Live Data Connection to SAP S/4HANA On-Premise Using a Direct CORS Connection via Unified Connectivity

Setup Cross-origin resource sharing (CORS) between your SAP S/4HANA on-premise system and SAP Analytics Cloud to establish a direct live connection.

Who does this apply to?
  • Users with Create, Read, Update, Delete and Maintain permissions for Connections.
  • Users with Execute permission for Other Data Sources.
  • Admin, Application Creator, BI Content Creator, BI Admin, and Planner Reporter standard application roles.
  • Setting up a live connection requires working with the SAP Analytics Cloud system owner and different IT and application stakeholders within your organization. Most configuration steps are done on your SAP NetWeaver ABAP Application Server (AS) before creating the connection in your SAP Analytics Cloud tenant.

Prerequisites

  • Configure cross-site cookies: To ensure that Chrome and other browsers allow cross-site access to your SAP on-premise data source cookies from SAP Analytics Cloud, you must configure your SAP on-premise data source to issue cookies with specific attributes. Without these settings, user authentication to your live data connections will fail, and Story visualizations based on these connections will not render.

    For steps on how to do this, see SameSite Cookie Configuration for Live Data Connections.

  • Setup SSO (optional): If you want users to have a single sign-on experience to your data, check you are using same Identity Provider (IdP) for SAP Analytics Cloud and SAP NetWeaver. For more information on setting up your identity provider in SAP Analytics Cloud, see Enable a Custom SAML Identity Provider.
  • If you have multiple authentication methods configured on your ABAP AS, see Alternative Logon Order.

Enable InA on your ABAP Application Server

Context

SAP Information Access (InA) is a REST HTTP-based protocol used by SAP Analytics Cloud to query your data sources in real time. Confirm that your InA package is enabled and services are running on the ABAP AS for your data source.

Procedure

  1. Check that your InA package is enabled.

    To check if the Ina package is enabled, open the following URL in your browser: https://<Your_ABAP_Server>/sap/bw/ina/GetServerInfo?sap-client=<Your_Client_ID>. Make sure you are prompted for user credentials, and after login you get a JSON response. Replace <Your_ABAP_Server> with your ABAP system host, and <Your_Client_ID> with your SAP BW client ID.

  2. Check that the required Information Access Services are active in your SAP BW/4HANA or SAP BW system.
    1. Access your system using SAP Logon.
    2. Enter transaction code: SICF.
    3. Enter the Service Path: /sap/bw/ina and then select Execute.
      The following dialog will appear:

    4. Under Virtual Hosts/Services go to: Start of the navigation pathdefault_host Next navigation step sap Next navigation step bw Next navigation step inaEnd of the navigation path.
    5. Make sure that the following services are active:
      BatchProcessing
      GetCatalog
      GetResponse
      GetServerInfo
      Logoff
      ValueHelp

Configure CORS on your ABAP Application Server

Context

Cross-Origin Resource Sharing (CORS) is the method you'll use to let your users successfully access live data in an SAP Analytics Cloud page from their Web browser. Configure CORS on your ABAP AS data source.

Note

If you are using SAP NetWeaver ABAP AS version 7.52 or above, you must apply SAP Note 2531811 or import ABAP 7.52 SP1 to fix CORS related issues, and then follow the steps below.

Procedure

  1. Enable CORS in your system parameters without restarting ABAP AS.
    Note
    These changes will disappear after a restart of ABAP AS.
    1. Access your SAP BW/4HANA or SAP BW system using SAP Logon.
    2. Enter transaction code: RZ11.
    3. Enter Parameter: icf/cors_enabled
    4. Click Display.

    5. Select Changes Value.

    6. Set New Value to 1.
    7. Select Save.

  2. Permanently enable CORS in your system parameters.
    1. Enter transaction code: rz10
    2. In Profile, if you have multiple authentication methods configured on your ABAP system, choose DEFAULT from the list.
    3. Select Extended Maintenance.
    4. Click Change.

