SAML authentication in SAP Analytics Cloud
I’ve heard many questions from customers trying to implement different SAML Identity Providers with SAP Analytics Cloud.
First things first: what is SAML?
Security Assertion Markup Language (SAML) is an open-standard data format for exchanging authentication and authorization data between parties. We can see the three parties involved and a very simplified exchange in the following picture:
SAP Analytics Cloud is the service provider. The browser attempts to access the software and is redirected to a third-party Identity Provider, which is responsible for authenticating the user.
The good news is that this is the native method. When you receive your tenant URL and log in to SAP Analytics Cloud for the very first time, you are redirected to SAP Cloud Platform Identity Authentication service. This is the SAML Identity Provider used by default.
How to configure your own SAML Identity Provider (IdP)?
You have a self-service tool in the menu:
System > Administration > Security (tab)
The product guide offers a section on the configuration: Enabling SAML Single Sign-On (SSO). As mentioned before, the product is already enabled for SAML SSO. This section should be named: Enabling your own SAML Identity Provider.
I will only clarify some steps that I have been asked multiple times.
Step 1: Download Service Provider Metadata
This is the XML file containing the certificate for your SAP Analytics Cloud tenant. It has to be imported into your SAML Identity Provider (IdP).
You don’t need to change anything. It may look a bit confusing that these tags point to different hosts (the KeyName carries your tenant host, while the AssertionConsumerService location points to the authentication service):
<KeyName>yourcompany.us1.businessobjects.cloud</KeyName>
<ns3:AssertionConsumerService index="0" isDefault="true" Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://authn.us1.hana.ondemand.com/saml2/sp/acs/aa10027b00/aa10027b00"/>
Simply request the IdP administrator to import that file. Some examples:
Active Directory Federation Service in Public KBA 2487116
SAP Cloud Platform Identity Authentication. In product documentation, section Configure a Trusted Service Provider.
Step 2: Upload Identity Provider Metadata
This is very simple, take the XML file that your IdP administrator gave you. Are you the IdP but don’t know where to find that file? Here are some examples:
Azure AD Federation Metadata: https://login.microsoftonline.com/<TenantDomainName>/FederationMetadata/2007-06/FederationMetadata.xml
Active Directory Federation Services: https://yourserver.yourdomain.com/FederationMetadata/2007-06/FederationMetadata.xml
SAP Cloud Platform Identity Authentication Service: Documented in section: Tenant SAML 2.0 Configuration
Step 3: Choose a user attribute to map to your identity provider
This is the step where it usually gets more complicated than it should for a couple of reasons:
- It’s case sensitive
- Transformations incorrectly configured in your IdP
The two main attributes you would like to use when mapping SAP Analytics Cloud users and your IdP users are: email or User ID.
The User ID is always uppercase in SAP Analytics Cloud and may differ from the value in your corporate Identity Provider.
I received a few questions related to the Name ID attribute:
This is returned by the Identity Provider to the Service Provider (SAP Analytics Cloud) inside the SAML response. You won’t find it in any of the .xml files you used so far. If you want to see it, you need to use the Developer Tools in Chrome. You can find complete details in KBA 2487567.
In my example, what is returned is the value JULIAN. As you may suspect, in this case, I need to select User ID in my attribute mapping in SAP Analytics Cloud. It should work as that is my User ID in SAP Analytics Cloud. It would have failed if the attribute returned was Julian.
What happens if my company uses certificates, fingerprints…? Once you are authenticated, the SAML IdP can send the values from one of your attributes as a claim. For example, this is taken from AD FS:
Step 4: Verify your account with the Identity Provider
A few questions around this step:
- Please verify the Login Credentials displayed in the previous step. If you see USER, that is the Name ID attribute value expected to be returned from your IdP.
- If the uppercase/lowercase don’t match completely, you can select email instead. You then need to make sure that the Name ID attribute returned in the claim is also the email.
- Incognito: why? You are already connected to SAP Analytics Cloud with your user; you are connecting again using a different SAML IdP.
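The case-sensitivity problem from Step 3 and the email fallback from Step 4 can be checked before you switch IdPs. The Python script below is an added example, not part of this post or of SAP Analytics Cloud: it decodes a SAMLResponse value as copied from the browser Developer Tools, reads the NameID and the attribute claims from the assertion, and reports whether that NameID would match the SAP Analytics Cloud User ID or email exactly. The response template, the user JULIAN and the address julian@example.com are constructed sample values, and the function names are my own.

```python
import base64
import xml.etree.ElementTree as ET
from typing import Dict, Optional, Tuple

# SAML 2.0 namespaces used by the Response and the Assertion it carries
NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}

# Constructed template shaped like a minimal SAML 2.0 Response; not a capture from any real tenant or IdP.
RESPONSE_TEMPLATE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_resp1" Version="2.0">
  <saml:Assertion ID="_assert1" Version="2.0">
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">{name_id}</saml:NameID>
    </saml:Subject>
    <saml:AttributeStatement>
      <saml:Attribute Name="email">
        <saml:AttributeValue>{email}</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""


def build_sample_response(name_id: str, email: str) -> str:
    """Build a base64 SAMLResponse like the one POSTed to the ACS URL (constructed sample data)."""
    xml = RESPONSE_TEMPLATE.format(name_id=name_id, email=email)
    return base64.b64encode(xml.encode("utf-8")).decode("ascii")


def decode_saml_response(b64_response: str) -> ET.Element:
    """Decode the SAMLResponse form field (copied from Developer Tools) into an XML tree."""
    return ET.fromstring(base64.b64decode(b64_response))


def extract_name_id(root: ET.Element) -> Tuple[str, str]:
    """Return (value, Format) of the assertion NameID; this is the value SAC compares with the mapped attribute."""
    node = root.find(".//saml:Subject/saml:NameID", NS)
    if node is None or not node.text:
        raise ValueError("assertion carries no NameID")
    return node.text.strip(), node.get("Format", "")


def extract_attributes(root: ET.Element) -> Dict[str, str]:
    """Collect the attribute claims (for example email) the IdP added to the assertion."""
    claims = {}
    for attr in root.findall(".//saml:AttributeStatement/saml:Attribute", NS):
        name = attr.get("Name")
        value = attr.find("saml:AttributeValue", NS)
        if name and value is not None and value.text:
            claims[name] = value.text.strip()
    return claims


def recommend_mapping(b64_response: str, sac_user_id: str, sac_email: str) -> Tuple[Optional[str], str]:
    """Decide which SAC attribute (User ID or email) the NameID in this response would match.

    The comparison is exact, including case, which is why a NameID of 'Julian' fails
    against the SAC User ID 'JULIAN'. Returns (mapping or None, explanation).
    """
    root = decode_saml_response(b64_response)
    name_id, fmt = extract_name_id(root)
    if name_id == sac_user_id:
        return "User ID", f"NameID {name_id!r} ({fmt}) equals the SAC User ID"
    if name_id == sac_email:
        return "email", f"NameID {name_id!r} ({fmt}) equals the SAC email"
    if name_id.lower() == sac_user_id.lower():
        return None, (f"NameID {name_id!r} differs from SAC User ID {sac_user_id!r} only in case: "
                      "fix the IdP transformation, or map on email and return the email as NameID")
    return None, f"NameID {name_id!r} matches neither User ID {sac_user_id!r} nor email {sac_email!r}"


if __name__ == "__main__":
    # Three constructed responses: exact User ID, case mismatch, and email as NameID
    for nid in ("JULIAN", "Julian", "julian@example.com"):
        resp = build_sample_response(nid, "julian@example.com")
        print(nid, "->", recommend_mapping(resp, "JULIAN", "julian@example.com"))
```

To use it against a real login, copy the SAMLResponse value from the POST to the ACS URL in the Network tab of Developer Tools and pass it to recommend_mapping together with the User ID and email shown in the Login Credentials box. The script only decodes and compares; it does not validate the signature, so treat it as a mapping check, not as a verification of the assertion.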