This post continues my earlier blog on SAML integration between SAP Analytics Cloud and ADFS:

https://blogs.sap.com/2017/12/19/sap-analytics-cloud-saml-sso-using-adfs-active-directory-federation-services-as-an-identity-provider/

In this blog, we will see how to integrate SAP Analytics Cloud (formerly known as SAP Business Objects Cloud) with Microsoft Azure Active Directory.

You get the following benefits when you integrate SAP Analytics Cloud with Azure AD:

  • In Azure AD, you can control who has access to SAP Analytics Cloud.
  • You can automatically sign in your users to SAP Analytics Cloud by using single sign-on and a user’s Azure AD account.
  • You can manage your accounts in one central location, the Azure portal.

The scenario outlined in this blog consists of two main building blocks:

  1. Add SAP BusinessObjects Cloud from the gallery.
  2. Set up and test Azure AD single sign-on.

Let’s go through the configuration step by step, starting with the Microsoft Azure portal.

Microsoft Azure Portal Configuration

  1. Access and log in to the Azure portal.
  2. Go to Azure Active Directory –> Enterprise Applications –> All Applications.
  3. New Application – In the All Applications window, click on New Application.
  4. New Application – SAP Analytics Cloud is available in the gallery under the name SAP BusinessObjects Cloud.

     Go to Add from the gallery and search for SAP. This lists all the SAP applications available in the gallery; select SAP BusinessObjects Cloud.

  5. Add an Application – Provide an application name and click on Add.

     Ex: SAP Analytics Cloud

  6. Assign user – After SAP Analytics Cloud has been added, it is listed under All Applications.

     Click on SAP Analytics Cloud –> Users and groups –> Add user.

     Assign the Azure directory user / domain user to the application.

  7. SAML configuration

     Click on Single Sign-on and select SAML-based Sign-on from the drop-down for Single Sign-on Mode.

     Enter the information in SAP Analytics Cloud Domain and URLs.

     Select user.mail from User Identifier.

     Click on “Metadata.xml” and download it to your local directory. This file will be uploaded to SAC later.

     Then save.

SAP Analytics Cloud Configuration

Log in to SAP Analytics Cloud and select SAML.

Upload the IdP metadata (downloaded from the Azure portal) into SAC.

Under User Attribute, select Email in the drop-down.

Verify Account

    • Before we can save the configuration, we need to validate it.
    • Copy the URL from the validate window and open an Incognito tab in your browser or open a new browser window.
    • For Verify your account with the identity provider, enter the e-mail ID (First.Last@…….onmicrosoft.com) of the user created within Azure.

Validation

Test the Azure AD single sign-on configuration by using the access panel.

Go to the user access portal using the URL below and log in:

https://account.activedirectory.windowsazure.com/r#/applications

When you select the SAP Analytics Cloud tile in the access panel, you should be automatically signed in to your SAP Analytics Cloud application.

If all the configurations are correct and verification is successful, the user will be logged in to SAP Analytics Cloud using SAML.

Blog By

  • Paul Dhrubajyoti
  • Mohammed Ashraf
2 Comments

  1. Martijn van Foeken

    Hi Mohammed,

    Nice blog! Have implemented this at a customer project as well along with SAML SSO to HANA.

    One thing I would like to add is that when you enable SAML SSO in SAP Analytics Cloud there is no secondary authentication method available. This means that if you make changes in the Azure application that impact your metadata.xml file, make sure you first disable SAML SSO in SAP Analytics Cloud. Otherwise, all users will be locked out and you have to create an incident on the SAP Support Portal to have operations revert it. Even the Tenant Owner can’t log in anymore :-(.

    With kind regards,

    Martijn van Foeken | Interdobs

     

    (1) 
    1. Julian Jimenez

      Hi Martijn,

      There is an enhancement created for that requirement and developers are currently examining the alternatives so at least a System owner can log in to repair it if the SAML IdP is not available.

      However, in this case, both are cloud products. I don’t know the SLAs for Azure AD but I presume that they are far better than many internal IT departments. Repairing the authentication for your BI platform is not their first priority.

      In my experience in BI Platform, authentication methods such as AD were more problematic as:

      • As an administrator, you may be able to use Enterprise authentication, but your users can’t and the issue is not solved until they can keep using AD
      • There are more opportunities to delete groups, user accounts and change settings by mistake when you manage your AD.

      Regards,

      Julian

      (1) 