SAML integration between Microsoft Azure Portal and SAP Analytics Cloud
This blog is a continuation of my earlier blog on SAML integration between SAP Analytics Cloud and ADFS.
In this blog, we will see how to integrate SAP Analytics Cloud (formerly known as SAP BusinessObjects Cloud) with Microsoft Azure Active Directory.
You get the following benefits when you integrate SAP Analytics Cloud with Azure AD:
- In Azure AD, you can control who has access to SAP Analytics Cloud.
- You can automatically sign in your users to SAP Analytics Cloud by using single sign-on and a user’s Azure AD account.
- You can manage your accounts in one central location, the Azure portal.
The scenario outlined in this blog consists of two main building blocks:
- Add SAP BusinessObjects Cloud from the gallery.
- Set up and test Azure AD single sign-on.
Let’s go through the configuration step by step.
We will start with Microsoft Azure portal configuration.
Microsoft Azure Portal Configuration
- Access and log in to the Azure portal
- Go to Azure Active Directory –> Enterprise Applications –> All Applications
- New Application – In the All Applications window, click on New Application
- New Application – SAP Analytics Cloud is available in the gallery under the name SAP BusinessObjects Cloud.
Go to Add from the gallery and search for SAP. This lists all the SAP applications available in the gallery; select SAP BusinessObjects Cloud.
- Add an Application – Provide an application name and click on Add.
Example: SAP Analytics Cloud
- Assign user – After SAP Analytics Cloud has been added, it is listed in All Applications.
Click on SAP Analytics Cloud –> Users and groups – Add user
Assign the Azure directory user / Domain user to the application
- SAML configuration
Click on Single Sign-on and select SAML-based Sign-on from the drop-down for Single Sign-on Mode
Enter the information in SAP Analytics Cloud Domain and URLs
Select user.mail from User Identifier
Click on “Metadata.xml” and download it to your local directory. This file will be uploaded to SAC later.
SAP Analytics Cloud Configuration
Log in to SAP Analytics Cloud and select SAML
Upload the IdP metadata (downloaded from the Azure portal) into SAC
Under User Attribute, select Email in the drop-down
- Before we can save the configuration, we need to validate it.
- Copy the URL from the validate window and open it in an Incognito tab of your browser or in a new browser window.
- For Verify your account with the identity provider, enter the e-mail ID (First.Last@…….onmicrosoft.com) of the user created within Azure
Test Azure AD single sign-on configuration by using the access panel.
Go to the user access portal using the URL below and log in
When you select the SAP Analytics Cloud tile in the access panel, you should be automatically signed in to your SAP Analytics Cloud application.
If all the configurations are correct and verification is successful, the user will be logged into SAP Analytics Cloud using SAML.
- Paul Dhrubajyoti
- Mohammed Ashraf
Nice blog! Have implemented this at a customer project as well along with SAML SSO to HANA.
One thing I would like to add is that when you enable SAML SSO in SAP Analytics Cloud there is no secondary authentication method available. This means that if you make changes in the Azure application that impact your metadata.xml file, make sure you first disable SAML SSO in SAP Analytics Cloud. Otherwise, all users will be locked out and you have to create an incident on the SAP Support Portal to have operations revert it. Even the Tenant Owner can't log in anymore :-(.
With kind regards,
Martijn van Foeken | Interdobs
There is an enhancement created for that requirement and developers are currently examining the alternatives so at least a System owner can login to repair it if the SAML IdP is not available.
However, in this case, both are cloud products. I don't know the SLAs for Azure AD but I presume that they are far better than many internal IT departments. Repairing the authentication for your BI platform is not their first priority.
In my experience in BI Platform, authentication methods such as AD were more problematic as: