA 2x
minus SAP HANA XS server is configured for HTTPS (SSL) with a
signed certificate
minus Users assigned sapbcinaservicev2userRoleINA_USER role
minus Access to SAP HANArsquos XS admin
https[HANA_XS_HOST][HTTPS_Port]saphanaxsadmin
minus Browser configured to accept cookies from SAP HANA server
SAML
minus SAP Analytics Cloud pre-configured to use custom SAML
minus Browser configured to allow popups from sapanalyticscloud
minus Access to SAP HANArsquos Web IDE
https[HANA_XS_HOST][HTTPS_Port]saphanaideeditor
3PUBLICcopy 2019 SAP SE or an SAP affiliate company All rights reserved ǀ
SAML2 Identity Provider
auth
InA
Service
1 Web Request
2 ltSAMLRequestgt
3 ltSAMLRequestgt
4 ltSAMLResponsegt
5 ltSAMLResponsegt
6 Content (auto-close popup)
7 CORS AJAX Request
8 CORS AJAX Response (Content)
Popup
Window
Main
Window
0 Popup window opens
1 Popup window requests the
auth node
2 Authentication required for
the auth node
3 SAMLRequest sent to IdP
4 IdP returns SAML response
as the browser was already
authenticated during SAP
Analytics Cloud logon
5 SAML assertion sent to SP
6 SP returns content of the
auth node causing auto-
closure of the popup window
7 Main browser window sends
CORS AJAX request to InA
service
8 SP returns InA content as
the browser is already
authenticatedSAML 2 Service Provider
SAP HANA
SAP BW
SAP S4HANA
SAP BusinessObjects BI4
SAP BPC
Live Connection to SAP HANA with SAML SSO
SAML workflow for SAP live sources
4PUBLICcopy 2019 SAP SE or an SAP affiliate company All rights reserved ǀ
Live Connection to SAP HANA with SAML SSO
Who should be involved
SAP HANA administrator
SAP Analytics Cloud admin
SAML IDP administrator
Network security administrator (for signed SSL certificates)
Thank you
Contact information
opensapcom
copy 2019 SAP SE or an SAP affiliate company All rights reserved
No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of
SAP SE or an SAP affiliate company
The information contained herein may be changed without prior notice Some software products marketed by SAP SE and its
distributors contain proprietary software components of other software vendors National product specifications may vary
These materials are provided by SAP SE or an SAP affiliate company for informational purposes only without representation or
warranty of any kind and SAP or its affiliated companies shall not be liable for errors or omissions with respect to the materials
The only warranties for SAP or SAP affiliate company products and services are those that are set forth in the express warranty
statements accompanying such products and services if any Nothing herein should be construed as constituting an additional
warranty
In particular SAP SE or its affiliated companies have no obligation to pursue any course of business outlined in this document or
any related presentation or to develop or release any functionality mentioned therein This document or any related presentation
and SAP SErsquos or its affiliated companiesrsquo strategy and possible future developments products andor platforms directions and
functionality are all subject to change and may be changed by SAP SE or its affiliated companies at any time for any reason
without notice The information in this document is not a commitment promise or legal obligation to deliver any material code or
functionality All forward-looking statements are subject to various risks and uncertainties that could cause actual results to differ
materially from expectations Readers are cautioned not to place undue reliance on these forward-looking statements and they
should not be relied upon in making purchasing decisions
SAP and other SAP products and services mentioned herein as well as their respective logos are trademarks or registered
trademarks of SAP SE (or an SAP affiliate company) in Germany and other countries All other product and service names
mentioned are the trademarks of their respective companies
See wwwsapcomcopyright for additional trademark information and notices
wwwsapcomcontactsap
Follow all of SAP
- openSAP_sac2_Week_1_Unit_1_COURSEINTRO_Presentation
- openSAP_sac2_Week_1_Unit_2_CUSTSAMLSSO_Presentation
- openSAP_sac2_Week_1_Unit_3_ADDAUT_Presentation
- openSAP_sac2_Week_1_Unit_4_LIVECONN_Presentation
-
Thank you
Contact information
opensapcom
copy 2019 SAP SE or an SAP affiliate company All rights reserved
No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of
SAP SE or an SAP affiliate company
The information contained herein may be changed without prior notice Some software products marketed by SAP SE and its
distributors contain proprietary software components of other software vendors National product specifications may vary
These materials are provided by SAP SE or an SAP affiliate company for informational purposes only without representation or
warranty of any kind and SAP or its affiliated companies shall not be liable for errors or omissions with respect to the materials
The only warranties for SAP or SAP affiliate company products and services are those that are set forth in the express warranty
statements accompanying such products and services if any Nothing herein should be construed as constituting an additional
warranty
In particular SAP SE or its affiliated companies have no obligation to pursue any course of business outlined in this document or
any related presentation or to develop or release any functionality mentioned therein This document or any related presentation
and SAP SErsquos or its affiliated companiesrsquo strategy and possible future developments products andor platforms directions and
functionality are all subject to change and may be changed by SAP SE or its affiliated companies at any time for any reason
without notice The information in this document is not a commitment promise or legal obligation to deliver any material code or
functionality All forward-looking statements are subject to various risks and uncertainties that could cause actual results to differ
materially from expectations Readers are cautioned not to place undue reliance on these forward-looking statements and they
should not be relied upon in making purchasing decisions
SAP and other SAP products and services mentioned herein as well as their respective logos are trademarks or registered
trademarks of SAP SE (or an SAP affiliate company) in Germany and other countries All other product and service names
mentioned are the trademarks of their respective companies
See wwwsapcomcopyright for additional trademark information and notices
wwwsapcomcontactsap
Follow all of SAP
Week 1 Authentication and Data Connectivity 1
Unit 3 Additional Authentication Options
2PUBLICcopy 2019 SAP SE or an SAP affiliate company All rights reserved ǀ
Additional Authentication Options
Seamless SSO Social SSO and two-factor authentication
SAML 2 IDP
X509 Client
Certificate
Kerberos
SAML
Seamless SSO to SAP Analytics Cloud
minus Requires custom IDP to support either
Kerberos or client certificate authentication
minus Existing PKI infrastructure required to
support client certificate authentication
minus Kerberos typically only for Intranet
scenarios
Two-factor authentication and Social SSO
possible provided your custom IDP supports
these features
SAP
Analytics
Cloud
Thank you
Contact information
opensapcom
copy 2019 SAP SE or an SAP affiliate company All rights reserved
No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of
SAP SE or an SAP affiliate company
The information contained herein may be changed without prior notice Some software products marketed by SAP SE and its
distributors contain proprietary software components of other software vendors National product specifications may vary
These materials are provided by SAP SE or an SAP affiliate company for informational purposes only without representation or
warranty of any kind and SAP or its affiliated companies shall not be liable for errors or omissions with respect to the materials
The only warranties for SAP or SAP affiliate company products and services are those that are set forth in the express warranty
statements accompanying such products and services if any Nothing herein should be construed as constituting an additional
warranty
In particular SAP SE or its affiliated companies have no obligation to pursue any course of business outlined in this document or
any related presentation or to develop or release any functionality mentioned therein This document or any related presentation
and SAP SErsquos or its affiliated companiesrsquo strategy and possible future developments products andor platforms directions and
functionality are all subject to change and may be changed by SAP SE or its affiliated companies at any time for any reason
without notice The information in this document is not a commitment promise or legal obligation to deliver any material code or
functionality All forward-looking statements are subject to various risks and uncertainties that could cause actual results to differ
materially from expectations Readers are cautioned not to place undue reliance on these forward-looking statements and they
should not be relied upon in making purchasing decisions
