It has the app-router, a simple HTML5 front-end page, and a Java backend micro-service that is called through a destination service.
This brief demonstrates how one could consume a single HDI container with SAC/eSAC over a direct HANA live connection implemented with the HANA Analytics Adapter (HAA) InA service.
The InA service is a Java application and is provided by SAP "as is".
Good to know:
Nowadays, the mainstream SAP BTP cloud native database is SAP HANA Cloud, although customers and partners on existing contracts may still be using SAP HANA Service.
The presented method is generic in the sense that it allows consuming a single HDI container of a SAP HANA Cloud (or SAP HANA Service) database on the BTP platform at a time.
Please consider that neither embedded SAC nor MS Analysis for Office plug-in support SAP HANA Cloud live connection out-of-the-box (as for instance enterprise SAC does). They only support direct HANA live connectivity to SAP HANA BTP databases with HANA Analytics Adapter.
access to a sub-account with BTP Free / Trial / Paid account with Cloud Foundry environment enabled and a SAP HANA Cloud or SAP HANA Service instance up and running.
admin access to SAC or eSAC tenant.
good understanding of concepts behind SAP HANA HDI containers
The ideas presented in this blog are personal insights thus not necessarily endorsed by SAP.
This is a playground only. All deployment examples, code snippets, gists, etc are provided “as is”.
Images/data in this blog post are from internal/trial sandbox and/or demo systems. Any resemblance to real data is purely coincidental.
Access to some resources referenced in this blog may be subject to a contractual relationship with SAP and a S-user login may be required. Always refer to T&C.
Putting it all together
1. SAP BTP sub-account and CF space
The main build components of the deployed HAA-CF application are as follows:
The app-router is bound to a single destination service instance, and a single OAuth2SAMLBearerAssertion destination is used to authenticate and authorise user access to the Java backend service via a route with the IDP-initiated flow.
The XSUAA service is still there and is used as the OAuth2 service provider to grant access to the Java backend service (a resource).
For this reason, both the app-router and the Java backend service must be bound to the same XSUAA service instance. Please refer to this gist for further details.
Last but not least, the table below summarises the steps required to create and deploy the HAA-CF application with the IDP-initiated SAML SSO authentication:
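The token exchange that an OAuth2SAMLBearerAssertion destination performs on the app-router's behalf follows the generic SAML 2.0 bearer grant of RFC 7522. The sketch below is an added example, not code from the original post or from SAP; the function and parameter names, the host, the client credentials and the assertion are constructed placeholders, and HTTP Basic client authentication is an assumption.

```javascript
// Added example: shape of the RFC 7522 token request and of the resulting
// backend call. Nothing is sent over the network; all values are constructed.
const SAML2_BEARER = 'urn:ietf:params:oauth:grant-type:saml2-bearer';

// Constructed stand-in for the signed assertion issued by the trusted IDP.
const SAMPLE_ASSERTION =
  '<saml2:Assertion ID="_constructed">placeholder, not a real assertion</saml2:Assertion>';

// Build (but do not send) the POST that trades a SAML assertion for an access token.
function buildTokenRequest({ tokenServiceURL, clientId, clientSecret, assertionXml }) {
  const url = new URL(tokenServiceURL);
  if (url.protocol !== 'https:') {
    throw new Error('token endpoint must be https: the request carries client credentials');
  }
  if (url.username || url.password) {
    throw new Error('credentials belong in the Authorization header, not in the URL');
  }
  const body = new URLSearchParams({
    grant_type: SAML2_BEARER,
    // RFC 7522 section 2.1: the assertion travels base64url-encoded, unpadded.
    assertion: Buffer.from(assertionXml, 'utf8').toString('base64url'),
  }).toString();
  // RFC 6749 section 2.3.1: client id and secret are URL-encoded before Basic encoding.
  const pair = `${encodeURIComponent(clientId)}:${encodeURIComponent(clientSecret)}`;
  return {
    method: 'POST',
    url: url.href,
    headers: {
      'Content-Type': 'application/x-www-form-urlencoded',
      Authorization: `Basic ${Buffer.from(pair, 'utf8').toString('base64')}`,
    },
    body,
  };
}

// The backend never sees the assertion, only the access token (RFC 6750 syntax).
function extractBearer(authorizationHeader) {
  const m = /^Bearer ([A-Za-z0-9\-._~+/]+=*)$/.exec(authorizationHeader || '');
  return m ? m[1] : null;
}
```

Because the client credentials in this request belong to the XSUAA instance that issues the token, the backend can only validate that token if it is bound to the same instance.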
In order to establish the IDP-initiated flow, a dedicated trusted IDP will have to be created in the BTP sub-account where the Java backend service is hosted.
For the sake of simplicity the destination service trust may be used as the Trusted IDP as explained in the following gist.
However, any other trust could be used as well, provided the SAML assertion signing keypair is uploaded to the destination service vault (for SAML assertion signing). So this time I have not used the default destination service trust but built this trusted IDP with a trust from an external identity provider. Please refer to the following gist for more details.
The application structure and build are presented in the following gist.
Before going any further, it is important to test that the application and the Java backend service are working correctly using the test quovadis destination.
2. SAP Analytics Cloud tenant.
SP-initiated SAML SSO
Both SAC (enterprise) and eSAC (embedded) active user populations are controlled with a single SAML Identity Provider, and user authentication follows the SP-initiated, interactive authentication flow (SAML Web SSO).
So indeed, one might be tempted to hook up the same IDP to the BTP sub-account of the app-router application and then activate the SAML SSO authentication option in SAC's direct HANA live connection definition.
However, this might also result in an additional authentication pop-up window that would appear furtively in the upper left-hand side of the screen.
IDP-initiated SAML SSO
The IDP-initiated SAML SSO flow is unattended (non-interactive) by definition. The user access will be brokered behind the scenes by the app-router through a call to an OAuth2SAMLBearerAssertion destination. As a result, the Java backend InA service will be passed a bearer access token along with calls to its GetServerInfo or GetResponse InA endpoints.
Thus we need to select the None option as the Authentication Method in the live connection definition as depicted below:
Create a HANA live connection in SAC.
Things to know:
You can retrieve the host and port of the live connection from the HAA-CF application's HTML5 front-end page as follows:
If you are targeting eSAC, the connection will have to be created programmatically with the eSAC APIs.
The live connection is operational on the spot.
It allows access to any cubes defined in the HDI container.
Last but not least, I hope you enjoyed reading this blog. Please provide your feedback in the comments section below.
Overall, I was able to demonstrate how to get access to a BTP micro-service from anywhere, including SAP Analytics Cloud direct HANA live connection, using an IDP-initiated flow with a BTP sub-account acting as a Service Provider. Literally by-the-book.
2589761 - Connecting to Live Data sources in SAP Analytics Cloud