10/20/2020

SAP Analytics Cloud Connection Guide

Generated on: 2020-10-20

SAP Analytics Cloud | Q3 2020 (2020.14)

PUBLIC
10/20/2020

SAP Analytics Cloud Connection Guide

SAP Analytics Cloud is a new generation of Software-as-a-Service (SaaS) that rede nes analytics in the cloud by providing all
analytics capabilities for all users in one product. It's built natively on the SAP HANA Cloud Platform for extreme performance, and
it allows customers to simplify access to a new public cloud experience that they can trust.

SAP Analytics Cloud combines Business Intelligence, Predictive, Planning, and Digital Boardroom capabilities to analyze all data
from your landscape – on-premise or in the cloud.

SAP Analytics Cloud is a public Software-as-a-Service (SaaS) enabling access to on-premise and cloud data sources.
Furthermore, SAP Analytics Cloud provides live connection (online) and data acquisition (batch) connectivity – two ways for
accessing your data located anywhere in your information-system landscape:

You can create models from data sources in on-premise or cloud systems, build stories based on those models, and
perform online analysis without any data replication. This feature allows SAP Analytics Cloud to be used in scenarios where
data cannot be moved into the cloud for security or privacy reasons, or your data already exists on a different cloud
system.

You can also create connections to remote systems to allow data acquisition. Data is imported (copied) to SAP Analytics
Cloud HANA in-memory Database, and changes made to the data in the source system don't affect the imported data.

Furthermore, SAP Analytics Cloud provides SAML 2 capabilities to enable Single Sign-on, simplifying not only
authentication to SAP Analytics Cloud but also to connected data sources from your landscape.

Most of our customers want to get all the bene ts of such hybrid architecture. This document is intended to help you by explaining
connectivity, gathering all required links, and delivering tips and tricks, best practices, and warnings experienced by our customers
and partners.

The Importance of Managing a Connectivity

Project
To get all SAP Analytics Cloud bene ts, you rst have to connect your on-premise or cloud data sources.

https://help.sap.com/http.svc/dynamicpdfcontentpreview?deliverable_id=21847563&topics=9b941b974b594a5897c7cef86bbf… 2/22
10/20/2020
SAP Analytics Cloud is a public Cloud Software-as-a-Service (Saas) that you should connect to your secured backend.
Establishing the connection settings requires people with expertise from different areas of your organization to ensure a smooth
deployment:

Person Areas of Expertise

SAP Analytics Cloud system owner SAP Analytics Cloud settings, such as SAML 2.0 settings, users and
roles management, and connection settings.

Data source expert Connectivity layer and security (SAP HANA, SAP BW or SAP
BW/HANA, SAP S4/HANA, and so on).

Network expert Proxy, rewall, DNS server, and so on.

Security expert SAML 2.0, your organization's Identity Provider (IdP), SSL
certi cates, and so on.

Information system architect General architecture topics.

Application expert SAP or non-SAP, depending on your data sources: connectivity,

security, modeling, and so on.

Project management is mandatory because maintaining connectivity settings can't be successful as a one-person task. Settings
follow a strict process where different stakeholders have to be engaged and have to deliver their own expertise in their respective
areas of responsibility.

Connecting SaaS applications to on-premise applications requires that you understand the big picture of the architecture. So,
before you start con guring any settings, we strongly suggest organizing an architecture workshop to align the necessary
stakeholders to perform a fast and smooth set up, on time, and within scope.

Choosing a Live Connection or Importing

Data
Customers need to decide which connection type to set up, according to their own needs. Here are some best practices and some
limitations to help you decide.

 Note
Before starting, please read the System Requirements and Technical Prerequisites and check if your landscape is compliant
with what is supported for your version and connection type.

As you begin, consider these criteria:

Functional needs

Data Privacy constraints

Data volume constraints

Live Connection

Functional Need Supported Datasources Description

https://help.sap.com/http.svc/dynamicpdfcontentpreview?deliverable_id=21847563&topics=9b941b974b594a5897c7cef86bbf… 3/22
10/20/2020

Functional Need Supported Datasources Description

Local (Cloud data sources) All data stays within the SAP Cloud Platform
SAP Cloud Platform
or SAP S4/HANA Cloud. The data is not
SAP S4/HANA Cloud replicated to SAP Analytics Cloud. Modeling
and model security is managed on the
source system. Data connection between
systems is secured within SAP Cloud
Platform.

Remote (On-premise data sources) All data stays within the remote (customer)
SAP HANA
landscape. The data is not replicated to SAP
SAP BW Analytics Cloud. Modeling and model
security is managed on the source system.
SAP S/4HANA
Data connection between systems is
SAP Universe secured.

Data Privacy: Data stays in your backend. If you want to have full control of data privacy, a live connection is the best choice.

