Creating Direct Live Data Connections to On-Premise Data Sources

The same-origin policy is an important concept in the web application security model. Under the policy, a web browser permits scripts contained in a first webpage to access data in a second webpage, but only if both webpages have the same origin.

It's a critical security mechanism for isolating potentially malicious documents. This raises an issue, as your users are trying to access live data from a different origin (domain) than SAP Analytics Cloud.

Live connections from SAP Analytics Cloud to various on-premise data sources are created using direct connections with CORS.

SAP Analytics Cloud stores the metadata information required to generate queries for building stories.

Some examples of metadata information:

• Measure names
• Columns names
• Filter values

Basically, the metadata lets SAP Analytics Cloud rebuild the query. The actual data, not even the query results or part of the results, such as totals, are sent to SAP Analytics Cloud. Metadata is transferred to your browser and encrypted in memory. Throughout the whole process, the browser is actually interacting with direct live connection (CORS), which, in turn, sends out the requests to SAP Analytics Cloud or the remote data source, depending on the path of each request.

CORS is a mechanism that allows restricted resources on a webpage to be requested from another domain outside the domain from which the first resource was served. A webpage may freely embed cross-origin webpages, images, style sheets, scripts, iframes, and videos.

CORS is a way to let your users successfully access live data in an SAP Analytics Cloud page from their browser. In a live connection, the user's browser has to access both SAP Analytics Cloud, for metadata, and the on-premise data source. The results of those queries are returned to your browser, where visualizations are rendered. If your query was a list of profits per customer, for example, none of that information would actually return to or be stored in SAP Analytics Cloud.

Get/Resource: When a domain is requesting to interact with a resource on another domain, request headers are added from the first domain in order to use the cross-origin resource sharing feature.

These are the HTTP request headers that may be associated with the requesting domain:

• Origin
• Access-Control-Request-Method
• Access-Control-Request-Headers

Response: The domain from which resources are being requested can respond to the first domain with the following HTTP response headers based on what configuration options are set:

• Access-Control-Allow-Origin
• Access-Control-Allow-Credentials
• Access-Control-Expose-Headers
• Access-Control-Max-Age
• Access-Control-Allow-Methods
• Access-Control-Allow-Headers

For live data connections to on-premise data sources, SAP recommends a configuration using CORS.

• You have direct connectivity with no additional devices required. Your browser directly connects SAP Analytics Cloud, your IdP, and backend data sources by securely unlocking the same-origin policy.
• There are no additional devices, a direct connection enables better performance.

Your users' browser needs some settings allowed:

• Allow third-party cookies from the data source server's domain.
• CORS does not work in a mixed HTTPS/HTTP scenario. The SSL server certificate of the data source must be a valid one that is trusted by your organization's web browsers, and it must match the data source system's fully qualified domain name.

Live data connections to on-premise data sources use the direct connection option available in SAP Analytics Cloud. To use this connection type, CORS support is configured on back-end system. While it's possible to create a connection to an on-premise data source without SAML SSO, the best practice is to configure SAML SSO to enhance end user experience. For this reason, in this lesson, we will explore two different scenarios for creating direct live data connections with SSO.

A typical direct live connection workflow using CORS is shown in the diagram below. The browser is launched from within the customer network and end-to-end SSO is accomplished with SAML 2.0. To do this, both SAP Analytics Cloud and the on-premise data source have to be configured to trust the same IdP, such as the SAP Cloud Identity Authentication Service or SAP NetWeaver IdP. In this setup, there is no need to open any inbound firewall ports.

Creating direct live data connections to on-premise data sources with SSO can be broken down into three key steps:

1. Configure CORS for the on-premise system.
2. Establish trust between SAP Analytics Cloud and the on-premise data source and configure SSO.
3. Create the live data connection in SAP Analytics Cloud.

Let's take a closer look at the standard process for creating direct live data connections to on-premise data sources with SAML SSO, using SAP HANA as an example of an on-premise data source.