    5. Click Start of the navigation pathParameter Next navigation step CreateEnd of the navigation path.

    6. Set the parameter name to icf/cors_enabled.
    7. Set the parameter value to 1.
    8. Click Exit and Yes to save.
    9. Click Profile | Save.
    10. Click Yes to activate.
    11. Click Continue.
    12. Click Exit and Yes to log off.
    13. Restart ABAP AS for the changes to take effect.
  3. Add SAP Analytics Cloud to the HTTP allowlist.
    Note
    For more information on SAP NetWeaver HTTP Allowlists, see Managing HTTP Allowlists.
    1. Enter transaction code: /NUCONCOCKPIT.
    2. Change Scenario to HTTP Allowlist Scenario.

    3. Change the Mode of Cross-origin Resource Sharing to Active Check.

    4. Double-click Cross-origin Resource Sharing.
    5. Select Display / Change.
    6. For SAP BW, under Allowlist, select Add. For SAP BW/4HANA, select To Allowlist.

    7. In the Input Window, add the following information:
      • Service Path: /sap/bw/ina.
      • Host rule: Add your SAP Analytics Cloud host. For example, mytenant.us1.sapbusinessobjects.cloud.
      • Allowed Methods: Select GET, HEAD, POST, and OPTIONS.
      • Add the following to Allowed Headers:
        x-csrf-token
        x-sap-cid
        authorization
        mysapsso2
        x-request-with
        sap-rewriteurl
        sap-url-session-id
        content-type
        accept-language
      • Add the following to Exposed Headers:
        x-csrf-token
        sap-rewriteurl
        sap-url-session-id
        sap-perf-fesrec
        sap-system
      • Ensure Allow Credentials and Allow Private Network Access are selected.

        Allow Private Network Access ensures that your ABAP AS responds with theAccess-Control-Allow-Private-Network: true header to Google Chrome and other browsers when they send a CORS preflight request ahead of any private network request for a subresource.

  4. Save your changes.

(Optional SSO) Add a Dummy HTML File to Your ABAP Application Server

Context

If you've set up SAML 2.0 Single Sign-On (SSO) for SAP Analytics Cloud and your data source system with the same Identity Provider, you must add a dummy HTML file to authenticate your users and follow the SAML HTTP redirects.

If you are using User Name and Password or None authentication methods, skip this section.

Procedure

  1. Enter transaction code: SE24.
  2. Enter Object Type: ZCL_DUMMYAUTH_SERVICE, select Create, and then select Save.

  3. Go to the Interfaces tab, and add IF_HTTP_EXTENSION, plus a description.

  4. Go to the Methods tab, and add the following information:
    • Method: IF_HTTP_EXTENSION~HANDLE_REQUEST
    • Level: Instance Method
    • Visibility: Public
    • Description: Add a description

  5. Double click on IF_HTTP_EXTENSION~HANDLE_REQUEST and add the following code:
    method IF_HTTP_EXTENSION~HANDLE_REQUEST.
        DATA:
              html_content TYPE string.
    
        html_content = '<html><script type="text/javascript">window.close();</script></html>'.
        server->response->set_header_field( name = 'Cache-Control' value = 'no-cache,no-store').
        server->response->set_cdata( data = html_content ).
    endmethod.
  6. Select Save, and then Activate.
  7. Enter transaction code: SICF.
  8. Enter Service Path: /sap/bw/ina, and then press Enter.
  9. Under Start of the navigation pathdefault_host Next navigation step sap Next navigation step bwEnd of the navigation path, right click ina, then choose New Sub-Element.
  10. In Service Name, enter auth then select Input.

  11. Add a description.
  12. Open the Handler List tab, and enter ZCL_DUMMYAUTH_SERVICE

  13. Save and return to the main menu.
  14. (Optional) Check if the auth package is installed.

    Open the following URL in your browser: https://<Your_ABAP_Server>/sap/bw/ina/GetServerInfo?sap-client=<Your_ABAP_Client_ID>. Make sure yo're redirected to your IdP login page, and that you don't see a 404 page after login.