Data Volume Maximums: Data volume is processed in your backend system. In theory, there is no limitation. A query is executed in
the backend system. The query should limit the volume returned to your Web Browser by applying adequate input control or
aggregation.

Importing Data

Functional Need Description

Works with analytic models All data from your data source is uploaded (replicated) to SAP
Analytics Cloud in-memory HANA Database. SAP Analytics Cloud
Works with planning Models then stores the model and data. Security can be added to the model
within SAP Analytics Cloud. Both Analytic and Planning models
Predictive Capabilities generate an account type model.

Data Privacy: Data is replicated into the SAP Analytics Cloud HANA database. Nevertheless, data is encrypted and fully secured.
Please refer to the SAP Trust Center for information on security measures and certi cates in the SAP data center.

Data Volume Maximums:

Columns: 100

Rows: 800,000

Dimension members:

Planning models: 250,000

Analytic models: if there are more than 250,000 unique members, the dimension will be made read-only

Dimension members with attributes: 150,000

Dimension members with geo enrichment: 200,000

Dimension members in hierarchy: 150,000

Hierarchy depth: 1,000

Live Connections Overview

https://help.sap.com/http.svc/dynamicpdfcontentpreview?deliverable_id=21847563&topics=9b941b974b594a5897c7cef86bbf… 4/22
10/20/2020
Learning the ow of information between the Web browser, SAP Analytics Cloud, and your data source will help you plan a
successful live connections project.

Using a live connection, SAP Analytics Cloud provides the business logic and builds the queries required to see your data in your
browser. Your browser in turn sends those queries through a direct live connection to the on-premise data source. The results of
those queries are returned to your browser, where visualizations are rendered. If your query was a list of pro ts per customer, for
example, none of that information would actually return to or be stored in SAP Analytics Cloud.

Throughout the whole process, the browser is actually interacting through direct live connection (CORS), which in turn sends out
the requests to SAP Analytics Cloud or the remote data source, depending on the path of each request.

Let's take a look at a how typical connection works. In the rst case below, the on-premise data is accessed from a Web browser
inside your organization's domain:

 Note
For this overview, let's assume you are using SAP Cloud Identity, the default Identity Provider (IdP) provided by SAP Analytics
Cloud. But a custom IdP may also be used with SAML 2.0.

Get/Post requests from the Web browser to SAP Analytics Cloud are dedicated to metadata.

Get/Post requests from the Web browser to the IdP are dedicated to SAML assertions.

Get/Post requests from the Web browser to the on-premise data source are dedicated to data.

There's another case to consider where the on-premise data is accessed from a Web browser sitting in the public Internet domain:

https://help.sap.com/http.svc/dynamicpdfcontentpreview?deliverable_id=21847563&topics=9b941b974b594a5897c7cef86bbf… 5/22
10/20/2020

In this case, a reverse proxy is used with the speci c purpose of publishing the on-premise data source to the public Internet and
again allowing a direct CORS connection to the data.

What Is Stored in SAP Analytics Cloud?

The short answer is: metadata and only metadata. SAP Analytics Cloud stores queries for building the stories, measure names,
columns names, lter values, and so on. Basically, the metadata lets SAP Analytics Cloud rebuild the query. But none of the actual
data, not even the query results or part of the results, such as totals, are saved to SAP Analytics Cloud. Metadata is transferred to
your browser and encrypted in memory.

Authentication
End-to-end Single-Sign On (SSO) is accomplished with SAML 2.0. To do this, both SAP Analytics Cloud and the on-premise data
source has to be con gured to trust the same IdP, such as your SAP Cloud Identity or your Active Directory using ADFS (Active
Directory Federation Services). This means that the data security implemented at the source data will always be respected for
each request.

Encryption
All communications between your browser and SAP Analytics Cloud are always encrypted. The on-premise communications from
your reverse proxy to backend data sources should also be encrypted using TLS. All data and metadata persisted on SAP Analytics
Cloud is also fully encrypted.

SAP Analytics Cloud and Information Access Service (InA)

SAP Information Access Service (InA) is a REST HTTP-based protocol used by SAP Analytics Cloud to query your data sources in
real time. This component is part of all supported backends as follows:

System Supported Versions

https://help.sap.com/http.svc/dynamicpdfcontentpreview?deliverable_id=21847563&topics=9b941b974b594a5897c7cef86bbf… 6/22
10/20/2020

System Supported Versions

SAP HANA
SAP HANA 1.0 SPS10/11/12 – revision 102.2 or higher with
SAP HANA Info Access Service (InA), version 4.10.0 or
higher is required

SAP HANA 2.0 SP01 or newer on-premise, with the SAP

HANA EPMMDS plugin installed on your SAP HANA 2.0
system. SAP Note 2456225 and SAP Note 2444261
provide additional setup information

