SAP Analytics Cloud (SAC) supports Direct Live Connection and Tunnel Live connection to On-Premise S/4HANA. Direct Live Connection is based on CORS and Tunnel Live Connection is based on SAP Cloud Connector. This blog explains the steps to establish Single Sign-On (SSO) using tunnel live connection to On-Premise S/4HANA.
This blog and configuration process is quite a lengthy one. It is requested for readers to not skip any of the sections and would suggest following the same sequence to avoid configuration errors.
- SAP Analytics Cloud (SAC)
- SAP S/4HANA On-Premise
- SAML Identity Provider
- SAP Cloud Connector (SCC)
- SAP Web-Dispatcher (Optional)
- Integration Architecture
- Overview of SSO using Principle Propagation
- Configure SAC to SCC
- Configure S/4HANA to SCC
- Principal Propagation Configuration in SCC
- Configure Certificates in SCC for Principal Propagation
- Setup Trust Between SCC and Web Dispatcher
- Setup Trust Between SCC and S/4HANA
- Configure Tunnel Live Connection in SAP Analytics Cloud
Overview of SSO Using Principal Propagation
The SSO in tunnel live connection between SAC and S/4HANA is based on Principle Propagation. In Principal Propagation, the provider dynamically generates a short-lived certificate for a user who has been authenticated to SAP Analytics Cloud by an identity provider.
Please find below the details of the request flow from SAC to S/4HANA.
The SAP Analytics Cloud is configured with SAML based identity provider for user authentication. In order to configure Tunnel based live connection with SSO to the backend system, the identity provider and identifier used for the SAC and backend S/4HANA system should be the same.
1) When users access an SAC dashboard, SAC establishes an https tunnel based connection to the backend S/4HANA using SAP Cloud Connector (SCC).
2) The SAP Cloud Connector receives the request from SAC along with a SAML/JWT token from the Cloud Foundry environment.
3) SCC generates a short-lived X.509 client certificate based on the SAML/JWT token.
4) The conversion from SAML/JWT to X.509 certificate only preserves the principal information, other SAML attributes will not be propagated to backend.
5) This short-lived X.509 certificate is propagated to the backend to establish SSO between SAC and S/4HANA.
6) This principle propagation configuration can be classified as two segments:
Configure SSL handshake: The two communication partners establish (mutual) trust between each other by exchanging certificates to establish an encrypted connection.
Configure user authentication: Where backend S/4HANA server validates and authenticates user requests based on the identifier coming from the client and then creates a user session for that particular user.