SAP and other SAP products and services mentioned herein as well as their respective logos are trademarks or registered
trademarks of SAP SE (or an SAP affiliate company) in Germany and other countries All other product and service names
mentioned are the trademarks of their respective companies
See wwwsapcomcopyright for additional trademark information and notices
wwwsapcomcontactsap
Follow all of SAP
Week 1 Authentication and Data Connectivity 1
Unit 4 Live Connection to SAP HANA with SAML SSO
2PUBLICcopy 2019 SAP SE or an SAP affiliate company All rights reserved ǀ
Live Connection to SAP HANA with SAML SSO
Prerequisites
CORS
minus Minimum SAP HANA versions SAP HANA 10 SPS12 or
SAP HANA 20 SP01
minus Compatible EPMMDS package installed on SAP HANA 2x
minus SAP HANA XS server is configured for HTTPS (SSL) with a
signed certificate
minus Users assigned sapbcinaservicev2userRoleINA_USER role
minus Access to SAP HANArsquos XS admin
https[HANA_XS_HOST][HTTPS_Port]saphanaxsadmin
minus Browser configured to accept cookies from SAP HANA server
SAML
minus SAP Analytics Cloud pre-configured to use custom SAML
minus Browser configured to allow popups from sapanalyticscloud
minus Access to SAP HANArsquos Web IDE
https[HANA_XS_HOST][HTTPS_Port]saphanaideeditor
3PUBLICcopy 2019 SAP SE or an SAP affiliate company All rights reserved ǀ
SAML2 Identity Provider
auth
InA
Service
1 Web Request
2 ltSAMLRequestgt
3 ltSAMLRequestgt
4 ltSAMLResponsegt
5 ltSAMLResponsegt
6 Content (auto-close popup)
7 CORS AJAX Request
8 CORS AJAX Response (Content)
Popup
Window
Main
Window
0 Popup window opens
1 Popup window requests the
auth node
2 Authentication required for
the auth node
3 SAMLRequest sent to IdP
4 IdP returns SAML response
as the browser was already
authenticated during SAP
Analytics Cloud logon
5 SAML assertion sent to SP
6 SP returns content of the
auth node causing auto-
closure of the popup window
7 Main browser window sends
CORS AJAX request to InA
service
8 SP returns InA content as
the browser is already
authenticatedSAML 2 Service Provider
SAP HANA
SAP BW
SAP S4HANA
SAP BusinessObjects BI4
SAP BPC
Live Connection to SAP HANA with SAML SSO
SAML workflow for SAP live sources
4PUBLICcopy 2019 SAP SE or an SAP affiliate company All rights reserved ǀ
Live Connection to SAP HANA with SAML SSO
Who should be involved
SAP HANA administrator
SAP Analytics Cloud admin
SAML IDP administrator
Network security administrator (for signed SSL certificates)
Thank you
Contact information
opensapcom
copy 2019 SAP SE or an SAP affiliate company All rights reserved
No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of
SAP SE or an SAP affiliate company
The information contained herein may be changed without prior notice Some software products marketed by SAP SE and its
distributors contain proprietary software components of other software vendors National product specifications may vary
These materials are provided by SAP SE or an SAP affiliate company for informational purposes only without representation or
warranty of any kind and SAP or its affiliated companies shall not be liable for errors or omissions with respect to the materials
The only warranties for SAP or SAP affiliate company products and services are those that are set forth in the express warranty
statements accompanying such products and services if any Nothing herein should be construed as constituting an additional
warranty
In particular SAP SE or its affiliated companies have no obligation to pursue any course of business outlined in this document or
any related presentation or to develop or release any functionality mentioned therein This document or any related presentation
and SAP SErsquos or its affiliated companiesrsquo strategy and possible future developments products andor platforms directions and
functionality are all subject to change and may be changed by SAP SE or its affiliated companies at any time for any reason
without notice The information in this document is not a commitment promise or legal obligation to deliver any material code or
functionality All forward-looking statements are subject to various risks and uncertainties that could cause actual results to differ
materially from expectations Readers are cautioned not to place undue reliance on these forward-looking statements and they
should not be relied upon in making purchasing decisions
SAP and other SAP products and services mentioned herein as well as their respective logos are trademarks or registered
trademarks of SAP SE (or an SAP affiliate company) in Germany and other countries All other product and service names
mentioned are the trademarks of their respective companies
See wwwsapcomcopyright for additional trademark information and notices
wwwsapcomcontactsap
Follow all of SAP
- openSAP_sac2_Week_1_Unit_1_COURSEINTRO_Presentation
- openSAP_sac2_Week_1_Unit_2_CUSTSAMLSSO_Presentation
- openSAP_sac2_Week_1_Unit_3_ADDAUT_Presentation
- openSAP_sac2_Week_1_Unit_4_LIVECONN_Presentation
-
copy 2019 SAP SE or an SAP affiliate company All rights reserved
No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of
SAP SE or an SAP affiliate company
The information contained herein may be changed without prior notice Some software products marketed by SAP SE and its
distributors contain proprietary software components of other software vendors National product specifications may vary
These materials are provided by SAP SE or an SAP affiliate company for informational purposes only without representation or
warranty of any kind and SAP or its affiliated companies shall not be liable for errors or omissions with respect to the materials
The only warranties for SAP or SAP affiliate company products and services are those that are set forth in the express warranty
statements accompanying such products and services if any Nothing herein should be construed as constituting an additional
warranty
In particular SAP SE or its affiliated companies have no obligation to pursue any course of business outlined in this document or
any related presentation or to develop or release any functionality mentioned therein This document or any related presentation
and SAP SErsquos or its affiliated companiesrsquo strategy and possible future developments products andor platforms directions and
functionality are all subject to change and may be changed by SAP SE or its affiliated companies at any time for any reason
without notice The information in this document is not a commitment promise or legal obligation to deliver any material code or
functionality All forward-looking statements are subject to various risks and uncertainties that could cause actual results to differ
materially from expectations Readers are cautioned not to place undue reliance on these forward-looking statements and they
should not be relied upon in making purchasing decisions
SAP and other SAP products and services mentioned herein as well as their respective logos are trademarks or registered
trademarks of SAP SE (or an SAP affiliate company) in Germany and other countries All other product and service names
mentioned are the trademarks of their respective companies
See wwwsapcomcopyright for additional trademark information and notices
wwwsapcomcontactsap
Follow all of SAP
Week 1 Authentication and Data Connectivity 1
Unit 3 Additional Authentication Options
2PUBLICcopy 2019 SAP SE or an SAP affiliate company All rights reserved ǀ
Additional Authentication Options
Seamless SSO Social SSO and two-factor authentication
SAML 2 IDP
X509 Client
Certificate
Kerberos
SAML
Seamless SSO to SAP Analytics Cloud
minus Requires custom IDP to support either
Kerberos or client certificate authentication
minus Existing PKI infrastructure required to
support client certificate authentication
minus Kerberos typically only for Intranet
scenarios
Two-factor authentication and Social SSO
possible provided your custom IDP supports
these features
SAP
Analytics
Cloud
Thank you
Contact information
opensapcom
copy 2019 SAP SE or an SAP affiliate company All rights reserved
No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of
SAP SE or an SAP affiliate company
The information contained herein may be changed without prior notice Some software products marketed by SAP SE and its
distributors contain proprietary software components of other software vendors National product specifications may vary
These materials are provided by SAP SE or an SAP affiliate company for informational purposes only without representation or
warranty of any kind and SAP or its affiliated companies shall not be liable for errors or omissions with respect to the materials
The only warranties for SAP or SAP affiliate company products and services are those that are set forth in the express warranty
statements accompanying such products and services if any Nothing herein should be construed as constituting an additional
warranty
In particular SAP SE or its affiliated companies have no obligation to pursue any course of business outlined in this document or
any related presentation or to develop or release any functionality mentioned therein This document or any related presentation