SAP Cloud Platform (SAPCP): latest version

SAP BW
SAP BW/4HANA 1.0 SP8+, recommended to upgrade to
SAP BW/4HANA 2.0 SP4+ (see 2715030 )

SAP BW 7.4 SP17+, recommended to upgrade to SAP BW 7.5

or SAP BW/4 HANA 2.0

SAP BW 7.5 SP10+, recommended to upgrade to SAP BW

7.5 SP16+ (see 2715030 )

SAP Universe SAP BusinessObjects BI 4.2 SP4 system installed. The .war le of
the SAP BOE Live Data Connect component deployed on your
application server

SAP S/4HANA SAP NW release 7.51 SP2

Understanding the Same-Origin Policy and

CORS
Cross-origin resource sharing (CORS) is a way to let your users successfully access live data in an SAP Analytics Cloud page from
their Web browser.

The same-origin policy is an important concept in the Web application security model. Under the policy, a Web browser permits
scripts contained in a rst web page to access data in a second web page, but only if both Web pages have the same origin. It is a
critical security mechanism for isolating potentially malicious documents. This raises an issue, since your users are trying to
access live data from a different origin (domain) than SAP Analytics Cloud!

In a live connection, your browser has to access both SAP Analytics Cloud for metadata and backend data sources (SAP HANA,
SAP BW, S4/HANA or SAP Universe).

Cross-origin resource sharing (CORS) is a mechanism that allows restricted resources on a Web page to be requested from
another domain outside the domain from which the rst resource was served. A Web page may freely embed cross-origin Web

https://help.sap.com/http.svc/dynamicpdfcontentpreview?deliverable_id=21847563&topics=9b941b974b594a5897c7cef86bbf… 7/22
10/20/2020
pages, images, stylesheets, scripts, iframes, and videos.

 Example
/resource 2 pre ight request header from the browser:

Origin: http://mySAC.eu1.sapanalytics.cloud
Access-Control-Request-Method: POST
Access-Control-Request-Headers: X-Custom-Header

 Example
/resource 2 server response header if authorized:

Access-Control-Allow-Origin: http://mySAC.eu1.sapanalytics.cloud
Access-Control-Allow-Methods: GET, POST
Access-Control-Allow-Headers: X-Custom-Header

In this example, authorization is checked by the backend and only allocated to URI
http://mySAC.eu1.sapanalytics.cloud. HTTP/SSL is then mandatory with a valid certi cate between the browser
and the backend, to avoid any malicious intrusion.

Bene ts of CORS
SAP recommends a con guration using CORS for these reasons:

You will have direct connectivity with no additional devices required. Your browser directly connects SAP Analytics Cloud,
your IdP, and backend data sources by securely unlocking the same-origin policy.
https://help.sap.com/http.svc/dynamicpdfcontentpreview?deliverable_id=21847563&topics=9b941b974b594a5897c7cef86bbf… 8/22
10/20/2020
Because there are no additional devices, a direct connection enables better performance.

This con guration is easy to set up.

Network and Security Settings

In this con guration, when your browser is in a public domain, the on-premise data source's server address has to be
whitelisted, and inbound access has to be authorized.

Outbound access from your domain to SAP Analytics Cloud and SAP Cloud Identity have to be opened.

Prerequisites and Limitations

Your users' browser needs some settings allowed:

Allow pop-up windows from the SAP Analytics Cloud domain: [*.]sapanalytics.cloud.

Allow third-party cookies from the SAP HANA server's domain.

CORS does not work in a mixed HTTPS/HTTP scenario. The SSL server certi cate of the SAP HANA XS system must be a
valid one that is trusted by your organization's Web browsers, and it must match the SAP HANA system's fully quali ed
domain name.

SAP HANA: CORS has to be enabled in the SAP HANA database.

 Note
In some cases, hosting third-party providers do not include such settings in their hosting services.

Direct Live Connection with CORS

An overview of Direct Live Connections using CORS.

The following diagram shows how a typical connection works when accessing on-premise data from the customer domain:

 Note
SAP Cloud Identity is the default IdP used bySAP Analytics Cloud, but a custom SAML IdP may also be used.

https://help.sap.com/http.svc/dynamicpdfcontentpreview?deliverable_id=21847563&topics=9b941b974b594a5897c7cef86bbf… 9/22
10/20/2020

Bene ts
SAP recommends this con guration for these reasons:

You will have direct connectivity with no additional devices required. Your browser directly connects SAP Analytics Cloud,
IdP, and backend data sources by securely unlocking the Same Origin Policy (see Understanding the Same-Origin Policy
and CORS).

Because there are no additional devices, such a direct connection enables better performance.

This con guration is easy to set up.

