SAP Analytics Cloud SAML connection using ADFS (Active Directory Federation Services) as an Identity Provider
Configuring ADFS with SAP Analytics Cloud
What is an IdP?
An Identity Provider (IdP), sometimes called an Identity Service Provider, is a trusted provider that lets you use single sign-on (SSO) to access other websites. It authenticates users on the internet by means of security tokens, one of which is SAML.
What is ADFS?
Active Directory Federation Services (AD FS) is a feature of Windows Server 2003 R2 and later operating systems that supports web single sign-on (SSO) technologies to authenticate a user to multiple web applications. ADFS integrates with Active Directory Domain Services, using it as an identity provider.
Features in ADFS
- Web single sign-on (SSO)
- Web Services interoperability
- Extensible architecture
Prerequisite
ADFS is successfully installed and configured.
To verify that ADFS is working, log in to a Windows machine as an AD user, open Internet Explorer, and browse to
https://adfs.adatum.com/federationmetadata/2007-06/federationmetadata.xml and then verify that the file loads successfully.
Please note: If you get "page cannot be displayed", try disabling the proxy settings in your VM.
ADFS Configuration
1. Download the Service Provider metadata from SAP Analytics Cloud
Go to Menu -> System -> Administration -> Security
2. Import the Service Provider metadata file in ADFS
3. After importing the file, click Next
4. Specify a display name and click Next
5. Select "I do not want to configure multi-factor authentication settings for this relying party trust at this time."
6. Under Issuance Authorization Rules, select "Permit all users to access this relying party"
7. Click Next and then Finish
8. Add a claim rule for SAP Analytics Cloud
Select "Send LDAP Attributes as Claims" and click Next
9. Enter the claim rule name
SAP Analytics Cloud from AD login to Name ID
10. Select the attribute store (Active Directory) and map the LDAP attributes
This is a transformation example, from the login name in Active Directory to the Name ID that can be used in SAP Analytics Cloud
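The wizard steps 2 to 10 above can also be scripted with the AD FS PowerShell module, which makes the relying party trust and its rules reviewable and repeatable. This is an added example, not part of the original blog: the metadata path and display name are placeholders, and the "login name" is assumed to be the sAMAccountName attribute.

```powershell
# Added example: scripted equivalent of the relying party trust wizard steps.
# Run in an elevated PowerShell session on the AD FS server.
Import-Module ADFS

$RpName     = 'SAP Analytics Cloud'           # display name (step 4), placeholder
$SpMetadata = 'C:\Temp\sac-sp-metadata.xml'   # SP metadata downloaded from SAC (step 1), placeholder path

# Step 6: "Permit all users to access this relying party"
$AuthzRules = @'
@RuleTemplate = "AllowAllAuthzRule"
 => issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");
'@

# Steps 8-10: "Send LDAP Attributes as Claims", AD login name -> Name ID.
# Assumption: the login name mapped in the wizard is sAMAccountName.
$TransformRules = @'
@RuleTemplate = "LdapClaims"
@RuleName = "SAP Analytics Cloud from AD login to Name ID"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory",
          types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier"),
          query = ";sAMAccountName;{0}", param = c.Value);
'@

if (-not (Test-Path -LiteralPath $SpMetadata)) {
    throw "Service Provider metadata file not found: $SpMetadata"
}

# Do not silently create a second trust under the same display name.
if (Get-AdfsRelyingPartyTrust -Name $RpName) {
    throw "Relying party trust '$RpName' already exists; review it instead of re-creating it."
}

# Steps 2-7: import the SP metadata and create the trust with both rule sets.
Add-AdfsRelyingPartyTrust -Name $RpName -MetadataFile $SpMetadata `
    -IssuanceAuthorizationRules $AuthzRules `
    -IssuanceTransformRules $TransformRules

# Review what was created: identifier, state, and the rules actually stored.
Get-AdfsRelyingPartyTrust -Name $RpName |
    Format-List Name, Identifier, Enabled, IssuanceAuthorizationRules, IssuanceTransformRules
```

The permit-all rule lets every authenticated AD user obtain a token for this relying party; replace it with a group-based authorization rule if only some users should reach SAP Analytics Cloud.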
SAML configuration in SAC
1. Log in to SAP Analytics Cloud
2. Go to Administration -> Security and select SAML Single Sign On (SSO)
3. Import the metadata.xml from ADFS
Upload this file under Upload Identity Provider Metadata
4. Choose a user attribute to map to your identity provider
5. Verify Account
6. In another browser, log on to the URL provided in the Verify Account step.
7. It redirects to the IdP for authentication; enter the details of the domain user to be mapped to the SAC user account.
8. If the configuration is correct and the mapping succeeds, you can log in and will get a verification successful message, confirming that the SAML setup is correct.
9. Close this browser window, go back to the verification window in the earlier browser, and click Check Verification
10. Once verification is successful, you will get an account verified message
This completes the configuration.
Users will be able to use SAML to log in to SAP Analytics Cloud.
Blog By
- Paul Dhrubajyoti
- Mohammed Ashraf
Very Informative Thanks