and SAP SErsquos or its affiliated companiesrsquo strategy and possible future developments products andor platforms directions and
functionality are all subject to change and may be changed by SAP SE or its affiliated companies at any time for any reason
without notice The information in this document is not a commitment promise or legal obligation to deliver any material code or
functionality All forward-looking statements are subject to various risks and uncertainties that could cause actual results to differ
materially from expectations Readers are cautioned not to place undue reliance on these forward-looking statements and they
should not be relied upon in making purchasing decisions
SAP and other SAP products and services mentioned herein as well as their respective logos are trademarks or registered
trademarks of SAP SE (or an SAP affiliate company) in Germany and other countries All other product and service names
mentioned are the trademarks of their respective companies
See wwwsapcomcopyright for additional trademark information and notices
wwwsapcomcontactsap
Follow all of SAP
Week 1 Authentication and Data Connectivity 1
Unit 4 Live Connection to SAP HANA with SAML SSO
2PUBLICcopy 2019 SAP SE or an SAP affiliate company All rights reserved ǀ
Live Connection to SAP HANA with SAML SSO
Prerequisites
CORS
minus Minimum SAP HANA versions SAP HANA 10 SPS12 or
SAP HANA 20 SP01
minus Compatible EPMMDS package installed on SAP HANA 2x
minus SAP HANA XS server is configured for HTTPS (SSL) with a
signed certificate
minus Users assigned sapbcinaservicev2userRoleINA_USER role
minus Access to SAP HANArsquos XS admin
https[HANA_XS_HOST][HTTPS_Port]saphanaxsadmin
minus Browser configured to accept cookies from SAP HANA server
SAML
minus SAP Analytics Cloud pre-configured to use custom SAML
minus Browser configured to allow popups from sapanalyticscloud
minus Access to SAP HANArsquos Web IDE
https[HANA_XS_HOST][HTTPS_Port]saphanaideeditor
3PUBLICcopy 2019 SAP SE or an SAP affiliate company All rights reserved ǀ
SAML2 Identity Provider
auth
InA
Service
1 Web Request
2 ltSAMLRequestgt
3 ltSAMLRequestgt
4 ltSAMLResponsegt
5 ltSAMLResponsegt
6 Content (auto-close popup)
7 CORS AJAX Request
8 CORS AJAX Response (Content)
Popup
Window
Main
Window
0 Popup window opens
1 Popup window requests the
auth node
2 Authentication required for
the auth node
3 SAMLRequest sent to IdP
4 IdP returns SAML response
as the browser was already
authenticated during SAP
Analytics Cloud logon
5 SAML assertion sent to SP
6 SP returns content of the
auth node causing auto-
closure of the popup window
7 Main browser window sends
CORS AJAX request to InA
service
8 SP returns InA content as
the browser is already
authenticatedSAML 2 Service Provider
SAP HANA
SAP BW
SAP S4HANA
SAP BusinessObjects BI4
SAP BPC
Live Connection to SAP HANA with SAML SSO
SAML workflow for SAP live sources
4PUBLICcopy 2019 SAP SE or an SAP affiliate company All rights reserved ǀ
Live Connection to SAP HANA with SAML SSO
Who should be involved
SAP HANA administrator
SAP Analytics Cloud admin
SAML IDP administrator
Network security administrator (for signed SSL certificates)
Thank you
Contact information
opensapcom
copy 2019 SAP SE or an SAP affiliate company All rights reserved
No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of
SAP SE or an SAP affiliate company
The information contained herein may be changed without prior notice Some software products marketed by SAP SE and its
distributors contain proprietary software components of other software vendors National product specifications may vary
These materials are provided by SAP SE or an SAP affiliate company for informational purposes only without representation or
warranty of any kind and SAP or its affiliated companies shall not be liable for errors or omissions with respect to the materials
The only warranties for SAP or SAP affiliate company products and services are those that are set forth in the express warranty
statements accompanying such products and services if any Nothing herein should be construed as constituting an additional
warranty
In particular SAP SE or its affiliated companies have no obligation to pursue any course of business outlined in this document or
any related presentation or to develop or release any functionality mentioned therein This document or any related presentation
and SAP SErsquos or its affiliated companiesrsquo strategy and possible future developments products andor platforms directions and
functionality are all subject to change and may be changed by SAP SE or its affiliated companies at any time for any reason
without notice The information in this document is not a commitment promise or legal obligation to deliver any material code or
functionality All forward-looking statements are subject to various risks and uncertainties that could cause actual results to differ
materially from expectations Readers are cautioned not to place undue reliance on these forward-looking statements and they
should not be relied upon in making purchasing decisions
SAP and other SAP products and services mentioned herein as well as their respective logos are trademarks or registered
trademarks of SAP SE (or an SAP affiliate company) in Germany and other countries All other product and service names
mentioned are the trademarks of their respective companies
See wwwsapcomcopyright for additional trademark information and notices
wwwsapcomcontactsap
Follow all of SAP
- openSAP_sac2_Week_1_Unit_1_COURSEINTRO_Presentation
- openSAP_sac2_Week_1_Unit_2_CUSTSAMLSSO_Presentation
- openSAP_sac2_Week_1_Unit_3_ADDAUT_Presentation
- openSAP_sac2_Week_1_Unit_4_LIVECONN_Presentation
-
Week 1 Authentication and Data Connectivity 1
Unit 3 Additional Authentication Options
2PUBLICcopy 2019 SAP SE or an SAP affiliate company All rights reserved ǀ
Additional Authentication Options
Seamless SSO Social SSO and two-factor authentication
SAML 2 IDP
X509 Client
Certificate
Kerberos
SAML
Seamless SSO to SAP Analytics Cloud
minus Requires custom IDP to support either
Kerberos or client certificate authentication
minus Existing PKI infrastructure required to
support client certificate authentication
minus Kerberos typically only for Intranet
scenarios
Two-factor authentication and Social SSO
possible provided your custom IDP supports
these features
SAP
Analytics
Cloud
Thank you
Contact information
opensapcom
copy 2019 SAP SE or an SAP affiliate company All rights reserved
No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of
SAP SE or an SAP affiliate company
The information contained herein may be changed without prior notice Some software products marketed by SAP SE and its
distributors contain proprietary software components of other software vendors National product specifications may vary
These materials are provided by SAP SE or an SAP affiliate company for informational purposes only without representation or
warranty of any kind and SAP or its affiliated companies shall not be liable for errors or omissions with respect to the materials
The only warranties for SAP or SAP affiliate company products and services are those that are set forth in the express warranty
statements accompanying such products and services if any Nothing herein should be construed as constituting an additional
warranty
In particular SAP SE or its affiliated companies have no obligation to pursue any course of business outlined in this document or
any related presentation or to develop or release any functionality mentioned therein This document or any related presentation
and SAP SErsquos or its affiliated companiesrsquo strategy and possible future developments products andor platforms directions and
functionality are all subject to change and may be changed by SAP SE or its affiliated companies at any time for any reason
without notice The information in this document is not a commitment promise or legal obligation to deliver any material code or
functionality All forward-looking statements are subject to various risks and uncertainties that could cause actual results to differ
materially from expectations Readers are cautioned not to place undue reliance on these forward-looking statements and they
should not be relied upon in making purchasing decisions
SAP and other SAP products and services mentioned herein as well as their respective logos are trademarks or registered
trademarks of SAP SE (or an SAP affiliate company) in Germany and other countries All other product and service names
mentioned are the trademarks of their respective companies
See wwwsapcomcopyright for additional trademark information and notices
wwwsapcomcontactsap
Follow all of SAP
Week 1 Authentication and Data Connectivity 1
Unit 4 Live Connection to SAP HANA with SAML SSO
2PUBLICcopy 2019 SAP SE or an SAP affiliate company All rights reserved ǀ
Live Connection to SAP HANA with SAML SSO
Prerequisites
CORS
minus Minimum SAP HANA versions SAP HANA 10 SPS12 or
SAP HANA 20 SP01
minus Compatible EPMMDS package installed on SAP HANA 2x
minus SAP HANA XS server is configured for HTTPS (SSL) with a
signed certificate
minus Users assigned sapbcinaservicev2userRoleINA_USER role
minus Access to SAP HANArsquos XS admin