It's available for HANA, BW, BOE Universe, and S/4HANA.

Network and Security Settings

In such a con guration, when your browser is in a public domain, the on-premise data source's server address has to be
whitelisted, and inbound access has to be authorized.

Outbound access from your domain to SAP Analytics Cloud and SAP Cloud Identity have to be opened.

Prerequisites and Limitations

Mandatory browser settings:

Allow pop-up windows from the SAP Analytics Cloud domain: [*.]sapanalytics.cloud.

Allow third-party cookies from the SAP HANA server's domain.

CORS does not work in a mixed HTTPS/HTTP scenario. The SSL server certi cate of the HANA XS system must be a valid one
that is trusted by your organization's web browsers, and it must match the HANA system's fully quali ed domain name.

SAP HANA: CORS has to be enabled in the HANA database.

 Note
In some cases, hosting third-party providers do not include such settings in their hosting services.

Setting Steps

Step Description Owner

Enabling INA HANA, BW, S/4HANA, Universe fully support Data Source Expert
INA

Enabling CORS HANA, BW, S/4HANA, Universe fully support Data Source Expert
CORS

Enabling SSL Con gure valid SSL certi cate. Refer to SAP Security Expert
Note 2502174

Enabling Pop-Ups in Browser See Google Chrome documentation Security Expert

Allowing third-party browser cookies See Google Chrome documentation Security Expert

Best Practices for Live Connections

Follow these best practices for Live Connections.

https://help.sap.com/http.svc/dynamicpdfcontentpreview?deliverable_id=21847563&topics=9b941b974b594a5897c7cef86b… 10/22
10/20/2020

Multi-tenant HANA Databases

To enable Web-based applications to send HTTP(S) requests to multi-tenant database containers via the SAP HANA XS server, the
internal SAP Web Dispatcher must be con gured so it knows which requests to dispatch to which database on the basis of DNS
alias virtual host names. You do this by specifying the public URL of every tenant database in the xsengine.ini con guration le.
Please verify that virtual host names used in an internal SAP Web Dispatcher are declared in customer Domain Name Services. It
will be useful to generate SSL certi cate in PSE Management (mandatory settings for a Live Connection with CORS).

Use Your Desktop Browser to Troubleshoot Your Connection

SAP Analytics Cloud supports the latest version of Google Chrome. Google releases continuous updates to their Chrome browser.
We make every effort to fully test and support the latest versions as they are released.

Furthermore, the Google Chrome browser can be used to troubleshoot your Live Connection. Chrome Developer Tools are a set of
web authoring and debugging tools built into Google Chrome. The DevTools provide web developers deep access into the internals
of the browser and their web application. So, do not hesitate to get familiar with the DevTools to efficiently track down issues.

Especially, you can use the Network Panel to get a graph that shows a timeline of when resources were retrieved. At a glance, the
panel tells you the total number of requests, amount of data transferred, request and responses contents and headers, load times,
errors, warning, and so on.

Recommended Reading
Live Data Connection

Introducing Direct Live HANA Connections in SAP Analytics Cloud

Direct Live Connections in the Internet Scenario

Direct Live HANA Connections in the Internet Scenario – For the Apache Fans

Importing Data
You can create connections to remote systems to allow data acquisition bySAP Analytics Cloud.

Data is imported (copied) to SAP Analytics Cloud, and changes made to the data in the source system don't affect the imported
data.

Setup is required when creating an import data connection to system types, such as SAP Business Warehouse (BW), SAP
Business Planning and Consolidation (BPC), SAP BusinessObjects Business Intelligence platform universe (UNX), SAP Enterprise
Resource Planning (ERP), SQL Database, SuccessFactors, WorkforceAnalytics, OData, Concur, Salesforce.com (SFDC), Fieldglass,
Google Drive, Google BigQuery, File Server.

Recommended Reading
Import Data Connection

Installing the SAPCP Cloud Connector

Installing SAP Analytics Cloud Agent

Troubleshooting Hana Cloud Connector Installation Developer Edition

Julian Jimenez August 26, 2016 7 minute read Troubleshooting Guide: SAP Analytics Cloud Agent

SAPCP Cloud Connector

https://help.sap.com/http.svc/dynamicpdfcontentpreview?deliverable_id=21847563&topics=9b941b974b594a5897c7cef86b… 11/22
10/20/2020
The SAP Cloud Platform Cloud Connector serves as the link between SAP Analytics Cloud and existing on-premise systems.

The Cloud Connector combines an easy setup with a clear con guration of the systems that are exposed to SAP Analytics Cloud.
In addition, you can control the resources available for the cloud applications in those systems. Thus, you can bene t from your
existing assets without exposing the whole internal landscape.

