SAP Analytics Cloud System Owner | SAP Analytics Cloud settings such as data source configuration, SAC SAML 2 settings, Users and roles management, Connection settings |
Data source expert | Connectivity layer and security (HANA, BW, Universe, S4/HANA…) |
Network expert | Proxy, firewall, DNS server, etc. |
Security expert | SAML 2, customer’s Identity Provider, SSL certificate, etc. |
Information system architecture expertise | General Architecture topics |
Application expert | SAP or non-SAP depending on your data sources: Connectivity, security, modeling |
Project management is therefore mandatory: connectivity settings are not a one-person project. The settings follow a strict process in which different stakeholders have to be engaged and deliver their own expertise in their respective areas of responsibility.
Connecting a SaaS application to on-premise applications first requires a deep understanding of the overall architecture. Before starting any settings, we strongly suggest organizing an architecture workshop to align all identified stakeholders, so that the settings are performed quickly and smoothly, on time and on scope.
3. Live Connection and / or Data Acquisition?
Before starting, please read the System Requirements and Technical Prerequisites document carefully and check that your landscape complies with what is supported for your version and connection types.
Most of our customers wonder which connection type to set up according to their needs. There are best practices, but also limitations, that should guide the customer's choice.
Several criteria have to be considered:
- Functional needs.
- Data Privacy constraints.
- Data volume constraints.
3.1. Functional perspective
Connection type | Scope / model | Data sources | Description |
---|---|---|---|
Data Acquisition | Analytic Model, Planning Model, Predictive Capabilities | Any selected source | All data (from whatever source is selected) is 'uploaded' (replicated) to the SAP Analytics Cloud in-memory HANA database. SAP Analytics Cloud then stores the model and data. Security can be added to the model within SAP Analytics Cloud. Both Analytic and Planning models generate an account type model. |
Live Connection | Local (cloud data sources) | SAP Cloud Platform, SAP S4/HANA Cloud | All data stays within SAP Cloud Platform or SAP S4/HANA Cloud. The data is not replicated to SAP Analytics Cloud. Modelling and model security are managed on the source system. The data connection between systems is secured within SAP Cloud Platform. |
Live Connection | Remote (on-premise data sources) | HANA, BW, S4/HANA, Universe | All data stays within the remote (customer) landscape. The data is not replicated to SAP Analytics Cloud. Modelling and model security are managed on the source system. The data connection between systems is secured. |
3.2. Data Privacy constraints
With a live connection, data stays in your back-end. When a customer wants to keep full control of data privacy, live connection is the best choice.
Data acquisition implies data replication into the SAP Analytics Cloud HANA database. Nevertheless, the data is encrypted and fully secured. Please refer to https://www.sap.com/about/cloud-trust-center/data-center.html for more information about the security measures and certifications in SAP data centers.
3.3. Data volume constraints
With a live connection, the data volume is processed in your back-end system and there is no theoretical limitation: the query is executed in the back-end system. The query should limit the volume returned to the web browser by applying adequate input controls or aggregation.
With data acquisition, the following volume limits apply:
Data Acquisition: File size limits
- Microsoft Excel (XLSX only): Maximum file size: 200 MB.
- Comma-separated values files (CSV): Maximum file size: 2 GB.
- Excel files (XLSX only) in cloud storage through Cloud Elements: Maximum file size: 200 MB.
- CSV files in cloud storage through Cloud Elements: Maximum file size: 2 GB.
Data Acquisition: row, column, and cell limits
- Models and stories:
  - For SAP BW, SAP Universe, SAP HANA, Google BigQuery, and SQL data sources only: 100,000,000 cells; 100 columns.
  - For CSV and XLSX files, there is a limit on file size and a maximum of 2,000,000,000 rows; 100 columns.
  - All versions of SAP Business Planning and Consolidation (BPC): 2,000,000,000 rows; 100 columns.
  - Google Sheets allows a maximum of 5 million cells (but CSV and XLSX files stored in Google Drive follow the above 2,000,000,000 row, 100 column limit).
  - For all other data sources: 800,000 rows; 100 columns.
- Datasets:
  - For SAP BW, SAP HANA, Google BigQuery, and SQL data sources only: 1,000,000,000 cells; 1000 columns.
  - For CSV and XLSX files, there is a limit on file size and a maximum of 2,000,000,000 rows; 1000 columns.
  - Google Sheets allows a maximum of 5 million cells (but CSV and XLSX files stored in Google Drive follow the above 2,000,000,000 row, 1000 column limit).
  - For all other data sources: 1,000,000 rows; 1000 columns.
Caution: While applying a predictive model to an application dataset, Smart Predict generates additional columns. The application process can be blocked if your application dataset already risks crossing the limit of 1,000 columns.
- The maximum number of characters in a cell is 4998.
- Each tenant can have a maximum of 30 concurrent data acquisition jobs. Additional submitted jobs will be queued.
- Each data acquisition job has a maximum 24 hours run time. Jobs will terminate when they reach the time limit.
- Modeling row limit:
  - Subsequent data imports to an existing model cannot exceed a total of 2^31-1 (2,147,483,647) rows.
  - You cannot import data or schedule a data import into an existing model if the resulting fact data would include over 2^31-1 (2,147,483,647) rows.
Data Acquisition: General limits
- Columns:
  - Models and stories: 100 columns
  - Datasets: 1000 columns
- Dimension members: 1,000,000
- Dimension members with geo enrichment: 200,000
- Dimension members with parent/child hierarchy: 250,000 (for other kinds of attributes, the 1,000,000 limit applies)
- Analytic models: if there are more than 1,000,000 unique members, the dimension will be made read-only
- The maximum length of imported data values is 256 characters
Data Preparation/Modeling: General limits
- Columns:
  - Models and stories: 100 columns
- Dimension members: 1,000,000
- Dimension members with geo enrichment: 200,000
- Dimension members with parent/child hierarchy: 250,000 (for other kinds of attributes, the 1,000,000 limit applies)
- Analytic models: if there are more than 1,000,000 unique members, the dimension will be made read-only
- The maximum length of imported data values is 256 characters
Please refer to the official documentation for potential recent updates. Search the documentation for "System Sizing, Tuning, and Limits".
4. SAP Analytics Cloud Live Connection
4.1. Understanding SAC live connection
SAP Analytics Cloud provides the business logic and builds the queries required to display your data in your browser. Your browser in turn sends those queries, either through the reverse proxy or through a direct live connection, to the on-premise database. The results of those queries are returned to the browser, where any charts are rendered. If your query was a list of profits per customer, none of that information would actually return to SAP Analytics Cloud.
Throughout the whole process, the browser interacts either with the reverse proxy or directly with the back-end through the direct live connection (CORS), sending each request to SAP Analytics Cloud or to the remote data source depending on the path of that request.
Figure 2 : Direct Live Connection SAC / Back-end with CORS and SAP IDP / SAML2
- Get/Post requests from Browser to SAC are dedicated to metadata.
- Get/Post requests from Browser to Identity Provider are dedicated to SAML 2 Assertions.
- Get/Post requests from Browser to Back-end are dedicated to Data.
4.2. What is stored in SAP Analytics Cloud with Live Connection?
Metadata, and only metadata. SAP Analytics Cloud stores the queries needed to build the stories: measure names, column names, filter values, etc. Basically, the metadata is enough to rebuild the query, but none of the actual data is stored, not even the query results or parts of them, such as totals. Metadata is transferred to the browser and encrypted in memory.
4.3. Authentication
End-to-end SSO is accomplished with SAML 2. To achieve this, both SAP Analytics Cloud and the on-premise data source have to be configured to trust the same identity provider, such as SAP Cloud Identity or your Active Directory via ADFS (Active Directory Federation Services). This means that the data security implemented at the data source is always respected for each request.
4.4. Encryption
All communications between the browser and SAP Analytics Cloud are always encrypted. The on-premise communications from your reverse proxy to the back-end data sources should also be encrypted using TLS. All data and metadata persisted in SAP Analytics Cloud are also fully encrypted.
4.5. SAP Analytics Cloud and Information Access Service (InA)
SAP Information Access Service (InA) is a REST/HTTP-based protocol used by SAP Analytics Cloud to query your data sources in real time. This component is part of all supported back-ends, as follows:
Data source | Supported versions / components |
---|---|
HANA | SAP HANA 1.0 SPS10/11/12, revision 102.2 or higher, with SAP HANA Info Access Service (InA) version 4.10.0 or higher; SAP HANA 2.0 SP01 or newer on-premise, with the SAP HANA EPMMDS plugin installed on the SAP HANA 2.0 system (SAP Note 2456225 and SAP Note 2444261 provide additional setup information); SAP Cloud Platform (SAPCP): latest version |
BW | SAP BW/4HANA SP4+; SAP BW 7.4 SP17+; SAP BW 7.5 SP8+ |
BOE Universe | SAP BusinessObjects BI 4.2 SP4 installed, with the .war file of the SAP BOE Live Data Connect component deployed on your application server |
S4/HANA | SAP NW release 7.51 SP2 |
4.6. Understanding Browser’s Same Origin Policy
The same-origin policy is an important concept in the web application security model. Under the policy, a web browser permits scripts contained in a first web page to access data in a second web page, but only if both web pages have the same origin. It is a critical security mechanism for isolating potentially malicious documents.
With a live connection, the browser has to access both SAP Analytics Cloud (for metadata) and the back-end data sources (HANA, BW, S4/HANA or Universe). SAP Analytics Cloud therefore provides two ways to enable cross-origin resource sharing for resources accessed by the same web page in the browser:
- Via CORS (recommended): Cross-origin resource sharing is a mechanism that allows restricted resources on a web page to be requested from another domain, outside the domain from which the first resource was served. A web page may freely embed cross-origin images, stylesheets, scripts, iframes, and videos.
Figure 3 : CORS access
Example of a CORS request (POST):
Preflight request headers sent by the browser for /resource 2:
Origin: http://mySAC.eu1.sapanalytics.cloud
Access-Control-Request-Method: POST
Access-Control-Request-Headers: X-Custom-Header
Server response headers for /resource 2 if authorized:
Access-Control-Allow-Origin: http://mySAC.eu1.sapanalytics.cloud
Access-Control-Allow-Methods: GET, POST
Access-Control-Allow-Headers: X-Custom-Header
In this example, authorization is checked by the back-end and granted only to the origin http://mySAC.eu1.sapanalytics.cloud. Please also note that the domain used in this example is 'sapanalytics.cloud', which was the original top-level domain; new customers are assigned to the top-level domain hcs.cloud.sap. HTTPS with a valid certificate is therefore mandatory between the browser and the back-end to avoid any malicious intrusion.
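The exchange above shows the two header sets. The following function is an added example (not SAP's code and not part of any SAP product) of how a back-end or reverse proxy in front of an InA data source can evaluate such a preflight on the defender's side: exact-origin matching with no wildcard, HTTPS only, and an explicit method and header allow-list. The tenant host names, the header allow-list and the preflight inputs are constructed placeholders.

```python
"""Evaluate a CORS preflight the way a data source in front of SAC should.

Added example, not SAP's code. Host names and allow-lists are constructed.
"""
from urllib.parse import urlsplit

# Constructed allow-list: the exact SAC tenant origins (scheme + host), no
# wildcards. Both SAC top-level domains mentioned in the text are shown.
ALLOWED_ORIGINS = {
    "https://mysac.eu1.sapanalytics.cloud",   # placeholder tenant, original domain
    "https://mysac.eu10.hcs.cloud.sap",       # placeholder tenant, new domain
}
ALLOWED_METHODS = {"GET", "POST", "OPTIONS"}
# Constructed header allow-list; X-Custom-Header is the one used in the page's example.
ALLOWED_HEADERS = {"content-type", "authorization", "x-custom-header"}


def _normalize_origin(origin):
    """Return 'scheme://host[:port]' in lower case, or None if not a proper origin.

    'Origin: null' (sandboxed/opaque origins) and anything with a path are
    rejected, because they can never match an entry of the allow-list.
    """
    parts = urlsplit(origin)
    if not parts.scheme or not parts.netloc or parts.path not in ("", "/"):
        return None
    return f"{parts.scheme.lower()}://{parts.netloc.lower()}"


def cors_preflight_response(request_headers):
    """Return (status, response_headers) for an OPTIONS preflight.

    Only an exact, HTTPS origin from ALLOWED_ORIGINS is echoed back. A wildcard
    '*' is never sent: the browser attaches the data source's own cookie to the
    real request (credentialed mode), and browsers refuse '*' together with
    Access-Control-Allow-Credentials, so a wildcard would silently break SSO.
    """
    hdr = {k.lower(): v for k, v in request_headers.items()}
    origin = hdr.get("origin", "")
    norm = _normalize_origin(origin)
    # Mixed HTTP/HTTPS is refused here, matching the text's statement that CORS
    # only works when browser, SAC and back-end all use HTTPS.
    if norm is None or not norm.startswith("https://") or norm not in ALLOWED_ORIGINS:
        return 403, {}
    method = hdr.get("access-control-request-method", "").upper()
    if method not in ALLOWED_METHODS:
        return 403, {}
    requested = [h.strip().lower()
                 for h in hdr.get("access-control-request-headers", "").split(",")
                 if h.strip()]
    if any(h not in ALLOWED_HEADERS for h in requested):
        return 403, {}
    return 204, {
        "Access-Control-Allow-Origin": origin,            # exact origin, never '*'
        "Access-Control-Allow-Methods": ", ".join(sorted(ALLOWED_METHODS)),
        "Access-Control-Allow-Headers": ", ".join(requested),
        "Access-Control-Allow-Credentials": "true",       # lets the browser send the cookie
        "Vary": "Origin",                                 # caches must key on Origin
        "Access-Control-Max-Age": "600",                  # seconds the preflight may be cached
    }


def cors_actual_response_headers(origin):
    """Headers to add to the real GET/POST reply, or None if the origin is not allowed."""
    norm = _normalize_origin(origin)
    if norm is None or norm not in ALLOWED_ORIGINS:
        return None
    return {
        "Access-Control-Allow-Origin": origin,
        "Access-Control-Allow-Credentials": "true",
        "Vary": "Origin",
    }


if __name__ == "__main__":
    # Constructed preflight equivalent to the page's example, but over HTTPS.
    status, headers = cors_preflight_response({
        "Origin": "https://mysac.eu1.sapanalytics.cloud",
        "Access-Control-Request-Method": "POST",
        "Access-Control-Request-Headers": "X-Custom-Header",
    })
    print(status, headers)
```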
4.7. Direct Live Connection with CORS
Figure 4 : Standard settings when users are located in customer domain
4.7.1. Network & security settings
- In this configuration, when the browser is in the public domain, the on-premise data source server address has to be whitelisted and inbound access has to be authorized (Figure 7 : Standard settings when users are located outside customer domain).
- Outbound access from the customer domain to SAP Analytics Cloud and SAP Cloud Identity has to be opened.
4.7.2. Benefits
- SAP recommends this configuration.
- Direct connectivity, no additional device required: the browser directly connects to SAC, the IdP and the back-end data sources by securely relaxing the same-origin policy (see chapter Understanding Browser's Same Origin Policy).
- Because no additional device is involved, a direct connection gives better performance.
- Easy to set up
- Available for HANA, BW, BOE Universe and S4/HANA
4.7.3. Prerequisites & limitations
- Mandatory Browser settings:
- Allow pop-up windows from the SAP Analytics Cloud domain which will be either [*.]sapanalytics.cloud or [*.]hcs.cloud.sap. The domain sapanalytics.cloud was the original domain and is still used, whilst new customers will be assigned to the hcs.cloud.sap domain.
- Allow third-party cookies from the SAP HANA server's domain.
- CORS does not work in the mixed HTTPS/HTTP scenario. The SSL server certificate of the HANA XS system must be a valid one that is trusted by your users’ web browsers and match the HANA system’s fully-qualified domain name.
- HANA: CORS has to be enabled in the HANA database. Some third-party hosting providers do not yet include such settings in their hosting services.
4.7.4. Setting Steps
Step | Description | Owner |
---|---|---|
Enabling InA | HANA, BW, S4/HANA and Universe fully support InA | Data Source Expert |
Enabling CORS | HANA, BW, S4/HANA and Universe fully support CORS | Data Source Expert |
Enabling SSL | Configure a valid SSL certificate; refer to SAP Note 2502174. | Security Expert |
Enabling pop-ups in the browser | See the Google Chrome documentation | Security Expert |
Allowing third-party cookies in the browser | See the Google Chrome documentation | Security Expert |
4.8. Best Practices
4.8.1. Multi-tenant HANA Databases
To enable web-based applications to send HTTP(S) requests to multitenant database containers via the SAP HANA XS server, the internal SAP Web Dispatcher must be configured so that it knows which requests to dispatch to which database, on the basis of DNS alias virtual host names. You do this by specifying the public URL of every tenant database in the xsengine.ini configuration file. Please verify that the virtual host names used by the internal SAP Web Dispatcher are declared in the customer's Domain Name Service. They are also needed to generate the SSL certificate in PSE Management (a mandatory setting for live connections with CORS).
4.8.2. Desktop Browser to troubleshoot your connection
SAP Analytics Cloud supports the latest version of Google Chrome. Google releases continuous updates to the Chrome browser, and we make every effort to fully test and support the latest versions as they are released.
Furthermore, the Google Chrome browser can be used to troubleshoot your live connection. Chrome Developer Tools are a set of web authoring and debugging tools built into Google Chrome. The DevTools give web developers deep access to the internals of the browser and their web application, so do not hesitate to get familiar with them and use them to track down issues efficiently.
You can especially use the Network panel to get a graph showing a timeline of when resources were retrieved. At a glance, the Network panel tells you the total number of requests, the amount of data transferred, request and response contents and headers, load times, errors, warnings, etc.
Figure 5 : Example of Developer view, Network Panel showing requests and timeline.
4.9. Further Reading
- SSL Certificate Best Practices in BW and HANA for Live Connection
- Settings SSL Certificate for SAP Analytics Cloud Live Connection
- Live Data Connection
https://help.sap.com/http.svc/rc/00f68c2e08b941f081002fd3691d86a7/release/en-US/5b4dad4d97664c41ae63bf1153e5e91e.html
- Introducing Direct Live HANA Connections in SAP Analytics Cloud – by Dong Pan
https://blogs.sap.com/2017/03/29/introducing-direct-live-hana-connections-in-sap-businessobjects-cloud/
- Enabling Direct Connectivity for Live Data Connections with Basic Authentication
- Enabling Direct Connectivity for Live Data Connections with SSO
- Direct Live HANA Connections in the Internet Scenario CORS (Web Dispatcher) – by Dong Pan
https://blogs.sap.com/2017/04/10/direct-live-hana-connections-in-the-internet-scenario/
- Direct Live HANA Connections in the Internet Scenario CORS (Apache Reverse Proxy) – by Dong Pan
https://blogs.sap.com/2017/04/13/direct-live-hana-connections-in-the-internet-scenario-for-the-apache-fans/
- Same Origin Policy
https://en.wikipedia.org/wiki/Same-origin_policy
5. SAP Analytics Cloud Data Acquisition
5.1. Understanding SAP Analytics Cloud Data Acquisition
You can create connections to remote systems to allow data acquisition by SAP Analytics Cloud. Data is imported (copied) to SAP Analytics Cloud, and changes made to the data in the source system don’t affect the imported data.
Setup is required when creating an import data connection to the following system types: SAP Business Warehouse (BW), SAP Business Planning and Consolidation (BPC), SAP BusinessObjects Business Intelligence platform universe (UNX), SAP Enterprise Resource Planning (ERP), SQL Database, SuccessFactors, WorkforceAnalytics, OData, Concur, Salesforce.com (SFDC), Fieldglass, Google Drive, Google BigQuery, File Server.
5.2. Prerequisites & Limitations
Data Acquisition Maximums:
- Columns: 100
- Rows: 800,000
- Dimension members:
- Planning models: 250,000
- Analytic models: if there are more than 250,000 unique members, the dimension will be made read-only
- Dimension members with attributes: 150,000
- Dimension members with geo enrichment: 200,000
- Dimension members in hierarchy: 150,000
- Hierarchy depth: 1,000
5.2.1. Data source prerequisites and limitations
5.3.1 SAP Cloud Connector
The Cloud Connector serves as the link between SAP Analytics Cloud and existing on-premise systems. It combines an easy setup with a clear configuration of the systems that are exposed to SAP Analytics Cloud. In addition, you can control the resources available for the cloud applications in those systems. Thus, you can benefit from your existing assets without exposing the whole internal landscape.
The Cloud Connector runs as an on-premise agent in a secured network and acts as a reverse invoke proxy between the on-premise customer network domain and SAP Analytics Cloud. Thanks to its reverse invoke support, you do not need to configure the on-premise firewall to allow external access from the cloud to internal systems.
Figure 6 : SAP Cloud Connector and SAP Analytics Cloud Agent Architecture
Compared to the approach of opening ports in the firewall and using reverse proxies in the customer Domain to establish access to on-premise systems, the Cloud Connector has the following advantages:
- The firewall of the on-premise network does not have to open an inbound port to establish connectivity from SAP Analytics Cloud to an on-premise system. In the case of allowed outbound connections, no modifications are required.
- The Cloud Connector allows propagating identity of cloud users to on-premise systems in a secure way.
- The Cloud Connector is easy to install and configure, that is, it comes with a low TCO and fits well with cloud scenarios. SAP provides standard support for it.
5.3.1.1 Configuration
You can connect only one SAP Cloud Connector to an SAP Analytics Cloud tenant.
You can connect multiple SAP Analytics Cloud tenants from one SAP Cloud Connector.
Figure 7 : SAP Cloud Connector with multiple SAP Analytics Cloud tenants
In the case of multi-domain access, you can now connect several SAP Cloud Connectors to a single tenant. This configuration makes it possible to connect data sources located in different domains or at different providers.
Figure 8 : Configuration supported
5.3.1.2 Network Prerequisites
SAP Cloud Connector allows a specific proxy to be used; it is set in its configuration tool.
Nevertheless, your Cloud Connector needs an Internet connection at least to the following hosts (depending on the region) in order to connect:
Region (Region Host) | Hosts / IP Address |
---|---|
Neo Environment | See https://help.sap.com/viewer/cca91383641e40ffbe03bdc78f00f681/Cloud/en-US/e23f776e4d594fdbaeeb1196d47bbcc0.html#loioe23f776e4d594fdbaeeb1196d47bbcc0__neo |
Cloud Foundry Environment (note: in the Cloud Foundry environment, IPs can change, as they are controlled by the respective IaaS layer underneath; therefore there are no static IPs or IP ranges that can be provided for usages like IP whitelisting) | See https://help.sap.com/viewer/cca91383641e40ffbe03bdc78f00f681/Cloud/en-US/e23f776e4d594fdbaeeb1196d47bbcc0.html#loioe23f776e4d594fdbaeeb1196d47bbcc0__cf |
Trial (Cloud Foundry and Neo Environment) | See https://help.sap.com/viewer/cca91383641e40ffbe03bdc78f00f681/Cloud/en-US/e23f776e4d594fdbaeeb1196d47bbcc0.html#loioe23f776e4d594fdbaeeb1196d47bbcc0__trial |
5.3.1.3 Tenant ID, S-User & Password
Before configuring the Cloud Connector for the first time, the SAP Analytics Cloud system owner must configure their S-User account ID.
See the following page for more information and the steps: Installing the SAPCP Cloud Connector.
5.3.1.4 Setting Steps
Step | Description | Owner |
---|---|---|
JVM release | Check the JVM release according to your operating system. For supported SAP JVM versions, see Prerequisites. You can download the SAP JVM here. | IT Expert |
Apply network prerequisites | See chapter 5.3.1 | Network Expert |
Request S-User, Password and Tenant ID | See chapter 5.3.3 | Business Intelligence Expert |
Install SAP Cloud Connector | | IT Expert |
Configure SAP Cloud Connector (SCC) | As soon as the SAP Analytics Cloud Agent is installed and configured (see next chapter), you can configure SCC. See https://help.sap.com/doc/00f68c2e08b941f081002fd3691d86a7/release/en-US/8d8511532794429caa243b6fb7c79989.html Warning: leave the Location ID field blank. SAP Analytics Cloud can support only one SAP Cloud Connector. | Business Intelligence Expert |
5.3.2 SAP Analytics Cloud Agent
The SAP Analytics Cloud, on-premise access agent (SAP Analytics Cloud agent) is a connectivity component.
SAP Analytics Cloud agent is an on-premise data connectivity component that is used to:
- Import data connections from SAP Business Planning and Consolidation version for Microsoft Platform (BPC MS)
- Import data connections from SAP Business Warehouse (BW).
- Import data connections from SAP BusinessObjects Business Intelligence platform
- Import data connections from SAP ERP and S4/HANA
It is recommended to install the SAP Analytics Cloud Agent on the same server as the SAP Cloud Connector.
5.3.2.1 Setting Steps
Step | Description | Owner |
---|---|---|
Apache Tomcat 7 or higher | For more information, see Apache Tomcat Setup. | IT Expert |
Install SAP Analytics Cloud Agent | | IT Expert |
Configure and check SAP Analytics Cloud Agent | | Business Intelligence Expert |
Install the JCo library if you want to connect SAP ERP, SAP BW and SQL | Installing the SAP Java Connector (JCo). | IT Expert |
5.4 Further Reading
- Import Data Connection
https://help.sap.com/doc/00f68c2e08b941f081002fd3691d86a7/release/en-US/5339a2395ccd4befb047c625a15f8481.html
- Installing SAPCP Cloud Connector
https://help.sap.com/doc/00f68c2e08b941f081002fd3691d86a7/release/en-US/ae39ab60b1154c179e2baabd26aa249c.html
- Installing SAP Analytics Cloud Agent
https://help.sap.com/doc/00f68c2e08b941f081002fd3691d86a7/release/en-US/7c35129451f5432194773adac7f89598.html
- Troubleshooting SAP Cloud Connector Installation – Amol Gupta
https://blogs.sap.com/2015/12/24/troubleshooting-hana-cloud-connector-installation-developer-edition/
- Troubleshooting SAP Analytics Cloud Agent – Julian Jimenez
https://blogs.sap.com/2016/08/26/troubleshooting-guide-sap-businessobjects-cloud-agent/
6. Single-Sign-on (SSO)
The following are some of the advantages you can have with SSO:
- Users need only a single username/password pair to access multiple services. Thus, they do not have the issue of remembering multiple username/password pairs.
- Users are authenticated only once at the identity provider and then they are automatically logged into all services within that "trust-domain".
- This process is more convenient to users since they do not have to provide their username/password at every service provider.
- Service providers do not have the overhead of managing user identities, which is more convenient for them.
- User identities are managed at a central point. This is more secure, less complex and easily manageable.
SAP Analytics Cloud fully supports the SAML 2.0 web browser-based SSO. SAP Cloud Identity is delivered by default and can act as the identity provider of a single sign on system with minimal configurations.
6.1. What is SAML 2?
SAML 2 (Security Assertion Markup Language) is an OASIS standard for exchanging authentication and authorization data between security domains. SAML 2.0 is an XML-based protocol that uses security tokens containing assertions to pass information about a principal (usually an end user) between an identity provider and a web service provider (SAP Analytics Cloud). SAML 2.0 enables web-based authentication and authorization scenarios including single sign-on (SSO). General information relating to SAML 2 is available in PDF form at http://docs.oasis-open.org/security/saml/v2.0/
6.2. SAP Analytics Cloud Single-Sign-on
SAML 2 federation involves two parties:
- An identity provider (IdP): authenticates users and, if successful, provides an authentication assertion to the service providers. As identity provider, SAP Analytics Cloud provides SAP Cloud Identity by default; customers can set up their own SAML 2-based identity provider.
- A service provider (SP): relies on the identity provider to authenticate users. SAP Analytics Cloud, but also the back-end data sources (HANA, BW, S4/HANA or Universe), can rely on the same identity provider for authentication.
Figure 9 : SAML 2 process flow between SAP Analytics Cloud and Identity Provider
Description of process flow:
- The user tries to log in to SAP Analytics Cloud from a Chrome browser.
- SAP Analytics Cloud responds by generating a SAML request.
- The browser redirects the user to the Identity Provider.
- The Identity Provider parses the SAML request and verifies whether the user is already authenticated.
- The Identity Provider asks for authentication. If the user is already authenticated on the Identity Provider, this step is skipped and the IdP directly generates a SAML response.
- Identity Provider returns the encoded SAML response to the browser.
- The browser sends the SAML response to SAP Analytics Cloud for verification.
- If the verification is successful, the user will be logged in to SAP Analytics Cloud and granted access to all the various resources.
6.2.1. Some remarks
SAML 2 uses a claim attribute to map identities between the Identity Provider and the Service Provider(s). It can be the user ID, the email address or any custom field. The mapping attribute is case sensitive; SAP Analytics Cloud only supports uppercase for the User ID.
The SAML 2 process flow is strictly time-dependent. It must be completed within the very short validity period specified by the optional NotBefore and NotOnOrAfter attributes. Please check the clock of the Identity Provider server and/or of the data source servers.
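The two remarks above (the NotBefore/NotOnOrAfter window and the case-sensitive mapping attribute) are the usual causes of a failed login that is otherwise configured correctly. The following checker is an added example (not SAP's code and not a SAML library) that reads those two pieces of a SAML response and reports what a troubleshooter would want to know; the response XML, the IdP URL, the user name and the clock values are constructed placeholders, and the sample assertion is unsigned because signature verification, which a real service provider performs first, is outside this check.

```python
"""Troubleshoot the time window and the NameID mapping of a SAML 2 response.

Added example, not SAP's code. The sample response below is constructed and
unsigned; a real SP validates the XML signature before looking at anything else.
"""
from datetime import datetime, timedelta, timezone
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}

# Constructed sample: the IdP issues the assertion for "jdoe" with a
# 5-minute window that opens 30 seconds before issue time (a typical skew margin).
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_resp1" Version="2.0"
    IssueInstant="2018-10-01T10:00:00Z">
  <saml:Issuer>https://idp.example.com/saml</saml:Issuer>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2018-10-01T10:00:00Z">
    <saml:Issuer>https://idp.example.com/saml</saml:Issuer>
    <saml:Subject>
      <saml:NameID>jdoe</saml:NameID>
    </saml:Subject>
    <saml:Conditions NotBefore="2018-10-01T09:59:30Z" NotOnOrAfter="2018-10-01T10:05:00Z"/>
  </saml:Assertion>
</samlp:Response>"""


def _parse_saml_time(value):
    """SAML dateTime values are UTC with a trailing 'Z'; make them aware datetimes."""
    if value.endswith("Z"):
        value = value[:-1] + "+00:00"
    return datetime.fromisoformat(value)


def check_assertion(xml_text, now, known_users, allowed_skew=timedelta(0)):
    """Return a list of findings; an empty list means both checks pass.

    now           -- the service provider's clock (aware datetime)
    known_users   -- the user IDs existing in SAC, compared case-sensitively
    allowed_skew  -- tolerance applied to NotBefore/NotOnOrAfter (constructed knob)
    """
    findings = []
    root = ET.fromstring(xml_text)
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        raise ValueError("no plain <saml:Assertion> found (encrypted or malformed response)")

    # 1. Validity window: NotBefore is inclusive, NotOnOrAfter is exclusive.
    cond = assertion.find("saml:Conditions", NS)
    not_before = cond.get("NotBefore") if cond is not None else None
    not_on_or_after = cond.get("NotOnOrAfter") if cond is not None else None
    if not_before and now + allowed_skew < _parse_saml_time(not_before):
        findings.append(f"assertion not yet valid: NotBefore={not_before}, "
                        f"SP clock={now.isoformat()} (IdP clock ahead of SP?)")
    if not_on_or_after and now - allowed_skew >= _parse_saml_time(not_on_or_after):
        findings.append(f"assertion expired: NotOnOrAfter={not_on_or_after}, "
                        f"SP clock={now.isoformat()} (IdP clock behind SP, or flow too slow)")

    # 2. Mapping attribute: exact, case-sensitive match against the SAC user list.
    name_id = assertion.findtext("saml:Subject/saml:NameID", default="", namespaces=NS)
    if name_id not in known_users:
        hint = ""
        if name_id.upper() in {u.upper() for u in known_users}:
            hint = " (a user differs only by letter case; SAC expects uppercase User IDs)"
        findings.append(f"NameID {name_id!r} matches no SAC user{hint}")
    return findings


if __name__ == "__main__":
    # Constructed SP clock 10 seconds after issue; SAC user list holds "JDOE".
    sp_now = datetime(2018, 10, 1, 10, 0, 10, tzinfo=timezone.utc)
    for line in check_assertion(SAMPLE_RESPONSE, sp_now, {"JDOE"}):
        print(line)
```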
6.2.2. Settings principles
As seen above, there are basically two roles: service providers and identity providers (IdP). The important characteristic of a single sign-on system is the pre-defined trust relation between the service providers and the identity provider: service providers trust the assertions issued by the identity provider, and the identity provider issues assertions based on the results of authenticating and authorizing the principals that access services at the service providers.
If you decide to use SAP Cloud Identity, you do not need any settings; it is configured by default. Otherwise, follow this process:
- Get SAP Analytics Cloud Service Provider metadata (with certificate)
- Configure Service Provider into Identity Provider based on SAP Analytics Cloud Service Provider metadata.
- Get Identity Provider Metadata.
- Upload Identity Provider metadata into SAP Analytics Cloud
- Indicate the mapping attribute (User ID, email address or any custom field)
- Test before saving configuration, and apply change.
6.3. Identity Providers
SAP Analytics Cloud supports SAML 2 Identity Providers based on the OASIS specification: https://docs.oasis-open.org/security/saml/v2.0/saml-core-2.0-os.pdf
We have already experienced the following products:
- SAP Cloud Identity (Default)
- Active Directory Federation Services
- Azure Active Directory SSO
- Okta
- WSO2 Identity Server
- F5 Identity Provider
6.3.1. Third party Identity Providers location and network settings
Depending on where your Identity Provider is located, please ensure that the browser is able to access it.
Figure 10 : Different Identity Provider Locations
6.4. User & role management
When a custom Identity Provider is set, you have to map users between your Identity Provider and SAP Analytics Cloud. The login credential depends on the user attribute you selected when you set up the Identity Provider. If you selected Custom SAML User, the login credential should be the user ID of your account on your SAML Identity Provider.
If Email is selected, the login credential should be the email address of your account on your SAML Identity Provider. If User is selected, the login credential is set to your SAP Analytics Cloud user name by default.
At the beginning, it is very important to align the user lists of the Identity Provider and the Service Provider (SAC). You can enter users manually, but the mapping attribute is case sensitive. There are two options to simplify and secure user deployment:
- You can upload and map a user list into SAP Analytics Cloud, either from a CSV file or from Active Directory. Because the mapping attribute is case sensitive, uploading the user list ensures a smooth and fast deployment.
- You can select dynamic user creation in SAP Analytics Cloud. When dynamic user creation is enabled, new users are automatically created with the default role and can use SAML SSO to log on to SAP Analytics Cloud. To make mapping SAML attributes to users, and mapping roles using SAML attributes, work with dynamic user creation, you must submit an SAP Product Support Incident at the following link: https://launchpad.support.sap.com/#incident/solution using the component LOD-ANA-BI. In the support ticket, indicate that you want to set up user profiles and role assignment based on custom SAML attributes, and include your SAP Analytics Cloud tenant URL.
You can also create a SAML role mapping to automatically assign roles to users based on their SAML attributes. Please read: https://help.sap.com/doc/00f68c2e08b941f081002fd3691d86a7/release/en-US/8cef38224562457fa87069a6d8e596ab.html
6.5. Back-end Single Sign-on
To enable an end-to-end live connection SSO scenario, SAP Analytics Cloud supports SAML 2 SSO for connecting to the following data sources:
- SAP HANA
- SAP BW / SAP BW/4HANA
- SAP S4/HANA
6.6. Setting Steps
Step | Description | Owner |
---|---|---|
Identity Provider settings in SAC | Enabling a Custom SAML Identity Provider | Business Intelligence Expert (Admin) |
Service Provider settings in Identity Provider | Depending on the Identity Provider | Identity Provider Expert |
SSO data source settings | See chapter: Back-end Single Sign-on | Data Source IT Expert |
Connector settings in SAC | | Business Intelligence Expert |
Network settings | | Network & Security Expert |
6.7. Further Reading
- Enabling a Custom SAML Identity Provider
https://help.sap.com/doc/00f68c2e08b941f081002fd3691d86a7/release/en-US/3651184dad944aa2b361ad029a7a8cae.html
- SAML authentication in SAP Analytics Cloud – Julian Jimenez
https://blogs.sap.com/2017/07/13/saml-authentication-in-sap-analytics-cloud/
- SAP Note: How to configure SAP Analytics Cloud SAML SSO using ADFS
2487116 - How to configure SAP Analytics Cloud SAML SSO using AD FS (Active Directory Federation Services)
- Tutorial: Azure Active Directory integration with SAP Analytics Cloud
https://docs.microsoft.com/en-us/azure/active-directory/active-directory-saas-sapboc-tutorial
- SAP Note: Troubleshooting SAML assertions when configuring SAML SSO in SAP Analytics Cloud
2487567 - Troubleshooting SAML assertions when configuring SAML SSO in SAP Analytics Cloud
- What is SAML2? by Tarun Telang
https://blogs.sap.com/2013/05/31/what-is-saml2/
- SSO Setup for SAP Analytics Cloud using okta as an Identity Provider – by Jagdeesh Neelakantan
https://blogs.sap.com/2017/07/24/sso-setup-for-sap-analytics-cloud-using-okta-as-an-identity-provider/
- Embedding SAP Analytics Cloud Story with URL API and SAML2 SSO based on WSO2 Identity Server – by Thierry Pierre
https://blogs.sap.com/2017/09/30/embedding-sap-analytics-cloud-story-with-url-api-and-saml2-sso-based-on-wso2-identity-server/
- Dong Pan's excellent blogs on SSO and Data Access with SAP Analytics Cloud
- Greg Wcisclo's blogs for an example of using ADFS with SAP Analytics Cloud
11 Comments
Ty Miller
This is an amazing wiki. Very thorough. Well done Thierry!
Nina Bao
Very detailed and helpful. Thanks a lot!
Katryn Cheng
Great wiki, Thierry! Thanks for your hard work putting this together. Definitely appreciated!
Tom Chelednik
Well done, Thierry! You definitely covered it all. Thx!
Karthik Kanniyappan
Excellent, Thierry. This is like a Bible. The better we keep this entire article in mind, the better we are at making SAC connected to the data sources of the world!
Tuncay Karaca
Great job! Well done! Thanks.
Alexey Dugarov
Hi Thierry!
Why, starting with 2018.19, is there no SAC help documentation about Reverse Proxy for both HANA and BW? https://help.sap.com/doc/00f68c2e08b941f081002fd3691d86a7/2018.20/en-US/index.html
The same changes were made to the general schema for live connections https://help.sap.com/doc/00f68c2e08b941f081002fd3691d86a7/2018.20/en-US/5b4dad4d97664c41ae63bf1153e5e91e.html
What is the performance comparing Reverse Proxy and Direct CORS?
Henry Banks
Hi,
I think it's because this setup isn't really anything to do with the SAC product, but more a peculiarity of corporate IT infrastructures - it's effectively outside our scope, and having to document a configuration guide for all the various flavours of proxy was going above and beyond. It also gave customers the impression that some were certified and others not, whereas actually they all pretty much do the same thing and don't need validating by our service.
Regards, H
Cornelius Schaefer
Thanks for the detailed article!
Have you got any source for the figures mentioned in "5.2. Prerequisites & Limitations"?
I was looking for that information for a while but couldn't find anywhere.
Henry Banks
Yes sure, it's from the Help Guide, this page here: https://help.sap.com/doc/00f68c2e08b941f081002fd3691d86a7/release/en-US/11b4e5ff76eb4747bc255d7037be1f01.html#loio11b4e5ff76eb4747bc255d7037be1f01__p_connectimport Regards, H
Xavier Polo
Links for S/4HANA connections are down.
S/4HANA
SAP S/4HANA Cloud Edition via OAuth