https[HANA_XS_HOST][HTTPS_Port]saphanaxsadmin
minus Browser configured to accept cookies from SAP HANA server
SAML
minus SAP Analytics Cloud pre-configured to use custom SAML
minus Browser configured to allow popups from sapanalyticscloud
minus Access to SAP HANArsquos Web IDE
https[HANA_XS_HOST][HTTPS_Port]saphanaideeditor
3PUBLICcopy 2019 SAP SE or an SAP affiliate company All rights reserved ǀ
SAML2 Identity Provider
auth
InA
Service
1 Web Request
2 ltSAMLRequestgt
3 ltSAMLRequestgt
4 ltSAMLResponsegt
5 ltSAMLResponsegt
6 Content (auto-close popup)
7 CORS AJAX Request
8 CORS AJAX Response (Content)
Popup
Window
Main
Window
0 Popup window opens
1 Popup window requests the
auth node
2 Authentication required for
the auth node
3 SAMLRequest sent to IdP
4 IdP returns SAML response
as the browser was already
authenticated during SAP
Analytics Cloud logon
5 SAML assertion sent to SP
6 SP returns content of the
auth node causing auto-
closure of the popup window
7 Main browser window sends
CORS AJAX request to InA
service
8 SP returns InA content as
the browser is already
authenticatedSAML 2 Service Provider
SAP HANA
SAP BW
SAP S4HANA
SAP BusinessObjects BI4
SAP BPC
Live Connection to SAP HANA with SAML SSO
SAML workflow for SAP live sources
4PUBLICcopy 2019 SAP SE or an SAP affiliate company All rights reserved ǀ
Live Connection to SAP HANA with SAML SSO
Who should be involved
SAP HANA administrator
SAP Analytics Cloud admin
SAML IDP administrator
Network security administrator (for signed SSL certificates)
Thank you
Contact information
opensapcom
copy 2019 SAP SE or an SAP affiliate company All rights reserved
No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of
SAP SE or an SAP affiliate company
The information contained herein may be changed without prior notice Some software products marketed by SAP SE and its
distributors contain proprietary software components of other software vendors National product specifications may vary
These materials are provided by SAP SE or an SAP affiliate company for informational purposes only without representation or
warranty of any kind and SAP or its affiliated companies shall not be liable for errors or omissions with respect to the materials
The only warranties for SAP or SAP affiliate company products and services are those that are set forth in the express warranty
statements accompanying such products and services if any Nothing herein should be construed as constituting an additional
warranty
In particular SAP SE or its affiliated companies have no obligation to pursue any course of business outlined in this document or
any related presentation or to develop or release any functionality mentioned therein This document or any related presentation
and SAP SErsquos or its affiliated companiesrsquo strategy and possible future developments products andor platforms directions and
functionality are all subject to change and may be changed by SAP SE or its affiliated companies at any time for any reason
without notice The information in this document is not a commitment promise or legal obligation to deliver any material code or
functionality All forward-looking statements are subject to various risks and uncertainties that could cause actual results to differ
materially from expectations Readers are cautioned not to place undue reliance on these forward-looking statements and they
should not be relied upon in making purchasing decisions
SAP and other SAP products and services mentioned herein as well as their respective logos are trademarks or registered
trademarks of SAP SE (or an SAP affiliate company) in Germany and other countries All other product and service names
mentioned are the trademarks of their respective companies
See wwwsapcomcopyright for additional trademark information and notices
wwwsapcomcontactsap
Follow all of SAP
- openSAP_sac2_Week_1_Unit_1_COURSEINTRO_Presentation
- openSAP_sac2_Week_1_Unit_2_CUSTSAMLSSO_Presentation
- openSAP_sac2_Week_1_Unit_3_ADDAUT_Presentation
- openSAP_sac2_Week_1_Unit_4_LIVECONN_Presentation
-
2PUBLICcopy 2019 SAP SE or an SAP affiliate company All rights reserved ǀ
Additional Authentication Options
Seamless SSO Social SSO and two-factor authentication
SAML 2 IDP
X509 Client
Certificate
Kerberos
SAML
Seamless SSO to SAP Analytics Cloud
minus Requires custom IDP to support either
Kerberos or client certificate authentication
minus Existing PKI infrastructure required to
support client certificate authentication
minus Kerberos typically only for Intranet
scenarios
Two-factor authentication and Social SSO
possible provided your custom IDP supports
these features
SAP
Analytics
Cloud
Thank you
Contact information
opensapcom
copy 2019 SAP SE or an SAP affiliate company All rights reserved
No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of
SAP SE or an SAP affiliate company
The information contained herein may be changed without prior notice Some software products marketed by SAP SE and its
distributors contain proprietary software components of other software vendors National product specifications may vary
These materials are provided by SAP SE or an SAP affiliate company for informational purposes only without representation or
warranty of any kind and SAP or its affiliated companies shall not be liable for errors or omissions with respect to the materials
The only warranties for SAP or SAP affiliate company products and services are those that are set forth in the express warranty
statements accompanying such products and services if any Nothing herein should be construed as constituting an additional
warranty
In particular SAP SE or its affiliated companies have no obligation to pursue any course of business outlined in this document or
any related presentation or to develop or release any functionality mentioned therein This document or any related presentation
and SAP SErsquos or its affiliated companiesrsquo strategy and possible future developments products andor platforms directions and
functionality are all subject to change and may be changed by SAP SE or its affiliated companies at any time for any reason
without notice The information in this document is not a commitment promise or legal obligation to deliver any material code or
functionality All forward-looking statements are subject to various risks and uncertainties that could cause actual results to differ
materially from expectations Readers are cautioned not to place undue reliance on these forward-looking statements and they
should not be relied upon in making purchasing decisions
SAP and other SAP products and services mentioned herein as well as their respective logos are trademarks or registered
trademarks of SAP SE (or an SAP affiliate company) in Germany and other countries All other product and service names
mentioned are the trademarks of their respective companies
See wwwsapcomcopyright for additional trademark information and notices
wwwsapcomcontactsap
Follow all of SAP
Week 1 Authentication and Data Connectivity 1
Unit 4 Live Connection to SAP HANA with SAML SSO
2PUBLICcopy 2019 SAP SE or an SAP affiliate company All rights reserved ǀ
Live Connection to SAP HANA with SAML SSO
Prerequisites
CORS
minus Minimum SAP HANA versions SAP HANA 10 SPS12 or
SAP HANA 20 SP01
minus Compatible EPMMDS package installed on SAP HANA 2x
minus SAP HANA XS server is configured for HTTPS (SSL) with a
signed certificate
minus Users assigned sapbcinaservicev2userRoleINA_USER role
minus Access to SAP HANArsquos XS admin
https[HANA_XS_HOST][HTTPS_Port]saphanaxsadmin
minus Browser configured to accept cookies from SAP HANA server
SAML
minus SAP Analytics Cloud pre-configured to use custom SAML
minus Browser configured to allow popups from sapanalyticscloud
minus Access to SAP HANArsquos Web IDE
https[HANA_XS_HOST][HTTPS_Port]saphanaideeditor
3PUBLICcopy 2019 SAP SE or an SAP affiliate company All rights reserved ǀ
SAML2 Identity Provider
auth
InA
Service
1 Web Request
2 ltSAMLRequestgt
3 ltSAMLRequestgt
4 ltSAMLResponsegt
5 ltSAMLResponsegt
6 Content (auto-close popup)
7 CORS AJAX Request
8 CORS AJAX Response (Content)
Popup
Window
Main
Window
0 Popup window opens
1 Popup window requests the
auth node
2 Authentication required for
the auth node
3 SAMLRequest sent to IdP
4 IdP returns SAML response
as the browser was already
authenticated during SAP
Analytics Cloud logon
5 SAML assertion sent to SP
6 SP returns content of the
auth node causing auto-
closure of the popup window
7 Main browser window sends
CORS AJAX request to InA
service
8 SP returns InA content as
the browser is already
authenticatedSAML 2 Service Provider
SAP HANA
SAP BW
SAP S4HANA
SAP BusinessObjects BI4
SAP BPC
Live Connection to SAP HANA with SAML SSO
SAML workflow for SAP live sources
4PUBLICcopy 2019 SAP SE or an SAP affiliate company All rights reserved ǀ
Live Connection to SAP HANA with SAML SSO
Who should be involved
SAP HANA administrator
SAP Analytics Cloud admin
SAML IDP administrator
Network security administrator (for signed SSL certificates)
Thank you
Contact information
opensapcom
copy 2019 SAP SE or an SAP affiliate company All rights reserved
No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of