The Cloud Connector runs as an on-premise agent in a secured network and acts as a reverse invoke proxy between the on-
premise networking customer domain and SAP Analytics Cloud. Due to its reverse invoke support, you don't need to con gure the
on-premise rewall to allow external access from the cloud to internal systems.

Compared to the approach of opening ports in the rewall and using reverse proxies in the customer domain to establish access to
on-premise systems, the Cloud Connector has the following advantages:

The rewall of the on-premise network does not have to open an inbound port to establish connectivity from SAP Analytics
Cloud to an on-premise system. In the case of allowed outbound connections, no modi cations are required.

The Cloud Connector allows propagating the identity of cloud users to on-premise systems in a secure way.

The Cloud Connector is easy to install and con gure; that is, it comes with a low total cost of ownership and ts well to
cloud scenarios. SAP provides standard support for the Cloud Connector.

Con guration
If the data you want to import is stored on one domain: One SAP Analytics Cloud system can only be connected to one cloud
connector, but the same cloud connector may be used by multiple SAP Analytics Cloud systems.

https://help.sap.com/http.svc/dynamicpdfcontentpreview?deliverable_id=21847563&topics=9b941b974b594a5897c7cef86b… 12/22
10/20/2020

If the data you want to import is stored on multiple domains: You can add multiple cloud connectors to a single SAP Analytics
Cloud system.

 Note
In this con guration, each cloud connector must be installed on a different domain or on a different provider.

https://help.sap.com/http.svc/dynamicpdfcontentpreview?deliverable_id=21847563&topics=9b941b974b594a5897c7cef86b… 13/22
10/20/2020

Network Prerequisites
SAP Cloud Connector enables the use of a speci c proxy in con guration tools.

Nevertheless, you need to have an Internet connection to at least the following hosts (depending on the region), to which you can
connect your Cloud Connector.

For SAP Data Centers:

Region (Region Host) Hosts IP Addresses

Europe (Rot)
connectivitynotification.hana.ondemand.com 155.56.210.83
(hana.ondemand.com)
connectivitycertsigning.hana.ondemand.com 155.56.210.43

connectivitytunnel.hana.ondemand.com 155.56.210.84

Europe (Frankfurt)
connectivitynoti cation.eu2.hana.ondemand.com 157.133.70.140
(eu2.hana.ondemand.com)
connectivitycertsigning.eu2.hana.ondemand.com 157.133.70.132

connectivitytunnel.eu2.hana.ondemand.com 157.133.70.141

Europe (Amsterdam)
connectivitynoti cation.eu3.hana.ondemand.com 157.133.141.140
(eu3.hana.ondemand.com )
connectivitycertsigning.eu3.hana.ondemand.com 157.133.141.132

connectivitytunnel.eu3.hana.ondemand.com 157.133.141.141

United States East (Ashburn)

connectivitynoti cation.us1.hana.ondemand.com 65.221.12.40
(us1.hana.ondemand.com)
connectivitycertsigning.us1.hana.ondemand.com 65.221.12.241

connectivitytunnel.us1.hana.ondemand.com 65.221.12.41

United States West (Chandler)

connectivitynoti cation.us2.hana.ondemand.com 64.95.110.215
(us2.hana.ondemand.com)
connectivitycertsigning.us2.hana.ondemand.com 64.95.110.211

connectivitytunnel.us2.hana.ondemand.com 64.95.110.214

United States (Sterling)

connectivitynoti cation.us3.hana.ondemand.com 169.145.118.140
(us3.hana.ondemand.com )
connectivitycertsigning.us3.hana.ondemand.com 169.145.118.132

connectivitytunnel.us3.hana.ondemand.com 169.145.118.141

https://help.sap.com/http.svc/dynamicpdfcontentpreview?deliverable_id=21847563&topics=9b941b974b594a5897c7cef86b… 14/22
10/20/2020

Region (Region Host) Hosts IP Addresses

Australia (Sydney)
connectivitynoti cation.ap1.hana.ondemand.com Previous: 210.80.140.247
(ap1.hana.ondemand.com)
connectivitycertsigning.ap1.hana.ondemand.com Current:157.133.97.47

 Note connectivitytunnel.ap1.hana.ondemand.com Previous: 210.80.140.227

The IP addresses for the
Current: 157.133.97.27
Sydney data center changed
by 30 June 2018. Make sure Previous: 210.80.140.246
to adjust your rewall
settings accordingly if Current: 157.133.97.46
required.

