Deep Dive: Setting Up Single Sign-On SAP Analytics Cloud Webcast Recap
This was an SAP webcast the other week. You can watch the replay here. The Q&A is in-depth below.
Figure 1: Source: SAP
Agenda is shown above.
Figure 2: Source: SAP
What is SAML? Helps exchange authorization between parties
Diagram on the right – 3 parties – principal, IDP, service provider
SAC is a service provider
Identity provider – whatever you are using ADFS, etc.
SAC uses SAML SSO
Step 1 – call from a user to SAC
Step 2 – SAC goes to browser, directs it to IDP (SAP cloud ID default)
Step 3 – confirms that this user is a valid user
Step 4 – sends it back
Figure 3: Source: SAP
Active Directory Federation Services with tenant
Do not modify XML; only change claim rules
User ID is case sensitive
Figure 4: Source: SAP
Attribute to map – email ID, user ID or customer SAML mapping
Figure 5: Source: SAP
How to capture/troubleshoot – use incognito mode
Question & Answer
Q: I have looked into connection SAP Analytics Cloud to S/4 HANA Cloud. In this case, the Service Provider is S/4 HANA Cloud. Can you describe why this would the case? Why wouldn’t we use Cloud Platform?
A: S/4HANA is a NetWeaver based system and as such acts as a service provider similar to other NetWeaver based systems.
Q: In case of integration with SuccessFactors and Ariba, does the same architecture hold good?
A: Import Data Connection to SuccessFactors uses the SuccessFactors OData API and OAuth2 authentication per https://help.sap.com/doc/00f68c2e08b941f081002fd3691d86a7/release/en-US/73a865af45f94d3cb93a309d6ef8c7e9.html so the architecture
is different. Ariba is not yet available as an SAP Analytics Cloud data source.
Q: I need to make a SSO between BW on HANA and SAC, It’s posible?
A: Yes this is possible using a Live Connection per https://help.sap.com/doc/00f68c2e08b941f081002fd3691d86a7/release/en-US/2f61936f350b423ca6b813da1d5a102f.html
Q: Is there a step by step manual for this procedure in AD FS?
A: Please see this SAP Knowledge Base Article: https://apps.support.sap.com/sap/support/knowledge/public/en/2487116
Q: Can we do SAC integration with S/4 HANA on premise
A: Please see https://help.sap.com/doc/00f68c2e08b941f081002fd3691d86a7/release/en-US/d2a1edf7cda74315a2c5052de8a3a4eb.html
Q: When is the SAP Cloud Connector used?
A: When Importing data into SAP Analytics Cloud per https://help.sap.com/doc/00f68c2e08b941f081002fd3691d86a7/release/en-US/5339a2395ccd4befb047c625a15f8481.html
Q: Does it support connectivity with on premise SAP solutions
A: Yes, SAP Analytics Cloud supports Live and Import connections to a number of On Premise solutions per https://help.sap.com/doc/00f68c2e08b941f081002fd3691d86a7/release/en-US/bdf055159cbb4f36b26c93ccb0c56066.html
Q: Reanswer, Is posible make SSO between BW on HANA and SAC using PATH connection ?
A: It is not recommended as PATH connections get extremely complicated. The recommendation if a Reverse Proxy is required for a scenario such as access from outside the firewall to on premise data is to use the Direct connection and
route only the requests to the on premise BW through the reverse proxy. Please see https://apps.support.sap.com/sap/support/knowledge/public/en/2675321
Q: With one SSO login can we go to different applications like SAP Analytics cloud, SAP success factors if we configure SAP success factors also
A: Yes with a central identity provider such as SAP Cloud Identity
Q: Is there any documentation for implementing SSO for custom application in CF. Specially in case of custom UI5 application.
A: There is some information here: https://help.sap.com/viewer/f4204795aea64e909c53dc85a8030fdc/Cloud/en-US/0f617257db8a41dda47813fd33c7e238.html I recommend visiting the SAP Cloud Platform community at
Q: We have implemented SSO between SAC and our BW System using SSO. SAC and BW system are connected with a Reverse Proxy. Also we have stories with BW BEx queries with live connection. With Google Chrome we have no problems to open those
stories, but with the “Analytics” app we are not able to open those same stories (SPNego problem). why google chrome open stories OK and the iOS app does not? It would be good to comment on the scope of this SSO may not work well for the
application “Analytics” connected to some live data sources
A: iOS app has strict certificate requirements in that the certificate authority must be approved by Apple and there are limitation in the app currently per https://apps.support.sap.com/sap/support/knowledge/public/en/2603851 Additional
information in these links: https://help.sap.com/doc/00f68c2e08b941f081002fd3691d86a7/release/en-US/11b4e5ff76eb4747bc255d7037be1f01.html#loio11b4e5ff76eb4747bc255d7037be1f01__p_mobile