SAP SE or an SAP affiliate company
The information contained herein may be changed without prior notice Some software products marketed by SAP SE and its
distributors contain proprietary software components of other software vendors National product specifications may vary
These materials are provided by SAP SE or an SAP affiliate company for informational purposes only without representation or
warranty of any kind and SAP or its affiliated companies shall not be liable for errors or omissions with respect to the materials
The only warranties for SAP or SAP affiliate company products and services are those that are set forth in the express warranty
statements accompanying such products and services if any Nothing herein should be construed as constituting an additional
warranty
In particular SAP SE or its affiliated companies have no obligation to pursue any course of business outlined in this document or
any related presentation or to develop or release any functionality mentioned therein This document or any related presentation
and SAP SErsquos or its affiliated companiesrsquo strategy and possible future developments products andor platforms directions and
functionality are all subject to change and may be changed by SAP SE or its affiliated companies at any time for any reason
without notice The information in this document is not a commitment promise or legal obligation to deliver any material code or
functionality All forward-looking statements are subject to various risks and uncertainties that could cause actual results to differ
materially from expectations Readers are cautioned not to place undue reliance on these forward-looking statements and they
should not be relied upon in making purchasing decisions
SAP and other SAP products and services mentioned herein as well as their respective logos are trademarks or registered
trademarks of SAP SE (or an SAP affiliate company) in Germany and other countries All other product and service names
mentioned are the trademarks of their respective companies
See wwwsapcomcopyright for additional trademark information and notices
wwwsapcomcontactsap
Follow all of SAP
- openSAP_sac2_Week_1_Unit_1_COURSEINTRO_Presentation
- openSAP_sac2_Week_1_Unit_2_CUSTSAMLSSO_Presentation
- openSAP_sac2_Week_1_Unit_3_ADDAUT_Presentation
- openSAP_sac2_Week_1_Unit_4_LIVECONN_Presentation
-
Thank you
Contact information
opensapcom
copy 2019 SAP SE or an SAP affiliate company All rights reserved
No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of
SAP SE or an SAP affiliate company
The information contained herein may be changed without prior notice Some software products marketed by SAP SE and its
distributors contain proprietary software components of other software vendors National product specifications may vary
These materials are provided by SAP SE or an SAP affiliate company for informational purposes only without representation or
warranty of any kind and SAP or its affiliated companies shall not be liable for errors or omissions with respect to the materials
The only warranties for SAP or SAP affiliate company products and services are those that are set forth in the express warranty
statements accompanying such products and services if any Nothing herein should be construed as constituting an additional
warranty
In particular SAP SE or its affiliated companies have no obligation to pursue any course of business outlined in this document or
any related presentation or to develop or release any functionality mentioned therein This document or any related presentation
and SAP SErsquos or its affiliated companiesrsquo strategy and possible future developments products andor platforms directions and
functionality are all subject to change and may be changed by SAP SE or its affiliated companies at any time for any reason
without notice The information in this document is not a commitment promise or legal obligation to deliver any material code or
functionality All forward-looking statements are subject to various risks and uncertainties that could cause actual results to differ
materially from expectations Readers are cautioned not to place undue reliance on these forward-looking statements and they
should not be relied upon in making purchasing decisions
SAP and other SAP products and services mentioned herein as well as their respective logos are trademarks or registered
trademarks of SAP SE (or an SAP affiliate company) in Germany and other countries All other product and service names
mentioned are the trademarks of their respective companies
See wwwsapcomcopyright for additional trademark information and notices
wwwsapcomcontactsap
Follow all of SAP
Week 1 Authentication and Data Connectivity 1
Unit 4 Live Connection to SAP HANA with SAML SSO
2PUBLICcopy 2019 SAP SE or an SAP affiliate company All rights reserved ǀ
Live Connection to SAP HANA with SAML SSO
Prerequisites
CORS
minus Minimum SAP HANA versions SAP HANA 10 SPS12 or
SAP HANA 20 SP01
minus Compatible EPMMDS package installed on SAP HANA 2x
minus SAP HANA XS server is configured for HTTPS (SSL) with a
signed certificate
minus Users assigned sapbcinaservicev2userRoleINA_USER role
minus Access to SAP HANArsquos XS admin
https[HANA_XS_HOST][HTTPS_Port]saphanaxsadmin
minus Browser configured to accept cookies from SAP HANA server
SAML
minus SAP Analytics Cloud pre-configured to use custom SAML
minus Browser configured to allow popups from sapanalyticscloud
minus Access to SAP HANArsquos Web IDE
https[HANA_XS_HOST][HTTPS_Port]saphanaideeditor
3PUBLICcopy 2019 SAP SE or an SAP affiliate company All rights reserved ǀ
SAML2 Identity Provider
auth
InA
Service
1 Web Request
2 ltSAMLRequestgt
3 ltSAMLRequestgt
4 ltSAMLResponsegt
5 ltSAMLResponsegt
6 Content (auto-close popup)
7 CORS AJAX Request
8 CORS AJAX Response (Content)
Popup
Window
Main
Window
0 Popup window opens
1 Popup window requests the
auth node
2 Authentication required for
the auth node
3 SAMLRequest sent to IdP
4 IdP returns SAML response
as the browser was already
authenticated during SAP
Analytics Cloud logon
5 SAML assertion sent to SP
6 SP returns content of the
auth node causing auto-
closure of the popup window
7 Main browser window sends
CORS AJAX request to InA
service
8 SP returns InA content as
the browser is already
authenticatedSAML 2 Service Provider
SAP HANA
SAP BW
SAP S4HANA
SAP BusinessObjects BI4
SAP BPC
Live Connection to SAP HANA with SAML SSO
SAML workflow for SAP live sources
4PUBLICcopy 2019 SAP SE or an SAP affiliate company All rights reserved ǀ
Live Connection to SAP HANA with SAML SSO
Who should be involved
SAP HANA administrator
SAP Analytics Cloud admin
SAML IDP administrator
Network security administrator (for signed SSL certificates)
Thank you
Contact information
opensapcom
copy 2019 SAP SE or an SAP affiliate company All rights reserved
No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of
SAP SE or an SAP affiliate company
The information contained herein may be changed without prior notice Some software products marketed by SAP SE and its
distributors contain proprietary software components of other software vendors National product specifications may vary
These materials are provided by SAP SE or an SAP affiliate company for informational purposes only without representation or
warranty of any kind and SAP or its affiliated companies shall not be liable for errors or omissions with respect to the materials
The only warranties for SAP or SAP affiliate company products and services are those that are set forth in the express warranty
statements accompanying such products and services if any Nothing herein should be construed as constituting an additional
warranty
In particular SAP SE or its affiliated companies have no obligation to pursue any course of business outlined in this document or
any related presentation or to develop or release any functionality mentioned therein This document or any related presentation
and SAP SErsquos or its affiliated companiesrsquo strategy and possible future developments products andor platforms directions and
functionality are all subject to change and may be changed by SAP SE or its affiliated companies at any time for any reason
without notice The information in this document is not a commitment promise or legal obligation to deliver any material code or
functionality All forward-looking statements are subject to various risks and uncertainties that could cause actual results to differ
materially from expectations Readers are cautioned not to place undue reliance on these forward-looking statements and they
should not be relied upon in making purchasing decisions
SAP and other SAP products and services mentioned herein as well as their respective logos are trademarks or registered
trademarks of SAP SE (or an SAP affiliate company) in Germany and other countries All other product and service names
mentioned are the trademarks of their respective companies
See wwwsapcomcopyright for additional trademark information and notices
wwwsapcomcontactsap
Follow all of SAP
- openSAP_sac2_Week_1_Unit_1_COURSEINTRO_Presentation
- openSAP_sac2_Week_1_Unit_2_CUSTSAMLSSO_Presentation
- openSAP_sac2_Week_1_Unit_3_ADDAUT_Presentation