China (Shanghai)
connectivitynoti cation.cn1.hana.ondemand.com 157.133.192.140
(cn1.hana.ondemand.com)
connectivitycertsigning.cn1.hana.ondemand.com 157.133.192.132

connectivitytunnel.cn1.hana.ondemand.com 157.133.192.141

Japan (Tokyo)
connectivitynoti cation.jp1.hana.ondemand.com 157.133.150.140
(jp1.hana.ondemand.com)
connectivitycertsigning.jp1.hana.ondemand.com 157.133.150.132

onnectivitytunnel.jp1.hana.ondemand.com 157.133.150.141

Canada (Toronto)
connectivitynoti cation.ca1.hana.ondemand.com 157.133.54.140
(ca1.hana.ondemand.com )
connectivitycertsigning.ca1.hana.ondemand.com 157.133.54.132

onnectivitytunnel.ca1.hana.ondemand.com 157.133.54.141

Russia (Moscow)
connectivitynoti cation.ru1.hana.ondemand.com 157.133.2.140
(ru1.hana.ondemand.com)
connectivitycertsigning.ru1.hana.ondemand.com 157.133.2.132

onnectivitytunnel.ru1.hana.ondemand.com 157.133.2.141

Brazil (São Paulo)

connectivitynoti cation.br1.hana.ondemand.com 157.133.246.140
(br1.hana.ondemand.com)
connectivitycertsigning.br1.hana.ondemand.com 157.133.246.132

onnectivitytunnel.br1.hana.ondemand.com 157.133.246.141

UAE (Dubai)
connectivitynoti cation.ae1.hana.ondemand.com 157.133.85.140
(ae1.hana.ondemand.com)
connectivitycertsigning.ae1.hana.ondemand.com 157.133.85.132

onnectivitytunnel.ae1.hana.ondemand.com 157.133.85.141

KSA (Riyadh)
connectivitynoti cation.sa1.hana.ondemand.com 157.133.93.140
(sa1.hana.ondemand.com)
connectivitycertsigning.sa1.hana.ondemand.com 157.133.93.132

onnectivitytunnel.sa1.hana.ondemand.com 157.133.93.141

https://help.sap.com/http.svc/dynamicpdfcontentpreview?deliverable_id=21847563&topics=9b941b974b594a5897c7cef86b… 15/22
10/20/2020
Non-SAP Data Centers (Cloud Foundry Environment):

 Note
The IP Address is always dynamic.

Region (Region Host) Hosts

Europe (Frankfurt)
connectivitynoti cation.cf.eu10.hana.ondemand.com
(cf.eu10.hana.ondemand.com)
connectivitycertsigning.cf.eu10.hana.ondemand.com

connectivitytunnel.cf.eu10.hana.ondemand.com

Europe (Netherlands) - Azure

connectivitynoti cation.cf.eu20.hana.ondemand.com
(cf.eu20.hana.ondemand.com)
connectivitycertsigning.cf.eu20.hana.ondemand.com

connectivitytunnel.cf.eu20.hana.ondemand.com

United States East (VA) - AWS

connectivitynoti cation.us30.hana.ondemand.com
(cf.us30.hana.ondemand.com)
connectivitycertsigning.us30.hana.ondemand.com

connectivitytunnel.cf.us30.hana.ondemand.com

Brazil (São Paulo) - AWS

connectivitynoti cation.cf.br10.hana.ondemand.com
(cf.br10.hana.ondemand.com)
connectivitycertsigning.cf.br10.hana.ondemand.com

connectivitytunnel.cf.br10.hana.ondemand.com

Japan (Tokyo) - AWS

connectivitynoti cation.cf.jp10.hana.ondemand.com
(ae1.hana.ondemand.com)
connectivitycertsigning.cf.jp10.hana.ondemand.com

connectivitytunnel.cf.jp10.hana.ondemand.com

Trial (SAP and Non-SAP Data Centers):

Region (Region Host) Hosts IP Address

Trial (Europe only)

connectivitynoti cation.hanatrial.ondemand.com 155.56.219.26
(hanatrial.ondemand.com)
connectivitycertsigning.hanatrial.ondemand.com 155.56.219.22

connectivitytunnel.hanatrial.ondemand.com 155.56.219.27

Setting Steps

Step Description Owner

https://help.sap.com/http.svc/dynamicpdfcontentpreview?deliverable_id=21847563&topics=9b941b974b594a5897c7cef86b… 16/22
10/20/2020

Step Description Owner

JVM release Check JVM release according to your IT Expert

operating system. For supported SAP JVM
versions, see Prerequisites (SAP Cloud
Platform Connectivity). You can download
the SAP JVM from SAP Development Tools.

Apply Network prerequisite Network Expert

Request S-User, Password and Tenant ID Business Intelligence Expert

Install SAP Cloud Connector Installing the SAPCP Cloud Connector. IT Expert

Con gure SAP Cloud Connector As soon as SAP Analytics Agent is installed Business Intelligence Expert
and con gured (see Single Sign-On (SSO)),
you can con gure SCC. See Con guring the
SAPCP Cloud Connector.

