
I’ve heard many questions from customers trying to implement different SAML Identity Providers with SAP Analytics Cloud.

First things first: what is SAML?

Security Assertion Markup Language (SAML) is an open-standard data format for exchanging authentication and authorization data between parties. We can see the three parties involved and a very simplified exchange in the following picture:

SAP Analytics Cloud is the service provider. The browser attempts to access the application and is redirected to a third-party Identity Provider, which is responsible for authenticating the user.

The good news is that this is the native method used. When you receive your tenant URL and log in to SAP Analytics Cloud for the very first time, you are redirected to SAP Cloud Platform Identity Authentication service. This is the SAML Identity Provider used by default.

How to configure your own SAML Identity Provider (IdP)?

You have a self-service tool in the menu:

System > Administration > Security (tab)

The product guide offers a section on the configuration: Enabling SAML Single Sign-On (SSO). As mentioned before, the product is already enabled for SAML SSO. This section should be named: Enabling your own SAML Identity Provider.

I will only clarify some steps that I have been asked multiple times.

Step 1: Download Service Provider Metadata

This XML file contains the certificate for your SAP Analytics Cloud tenant. It has to be imported into your SAML Identity Provider (IdP).

You don’t need to change anything in it. It may look a bit confusing at first, because these two tags point to different locations (the tenant host name and the Assertion Consumer Service endpoint):

<KeyName>yourcompany.us1.businessobjects.cloud</KeyName>

<ns3:AssertionConsumerService index="0" isDefault="true" Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://authn.us1.hana.ondemand.com/saml2/sp/acs/aa10027b00/aa10027b00"/>


Simply ask the IdP administrator to import that file. Some examples:

Active Directory Federation Services: see public KBA 2487116.

SAP Cloud Platform Identity Authentication: see the product documentation, section Configure a Trusted Service Provider.


Step 2: Upload Identity Provider Metadata

This is very simple: take the XML file that your IdP administrator gave you and upload it. Are you the IdP administrator but don’t know where to find that file? Here are some examples:

Azure AD Federation Metadata: https://login.microsoftonline.com/<TenantDomainName>/FederationMetadata/2007-06/FederationMetadata.xml

Active Directory Federation Services: https://yourserver.yourdomain.com/FederationMetadata/2007-06/FederationMetadata.xml

SAP Cloud Platform Identity Authentication Service: Documented in section: Tenant SAML 2.0 Configuration


Step 3: Choose a user attribute to map to your identity provider

This is the step where it usually gets more complicated than it should, for a couple of reasons:

  • The attribute matching is case sensitive
  • Claim transformations are incorrectly configured in your IdP

The two main attributes you will want to use when mapping SAP Analytics Cloud users to your IdP users are email and User ID.

The User ID is always uppercase in SAP Analytics Cloud and may differ from the one in your corporate Identity Provider.

I received a few questions related to the Name ID attribute:

<NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">JULIAN</NameID>

This is returned by the Identity Provider in the assertion it sends back to the Service Provider (SAP Analytics Cloud). You won’t find it in any of the .xml files you used so far. If you want to see it, you need to use the Web Development tools in Chrome. You can find complete details in KBA 2487567.

In my example, what is returned is the value JULIAN. As you may suspect, in this case, I need to select User ID in my attribute mapping in SAP Analytics Cloud. It should work as that is my User ID in SAP Analytics Cloud. It would have failed if the attribute returned was Julian.

What happens if my company uses certificates, fingerprints…? Once you are authenticated, the SAML IdP can send the values from one of your attributes as a claim. For example, this is taken from AD FS:

Step 4: Verify your account with the Identity Provider

A few questions around this step:

  • Please verify the Login Credentials displayed in the previous step. If you see USER, that is the Name ID attribute expected to be returned from your IdP.
  • If the upper/lower case does not match exactly, you can select email instead. You then need to make sure that the Name ID attribute returned in the claim is also the email.
  • Incognito: why? You are already logged in to SAP Analytics Cloud with your user, and you are now logging in again using a different SAML IdP.
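To check the Name ID against the attribute chosen in Step 3 before running Step 4, here is an added example (not code from the post or from SAP Analytics Cloud) that reproduces the matching rules described above: exact, case-sensitive comparison on User ID, email or the Custom SAML User Mapping column. The assertion and the user list are constructed sample data; the Format check and the Recipient check against the ACS Location from the Service Provider metadata reflect the two other mismatches discussed on this page.

```python
"""Added example (not from the original post): check a captured SAML assertion
against the user attribute mapping selected in SAP Analytics Cloud (Step 3).
The assertion and the user directory below are constructed sample data."""
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
UNSPECIFIED = "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"
# ACS Location as it appears in the Service Provider metadata shown in Step 1.
ACS_LOCATION = "https://authn.us1.hana.ondemand.com/saml2/sp/acs/aa10027b00/aa10027b00"

# Constructed sample: the Subject of an assertion returned by the IdP for one login.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">Julian</saml:NameID>
    <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
      <saml:SubjectConfirmationData Recipient="https://authn.us1.hana.ondemand.com/saml2/sp/acs/aa10027b00/aa10027b00"/>
    </saml:SubjectConfirmation>
  </saml:Subject>
</saml:Assertion>"""

# Constructed sample of the SAC user list: User ID is always uppercase in SAC.
SAC_USERS = [
    {"user_id": "JULIAN", "email": "julian@company.example", "saml_mapping": ""},
]

def parse_subject(assertion_xml):
    """Return (NameID Format, NameID value, Recipient) from the Subject element."""
    root = ET.fromstring(assertion_xml)
    name_id = root.find(".//saml:Subject/saml:NameID", NS)
    data = root.find(".//saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    fmt = name_id.get("Format") if name_id is not None else None
    value = name_id.text.strip() if name_id is not None and name_id.text else ""
    recipient = data.get("Recipient") if data is not None else None
    return fmt, value, recipient

def check_mapping(assertion_xml, attribute, users, acs_location=ACS_LOCATION):
    """Return a list of findings; an empty list means the assertion maps to a user.
    attribute is "user_id", "email" or "saml_mapping" (Custom SAML User Mapping).
    The comparison is exact and case sensitive, as SAC behaves."""
    findings = []
    fmt, value, recipient = parse_subject(assertion_xml)
    if fmt != UNSPECIFIED:
        findings.append(f"NameID Format is {fmt!r}, expected {UNSPECIFIED!r}")
    if recipient != acs_location:
        findings.append(f"Recipient {recipient!r} does not match the SP ACS Location")
    if any(u[attribute] == value for u in users):
        return findings  # exact match on the chosen attribute
    loose = [u for u in users if u[attribute].lower() == value.lower()]
    if loose:
        findings.append(f"NameID {value!r} matches {loose[0][attribute]!r} only when ignoring case; "
                        "fix the claim transformation in the IdP or map on a different attribute")
    else:
        findings.append(f"NameID {value!r} matches no SAC user on {attribute}")
    return findings
```

Run it against the assertion captured with the Chrome developer tools to see which of the three mismatches (case, attribute, Recipient) is breaking the login.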

33 Comments


  1. Former Member

    Thanks for the article! When I tried it, I used email in the Name ID attribute, but I always got the ‘profile not configured for the system’ page after I log in through my custom idp. Could you shed some light on what might be the problem here?

    Thanks!

    (0) 
    1. Julian Jimenez Post author

      Hi Wei,

      I presume that the email that is returned doesn’t match any of the existing accounts in SAP Analytics Cloud.

      Check this KBA on how to capture the SAML assertions in Chrome so you can examine what is returned as NameID by your IdP:

      https://apps.support.sap.com/sap/support/knowledge/public/en/2487567

      Verify that the email returned exists (matching upper and lowercase) with one of the accounts in SAP Analytics Cloud.

      Regards,

      Julian

      (0) 
      1. Former Member

        Hi Julian,

        I checked the email address returned from my IdP, it matches with the current user’s email address. It seems that the “mapping to an existing user” step did not happen. If I hard code my IdP to have it return the user’s SCI profile ID (Pxxxx) as the NameID, then it works.


        Thanks,

        Wei

        (0) 
        1. Julian Jimenez Post author

          Hi Wei,

          Just to clarify, the email address is returned in the <NameID> tag of the assertion or as email address tag?

          In order to use email address as your credentials, it has to return in <NameID>.

          <NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">your.email@company.com</NameID>

          Regards,

          Julian

          (0) 
          1. Former Member

            Thanks for your help Julian!

            I finally found out that it is because my idp is returning the wrong Recipient in <SubjectConfirmation>. It works now!


            Thanks,

            Wei


            (1) 
            1. Matt Symes

              Hi Wei Li,

              I know it was a while ago, but can you remember how the IdP was set up incorrectly? We’re just going through setting up SSO for SAP Analytics Cloud against Microsoft Azure so trying to understand where the pitfalls may lie!

              Thanks,

              • Matt Symes
              (0) 
  2. Marcus Schiffer

    Hi Julian,

    thanks for the post. It works fine for me.

    I have, however, one question.

    Can we configure more than one ID provider ?

    Or in different words: When the ID provider is not available, could we still log on with the original SAP analytics account ?

    (0) 
    1. Julian Jimenez Post author

      Hi Marcus,

      At the moment we only have a single IdP for SAP Analytics Cloud. You can have your own SAP Cloud Identity that allows multiple Corporate Identity providers. I believe that the SLAs for this product are similar to SAP Analytics Cloud.

      If you want the option in the product to have multiple IdPs, I recommend you to request enhancements via Ideas Place: https://ideas.sap.com/boc

      If the IdP is not available, we don’t have yet a fallback method to allow the admin to log in. I will try to document something around this topic.

      Regards,
      Julian

      (0) 
      1. Matt Symes

        Hi Julian,

        We’re just going through the process of configuring SSO from SAC to Microsoft Azure AD. I’m experienced doing SSO from Azure AD to various applications and understand SAML2 protocol etc.

        We’re concerned that, if we make a mistake in the configuration, then there is a chance we will effectively lock ourselves out of SAC – since we won’t be able to SSO back into SAC to switch the config back to using SCI instead of Azure AD.

        Presumably, if we have an existing login session to SAC (as system owner), then that session will persist as we test SSO against Azure AD. So long as we don’t log out of that session we are ok. (And if we *do* log out or it times out – then we could be stuffed – and presumably would need to raise a ticket with SAP to have them reset the SSO config back to SCI for us – am I right???)

        Regards,

        • Matt Symes
        (0) 
  3. M. van Foeken

    Hi Julian,

    I’m stuck getting SAML SSO to work with Azure AD. I get the following error message:

    HTTP Status 500 – Service Provider SLO endpoint received LogoutResponse from Identity Provider https://sts.windows.net/75b2f54b-feff-400d-8e0b-67102edb9a23/ that is not signed

    This occurs after I entered the verification URL. I checked SAML NameID which displays email also available in SAC.

    Do you have any idea?

    With kind regards,

    Martijn van Foeken | Interdobs

    (0) 
    1. Julian Jimenez Post author

      Hi Martijn,

      I haven’t seen this error before. Have you used the template that Azure AD provides for SAP Analytics Cloud (BusinessObjects Cloud) when creating this Service Provider?


      Thanks,

      Julian

      (0) 
      1. M. van Foeken

        Hi Mark,

        Yes, I misconfigured it together with our Azure AD team. All necessary information is located in your metadata.xml file.

        With kind regards,

        Martijn van Foeken | Interdobs

        (2) 
  4. Simen Huuse

    Hi Julian!

    Thanks for posting this blog, great stuff! Is there a relation between the IdP in Analytics Cloud and the IdP setting in the underlying SAP Cloud Platform account?

    We have a particular case where we want to expose analytics to a C4C mashup without changing the IdP for the entire Analytics Cloud account.

    All the best,

    Simen

    @simenhuuse

    (0) 
    1. Julian Jimenez Post author

      Hi Simen,

      SAP Cloud Platform account and SAP Analytics Cloud use different SAP Cloud IdPs unfortunately. The same technology but different systems.

      You will need to have your own SAML IdP as you will require to import the SAC metadata file (as SAML service provider). You will require to have your own tenant of SAP Cloud Identity. If you have SAP NetWeaver Identity Management, you can follow the steps to configure C4C to use this SAML IdP.

      https://blogs.sap.com/2017/01/30/configurations-for-sso-with-saml2.0-between-sap-cloud-for-customer-and-sap-identity-provider/

      Regards,

      Julian

      (1) 
  5. Michael Healy

    Hi Julian,


    Thanks for this very instructive document.

    Does the user have to physically exist in C4A for SSO to work? I believe this to be true for C4C, is it the same for C4A?

    Thanks,

    Michael

    (0) 
      1. Michael Healy

        Hi Julian,

        Another quick question, so is my understanding that if you use dynamic user creation, IPS won’t be needed then if I am using ADFS? But if I am using IAS as the IDP, dynamic user creation does not work?

        cheers,

        Michael

        (0) 
        1. Julian Jimenez Post author

          Hi Michael,

          I am not sure if I understood the question. What is IPS in this context?

          If you use SAP IAS as IdP, you can also check that box. As long as the user exists in this IdP, it will be created in SAC.

          Regards,

          Julian

          (0) 
  6. Lutz Rottmann

    Hi Julian, very valuable information!

    Question:

    What happens when I misconfigure SAML2 authentication or SAML2 authentication breaks due to e.g. expired certificates?

    How will I be able to login as an administrator to fix it?

    Thanks, Lutz

    (0) 
    1. Julian Jimenez Post author

      Hi Lutz,

      Very good question. There are currently two scenarios:

      • Service Provider renewal (SAP Analytics Cloud). You get a warning and the certificate (metadata.xml) ahead of time so you can renew in your IdP.
      • IdP expiration: bad news for now as you locked yourself out. The only workflow available now is to send us the new metadata.xml from your IdP via Incident with Product Support. We requested development to have another authentication method so customers can resolve this problem themselves but it’s still in evaluation.

      Regards,

      Julian

      (0) 
  7. Former Member

    Hi Julian,

    If the name ID or email case in Azure AD doesn’t match the case defined in Analytics cloud, how else can the user attribute be mapped? Have you come across any such scenario?

    In our case, user ids are defined as <FIRSTNAMEFIRSTLETTER><Lastname> and email is defined as <FIRSTNAMEFIRSTLETTER><Lastname>@<DOMAIN>.COM in Azure AD. However in Analytics cloud, username is all uppercase <FIRSTNAMEFIRSTLETTER><LASTNAME> while the email is all lower case <firstnamefirstletter><lastname>@<domain>.com. I am trying to come up with a way on how the user can be mapped between IDP & SAC. Any suggestions?


    Regards,

    Sid

    (0) 
    1. Julian Jimenez Post author

      Hi Sid,

      You can always select Custom SAML User Mapping. There are three methods to map your users: USER ID, email and “SAML User Mapping”. That will open a new column in your Security > Users that will allow you to type whatever you want. You can type whatever you need to match the “Name ID” claim returned by Azure AD.

      Cheers,

      Julian

      (0) 
  8. Fernando Satorra

    Hi guys,

    Nice post and comments. I did the setup to use “Custom SAML User Mapping” and everything looked fine.

    But… when I tried to login through ADFS I got the error “Bad Request”.

    I captured the SAML message sent to “https://authn.us2.hana.ondemand.com/saml2/sp/acs/…” and it says in the user id part:

    <Subject>
    <NameID>ext-fangio</NameID>
    <SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">

    I verified in SAC that in the column “SAML USER MAPPING” also says “ext-fangio” for this user.

    Am I doing right? What could be the cause for the “Bad Request”?

    Thank you and best regards,

    Fernando

    (0) 
    1. Julian Jimenez Post author

      Hi Fernando,

      You can post this question directly to the SAC area: https://www.sap.com/community/tag.html?id=67838200100800006884

      For specific questions on ADFS, I would recommend this KBA: https://apps.support.sap.com/sap/support/knowledge/public/en/2487116

      Have you tested with other users?

      I have tenants working correctly using only <NameID> but you will have problems with the logout. The Name ID should have this format:

      <NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">

      Thanks,

      Julian

      (1) 
  9. Former Member

    Hello!

    I’m trying to use help & your blog, but it looks strange. I cannot upload xml back to SAC

    I can see some values in XML

    <ns3:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://authn.hanatrial.ondemand.com/saml2/sp/slo/i335953trial/i335953trial"/><ns3:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://authn.hanatrial.ondemand.com/saml2/sp/slo/i335953trial/i335953trial"/>

    But it seems SAC cannot parse it correctly…

    Does a trial account in SCP allow using an IdP for SAC?

    (0) 
      1. Julian Jimenez Post author

        You seem to be trying to import HANA trial that is a Service Provider as SAML Identity Provider.

        You need the metadata of an Identity Provider: ADFS, Okta, SAP AIS, etc.

        Regards,
        Julian

        (1) 
  10. Sachin Goyal

    Hi Julian,

    We are trying to integrate CA SiteMinder as IDP and SAP Analytics as SP with SAML 2.0 protocol and are getting issues while importing the metadata. It is not recognizing SSO & SLO URLs and there is no option to add them manually either. Can you please suggest if there is any additional setting that needs to be done for SAML integration of CA SiteMinder with SAP Analytics.

    Any help in this would be highly appreciated.

    Regards,

    Sachin


    (1) 
    1. Julian Jimenez Post author

      Hi Sachin,

      You should ask that question to your SAML IdP vendor. The metadata from your IdP must be incorrect. You can test it with a different SAML service provider to confirm that it’s incorrect.

      Thanks,

      Julian

      (1) 
  11. Matt Harding

    Hi Julian,

    Good simple to follow doco here, but if you can influence the backlog for SAC – just wanted to raise a +1 (if you are keeping track) for a customer who really needs a case insensitive option going forward (or at least an SAC API to update the aliases) since both email and SAM Account Names are manually maintained and never consistently capitalised!

    FYI – I noted the SMP Note mentioning that this is being investigated as to whether it will be done.

    Cheers,

    Matt

    (0) 