- openSAP_sac2_Week_1_Unit_4_LIVECONN_Presentation
-
copy 2019 SAP SE or an SAP affiliate company All rights reserved
No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of
SAP SE or an SAP affiliate company
The information contained herein may be changed without prior notice Some software products marketed by SAP SE and its
distributors contain proprietary software components of other software vendors National product specifications may vary
These materials are provided by SAP SE or an SAP affiliate company for informational purposes only without representation or
warranty of any kind and SAP or its affiliated companies shall not be liable for errors or omissions with respect to the materials
The only warranties for SAP or SAP affiliate company products and services are those that are set forth in the express warranty
statements accompanying such products and services if any Nothing herein should be construed as constituting an additional
warranty
In particular SAP SE or its affiliated companies have no obligation to pursue any course of business outlined in this document or
any related presentation or to develop or release any functionality mentioned therein This document or any related presentation
and SAP SErsquos or its affiliated companiesrsquo strategy and possible future developments products andor platforms directions and
functionality are all subject to change and may be changed by SAP SE or its affiliated companies at any time for any reason
without notice The information in this document is not a commitment promise or legal obligation to deliver any material code or
functionality All forward-looking statements are subject to various risks and uncertainties that could cause actual results to differ
materially from expectations Readers are cautioned not to place undue reliance on these forward-looking statements and they
should not be relied upon in making purchasing decisions
SAP and other SAP products and services mentioned herein as well as their respective logos are trademarks or registered
trademarks of SAP SE (or an SAP affiliate company) in Germany and other countries All other product and service names
mentioned are the trademarks of their respective companies
See wwwsapcomcopyright for additional trademark information and notices
wwwsapcomcontactsap
Follow all of SAP
Week 1 Authentication and Data Connectivity 1
Unit 4 Live Connection to SAP HANA with SAML SSO
2PUBLICcopy 2019 SAP SE or an SAP affiliate company All rights reserved ǀ
Live Connection to SAP HANA with SAML SSO
Prerequisites
CORS
minus Minimum SAP HANA versions SAP HANA 10 SPS12 or
SAP HANA 20 SP01
minus Compatible EPMMDS package installed on SAP HANA 2x
minus SAP HANA XS server is configured for HTTPS (SSL) with a
signed certificate
minus Users assigned sapbcinaservicev2userRoleINA_USER role
minus Access to SAP HANArsquos XS admin
https[HANA_XS_HOST][HTTPS_Port]saphanaxsadmin
minus Browser configured to accept cookies from SAP HANA server
SAML
minus SAP Analytics Cloud pre-configured to use custom SAML
minus Browser configured to allow popups from sapanalyticscloud
minus Access to SAP HANArsquos Web IDE
https[HANA_XS_HOST][HTTPS_Port]saphanaideeditor
3PUBLICcopy 2019 SAP SE or an SAP affiliate company All rights reserved ǀ
SAML2 Identity Provider
auth
InA
Service
1 Web Request
2 ltSAMLRequestgt
3 ltSAMLRequestgt
4 ltSAMLResponsegt
5 ltSAMLResponsegt
6 Content (auto-close popup)
7 CORS AJAX Request
8 CORS AJAX Response (Content)
Popup
Window
Main
Window
0 Popup window opens
1 Popup window requests the
auth node
2 Authentication required for
the auth node
3 SAMLRequest sent to IdP
4 IdP returns SAML response
as the browser was already
authenticated during SAP
Analytics Cloud logon
5 SAML assertion sent to SP
6 SP returns content of the
auth node causing auto-
closure of the popup window
7 Main browser window sends
CORS AJAX request to InA
service
8 SP returns InA content as
the browser is already
authenticatedSAML 2 Service Provider
SAP HANA
SAP BW
SAP S4HANA
SAP BusinessObjects BI4
SAP BPC
Live Connection to SAP HANA with SAML SSO
SAML workflow for SAP live sources
4PUBLICcopy 2019 SAP SE or an SAP affiliate company All rights reserved ǀ
Live Connection to SAP HANA with SAML SSO
Who should be involved
SAP HANA administrator
SAP Analytics Cloud admin
SAML IDP administrator
Network security administrator (for signed SSL certificates)
Thank you
Contact information
opensapcom
copy 2019 SAP SE or an SAP affiliate company All rights reserved
No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of
SAP SE or an SAP affiliate company
The information contained herein may be changed without prior notice Some software products marketed by SAP SE and its
distributors contain proprietary software components of other software vendors National product specifications may vary
These materials are provided by SAP SE or an SAP affiliate company for informational purposes only without representation or
warranty of any kind and SAP or its affiliated companies shall not be liable for errors or omissions with respect to the materials
The only warranties for SAP or SAP affiliate company products and services are those that are set forth in the express warranty
statements accompanying such products and services if any Nothing herein should be construed as constituting an additional
warranty
In particular SAP SE or its affiliated companies have no obligation to pursue any course of business outlined in this document or
any related presentation or to develop or release any functionality mentioned therein This document or any related presentation
and SAP SErsquos or its affiliated companiesrsquo strategy and possible future developments products andor platforms directions and
functionality are all subject to change and may be changed by SAP SE or its affiliated companies at any time for any reason
without notice The information in this document is not a commitment promise or legal obligation to deliver any material code or
functionality All forward-looking statements are subject to various risks and uncertainties that could cause actual results to differ
materially from expectations Readers are cautioned not to place undue reliance on these forward-looking statements and they
should not be relied upon in making purchasing decisions
SAP and other SAP products and services mentioned herein as well as their respective logos are trademarks or registered
trademarks of SAP SE (or an SAP affiliate company) in Germany and other countries All other product and service names
mentioned are the trademarks of their respective companies
See wwwsapcomcopyright for additional trademark information and notices
wwwsapcomcontactsap
Follow all of SAP
- openSAP_sac2_Week_1_Unit_1_COURSEINTRO_Presentation
- openSAP_sac2_Week_1_Unit_2_CUSTSAMLSSO_Presentation
- openSAP_sac2_Week_1_Unit_3_ADDAUT_Presentation
- openSAP_sac2_Week_1_Unit_4_LIVECONN_Presentation
-
Week 1 Authentication and Data Connectivity 1
Unit 4 Live Connection to SAP HANA with SAML SSO
2PUBLICcopy 2019 SAP SE or an SAP affiliate company All rights reserved ǀ
Live Connection to SAP HANA with SAML SSO
Prerequisites
CORS
minus Minimum SAP HANA versions SAP HANA 10 SPS12 or
SAP HANA 20 SP01
minus Compatible EPMMDS package installed on SAP HANA 2x
minus SAP HANA XS server is configured for HTTPS (SSL) with a
signed certificate
minus Users assigned sapbcinaservicev2userRoleINA_USER role
minus Access to SAP HANArsquos XS admin
https[HANA_XS_HOST][HTTPS_Port]saphanaxsadmin
minus Browser configured to accept cookies from SAP HANA server
SAML
minus SAP Analytics Cloud pre-configured to use custom SAML
minus Browser configured to allow popups from sapanalyticscloud
minus Access to SAP HANArsquos Web IDE
https[HANA_XS_HOST][HTTPS_Port]saphanaideeditor
3PUBLICcopy 2019 SAP SE or an SAP affiliate company All rights reserved ǀ
SAML2 Identity Provider
auth
InA
Service
1 Web Request
2 ltSAMLRequestgt
3 ltSAMLRequestgt
4 ltSAMLResponsegt
5 ltSAMLResponsegt
6 Content (auto-close popup)
7 CORS AJAX Request
8 CORS AJAX Response (Content)
Popup
Window
Main
Window
0 Popup window opens
1 Popup window requests the
auth node
2 Authentication required for
the auth node
3 SAMLRequest sent to IdP
4 IdP returns SAML response
as the browser was already
authenticated during SAP
Analytics Cloud logon
5 SAML assertion sent to SP
6 SP returns content of the
auth node causing auto-
closure of the popup window
7 Main browser window sends
CORS AJAX request to InA
service
8 SP returns InA content as
the browser is already
authenticatedSAML 2 Service Provider
SAP HANA
SAP BW
SAP S4HANA
SAP BusinessObjects BI4
SAP BPC
Live Connection to SAP HANA with SAML SSO
SAML workflow for SAP live sources
4PUBLICcopy 2019 SAP SE or an SAP affiliate company All rights reserved ǀ
Live Connection to SAP HANA with SAML SSO
Who should be involved
SAP HANA administrator
SAP Analytics Cloud admin
SAML IDP administrator
Network security administrator (for signed SSL certificates)
Thank you
Contact information
opensapcom
copy 2019 SAP SE or an SAP affiliate company All rights reserved
No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of
