
Set up SSO between Cloud for Customer and SAP Analytics Cloud

1. Introduction

This blog provides step-by-step instructions for setting up SSO between SAP Cloud for Customer (C4C) and SAP Analytics Cloud (SAC). The high-level steps are listed below.

  • Step 1: Get your Custom SAML Identity Provider (IDP) provisioned
  • Step 2: Enable your Custom SAML IdP for your SAP Analytics Cloud (SAC) Tenant

In IDPTENANT App: Download IDP metadata and create users
In SACDEMO App: Download SAC metadata and upload IDP metadata
In IDPTENANT App: Upload SAC metadata and set user mappings
In SACDEMO App: Test authentication against IDP into SAC

  • Step 3: Enable your Custom SAML IdP for your SAP Cloud for Customer (C4C) tenant

In IDPTENANT App: Edit profiles with C4C login names
In C4CDEMO App: Download C4C metadata and upload IDP metadata
In IDPTENANT App: Upload C4C metadata and set user mappings
In C4CDEMO App: Test authentication against IDP into C4C

In this walkthrough, we use the following short names for the various tenants:

| Name | Short Name | Fictitious business user |
|---|---|---|
| Custom SAML Identity Provider | IDPTENANT | Michael Johnes |
| SAP Analytics Cloud Tenant DEMO | SACDEMO | |
| SAP Cloud for Customer Tenant DEMO | C4CDEMO | |

 

2. Set SSO security for the SAC and C4C tenants

Step 1: Get your Custom SAML Identity Provider (IDP) provisioned

Get your own Custom SAML Identity Provider IDPTENANT provisioned on SAP Cloud Platform via SAP IT Services.

Step 2: Enable your Custom SAML IdP for your SAP Analytics Cloud (SAC) Tenant

Reference SAC SSO external documentation: Enabling a Custom SAML Identity Provider

In IDPTENANT App: Download IDP metadata and create users

In this section, you will:

  • Connect to IDPTENANT as Administrator
  • Download xml SAML 2.0 file
  • Create user Michael Johnes on the IDPTENANT

  1. Connect to IDPTENANT as Administrator.
  2. Go to Applications & Resources > Tenant Settings. Click on SAML 2.0 Configuration.

3. Click on Download Metadata File. Rename the resulting XML file to IDPTENANT_metadata.xml.

4. Create users (Users & Authorizations > User Management). Make sure the E-Mail addresses are the same as the E-Mail addresses you will later create in the SACDEMO app.

5. Click on Add User. As an example, create user Michael Johnes as a fictitious US employee responsible for Sales operations.

6. After you click on Save, Michael Johnes receives an email to activate his account on IDPTENANT.

Michael Johnes is then asked to set a password for himself on IDPTENANT, then he clicks on Save to successfully launch the IDPTENANT Profile screen.

In SACDEMO App: Download SAC metadata and upload IDP metadata

In this section, you will:

  • Connect to SACDEMO App as System Owner.
  • Download SACDEMO_metadata.xml SAML 2.0 file
  • Upload IDPTENANT_metadata.xml SAML 2.0 file
  • Choose a user attribute to map to the IDPTENANT identity provider

  1. Connect to SACDEMO as System Owner, go to System > Administration, and click on the Edit button. Set the Authentication Method to SAML Single Sign-On (SSO).

2. Download the Service Provider SACDEMO metadata as an XML file and name it SACDEMO_metadata.xml.

3. Upload the Identity Provider metadata file IDPTENANT_metadata.xml created via the IDPTENANT App above.

4. Choose a user attribute to map to your identity provider IDPTENANT. Select Email to map your SACDEMO and IDPTENANT users via their Email attribute. Verify your account with the identity provider and save your settings.

In IDPTENANT App: Upload SAC metadata and set user mappings

In this section, you will:

  • Connect to IDPTENANT App as Administrator.
  • Add a new application “SACDEMO”
  • Upload xml SAML 2.0 file.
  • Set user mapping attributes for SACDEMO App
  1. Connect to IDPTENANT as Administrator. Under Applications & Resources > Applications, add a new application “SACDEMO”.

2. SAML 2.0 Configuration: upload application trust metadata in xml format

Upload Service Provider metadata file SACDEMO_metadata.xml created via SACDEMO App above.

3. Make sure you set the Name ID Attribute and Default Name ID format to E-Mail as displayed above. This will ensure the SACDEMO users and the IDPTENANT users are mapped via their assigned E-Mail attribute.

 

In SACDEMO App: Test authentication against IDP into SAC

In this section, you will:

  • Connect to SACDEMO App as Administrator.
  • Create user Michael Johnes on SACDEMO App
  • Test that Michael Johnes authenticates to IDPTENANT to log onto SACDEMO.

1. Connect to SACDEMO App as Administrator. Go to Security > Users, and click on the New button to create a user in SACDEMO App for employee Michael Johnes.

2. Michael Johnes receives an activation email. He clicks on Log In and is redirected to the IDPTENANT logon screen.

 

3. He enters his newly created IDPTENANT E-Mail/Password and is logged into the SACDEMO App.

Step 3: Enable your Custom SAML IdP for your SAP Cloud for Customer (C4C) tenant

Reference C4C SSO internal wiki: Default Settings for the SSO/Certificate Login

Reference C4C SSO external video: SSO Default Settings

Reference C4C SSO external white paper: How to Configure Single Sign-On (SSO) for SAP Cloud for Customer Using SAP Cloud Identity Service

In IDPTENANT App: Edit profiles with C4C login names

In this section, you will:

  • Connect to IDPTENANT as Administrator
  • Edit the profile of user Michael Johnes on IDPTENANT

Connect to IDPTENANT as an administrator. Go to Users & Authorizations > User Management. Click on user Michael Johnes to edit his profile. Enter “USSALESOPS” as Login Name for Michael Johnes. Click on Save. This will ensure this employee can later be mapped against his attached C4C user “USSALESOPS”.

In C4CDEMO App: Download C4C metadata and upload IDP metadata

In this section, you will:

  • Connect to C4CDEMO App as Administrator.
  • Download xml SAML 2.0 file
  • Upload xml SAML 2.0 file

  • Create/Edit the profile of user Michael Johnes on C4CDEMO App.

  1. Connect to C4CDEMO as an administrator, click on profile and launch the HTML5 interface.

2. Click on the Administrator tab and select Configure Single Sign-On in the Common Tasks subtab.

3. Click on “SP Metadata” to download the Service Provider C4CDEMO metadata as an XML file and rename the file to C4CDEMO_metadata.xml.

4. Click on the Identity Provider tab and select New Identity Provider to add the SAP Cloud Identity system as the Identity Provider for the SAP Cloud for Customer system. Browse and open the Identity Provider metadata file IDPTENANT_metadata.xml created via IDPTENANT App in Step 2.

5. Notice that the new Identity Provider is now listed and active.

6. Click on Activate Single Sign-On, and OK to the displayed message: we will explain later how to map C4CDEMO users to IDPTENANT users via their Login Name attribute.

Finally click on Save to save your configuration.

7. Go back to the My System tab. Notice that the SSO URL field shows the URL to use for Single Sign-On via SAP Cloud Identity to the SAP Cloud for Customer system.

8. We will now explain how to specify the Email address of a C4CDEMO user. In the Administrator tab, select General Settings subtab. Select Employees in the Users section.

9. Search for the employee name for which you need to set the proper Email attribute. In our case “Michael Johnes”.

10. Click on Edit. The Maintain Employee dialog is displayed. Notice that employee Michael Johnes is mapped to business user USSALESOPS. Enter the proper email address for Michael Johnes.

Click on Save and Close.

In IDPTENANT App: Upload C4C metadata and set user mappings

In this section, you will:

  • Connect to IDPTENANT App as Administrator.
  • Add a new application “C4CDEMO”
  • Upload the xml SAML 2.0 file.
  • Set mapping attributes for C4CDEMO App

Reference documentation: Configure the Name ID Attribute Sent to the Application

  1. Connect to IDPTENANT as Administrator. Under Applications & Resources > Applications, add a new application “C4CDEMO”.

2. SAML 2.0 Configuration: upload application trust metadata in xml format. Upload Service Provider metadata file C4CDEMO_metadata.xml created via C4CDEMO App above.

3. Make sure you set the Name ID Attribute to Login Name and the Default Name ID format to Unspecified. This will ensure the C4CDEMO users and the IDPTENANT users are mapped via their assigned Login Name attribute.
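
Before uploading SACDEMO_metadata.xml or C4CDEMO_metadata.xml to IDPTENANT and setting the Name ID format (E-Mail for SACDEMO, Unspecified for C4CDEMO), the downloaded file can be sanity-checked. The following Python sketch is an added example, not part of the original blog or of any SAP tool; the sample XML, entity ID, URL and certificate text are constructed placeholders, and it assumes the service provider metadata may declare its accepted NameID formats.

```python
import xml.etree.ElementTree as ET  # use defusedxml instead for XML you did not export yourself

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
EMAIL = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"      # SACDEMO mapping
UNSPECIFIED = "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"  # C4CDEMO mapping

# Constructed sample standing in for SACDEMO_metadata.xml; entity ID, URL and
# certificate text are placeholders, not values from a real tenant export.
SAMPLE_SP = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="sacdemo.example">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>PLACEHOLDER-CERT</ds:X509Certificate>
    </ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</md:NameIDFormat>
    <md:AssertionConsumerService index="0"
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://sacdemo.example/saml/acs"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""


def review_sp_metadata(xml_text, expected_name_id_format):
    """Return a list of findings for one service provider metadata document."""
    findings = []
    root = ET.fromstring(xml_text)
    if not root.get("entityID"):
        findings.append("missing entityID")
    sp = root.find("md:SPSSODescriptor", NS)
    if sp is None:
        return findings + ["no SPSSODescriptor: this is not service provider metadata"]
    # Assertions are posted to the ACS URL, so it must exist and use TLS.
    acs = [a.get("Location", "") for a in sp.findall("md:AssertionConsumerService", NS)]
    if not acs:
        findings.append("no AssertionConsumerService endpoint")
    findings += [f"ACS endpoint is not HTTPS: {url}" for url in acs
                 if not url.lower().startswith("https://")]
    # The IdP needs the SP certificate to verify signed requests.
    certs = sp.findall(".//ds:X509Certificate", NS)
    if not any((c.text or "").strip() for c in certs):
        findings.append("no X.509 certificate published")
    # If the SP declares NameID formats, the format set on the IdP must be one of them.
    formats = [(f.text or "").strip() for f in sp.findall("md:NameIDFormat", NS)]
    if formats and expected_name_id_format not in formats:
        findings.append("NameIDFormat mismatch: SP declares " + ", ".join(formats))
    return findings


if __name__ == "__main__":
    print(review_sp_metadata(SAMPLE_SP, EMAIL) or "no findings")
```

An empty result means the file is structurally usable for the chosen mapping; a NameIDFormat mismatch is the usual reason a user authenticates at the identity provider but is not matched to an account in the application.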

In C4CDEMO App: Test authentication against IDP into C4C

In this section, you will:

  • Test that Michael Johnes authenticates to IDPTENANT to log onto C4CDEMO.

  1. Log onto C4CDEMO on its SSO URL address. Select IDPTENANT for authentication. You get forwarded to the IDPTENANT logon screen. Enter the Email address and password you have set for Michael Johnes on IDPTENANT.

2. Notice that you are logged onto C4CDEMO as expected, as employee Michael Johnes.

Conclusion

To summarize, we were able to configure SSO between C4C and SAC. We provisioned a custom SAML Identity Provider, enabled it for the SAP Analytics Cloud (SAC) tenant, and finally enabled it for the SAP Cloud for Customer (C4C) tenant.

Please leave a comment or ask a question below.

 

 