 Caution
Leave Location ID eld blank. SAP
Analytics Cloud can support only one
SAP Cloud Connector.

SAP Analytics Cloud Agent

The SAP Analytics Cloud, on-premise access agent (SAP Analytics Cloud agent) is a connectivity component.

The SAP Analytics Cloud agent is an on-premise data connectivity component that is used to:

Import data connections from SAP Business Planning and Consolidation, version for Microsoft Platform (BPC MS).

Import data connections from SAP Business Warehouse (BW).

Import data connections from SAP Universes.

Import data connections from SAP ERP.

Import data connections to an SQL database.

Import data from a le server.

It is recommended to install SAP Analytics Cloud agent on the same SAP Cloud Connector Server.

Setting Steps

Step Description Owner

Apache Tomcat See the SAP Analytics Cloud agent section IT Expert
in the System Requirements and Technical
Prerequisites.

Install SAP Analytics Cloud agent Installing SAP Analytics Cloud Agent IT Expert

Con gure and check SAP Analytics Cloud Con guring SAP Analytics Cloud Agent Business Intelligence Expert
agent

https://help.sap.com/http.svc/dynamicpdfcontentpreview?deliverable_id=21847563&topics=9b941b974b594a5897c7cef86b… 17/22
10/20/2020

Step Description Owner

Install JCO library if you want to connect Installing the SAP Java Connector (JCo) IT Expert
SAP ERP and SAP BW

Install JDBC driver if you want to connect an Import Data Connection to an SQL Database IT Expert
SQL database

Allowing Data Import and Model Export with Allowing Data Import and Model Export with IT Expert
a File Server a File Server

Single Sign-On (SSO)

SAP Analytics Cloud fully supports the SAML 2.0 web browser-based SSO. SAP Cloud Identity is delivered by default and can act
as the identity provider of a single sign-on system with minimal con gurations.

The following are some of the advantages you can have with SSO:

Users need only a single username/password pair to access multiple services – they don't have to remember multiple
pairs.

Users are authenticated only once at the identity provider and then they are automatically logged into all services within
that "trust-domain".

This process is more convenient to users since they do not have to provide their username/password at every service
provider.

Service providers do not have the overhead of managing user identities, which is more convenient for them.

User identities are managed at a central point. This is more secure, less complex, and easily manageable.

What is SAML 2.0?

SAML 2 (Security Assertion Markup Language) is an Oasis standard for exchanging authentication and authorization data
between security domains. SAML 2.0 is an XML-based protocol that uses security tokens containing assertions to pass
information about a principal (usually an end user) between an identity provider and a web service provider (SAP Analytics Cloud).
SAML 2.0 enables web-based authentication and authorization scenarios including single sign-on (SSO).

SAML2 uses a claim attribute to map Identity between the Identity Provider and Service Provider(s). It can be a User ID, email
address, or any custom eld. The mapping attribute is case sensitive. SAP Analytics Cloud supports only uppercase for User IDs.

The SAML2 process ow is strictly dependent on time. The SAML2 process ow must be executed within a short period of time, as
speci ed by the optional NotBefore and NotOnOrAfter attributes. Please check the server Identity Provider clock and/or the Data
Sources server clock.

SAP Analytics Cloud Single Sign-on

SAML 2 federation involves two parties:

1. An identity provider (IdP): authenticates users and provides Service Providers with an Authentication Assertion if
successful. As an Identity Provider, SAP Analytics Cloud provides SAP Cloud Identity by default. You can set your own
SAML 2 based identity provider.

2. A service provider (SP): relies on the Identity Provider to authenticate users. SAP Analytics Cloud and backend data
sources (HANA, BW, S4/HANA or Universe) can rely on the same Identity Provider to authenticate.

https://help.sap.com/http.svc/dynamicpdfcontentpreview?deliverable_id=21847563&topics=9b941b974b594a5897c7cef86b… 18/22
10/20/2020

The process ow:

1. A user tries to log into SAP Analytics Cloud from a Chrome browser.

2. SAP Analytics Cloud responds by generating a SAML request.

3. The browser redirects the user to Identity Provider.

4. Identity Provider parses the SAML request and veri es if the user is already authenticated.

5. Identity Provider asks for authentication. If the user is already authenticated on the Identity Provider, this step will be
skipped and IDP directly generates a SAML response.

6. Identity Provider returns the encoded SAML response to the browser.

7. The browser sends the SAML response to SAP Analytics Cloud for veri cation.

8. If the veri cation is successful, the user will be logged into SAP Analytics Cloud and granted access to all the various
resources.

Settings Principles
As seen above, there are two roles; Service Providers and Identity Providers (IP). The important characteristic of a single sign-on
system is the prede ned trust relation between the Service Providers and the Identity Provider; Service Providers trust the
assertions issued by the Identity Providers and the Identity Providers issue assertions based on the results of the authentication
and the authorization of principles that access services at the Service Providers.