To set up a direct live data connection to SAP HANA, there are prerequisites:

• If end users will access the live data connection from outside of your corporate network, ensure that the SAP Information Access (InA) service (/sap/bc/ina/service/v2) on your SAP HANA source server is exposed to browser users directly.
• Ensure that the InA package (/sap/bc/ina/service/v2) or a higher-level package is configured for basic authentication.
• Ensure that the sap.bc.ina.service.v2.userRole::INA_USER role is assigned to all users who will use the live connection. This role is required in addition to the usual roles and authorizations that are granted to users for data access purposes.
• Ensure that your SAP HANA XS server is configured for HTTPS (SSL) with a signed certificate, and that you know which port it is using for HTTPS requests.
• To ensure that Chrome and other browsers allow cross-site access to your SAP on-premise data source cookies from SAP Analytics Cloud, you must configure your SAP on-premise data source to issue cookies with specific attributes. Without these settings, user authentication to your live data connections will fail, and story visualizations based on these connections will not render.

  See SameSite Cookie Configuration for Live Data Connections.

To set up a direct live data connection with SSO, there are a few additional prerequisites:

• Use the same Identity Provider (IdP) for SAP Analytics Cloud and the on-premise data source.
• Ensure that all users are SAML configured.
• Ensure that the InA package (/sap/bc/ina/service/v2) or a higher-level package is configured for SAML authentication.

For detailed information on these prerequisites, including supported versions of SAP HANA, go to: Live Data Connection to SAP HANA On-Premise Using a Direct Connection | SAP Help Portal.

This step is completed by the SAP HANA administrator. CORS headers are configured in the SAP HANA XS Administration Tool for SAP HANA. This ensures that the HTTP responses from the InA service to users' web browsers include CORS headers.

1. In the sap.bc.ina.service.v2 package, select the CORS panel.
2. Select Enable Cross Origin Resource Sharing.
3. Add the SAP Analytics Cloud host to the Allowed Origins variable.

   For example, https://<Customer-Prefix>.<Data-Center>.sapbusinessobjects.cloud.

   More than one URL can be added to the variable. For more information on CORS options, see Application-Access File Keyword Options.

   Note

   If single sign-on (SSO) is used, add the IdP host to Allowed Origins.
4. Allowed Headers: Select + Add and select accept-language, x-sap-cid, x-request-with, x-csrf-token, content type, authorization, and accept.
5. Exposed Headers: Select + Add and add x-csrf-token.
6. Allowed Methods: Select GET, HEAD, POST, and Options.
7. Save the changes.

This step is completed by the SAP Universe administrator. It allows SSO to be established.

1. Exchange metadata between SAP HANA and the SAML 2.0 IdP. Any SAML 2 compliant IdP can be used, but it must match the one that's been used to configure custom SAML authentication for SAP Analytics Cloud tenant. In the screenshot below, you can see an example of the metadata imported into SAP HANA.

   For more information, go to the Enabling a Custom SAML Identity Provider lesson in the Managing Security and Administration in SAP Analytics Cloud learning journey.

   
2. To enable SSO when using a direct live connection, you must deploy some custom web content to your SAP HANA server. This web content is what will appear briefly to users once per session when they first create a live data connection to your SAP HANA system, or when they refresh charts or tables against that live data connection.

   Deploy custom web content on SAP HANA for SAML SSO using your SAP HANA server's Web IDE Editor. Go to https://<xs-host:port>/sap/hana/ide/editor/ and use the following steps to deploy the custom web content to your SAP HANA server.

   
3. Increase the session timeout configuration parameters in SAP HANA XS server by increasing the sessiontimeout parameter in the httpserver section of the xsengine.ini file. For example, if you change the parameter to 43200, the session will be active for 12 hours.

   For more information, see the SAP HANA XS Classic Configuration Parameters | SAP Help Portal.

Once the trust relationship has been established, they provide you with the Host and HTTPS Port as you will need them when creating the connection in SAP Analytics Cloud.

This step is completed by you, the SAP Analytics Cloud administrator. A new connection is created in SAP Analytics Cloud.

Data modelers can then use data from this live connection by creating new live models in SAP Analytics Cloud.

We will cover the steps in detail in the practice exercise for this lesson, however, using SAP HANA as an on-premise data source example, let's take a look at the summary of the process flow.

