
I’ve heard many questions from customers trying to implement different SAML Identity Providers with SAP Analytics Cloud.

First things first: what is SAML?

Security Assertion Markup Language (SAML) is an open-standard data format for exchanging authentication and authorization data between parties. We can see the three parties involved and a very simplified exchange in the following picture:

SAP Analytics Cloud is the service provider (SP). The browser requests access to the application and is redirected to a third-party Identity Provider (IdP), which authenticates the user and sends the browser back to SAP Analytics Cloud with a signed SAML assertion.

The good news is that this is the native method used. When you get your tenant URL and login for the very first time to SAP Analytics Cloud, you are redirected to SAP Cloud Platform Identity Authentication service. This is the SAML Identity Provider used by default.

How to configure your own SAML Identity Provider (IdP)?

You have a self-service tool in the menu:

System > Administration > Security (tab)

The product guide offers a section on the configuration: Enabling SAML Single Sign-On (SSO). As mentioned before, the product is already enabled for SAML SSO. This section should be named: Enabling your own SAML Identity Provider.

I will only clarify some steps that I have been asked multiple times.

Step 1: Download Service Provider Metadata

This XML file contains the SAML metadata of your SAP Analytics Cloud tenant, including its signing certificate and the endpoint that receives assertions. It has to be imported into your SAML Identity Provider (IdP).

You don’t need to change anything in it. It may look confusing that the tags point to different hosts: the KeyName carries your tenant host name, while the AssertionConsumerService Location is on authn.us1.hana.ondemand.com, the SAP Cloud Platform authentication endpoint that receives the assertion on behalf of your tenant. Both belong to the same tenant, so import the file as it is:

<KeyName>yourcompany.us1.businessobjects.cloud</KeyName>

<ns3:AssertionConsumerService index="0" isDefault="true" Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://authn.us1.hana.ondemand.com/saml2/sp/acs/aa10027b00/aa10027b00"/>

Simply ask the IdP administrator to import that file. Some examples:

Active Directory Federation Services (AD FS): public KBA 2487116

SAP Cloud Platform Identity Authentication: product documentation, section Configure a Trusted Service Provider

Step 2: Upload Identity Provider Metadata

This one is simple: upload the XML file that your IdP administrator gave you. Are you the IdP administrator but don’t know where to find that file? Some examples:

Azure AD Federation Metadata: https://login.microsoftonline.com/<TenantDomainName>/FederationMetadata/2007-06/FederationMetadata.xml (if you registered SAP Analytics Cloud as an enterprise application, use the app-specific federation metadata URL shown on that application’s single sign-on page instead, the one with an appid query parameter: an enterprise application signs with its own certificate, which the tenant-wide document does not contain)

Active Directory Federation Services: https://yourserver.yourdomain.com/FederationMetadata/2007-06/FederationMetadata.xml

SAP Cloud Platform Identity Authentication Service: documented in section Tenant SAML 2.0 Configuration

Step 3: Choose a user attribute to map to your identity provider

This is the step where it usually gets more complicated than it should be, for a couple of reasons:

  • It’s case sensitive
  • Transformations incorrectly configured in your IdP

The two attributes you will normally use to map SAP Analytics Cloud users to your IdP users are email or User ID.

User IDs are always stored in uppercase in SAP Analytics Cloud, so the value your corporate Identity Provider sends may not match unless you uppercase it on the IdP side.

I have received a few questions about the Name ID attribute:

<NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">JULIAN</NameID>

This element is part of the assertion that the Identity Provider sends back to the Service Provider (SAP Analytics Cloud) through the browser. You won’t find it in any of the .xml files used so far; it only exists at login time. To see it, capture the SAMLResponse form parameter that the browser posts to the ACS URL with the Chrome developer tools (Network tab) and base64-decode it. KBA 2487567 has the complete steps.

In my example, the value returned is JULIAN. As you may suspect, I then need to select User ID in my attribute mapping in SAP Analytics Cloud, and it works because that is exactly my User ID there. It would have failed had the IdP returned Julian.

What if my company authenticates with certificates, smart cards or fingerprints? That is the IdP’s concern: SAP Analytics Cloud never sees the credential, only the assertion. Once the IdP has authenticated you, it can send the value of one of your directory attributes as the Name ID claim. For example, in AD FS this is a claim rule on the relying party trust that maps an LDAP attribute to the Name ID outgoing claim type (shown as a screenshot in the original post, not reproduced here):

Step 4: Verify your account with the Identity Provider

A few questions around this step:

  • Please verify the Login Credentials displayed in the previous step. If you see USER, that is the Name ID value expected to be returned by your IdP.
  • If the upper/lowercase doesn’t match completely, you can select email instead. You then need to make sure that the Name ID returned in the assertion is the email address, again exactly as stored in SAP Analytics Cloud.
  • Incognito: why? Your browser already holds a session with SAP Analytics Cloud for your user through the current IdP. The verification opens a fresh session in a private window so that it goes through the new SAML IdP instead of reusing the existing session.
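The four steps above come down to a handful of values that must agree: the entityID and the ACS Location from the Step 1 metadata, and the NameID, Recipient, Audience and signature inside the assertion your IdP posts back. The script below is an added example, not SAP’s code and not the tooling from the KBAs: it parses a constructed SP metadata file modelled on the two tags quoted in Step 1, decodes a constructed SAMLResponse of the kind you would capture with the browser developer tools, and reports what would make the login fail, including the case problem from Step 3. The tenant entityID (assumed to equal the KeyName), the IdP issuer URL, the user JULIAN and the e-mail address are assumptions. It only checks that a signature element is present; verifying it is the service provider’s job.

```python
# Added example, not SAP's code: offline checks on a captured SAMLResponse.
# The metadata and the response are constructed; entityID, IdP issuer, user and e-mail are assumptions.
import base64
import xml.etree.ElementTree as ET

NS = {  # namespaces used by SAML 2.0 metadata, protocol, assertions and XML-DSig
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
ACS_URL = "https://authn.us1.hana.ondemand.com/saml2/sp/acs/aa10027b00/aa10027b00"
ENTITY_ID = "yourcompany.us1.businessobjects.cloud"  # assumed equal to the KeyName in the post

# Constructed stand-in for the Step 1 download; a real file carries more elements.
SP_METADATA_XML = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" entityID="%s">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:AssertionConsumerService index="0" isDefault="true"
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="%s"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>""" % (ENTITY_ID, ACS_URL)


def build_sample_response(name_id, recipient=ACS_URL, signed=True):
    """Constructed IdP response, base64-encoded like the SAMLResponse form field the browser posts."""
    sig = "<ds:Signature><ds:SignatureValue>PLACEHOLDER</ds:SignatureValue></ds:Signature>" if signed else ""
    xml = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
  ID="_r1" Version="2.0" IssueInstant="2018-01-01T00:00:00Z" Destination="%s">
  <saml:Issuer>https://idp.example.com/adfs/services/trust</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2018-01-01T00:00:00Z">
    <saml:Issuer>https://idp.example.com/adfs/services/trust</saml:Issuer>%s
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">%s</saml:NameID>
      <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml:SubjectConfirmationData Recipient="%s" NotOnOrAfter="2018-01-01T00:05:00Z"/>
      </saml:SubjectConfirmation>
    </saml:Subject>
    <saml:Conditions><saml:AudienceRestriction><saml:Audience>%s</saml:Audience></saml:AudienceRestriction></saml:Conditions>
  </saml:Assertion>
</samlp:Response>""" % (ACS_URL, sig, name_id, recipient, ENTITY_ID)
    return base64.b64encode(xml.encode()).decode()


def parse_sp_metadata(xml_text):
    """The two SP values the IdP must echo back: entityID (as Audience) and the HTTP-POST ACS URL (as Recipient)."""
    root = ET.fromstring(xml_text)
    acs = root.find(".//md:AssertionConsumerService[@Binding='urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST']", NS)
    return {"entity_id": root.get("entityID"), "acs_url": acs.get("Location")}


def choose_mapping(name_id, sac_user_id, sac_email):
    """SAC compares the NameID byte for byte: return (attribute to select in Step 3, exact match?)."""
    if name_id == sac_user_id:
        return ("User ID", True)
    if name_id == sac_email:
        return ("email", True)
    if name_id.upper() == sac_user_id:  # e.g. the IdP sends Julian while SAC stores JULIAN
        return ("User ID", False)
    if name_id.lower() == sac_email.lower():
        return ("email", False)
    return (None, False)


def inspect_response(response_b64, sp, sac_user_id, sac_email):
    """Decode the captured SAMLResponse and list what would fail. Signature presence only, no verification."""
    root = ET.fromstring(base64.b64decode(response_b64))
    assertion = root.find("saml:Assertion", NS)
    name_id = assertion.find("saml:Subject/saml:NameID", NS)
    scd = assertion.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    audience = assertion.find("saml:Conditions/saml:AudienceRestriction/saml:Audience", NS)
    report = {
        "name_id": name_id.text,
        "name_id_format": name_id.get("Format"),
        "recipient": None if scd is None else scd.get("Recipient"),
        "audience": None if audience is None else audience.text,
        "signed": root.find("ds:Signature", NS) is not None or assertion.find("ds:Signature", NS) is not None,
        "mapping": choose_mapping(name_id.text, sac_user_id, sac_email),
        "findings": [],
    }
    if not report["signed"]:
        report["findings"].append("neither the Response nor the Assertion carries a ds:Signature")
    if report["recipient"] != sp["acs_url"]:
        report["findings"].append("Recipient %r does not match the SP ACS Location %r" % (report["recipient"], sp["acs_url"]))
    if report["audience"] != sp["entity_id"]:
        report["findings"].append("Audience %r does not match the SP entityID %r" % (report["audience"], sp["entity_id"]))
    attribute, exact = report["mapping"]
    if attribute is None:
        report["findings"].append("NameID %r matches neither the User ID nor the email of the SAC account" % name_id.text)
    elif not exact:
        report["findings"].append("NameID %r matches the %s only after case folding: fix the claim in the IdP" % (name_id.text, attribute))
    return report


if __name__ == "__main__":
    sp = parse_sp_metadata(SP_METADATA_XML)
    samples = (("uppercase NameID", build_sample_response("JULIAN")),
               ("mixed-case NameID", build_sample_response("Julian")),
               ("wrong Recipient", build_sample_response("JULIAN", recipient=ACS_URL.replace("aa10027b00", "wrong"))))
    for label, b64 in samples:
        report = inspect_response(b64, sp, "JULIAN", "julian@example.com")
        print(label, "->", report["mapping"], report["findings"] or "no findings")
```

To use it on a real tenant, paste the Step 1 metadata into SP_METADATA_XML and the SAMLResponse value captured in the developer tools in place of the constructed one; the Recipient check is the one that would have caught the problem reported in the comments below.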

11 Comments


  1. Wei Li

Thanks for the article! When I tried it, I used email in the Name ID attribute, but I always got ‘profile not configured for the system’ page after I log in through my custom IdP. Could you shed some light on what might be the problem here?

    Thanks!

    1. Julian Jimenez Post author

      Hi Wei,

      I presume that the email that is returned doesn’t match any of the existing accounts in SAP Analytics Cloud.

      Check this KBA on how to capture the SAML assertions in Chrome so you can examine what is returned as NameID by your IdP:

      https://apps.support.sap.com/sap/support/knowledge/public/en/2487567

      Verify that the email returned exists (matching upper and lowercase) with one of the accounts in SAP Analytics Cloud.

      Regards,

      Julian

      1. Wei Li

        Hi Julian,

I checked the email address returned from my IdP, it matches with the current user’s email address. It seems that the “mapping to an existing user” step did not happen. If I hard code my IdP to have it return the user’s SCI profile ID (Pxxxx) as the NameID, then it works.

        Thanks,

        Wei

        1. Julian Jimenez Post author

          Hi Wei,

          Just to clarify, the email address is returned in the <NameID> tag of the assertion or as email address tag?

          In order to use email address as your credentials, it has to return in <NameID>.

<NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">your.email@company.com</NameID>

          Regards,

          Julian

          1. Wei Li

            Thanks for your help Julian!

I finally found out that it is because my IdP is returning the wrong Recipient in <SubjectConfirmation>. It works now!

            Thanks,

            Wei
  2. Marcus Schiffer

Hi Julian,

    thanks for the post. It works fine for me.

    I have, however, one question.

    Can we configure more than one ID provider ?

    Or in different words: When the ID provider is not available, could we still log on with the original SAP analytics account ?

    1. Julian Jimenez Post author

      Hi Marcus,

At the moment we only have a single IdP for SAP Analytics Cloud. You can have your own SAP Cloud Identity that allows multiple Corporate Identity providers. I believe that the SLAs for this product are similar to SAP Analytics Cloud.

      If you want the option in the product to have multiple IdPs, I recommend you to request enhancements via Ideas Place: https://ideas.sap.com/boc

      If the IdP is not available, we don’t have yet a fallback method to allow the admin to log in. I will try to document something around this topic.

      Regards,
      Julian

  3. M. van Foeken

    Hi Julian,

    I’m stuck getting SAML SSO to work with Azure AD. I get the following error message:

    HTTP Status 500 – Service Provider SLO endpoint received LogoutResponse from Identity Provider https://sts.windows.net/75b2f54b-feff-400d-8e0b-67102edb9a23/ that is not signed

    This occurs after I entered the verification URL. I checked SAML NameID which displays email also available in SAC.

    Do you have any idea?

    With kind regards,

    Martijn van Foeken | Interdobs

    1. Julian Jimenez Post author

      Hi Martijn,

I haven’t seen this error before. Have you used the template that Azure AD provides for SAP Analytics Cloud (BusinessObjects Cloud) when creating this Service Provider?

      Thanks,

      Julian

  4. Simen Huuse

    Hi Julian!

    Thanks for posting this blog, great stuff! Is there a relation between the IdP in Analytics Cloud and the IdP setting in the underlying SAP Cloud Platform account?

    We have a particular case where we want to expose analytics to a C4C mashup without changing the IdP for the entire Analytics Cloud account.

    All the best,

    Simen

    @simenhuuse

    1. Julian Jimenez Post author

      Hi Simen,

      SAP Cloud Platform account and SAP Analytics Cloud use different SAP Cloud IdPs unfortunately. The same technology but different systems.

      You will need to have your own SAML IdP as you will require to import the SAC metadata file (as SAML service provider). You will require to have your own tenant of SAP Cloud Identity. If you have SAP NetWeaver Identity Management, you can follow the steps to configure C4C to use this SAML IdP.

      https://blogs.sap.com/2017/01/30/configurations-for-sso-with-saml2.0-between-sap-cloud-for-customer-and-sap-identity-provider/

      Regards,

      Julian