SAP SE or an SAP affiliate company
The information contained herein may be changed without prior notice Some software products marketed by SAP SE and its
distributors contain proprietary software components of other software vendors National product specifications may vary
These materials are provided by SAP SE or an SAP affiliate company for informational purposes only without representation or
warranty of any kind and SAP or its affiliated companies shall not be liable for errors or omissions with respect to the materials
The only warranties for SAP or SAP affiliate company products and services are those that are set forth in the express warranty
statements accompanying such products and services if any Nothing herein should be construed as constituting an additional
warranty
In particular SAP SE or its affiliated companies have no obligation to pursue any course of business outlined in this document or
any related presentation or to develop or release any functionality mentioned therein This document or any related presentation
and SAP SErsquos or its affiliated companiesrsquo strategy and possible future developments products andor platforms directions and
functionality are all subject to change and may be changed by SAP SE or its affiliated companies at any time for any reason
without notice The information in this document is not a commitment promise or legal obligation to deliver any material code or
functionality All forward-looking statements are subject to various risks and uncertainties that could cause actual results to differ
materially from expectations Readers are cautioned not to place undue reliance on these forward-looking statements and they
should not be relied upon in making purchasing decisions
SAP and other SAP products and services mentioned herein as well as their respective logos are trademarks or registered
trademarks of SAP SE (or an SAP affiliate company) in Germany and other countries All other product and service names
mentioned are the trademarks of their respective companies
See wwwsapcomcopyright for additional trademark information and notices
wwwsapcomcontactsap
Follow all of SAP
- openSAP_sac2_Week_1_Unit_1_COURSEINTRO_Presentation
- openSAP_sac2_Week_1_Unit_2_CUSTSAMLSSO_Presentation
- openSAP_sac2_Week_1_Unit_3_ADDAUT_Presentation
- openSAP_sac2_Week_1_Unit_4_LIVECONN_Presentation
-
2PUBLICcopy 2019 SAP SE or an SAP affiliate company All rights reserved ǀ
Live Connection to SAP HANA with SAML SSO
Prerequisites
CORS
minus Minimum SAP HANA versions SAP HANA 10 SPS12 or
SAP HANA 20 SP01
minus Compatible EPMMDS package installed on SAP HANA 2x
minus SAP HANA XS server is configured for HTTPS (SSL) with a
signed certificate
minus Users assigned sapbcinaservicev2userRoleINA_USER role
minus Access to SAP HANArsquos XS admin
https[HANA_XS_HOST][HTTPS_Port]saphanaxsadmin
minus Browser configured to accept cookies from SAP HANA server
SAML
minus SAP Analytics Cloud pre-configured to use custom SAML
minus Browser configured to allow popups from sapanalyticscloud
minus Access to SAP HANArsquos Web IDE
https[HANA_XS_HOST][HTTPS_Port]saphanaideeditor
3PUBLICcopy 2019 SAP SE or an SAP affiliate company All rights reserved ǀ
SAML2 Identity Provider
auth
InA
Service
1 Web Request
2 ltSAMLRequestgt
3 ltSAMLRequestgt
4 ltSAMLResponsegt
5 ltSAMLResponsegt
6 Content (auto-close popup)
7 CORS AJAX Request
8 CORS AJAX Response (Content)
Popup
Window
Main
Window
0 Popup window opens
1 Popup window requests the
auth node
2 Authentication required for
the auth node
3 SAMLRequest sent to IdP
4 IdP returns SAML response
as the browser was already
authenticated during SAP
Analytics Cloud logon
5 SAML assertion sent to SP
6 SP returns content of the
auth node causing auto-
closure of the popup window
7 Main browser window sends
CORS AJAX request to InA
service
8 SP returns InA content as
the browser is already
authenticatedSAML 2 Service Provider
SAP HANA
SAP BW
SAP S4HANA
SAP BusinessObjects BI4
SAP BPC
Live Connection to SAP HANA with SAML SSO
SAML workflow for SAP live sources
4PUBLICcopy 2019 SAP SE or an SAP affiliate company All rights reserved ǀ
Live Connection to SAP HANA with SAML SSO
Who should be involved
SAP HANA administrator
SAP Analytics Cloud admin
SAML IDP administrator
Network security administrator (for signed SSL certificates)
Thank you
Contact information
opensapcom
copy 2019 SAP SE or an SAP affiliate company All rights reserved
No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of
SAP SE or an SAP affiliate company
The information contained herein may be changed without prior notice Some software products marketed by SAP SE and its
distributors contain proprietary software components of other software vendors National product specifications may vary
These materials are provided by SAP SE or an SAP affiliate company for informational purposes only without representation or
warranty of any kind and SAP or its affiliated companies shall not be liable for errors or omissions with respect to the materials
The only warranties for SAP or SAP affiliate company products and services are those that are set forth in the express warranty
statements accompanying such products and services if any Nothing herein should be construed as constituting an additional
warranty
In particular SAP SE or its affiliated companies have no obligation to pursue any course of business outlined in this document or
any related presentation or to develop or release any functionality mentioned therein This document or any related presentation
and SAP SErsquos or its affiliated companiesrsquo strategy and possible future developments products andor platforms directions and
functionality are all subject to change and may be changed by SAP SE or its affiliated companies at any time for any reason
without notice The information in this document is not a commitment promise or legal obligation to deliver any material code or
functionality All forward-looking statements are subject to various risks and uncertainties that could cause actual results to differ
materially from expectations Readers are cautioned not to place undue reliance on these forward-looking statements and they
should not be relied upon in making purchasing decisions
SAP and other SAP products and services mentioned herein as well as their respective logos are trademarks or registered
trademarks of SAP SE (or an SAP affiliate company) in Germany and other countries All other product and service names
mentioned are the trademarks of their respective companies
See wwwsapcomcopyright for additional trademark information and notices
wwwsapcomcontactsap
Follow all of SAP
- openSAP_sac2_Week_1_Unit_1_COURSEINTRO_Presentation
- openSAP_sac2_Week_1_Unit_2_CUSTSAMLSSO_Presentation
- openSAP_sac2_Week_1_Unit_3_ADDAUT_Presentation
- openSAP_sac2_Week_1_Unit_4_LIVECONN_Presentation
-
3PUBLICcopy 2019 SAP SE or an SAP affiliate company All rights reserved ǀ
SAML2 Identity Provider
auth
InA
Service
1 Web Request
2 ltSAMLRequestgt
3 ltSAMLRequestgt
4 ltSAMLResponsegt
5 ltSAMLResponsegt
6 Content (auto-close popup)
7 CORS AJAX Request
8 CORS AJAX Response (Content)
Popup
Window
Main
Window
0 Popup window opens
1 Popup window requests the
auth node
2 Authentication required for
the auth node
3 SAMLRequest sent to IdP
4 IdP returns SAML response
as the browser was already
authenticated during SAP
Analytics Cloud logon
5 SAML assertion sent to SP
6 SP returns content of the
auth node causing auto-
closure of the popup window
7 Main browser window sends
CORS AJAX request to InA
service
8 SP returns InA content as
the browser is already
authenticatedSAML 2 Service Provider
SAP HANA
SAP BW
SAP S4HANA
SAP BusinessObjects BI4
SAP BPC
Live Connection to SAP HANA with SAML SSO
SAML workflow for SAP live sources
4PUBLICcopy 2019 SAP SE or an SAP affiliate company All rights reserved ǀ
Live Connection to SAP HANA with SAML SSO
Who should be involved
SAP HANA administrator
SAP Analytics Cloud admin
SAML IDP administrator
Network security administrator (for signed SSL certificates)
Thank you
Contact information
opensapcom
copy 2019 SAP SE or an SAP affiliate company All rights reserved
No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of
SAP SE or an SAP affiliate company
The information contained herein may be changed without prior notice Some software products marketed by SAP SE and its
distributors contain proprietary software components of other software vendors National product specifications may vary
These materials are provided by SAP SE or an SAP affiliate company for informational purposes only without representation or
warranty of any kind and SAP or its affiliated companies shall not be liable for errors or omissions with respect to the materials
The only warranties for SAP or SAP affiliate company products and services are those that are set forth in the express warranty
statements accompanying such products and services if any Nothing herein should be construed as constituting an additional
warranty
In particular SAP SE or its affiliated companies have no obligation to pursue any course of business outlined in this document or
