Live Data Connection to SAP S/4HANA Cloud Edition via OAuth

You can create a live data connection from SAP Analytics Cloud to your S/4HANA system that uses OAuth 2.0.

Prerequisites

  • SAP Analytics Cloud can be hosted either on SAP data centers or on non-SAP data centers (for example, Amazon Web Services (AWS)). Determine which environmentSAP Analytics Cloud is hosted on by inspecting yourSAP Analytics Cloud URL:

    • A single-digit number, for example us1 or jp1, indicates an SAP data center.
    • A two-digit number, for example eu10 or us30, indicates a non-SAP data center.
  • You must use OAuth 2.0 for authentication.

  • SAML Single Sign-On (SSO) must be enabled in SAP Analytics Cloud. For more information, see Enable a Custom SAML Identity Provider. The following settings must be applied:

    1. Under Start of the navigation pathStep 3End of the navigation path, set the SAML User Mapping to Custom SAML User Mapping. Under Start of the navigation pathSecurity Next navigation step  UsersEnd of the navigation path, the value in the Custom SAML User Mapping column must equal the Start of the navigation pathUser Data Next navigation step User NameEnd of the navigation path of the corresponding business user in the SAP S/4HANA system.
  • The following steps must be carried out by a user who logs on to both the SAP S/4HANA and SAP Analytics Cloud system via the SAML Identity Provider. For the steps in the SAP Analytics Cloud system, the BI Admin role is required. For the steps in the SAP S/4 HANA system, the Administrator role (role template ID SAP_BR_ADMINISTRATOR) is required. For more information, see SAP Analytics Cloud Integration.
  • To display custom analytical queries you must apply SAP Note 2710858.

Context

The steps below show how to connect SAP Analytics Cloud to SAP S/4HANA Cloud Edition using OAuth 2.0.

Note
With OAuth 2.0, you do not need to configure SAP Analytics Cloud to use the same SAML identity provider (IdP) as you use for SAP S/4HANA cloud edition.

However, there are other scenarios available:

  1. If you want to create stories in SAP Analytics Cloud using data you have in SAP S/4HANA Cloud Edition, and then embed stories in your SAP S/4HANA Cloud Edition system, see Integrating SAP Analytics Cloud.
  2. If you want to create stories in SAP Analytics Cloud using data you have in SAP Marketing Cloud, and then embed stories in your SAP Marketing Cloud system, see Integration with SAP Analytics Cloud (1SO).

Procedure

  1. Add a remote system to SAP Analytics Cloud.
    1. From the side navigation, choose Start of the navigation path Connections Next navigation step  (Add Connection)End of the navigation path.
      The Select a data source dialog will appear.
    2. Expand Connect to Live Data and select SAP S/4HANA.
    3. In the dialog, enter a name and description for your connection.
      The connection name cannot be changed later.
    4. Set the connection type to SAP S/4HANA Cloud.
    5. In the Host field, enter the URL for your SAP S/4HANA system.
      For example, <MySystem>.s4hana.ondemand.com.
    6. (Optional) Choose a Default Language from the list.

      This language will always be used for this connection and cannot be changed by users without administrator privileges.

      Note
      You must know which languages are installed on your SAP S/4HANA system before adding a language code. If the language code you enter is invalid, SAP Analytics Cloud will default to the language specified by your system metadata.
    7. Under Authentication Method, select OAuth 2 SAML Bearer Assertion.
    8. Select to copy the provider name.
      You will need to add this to your SAP S/4HANA cloud system.
    9. Select Download Signing Certificate to save the signing certificate for SAP Analytics Cloud.
      You will need to add this to your SAP S/4HANA cloud system.
    The New S/4HANA Live Connection dialog will be half completed. Keep the dialog open and switch to a new browser tab for step 3.
  2. Create a communication system in SAP S/4HANA.
    1. Open the Maintain Communication Systems app from the SAP Fiori Launchpad.
    2. Click New.
    3. UnderStart of the navigation path Technical Data Next navigation step General  Next navigation step Host NameEnd of the navigation path enter the host name of your SAP Analytics Cloud.
      The host name follows the schema: xxx.sapanalytics.cloud
    4. Under Start of the navigation pathTechnical Data Next navigation step OAuth 2.0 SettingsEnd of the navigation path, enter the Authorization URL and Token URL without the https:// prefix.

      To find the Authorization URL and Token URL, in SAP Analytics Cloud, from the side navigation, choose Start of the navigation path System Next navigation step  Administration Next navigation step App IntegrationEnd of the navigation path.

      For SAP data centers:

      • Example Authorization URL: oauthasservices-«xxx».int.sap.hana.ondemand.com/oauth2/api/v1/authorize.
      • Example Token URL: oauthasservices-«xxx».int.sap.hana.ondemand.com/oauth2/api/v1/token.

      For non-SAP data centers:

      • Example Authorization URL: https://<Tenant Name>.authentication.<Region ID>.hana.ondemand.com/oauth/authorize.
      • Example Token URL: https://<Tenant Name>.authentication.<Region ID>.hana.ondemand.com/oauth/token.
    5. Under OAuth 2.0 Identity Provider select Enabled.
    6. Enter the provider name and upload the signing certificate obtained in Step 2.
    7. Create a User for Inbound Communication with the Authentication Method User Name and Password and note down the user name and password.
    8. Save the communication system.
  3. Create a communication arrangement in SAP S/4HANA.
    1. Open the Communication Arrangements app.
    2. Click New.
    3. Select the communication scenario SAP_COM_0065 and the communication system you created in Step 2.
    4. Under Start of the navigation pathAdditional Properties Next navigation step Tenant IDEnd of the navigation path maintain your SAP Analytics Cloud tenant ID.

      You can find your tenant ID in the SAP Analytics Cloud URL. For example:

      • For SAP data centers: https://xxx.sapanalytics.cloud/sap/fpa/ui/tenants/<tenant ID>/app.html
      • For non-SAP data centers: leave this entry blank.
      Note
      Leave the System Alias field under Additional Properties blank.
    5. Under Start of the navigation pathInbound Communication Next navigation step User Name Next navigation step Authentication MethodEnd of the navigation path, select the user you created in Step 3g, with Authentication with OAuth 2.0, using the input help of the User Name field.
    6. Set all Outbound Services to inactive.
    7. Save the communication arrangement.
    Note
    You can connect multiple SAP Analytics Cloud tenants to one SAP S/4HANA Cloud system.
  4. Enter your SAP S/4HANA system information to SAP Analytics Cloud.
    1. Switch back to the New S/4HANA Live Connection dialog.
    2. In the Token Service User field, enter the User for Inbound Communication user name you created in Step 3g.
    3. In the Token Service Password field, enter the password you created in Step 3g.
    4. Enter the following space-separated list as OAuth Scope:
      SAP_BW_INA_BATCHPROCESSING_HTTP SAP_BW_INA_GETCATALOG_HTTP SAP_BW_INA_GETRESPONSE_HTTP SAP_BW_INA_GETSERVERINFO_HTTP SAP_BW_INA_LOGOFF_HTTP SAP_BW_INA_VALUEHELP_HTTP
    5. Select OK.

Results

The live data connection is saved, and users will have access to SAP Analytics Cloud.
Note

Users must have Read or Maintain privileges on the Connection permission in order to view models and stories created from this connection. For more information, see Permissions.

The connection is not tested until you create a model. For more information, see Create a New Model.

Next Steps

When you log on to SAP Analytics Cloud, you are notified if the service provider certificate is about the expire. For information on how to renew the certificate, see Renew the SAP Analytics Cloud SAML Signing Certificate.
Related Information