If you decide to use SAP Cloud Identity, you do not need any settings – it is con gured by default. Otherwise, follow this process:

1. Get SAP Analytics Cloud Service Provider metadata (with certi cate).

2. Con gure the Service Provider to the Identity Provider, based on SAP Analytics Cloud Service Provider metadata.

3. Get Identity Provider metadata.

https://help.sap.com/http.svc/dynamicpdfcontentpreview?deliverable_id=21847563&topics=9b941b974b594a5897c7cef86b… 19/22
10/20/2020
4. Upload the Identity Provider metadata into SAP Analytics Cloud.

5. Indicate the Mapping attribute (User ID, email address, or any customer eld).

6. Test before saving the con guration, and apply the change.

Setting Steps

Step Description Owner

Identity Provider settings in SAP Analytics Enabling a Custom SAML Identity Provider Business Intelligence Expert (Admin)
Cloud

Service Provider settings in Identity Provider Steps depend on the identity provider used. Identity Provider Expert

SSO Data Source Settings Backend Single Sign-On Data Source IT Expert

Connector settings in SAP Analytics Cloud Business Intelligence Expert

Network Setting Network and Security Expert

Recommended Reading
Enabling a Custom SAML Identity Provider

SAML authentication in SAP Analytics Cloud

How to con gure SAP Analytics Cloud SAML SSO using AD FS (Active Directory Federation Services)

Tutorial: Azure Active Directory integration with SAP Business Object Cloud

SAP Note: 2487567 Troubleshooting SAML assertions when con guring SAML SSO in SAP Analytics Cloud

What is SAML2

SSO Setup for SAP Analytics Cloud using okta as an Identity Provider

Embedding SAP Analytics Cloud Story with URL API and SAML2 SSO based on WSO2 Identity Server

Dong Pan's Blog Posts

How to setup SAML with ActiveDirectory (ADFS)

Identity Providers
SAP Analytics Cloud supports SAML 2 Identity Providers based on OASiS speci cations.

We have already tested the following products:

SAP Cloud Identity (Default)

Active Directory Federation Services

Azure Active Directory SSO

Okta

WSO2 Identity Server

F5 Identity Provider

https://help.sap.com/http.svc/dynamicpdfcontentpreview?deliverable_id=21847563&topics=9b941b974b594a5897c7cef86b… 20/22
10/20/2020
Based on your Identity Provider location, please ensure your browser is able to access it.

User and Role Management

When a custom Identity Provider is set, you have to map users between your Identity Provider and SAP Analytics Cloud.

Log in credentials depend on the User Attribute you selected when you set the Identity Provider. If you selected a custom SAML
User, the log in credentials should be the User ID of your account on your SAML Identity Provider.

If Email is selected, the log in credentials should be the email address of your account on your SAML Identity Provider. If User is
selected, the log in credentials are set to your SAP Analytics Cloud user name by default.

As you begin, it is important to have alignment between the Identity Provider and the Service Provider (SAC) user list. You can
manually enter users, but remember, the mapping attribute is case sensitive. Two options to simplify and ensure simple user
deployment exist:

You can upload and map a user list into SAP Analytics Cloud. Choose between a CSV le or an Active Directory upload.

You can select Dynamic User creation in SAP Analytics Cloud. When dynamic user creation is enabled, new users will be
automatically created using the default role and will be able to use SAML SSO to log onto SAP Analytics Cloud. To ensure
that mapping SAML attributes to users, and mapping roles using SAML attributes works with dynamic user creation, you
must submit an SAP Product Support Incident at the following link:
https://launchpad.support.sap.com/#incident/solution using the component LOD-ANA-BI. In the support ticket,
indicate that you want to set up user pro les and role assignment based on custom SAML attributes, and include your SAP
Analytics Cloud URL.

You can also create a SAML role mapping to automatically assign roles to users based on their SAML attributes. Please read:
Mapping Roles Using SAML Attributes

https://help.sap.com/http.svc/dynamicpdfcontentpreview?deliverable_id=21847563&topics=9b941b974b594a5897c7cef86b… 21/22
10/20/2020

Backend Single Sign-On

To enable end-to-end Live Connection SSO scenarios, SAP Analytics Cloud also supports SAML2 SSO to connect Data Sources.

For SAP HANA, see Con gure SSO with SAML Authentication for SAP HANA XS Applications.

For SAP BW or SAP S4/HANA, see Enabling the SAML Service Provider.

https://help.sap.com/http.svc/dynamicpdfcontentpreview?deliverable_id=21847563&topics=9b941b974b594a5897c7cef86b… 22/22