    You can see the HTML file merely closes the dialog. This is needed because SAP Analytics Cloud will trigger this URL (/sap/bw/ina/auth). As this URL is SAML protected the browser first redirects to your IdP. The IdP then recognizes that the user is already authenticated from SAP Analytics Cloud and has a session. So your browser follows the redirects by the IdP and finally the dummy HTML content is delivered which closes the dialog.

Configure Your Web Browsers

Context

Your user's browsers must allow 3rd party cookies from the ABAP AS domain and pop-ups from the SAP Analytics Cloud domain. This can be easily configured in the browser's settings. As an example, see the steps below for Google Chrome.

Procedure

  1. At the top-right of your Google Chrome browser, click Start of the navigation path Next navigation step SettingsEnd of the navigation path.
  2. Under Privacy and security click Start of the navigation pathSite Settings Next navigation step Pop-ups and redirectsEnd of the navigation path.
  3. In the Allow section, add the domains relevant for your SAP Analytics Cloud tenant.
    [*.]sapanalytics.cloud
    [*.]hanacloudservices.cloud.sap
    [*.]hcs.cloud.sap
    [*.]analytics.sapcloud.cn
  4. Go back to Privacy and security and click Cookies and other site data.
  5. Under Sites that can always use cookies add your ABAP AS domain.

Create the Live Connection in SAP Analytics Cloud

Context

Now that you've configured your data source, you can finally create the live conection in SAP Analytics Cloud.

Procedure

  1. From the side navigation, choose Start of the navigation path Connections Next navigation step  (Add Connection)End of the navigation path.

    The Select a data source dialog will appear.

  2. Expand Connect to Live Data and select SAP S/4HANA.
  3. In the dialog, enter a name and description for your connection.
    The connection name cannot be changed later.
  4. Set the connection type to Direct.
  5. Add your data source's host name, HTTPS port, and Client.
  6. (Optional) Choose a Default Language from the list.
    This language will always be used for this connection and cannot be changed by users without administrator privileges.
    Note
    You must know which languages are installed on your data source system before adding a language code. If the language code you enter is invalid, SAP Analytics Cloud will default to the language specified by your system metadata.
  7. Under Authentication Method select one of the following:
    • None - Using the None authentication option allows you to connect to data source systems that use SSO that are not based on SAML 2.0. For more information, see Using the 'None' Authentication Option.
    • User Name and Password - Enter a user name and password for your data source system.
    • SAML Single Sign On - Select this option for versions of SAP S/4HANA on-premise older than 1909 (7.54) or if you are using the Cloud Connector to connect to live SAP S/4 HANA.
    • SAML Single Sign On (Standard-Compliant) - Select this option for versions SAP S/4HANA on-premise 1909 (7.54) or newer.
    Note
    To enable single sign-on for the mobile app, see the "Cloud Connector-based Mobile Single Sign-On" topic in the SAP Analytics Cloud Mobile Administration Guide.
  8. If you are connecting to SAP S/4HANA through a front-end server, in the Connection Details section enter a Target System Alias.
    Note
    Leave this setting empty if you do not use a front-end server.

    For example, if you use an SAP Fiori Front-end Server (FES) to connect to a SAP S/4HANA, you must enter the system alias for your SAP S/4HANA back-end. For information on setting the back-end system alias, see Creating BW Systems in the Portal.

  9. (Optional) Select Let SAP support user sign in using basic authentication for this connection. By enabling this feature, support users are granted access to the new live data connection using basic authentication.
    Note

    Advanced features are not available when the Authentication Method is set to none.

    To enable an Advanced Feature, you must allow live on-premise data to securely leave your network.

Results

Once you've created your live data connection, test it by creating a model.