1. In the side navigation menu, go to Connections.
2. Select Add Connection and select SAP HANA from the Connect to Live Data options.
3. In the New SAP HANA Connection dialog, enter a Connection Name and Description.
4. Enter the following information, as provided by the SAP HANA administrator:
   • Enter the Host.
   • Enter the HTTPS Port.
     Note

     If User Name and Password is selected as the Authentication Method, the User Name and Password will have to be entered to create the connection.
5. Select OK. The new connection is added to the list of connections in the Connections area in SAP Analytics Cloud.

For system-specific information on creating live data connections in SAP Analytics Cloud (includes both cloud applications and on-premise data sources), go to: Creating Live Data Connections | SAP Help Portal.

Now, let's explore the differences when creating a direct live connection with SSO to an SAP Universe.

To enable this connection, the SAP Business Objects Live Data Connect component must be deployed in your on-premise server SAP Business Objects BI4 server. The Live Data Connect component hosts and handles all of the CORS configuration in its configuration file.

Live Data Connect is a bridge between SAP Analytics Cloud and the SAP Universe or WebI document. If your SAP BusinessObjects Enterprise system is installed in your corporate network, then all the exchanges between Live Data Connect and your browser are contained within this network. The client web browser connects to SAP Analytics Cloud and dashboard metadata is downloaded. The browser establishes a live connection to Live Data Connect, which, in turn connects to the SAP Universe, bringing data back through the Live Data Connect to the web browser. This allows for better control over data privacy as data stays within the customer network.

This step is completed by the SAP system administrator. The installation procedure for Live Data Connect is relatively straightforward, as it just requires the software to be downloaded and the files extracted into a directory on your server. Live Data Connect can be downloaded from https://me.sap.com.

Full instructions for installation and deployment can be found at: Installing SAP BusinessObjects Live Data Connect.

Once installed, the SAP system administrator configures it for SAP Analytics Cloud using the following steps: Live Data Connection to SAP Universes Using a Direct Connection and SSO.

Once SAP Analytics Cloud tenant is configured for SAML, the process to create a direct live data connection with SAML SSO from SAP Analytics Cloud to an SAP Universe involves the following steps:

1. Configure the SAP BusinessObjects Live Data Connect to issue CORS headers.
2. Enable trusted authentication in the SAP Universe.
3. Update the SAP BusinessObjects Live Data Connect configuration for SAML setup.
4. Exchange metadata with the SAML IdP.
5. Configure the users' browsers to accept cookies from the SAP BusinessObjects Live Data Connect server and allow popups from SAP Analytics Cloud.
6. The SAP Analytics Cloud administrator creates a direct live connection to the SAP Universe with SSO in SAP Analytics Cloud.

This step is completed by you, the SAP Analytics Cloud administrator. A new connection is created in SAP Analytics Cloud.

Data modelers can then use data from this live connection by creating new live models in SAP Analytics Cloud.

We will cover the steps in detail in the practice exercise for this lesson, however, using an SAP Universe as an on-premise data source example, let's take a look at the summary of the process flow.

1. In the side navigation menu, go to Connections.
2. Select Add Connection and select SAP Universe or WebI Document from the Connect to Live Data options.
3. In the New Universe Live Connection dialog, enter a Connection Name and Description.
4. Enter the following information, as provided by the SAP Universe administrator:
   • Enter the Host.
   • Enter the HTTPS Port.
5. Select OK. The new connection is added to the list of connections in the Connections area in SAP Analytics Cloud.

As with import connections, it's important to test your new live connection. To test the live data connection, you create an SAP Analytics Cloud model using the connection. In this lesson, we'll use SAP HANA as an example.

1. From the Modeler start page, select Live Data Model from the two Create New options.
2. Select system type SAP HANA.
3. Select your newly created connection.
4. Select the Input Help icon to search for a data source or choose one from a list.
5. The model must be created based on a query or view that contains a measure. Drag data from the Available Data list to the Selected Data and Filters areas to build a query.
6. Select OK.

   If the data appears in the data integration view, then you successfully created the connection.