any related presentation or to develop or release any functionality mentioned therein This document or any related presentation
and SAP SErsquos or its affiliated companiesrsquo strategy and possible future developments products andor platforms directions and
functionality are all subject to change and may be changed by SAP SE or its affiliated companies at any time for any reason
without notice The information in this document is not a commitment promise or legal obligation to deliver any material code or
functionality All forward-looking statements are subject to various risks and uncertainties that could cause actual results to differ
materially from expectations Readers are cautioned not to place undue reliance on these forward-looking statements and they
should not be relied upon in making purchasing decisions
SAP and other SAP products and services mentioned herein as well as their respective logos are trademarks or registered
trademarks of SAP SE (or an SAP affiliate company) in Germany and other countries All other product and service names
mentioned are the trademarks of their respective companies
See wwwsapcomcopyright for additional trademark information and notices
wwwsapcomcontactsap
Follow all of SAP
- openSAP_sac2_Week_1_Unit_1_COURSEINTRO_Presentation
- openSAP_sac2_Week_1_Unit_2_CUSTSAMLSSO_Presentation
- openSAP_sac2_Week_1_Unit_3_ADDAUT_Presentation
- openSAP_sac2_Week_1_Unit_4_LIVECONN_Presentation
-
4PUBLICcopy 2019 SAP SE or an SAP affiliate company All rights reserved ǀ
Live Connection to SAP HANA with SAML SSO
Who should be involved
SAP HANA administrator
SAP Analytics Cloud admin
SAML IDP administrator
Network security administrator (for signed SSL certificates)
Thank you
Contact information
opensapcom
copy 2019 SAP SE or an SAP affiliate company All rights reserved
No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of
SAP SE or an SAP affiliate company
The information contained herein may be changed without prior notice Some software products marketed by SAP SE and its
distributors contain proprietary software components of other software vendors National product specifications may vary
These materials are provided by SAP SE or an SAP affiliate company for informational purposes only without representation or
warranty of any kind and SAP or its affiliated companies shall not be liable for errors or omissions with respect to the materials
The only warranties for SAP or SAP affiliate company products and services are those that are set forth in the express warranty
statements accompanying such products and services if any Nothing herein should be construed as constituting an additional
warranty
In particular SAP SE or its affiliated companies have no obligation to pursue any course of business outlined in this document or
any related presentation or to develop or release any functionality mentioned therein This document or any related presentation
and SAP SErsquos or its affiliated companiesrsquo strategy and possible future developments products andor platforms directions and
functionality are all subject to change and may be changed by SAP SE or its affiliated companies at any time for any reason
without notice The information in this document is not a commitment promise or legal obligation to deliver any material code or
functionality All forward-looking statements are subject to various risks and uncertainties that could cause actual results to differ
materially from expectations Readers are cautioned not to place undue reliance on these forward-looking statements and they
should not be relied upon in making purchasing decisions
SAP and other SAP products and services mentioned herein as well as their respective logos are trademarks or registered
trademarks of SAP SE (or an SAP affiliate company) in Germany and other countries All other product and service names
mentioned are the trademarks of their respective companies
See wwwsapcomcopyright for additional trademark information and notices
wwwsapcomcontactsap
Follow all of SAP
- openSAP_sac2_Week_1_Unit_1_COURSEINTRO_Presentation
- openSAP_sac2_Week_1_Unit_2_CUSTSAMLSSO_Presentation
- openSAP_sac2_Week_1_Unit_3_ADDAUT_Presentation
- openSAP_sac2_Week_1_Unit_4_LIVECONN_Presentation
-
Thank you
Contact information
opensapcom
copy 2019 SAP SE or an SAP affiliate company All rights reserved
No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of
SAP SE or an SAP affiliate company
The information contained herein may be changed without prior notice Some software products marketed by SAP SE and its
distributors contain proprietary software components of other software vendors National product specifications may vary
These materials are provided by SAP SE or an SAP affiliate company for informational purposes only without representation or
warranty of any kind and SAP or its affiliated companies shall not be liable for errors or omissions with respect to the materials
The only warranties for SAP or SAP affiliate company products and services are those that are set forth in the express warranty
statements accompanying such products and services if any Nothing herein should be construed as constituting an additional
warranty
In particular SAP SE or its affiliated companies have no obligation to pursue any course of business outlined in this document or
any related presentation or to develop or release any functionality mentioned therein This document or any related presentation
and SAP SErsquos or its affiliated companiesrsquo strategy and possible future developments products andor platforms directions and
functionality are all subject to change and may be changed by SAP SE or its affiliated companies at any time for any reason
without notice The information in this document is not a commitment promise or legal obligation to deliver any material code or
functionality All forward-looking statements are subject to various risks and uncertainties that could cause actual results to differ
materially from expectations Readers are cautioned not to place undue reliance on these forward-looking statements and they
should not be relied upon in making purchasing decisions
SAP and other SAP products and services mentioned herein as well as their respective logos are trademarks or registered
trademarks of SAP SE (or an SAP affiliate company) in Germany and other countries All other product and service names
mentioned are the trademarks of their respective companies
See wwwsapcomcopyright for additional trademark information and notices
wwwsapcomcontactsap
Follow all of SAP
- openSAP_sac2_Week_1_Unit_1_COURSEINTRO_Presentation
- openSAP_sac2_Week_1_Unit_2_CUSTSAMLSSO_Presentation
- openSAP_sac2_Week_1_Unit_3_ADDAUT_Presentation
- openSAP_sac2_Week_1_Unit_4_LIVECONN_Presentation
-
copy 2019 SAP SE or an SAP affiliate company All rights reserved
No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of
SAP SE or an SAP affiliate company
The information contained herein may be changed without prior notice Some software products marketed by SAP SE and its
distributors contain proprietary software components of other software vendors National product specifications may vary
These materials are provided by SAP SE or an SAP affiliate company for informational purposes only without representation or
warranty of any kind and SAP or its affiliated companies shall not be liable for errors or omissions with respect to the materials
The only warranties for SAP or SAP affiliate company products and services are those that are set forth in the express warranty
statements accompanying such products and services if any Nothing herein should be construed as constituting an additional
warranty
In particular SAP SE or its affiliated companies have no obligation to pursue any course of business outlined in this document or
any related presentation or to develop or release any functionality mentioned therein This document or any related presentation
and SAP SErsquos or its affiliated companiesrsquo strategy and possible future developments products andor platforms directions and
functionality are all subject to change and may be changed by SAP SE or its affiliated companies at any time for any reason
without notice The information in this document is not a commitment promise or legal obligation to deliver any material code or
functionality All forward-looking statements are subject to various risks and uncertainties that could cause actual results to differ
materially from expectations Readers are cautioned not to place undue reliance on these forward-looking statements and they
should not be relied upon in making purchasing decisions
SAP and other SAP products and services mentioned herein as well as their respective logos are trademarks or registered
trademarks of SAP SE (or an SAP affiliate company) in Germany and other countries All other product and service names
mentioned are the trademarks of their respective companies
See wwwsapcomcopyright for additional trademark information and notices
wwwsapcomcontactsap
Follow all of SAP
- openSAP_sac2_Week_1_Unit_1_COURSEINTRO_Presentation
- openSAP_sac2_Week_1_Unit_2_CUSTSAMLSSO_Presentation
- openSAP_sac2_Week_1_Unit_3_ADDAUT_Presentation
- openSAP_sac2_Week_1_Unit_4_LIVECONN_Presentation
-