SAML authentication in SAP Analytics Cloud
I’ve heard many questions from customers trying to implement different SAML Identity Providers with SAP Analytics Cloud.
First things first: what is SAML?
Security Assertion Markup Language (SAML) is an open-standard data format for exchanging authentication and authorization data between parties. We can see the three parties involved and a very simplified exchange in the following picture:
SAP Analytics Cloud is the service provider. The browser attempts to access the software and is redirected to a third-party Identity Provider, which is responsible for authenticating the user.
The good news is that this is the native method used. When you get your tenant URL and log in for the very first time to SAP Analytics Cloud, you are redirected to SAP Cloud Platform Identity Authentication service. This is the SAML Identity Provider used by default.
How to configure your own SAML Identity Provider (IdP)?
You have a self-service tool in the menu:
System > Administration > Security (tab)
The product guide offers a section on the configuration: Enabling SAML Single Sign-On (SSO). As mentioned before, the product is already enabled for SAML SSO. This section should be named: Enabling your own SAML Identity Provider.
I will only clarify some steps that I have been asked multiple times.
Step 1: Download Service Provider Metadata
This XML file contains the certificate for your SAP Analytics Cloud tenant. It has to be imported into your SAML Identity Provider (IdP).
You don’t need to change anything. It may look a bit confusing at first, because these two tags come from different locations in the file:
<KeyName>yourcompany.us1.businessobjects.cloud</KeyName>
<ns3:AssertionConsumerService index="0" isDefault="true" Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://authn.us1.hana.ondemand.com/saml2/sp/acs/aa10027b00/aa10027b00"/>
Simply request the IdP administrator to import that file. Some examples:
Active Directory Federation Service in Public KBA 2487116
SAP Cloud Platform Identity Authentication. In product documentation, section Configure a Trusted Service Provider.
Step 2: Upload Identity Provider Metadata
This is very simple: take the XML file that your IdP administrator gave you. Are you the IdP administrator but don’t know where to find that file? Here are some examples:
Azure AD Federation Metadata: https://login.microsoftonline.com/<TenantDomainName>/FederationMetadata/2007-06/FederationMetadata.xml
Active Directory Federation Services: https://yourserver.yourdomain.com/FederationMetadata/2007-06/FederationMetadata.xml
SAP Cloud Platform Identity Authentication Service: Documented in section: Tenant SAML 2.0 Configuration
Step 3: Choose a user attribute to map to your identity provider
This is the step where it usually gets more complicated than it should for a couple of reasons:
- It’s case sensitive
- Transformations incorrectly configured in your IdP
The two main attributes you would use to map SAP Analytics Cloud users to your IdP users are email or User ID.
The User ID is always uppercase in SAP Analytics Cloud and may differ from the one in your corporate Identity Provider.
I have received a few questions about the Name ID attribute:
It is returned by the Identity Provider to the Service Provider (SAP Analytics Cloud). You won’t find it in any of the .xml files you used so far. If you want to see it, you need to use the Web Development tools in Chrome. You can find complete details in KBA 2487567.
In my example, what is returned is the value JULIAN. As you may suspect, in this case, I need to select User ID in my attribute mapping in SAP Analytics Cloud. It should work as that is my User ID in SAP Analytics Cloud. It would have failed if the attribute returned was Julian.
What happens if my company uses certificates, fingerprints…? Once you are authenticated, the SAML IdP can send the values from one of your attributes as a claim. For example, this is taken from AD FS:
Step 4: Verify your account with the Identity Provider
A few questions around this step:
- Please, verify the Login Credentials displayed in the step before. If you see USER, that is the Name ID attribute expected to be returned from your IdP.
- If the upper/lower case does not match exactly, you can select email instead. You then need to make sure that the Name ID attribute returned in the claim is also the email.
- Incognito: why? Because you are already logged in to SAP Analytics Cloud with your user, and you now need to log in again using a different SAML IdP.
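As an added example (not part of the original post), the following Python script decodes a captured SAMLResponse the way the KBA above describes and applies the Step 3 and Step 4 checks: the Recipient must be the ACS Location from the Step 1 metadata, and the Name ID must match the chosen attribute exactly, including case. The sample response, the SAC user list and the e-mail values are constructed for illustration.

```python
import base64
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# AssertionConsumerService Location from the SP metadata downloaded in Step 1.
ACS_URL = "https://authn.us1.hana.ondemand.com/saml2/sp/acs/aa10027b00/aa10027b00"

# Constructed sample: a minimal, unsigned SAML Response, base64-encoded the way it
# appears in the SAMLResponse form field captured with the browser dev tools.
SAMPLE_RESPONSE = base64.b64encode(f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}">
  <saml:Assertion><saml:Subject>
    <saml:NameID>Julian</saml:NameID>
    <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
      <saml:SubjectConfirmationData Recipient="{ACS_URL}"/>
    </saml:SubjectConfirmation>
  </saml:Subject></saml:Assertion>
</samlp:Response>""".encode()).decode()

# Constructed SAC user list (hypothetical values): User IDs are always uppercase in SAC.
SAC_USERS = [
    {"user_id": "JULIAN", "email": "julian@yourcompany.com", "saml_mapping": "ext-julian"},
]

def inspect_response(saml_response_b64):
    """Decode a captured SAMLResponse and pull out the fields SAC matches on."""
    root = ET.fromstring(base64.b64decode(saml_response_b64))
    name_id = root.find(".//saml:Subject/saml:NameID", NS)
    scd = root.find(".//saml:SubjectConfirmationData", NS)
    return {"name_id": name_id.text.strip() if name_id is not None else None,
            "recipient": scd.get("Recipient") if scd is not None else None}

def match_user(name_id, attribute, users=SAC_USERS):
    """Step 3 mapping: exact, case-sensitive comparison of the Name ID against the
    chosen attribute (USER ID, email or SAML User Mapping)."""
    key = {"USER ID": "user_id", "email": "email", "SAML User Mapping": "saml_mapping"}[attribute]
    return next((u for u in users if u[key] == name_id), None)

def check_login(saml_response_b64, attribute):
    """Return (ok, reason): the checks an admin makes when Step 4 fails."""
    fields = inspect_response(saml_response_b64)
    if fields["recipient"] != ACS_URL:
        return False, f"Recipient {fields['recipient']!r} is not the SAC ACS URL"
    user = match_user(fields["name_id"], attribute)
    if user is None:
        return False, f"NameID {fields['name_id']!r} matches no SAC user by {attribute} (case-sensitive)"
    return True, f"NameID maps to SAC user {user['user_id']}"
```

With the sample above, mapping by USER ID fails because the IdP returns "Julian" while the SAC User ID is "JULIAN"; switching the Name ID to the e-mail, or to the custom SAML User Mapping value, makes the same check pass.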
Thanks for the article! When I tried it, I used email in the Name ID attribute, but I always got the 'profile not configured for the system' page after I log in through my custom IdP. Could you shed some light on what might be the problem here?
I presume that the email that is returned doesn't match any of the existing accounts in SAP Analytics Cloud.
Check this KBA on how to capture the SAML assertions in Chrome so you can examine what is returned as NameID by your IdP:
Verify that the email returned exists (matching upper and lowercase) with one of the accounts in SAP Analytics Cloud.
I checked the email address returned from my IdP, it matches with the current user's email address. It seems that the "mapping to an existing user" step did not happen. If I hard code my IdP to have it return the user's SCI profile ID (Pxxxx) as the NameID, then it works.
Just to clarify, the email address is returned in the <NameID> tag of the assertion or as email address tag?
In order to use email address as your credentials, it has to return in <NameID>.
Thanks for your help Julian!
I finally found out that it is because my IdP is returning the wrong Recipient in <SubjectConfirmation>. It works now!
Hi Wei Li,
I know it was a while ago, but can you remember how the IdP was set up incorrectly? We're just going through setting up SSO for SAP Analytics Cloud against Microsoft Azure so trying to understand where the pitfalls may lie!
Thanks for the post. It works fine for me.
I have, however, one question.
Can we configure more than one ID provider ?
Or in different words: When the ID provider is not available, could we still log on with the original SAP analytics account ?
At the moment we only have a single IdP for SAP Analytics Cloud. You can have your own SAP Cloud Identity that allows multiple Corporate Identity Providers. I believe that the SLAs for this product are similar to SAP Analytics Cloud.
If you want the option in the product to have multiple IdPs, I recommend you request enhancements via Ideas Place: https://ideas.sap.com/boc
If the IdP is not available, we don't yet have a fallback method to allow the admin to log in. I will try to document something around this topic.
We're just going through the process of configuring SSO from SAC to Microsoft Azure AD. I'm experienced doing SSO from Azure AD to various applications and understand SAML2 protocol etc.
We're concerned that, if we make a mistake in the configuration, then there is a chance we will effectively lock ourselves out of SAC - since we won't be able to SSO back into SAC to switch the config back to using SCI instead of Azure AD.
Presumably, if we have an existing login session to SAC (as system owner), then that session will persist as we test SSO against Azure AD. So long as we don't log out of that session we are ok. (And if we *do* log out or it times out - then we could be stuffed - and presumably would need to raise a ticket with SAP to have them reset the SSO config back to SCI for us - am I right???)
I'm stuck getting SAML SSO to work with Azure AD. I get the following error message:
HTTP Status 500 - Service Provider SLO endpoint received LogoutResponse from Identity Provider https://sts.windows.net/75b2f54b-feff-400d-8e0b-67102edb9a23/ that is not signed
This occurs after I entered the verification URL. I checked SAML NameID which displays email also available in SAC.
Do you have any idea?
With kind regards,
Martijn van Foeken | Interdobs
I haven't seen this error before. Have you used the template that Azure AD provides for SAP Analytics Cloud (BusinessObjects Cloud) when creating this Service Provider?
Having the same issue. Did you figure this out?
Yes, I misconfigured it together with our Azure AD team. All necessary information is located in your metadata.xml file.
With kind regards,
Martijn van Foeken | Interdobs
Thanks for posting this blog, great stuff! Is there a relation between the IdP in Analytics Cloud and the IdP setting in the underlying SAP Cloud Platform account?
We have a particular case where we want to expose analytics to a C4C mashup without changing the IdP for the entire Analytics Cloud account.
All the best,
SAP Cloud Platform account and SAP Analytics Cloud use different SAP Cloud IdPs unfortunately. The same technology but different systems.
You will need to have your own SAML IdP, as you will need to import the SAC metadata file (as SAML service provider). You will need to have your own tenant of SAP Cloud Identity. If you have SAP NetWeaver Identity Management, you can follow the steps to configure C4C to use this SAML IdP.
Thanks for this very instructive document.
Does the user have to physically exist in C4A for SSO to work? I believe this to be true for C4C, is it the same for C4A?
Yes, the user needs to exist in SAC.
However, if you are using a custom SAML IdP for SAC, then you can select the option “dynamic user creation” and the user will be created in SAC after a simple login:
This option will create the user in SAC on the fly.
Thanks Julian 🙂
Another quick question, so is my understanding correct that if you use dynamic user creation, IPS won't be needed if I am using ADFS? But if I am using IAS as the IDP, dynamic user creation does not work?
I am not sure if I understood the question. What is IPS in this context?
If you use SAP IAS as IdP, you can also check that box. As long as the user exists in this IdP, it will be created in SAC.
IPS (Identity Provisioning Service) is used to create the user in the target system, and in this case, SAC.
So, I wouldn't need the user to already exist in the SAC system, I could use either IAS or ADFS to get this user created on the fly in SAC via SSO?
Hi Julian, very valuable information!
What happens when I misconfigure SAML2 authentication or SAML2 authentication breaks due to e.g. expired certificates?
How will I be able to login as an administrator to fix it?
Very good question. There are currently two scenarios:
If the name ID or email case in Azure AD doesn't match the case defined in Analytics cloud, how else can the user attribute be mapped? Have you come across any such scenario?
In our case, user ids are defined as <FIRSTNAMEFIRSTLETTER><Lastname> and email is defined as <FIRSTNAMEFIRSTLETTER><Lastname>@<DOMAIN>.COM in Azure AD. However in Analytics cloud, username is all uppercase <FIRSTNAMEFIRSTLETTER><LASTNAME> while the email is all lower case <firstnamefirstletter><lastname>@<domain>.com. I am trying to come up with a way on how the user can be mapped between IDP & SAC. Any suggestions?
You can always select Custom SAML User Mapping. There are three methods to map your users: USER ID, email and "SAML User Mapping". That will open a new column in your Security > Users that will allow you to type whatever you want. You can type whatever you need to match the "Name ID" claim returned by Azure AD.
Nice post and comments. I did the setup to use "Custom SAML User Mapping" and everything looked fine.
But... when I tried to login through ADFS I got the error "Bad Request".
I captured the SAML message sent to "https://authn.us2.hana.ondemand.com/saml2/sp/acs/..." and it says in the user id part:
I verified in SAC that in the column "SAML USER MAPPING" also says "ext-fangio" for this user.
Am I doing right? What could be the cause for the "Bad Request"?
Thank you and best regards,
You can post this question directly to the SAC area: https://www.sap.com/community/tag.html?id=67838200100800006884
For specific questions on ADFS, I would recommend this KBA: https://apps.support.sap.com/sap/support/knowledge/public/en/2487116
Have you tested with other users?
I have tenants working correctly using only <NameID> but you will have problems with the logout. The Name ID should have this format:
I'm trying to use help & your blog, but it looks strange. I cannot upload xml back to SAC
I can see some values in XML
But it seems SAC cannot parse it correctly...
Does a trial account in SCP allow using an IdP for SAC?
You seem to be trying to import HANA trial that is a Service Provider as SAML Identity Provider.
You need the metadata of an Identity Provider: ADFS, Okta, SAP AIS, etc.
We are trying to integrate CA SiteMinder as IDP and SAP Analytics as SP with the SAML 2.0 protocol and are getting issues while importing the metadata. It is not recognizing the SSO & SLO URLs and there is no option even to add them manually. Can you please suggest if any additional setting needs to be done for SAML integration of CA SiteMinder with SAP Analytics?
Any help in this would be highly appreciated.
You should ask that question to your SAML IdP vendor. The metadata from your IdP must be incorrect. You can test it with a different SAML service provider to confirm that it's incorrect.
I get the error in the attached screenshot when I do the SAML2 SSO configuration steps according to the document below:
Error message : “we have encountered an error durinh the account verification setup. please check that your login credential is not used by another user and try again”
Could you please help me?
Good simple to follow doco here, but if you can influence the backlog for SAC - just wanted to raise a +1 (if you are keeping track) for a customer who really needs a case insensitive option going forward (or at least an SAC API to update the aliases) since both email and SAM Account Names are manually maintained and never consistently capitalised!
FYI - I noted the SMP Note mentioning that this is being investigated as to whether it will be done.
Is there any chance to bypass SAML SSO on SAC once it has been configured? Like in NetWeaver, giving a parameter in the URL such as saml2=disable? Any chance to do so?
thx in advance
I have the same question as Sascha Jaekel:
"How bypass SAML on SAC ?"
Hi Hervé Couteau / Sascha Jaekel, that's not supported yet.
I can log in, but I get this message.
Could you please help me
How does the service provider send the logout response to the identity provider proxy?