Technology Blogs by SAP
Learn how to extend and personalize SAP applications. Follow the SAP technology blog for insights into SAP BTP, ABAP, SAP Analytics Cloud, SAP HANA, and more.
Showing results for 
Search instead for 
Did you mean: 
Product and Topic Expert
Product and Topic Expert

When I was working on the topic of the User Propagation between SAP BTP and third-party Applications. for a reason I picked the HAA-CF as my guinea pig application.

HAA-CF application simply has it all.

It has the app-router, a simple HTML5 front-end page and features a java backend micro-service being called through a destination service.

This brief is to demonstrate how one could consume a single HDI container with SAC/eSAC over a direct HANA live connection implemented with HANA Analytics Adapter (HAA) InA service.

The InA service is a java application and is provided by SAP "as is".

Good to know:

  • Nowadays, the mainstream SAP BTP cloud native database is SAP HANA Cloud. Although customers and partners on existing contracts may still be using SAP HANA Service.

  • The presented method is generic in the sense that it allows to consume a single HDI container of SAP HANA Cloud (or SAP HANA Service) database on BTP platform, at a time.

  • Please consider that neither embedded SAC nor MS Analysis for Office plug-in support SAP HANA Cloud live connection out-of-the-box (as for instance enterprise SAC does). They only support direct HANA live connectivity to SAP HANA BTP databases with HANA Analytics Adapter.


  • access to a sub-account with BTP Free / Trial / Paid account with Cloud Foundry environment enabled and a SAP HANA Cloud or SAP HANA Service instance up and running.

  • admin access to SAC or eSAC tenant.

  • good understanding of concepts behind SAP HANA HDI containers

  • good understanding of concepts presented in the blog post User Propagation between SAP BTP and third-party Applications.


  • The ideas presented in this blog are personal insights thus not necessarily endorsed by SAP.

  • This is a playground only. All deployment examples, code snippets, gists, etc are provided “as is”.

  • Images/data in this blog post is from internal/trial sandbox and/or demo systems. Any resemblance to real data is purely coincidental.

  • Access to some resources referenced in this blog may be subject to a contractual relationship with SAP and a S-user login may be required. Always refer to T&C.

Putting it all together

1.  SAP BTP sub-account and CF space

The main build components of the deployed HAA-CF application are as follows:

The app-router is bound to a single destination service instance and a single OAuth2SAMLBearerAssertion destination is used to authenticate and authorise user access to the java backed service via a route with the IDP-initiated flow.

The XSUAA service is still there and is used as the OAuth2 service provider to grant access to the java backend service (a resource).

For this reason, both the app-router and the java backend service must be bound the the same XSUAA service instance. Please refer to this gist for further details.

Last but not least. The below table summarises the steps required to create and deploy the HAA-CF application with the IDP-initiated SAML SSO authentication:

Create a Trusted IDP on the BTP sub-account level.

  • In order to establish the IDP-initiated flow, a dedicated trusted IDP will have to be created in the BTP sub-account where the java backend service is hosted.


  • For the sake of simplicity the destination service trust may be used as the Trusted IDP as explained in the following gist.


  • However, any other trust could be used as well, provided the saml assertion signing keypair is uploaded to the destination service vault (for saml assertion signing). So this time I have not used the default destination service trust but built this trusted IDP with a trust from an external identity provider. Please refer to the following gist for more details.

Quovadis. Building a destination definition.

  • The destinations can be defined inline in the mta.yaml or as a json file. Further details are in this gist.

Deploy the HAA-CF application to a BTP CF space.



  • The application structure and build is presented the following gist

Before going any further, it is important to test the application and the java backend service are working correctly using the test quovadis destination.

2. SAP Analytics Cloud tenant.

SP-initiated SAML SSO

Both SAC (enterprise) and eSAC (embedded) active user populations are controlled with a single SAML Identity Provider and the users authentication follows the SP-initiated, interactive authentication flow (SAML Web SSO).

So indeed, one might be tempted to hook up the same IDP to the BTP sub-account of the app-router application and then activate SAML SSO authentication option in the SAC's direct HANA live connection definition.

However, this might also result in an additional authentication pop-up window that would appear furtively in the left hand and upper side of the screen.

IDP-initiated SAML SSO

The IDP-initiated SAML SSO flow is unmanned by definition. The user access will be brokered behind the scenes by the app-router through a call to an OAuth2SAMLBearerAssertion destination. As a result the java backend InA service will be passed a bearer access token along its GetServerInfo or GetResponse InA endpoints calls.

Thus we need to select the None option as the Authentication Method in the live connection definition as depicted below:


Create a HANA live connection in SAC.

Things to know:

  • You can retrieve the host and port of the live connection from the HAA-CF application's HTML5 front-end page as follows:

  • If you were targeting eSAC the connection will have to be created programmatically with the eSAC APIs.

The live connection is operational on-the-spot.

It does allow to access any cubes defined in the HDI container.

and voila...


Last but not least, I hope you enjoyed reading this blog. Please provide your feedback in the comments section below.

Overall, I was able to demonstrate how to get access to a BTP micro-service from anywhere, including SAP Analytics Cloud direct HANA live connection, using an IDP-initiated flow with a BTP sub-account acting as a Service Provider. Literally by-the-book.



Additional resources

2589761 - Connecting to Live Data sources in SAP Analytics Cloud

SAP Analytics Cloud connectivity setup for SAP HANA database | SAP Store

SAP BW InA Provider | External Blog


1 Comment