
Integrating SAP Analytics Cloud with Azure AD SAML

Introduction

I have been working as a consultant implementing the SAP BI Platform and its predecessors for nearly 15 years at various customer sites. A common requirement for most of the customers I deal with for SAP BI Platform 4.x deployments is the ability for users to login with Windows Active Directory (AD) Single Sign-On (SSO).

SAC by default uses SAP Cloud Platform Identity Authentication as its Identity Provider (IdP). As with SAP BI Platform, you can integrate your own IdP instead, such as Microsoft ADFS or Azure AD. The customer I implemented this for used Azure AD linked to their on-premises Windows AD domain, which allows seamless SSO into SAC with a standard domain account.

The key difference between SSO for SAP BI Platform and for SAC is the protocol: SAP BI Platform's AD SSO uses Kerberos, whereas SAC uses SAML 2.0, so trust is established by exchanging metadata between SAC and the IdP and the user is identified by a signed assertion rather than a domain ticket.

This article will go through the process of setting up Azure AD as the IdP.

It should be noted that this topic was covered before by Mohammed Ashraf in this post: https://blogs.sap.com/2018/02/28/saml-integration-between-microsoft-azure-portal-and-sap-analytics-cloud/. However, I think some aspects have changed since 2018, e.g. the Azure gallery application is now called SAP Analytics Cloud rather than BusinessObjects Cloud, and you can now export a metadata file from SAC and upload it into Azure rather than manually typing the cloud domain URLs.

Pre-Reqs

The following is needed in order to complete Azure AD integration:

  1. A SAC tenant, which your organisation will already have. If you are studying this yourself, I believe you will need to purchase a tenant rather than use the trial version. You can purchase a 1-user license for a year (the minimum subscription term). This will give you a license for 1 admin account and 1 user in a single tenant. If you only want it for a year, remember to turn off auto-renewal of the subscription. I paid around £240 for 1 year. Check out https://www.sap.com/uk/products/cloud-analytics.html if you want to purchase a tenant.
  2. Microsoft Azure subscription which again your organisation should have. If not, you can get your own free subscription for 12 months access. Check out https://azure.microsoft.com/en-gb/free/ to setup an account.
  3. A PC with Google Chrome
  4. The SAML Chrome Panel for Google Chrome. A good tool for helping to troubleshoot SAML issues. https://chrome.google.com/webstore/detail/saml-chrome-panel/paijfdbeoenhembfhkhllainmocckace?hl=en
  5. You need to perform the set up using an account which has been set as the “System_Owner” in the SAC tenant. It is vital that the account/email address you wish to link to does not already exist in your SAC tenant. If it does you will not be able to perform the final conversion step.

Setup Process

Step 1: SAC – Download Service Provider Metadata

  • Login to SAC Tenant (https://<tenantname>.eu10.sapanalytics.cloud/) as the user with “System_Owner” privileges (Note: <tenant name> should be replaced with the name of your tenant and eu10 denotes the data centre the tenant is in. Your tenant could have a different number and different region).
  • Click on Menu > System > Administration

  • Go to Security Tab
  • Click the pencil icon
  • Change Authentication Method to SAML Single Sign-On (SSO)
  • Under “Step 1 Download Service Provider Metadata” click the download button.
    • Save “saml-<tenantname>-sp.xml” locally

Step 2: Azure – Create Azure Enterprise Application

  • In the Azure portal, open Azure Active Directory and select “Enterprise applications”

  • Click “New Application”

  • Search for and select “SAP Analytics Cloud”

  • Name the application e.g. “SAP Analytics Cloud Eval” and click Add.

  • You have now created the Application


Step 3: Azure – Enable Single Sign-On

  • In the Overview screen of the application you just created (“SAP Analytics Cloud Eval” in this example), click Single sign-on

  • Select “SAML”

  • Click “Upload metadata file”

Uploading the file populates the “Identifier (Entity ID)” and “Reply URL (Assertion Consumer Service URL)” fields under the Basic SAML Configuration section from the entityID and AssertionConsumerService entries in the SP metadata. The “Sign on URL” field is not part of the metadata and still has to be entered manually.

  • Click the edit icon under basic SAML

  • Enter https://<tenantname>.eu10.sapanalytics.cloud into the “Sign on URL” field. Click Save

The link between the Azure AD IdP and SAC is made by email address: SAC matches the SAML subject (NameID) against the user's email. By default, Azure AD sends the user principal name (user.userprincipalname) as the NameID, which is not necessarily the same string as the mail address, and SAC will fail to log the user in. The claim therefore has to be changed.

  • Under User Attributes & Claims, click the edit icon

  • Click the edit icon for Name identifier value

  • Change Source attribute to user.mail and then click Save

  • Under SAML Signing Certificate, download the Federation Metadata XML file. The file will have a default name of your application e.g. SAP Analytics Cloud Eval.xml.

Step 4: SAC – Convert Tenant to SAML

  • Login to SAP Analytics Cloud Tenant as the user with “System_Owner” privileges
  • Click on Menu > System > Administration

  • Go to Security Tab
  • Click the pencil icon
  • Change Authentication Method to SAML Single Sign-On (SSO)
  • Under “Step 2: Upload Identity Provider Metadata” click the Upload… button.
    • Select “SAP Analytics Cloud Eval.xml”

  • Under “Step 3: Choose a user attribute to map to your identity provider”
    • User Attribute: Email
    • Dynamic User Creation: Checked

  • Under “Step 4: Verify your account with the identity provider”
    • Login Credential (Email): <youremailaddress> e.g. captainamerica@hotmail.com
    • Click Verify Account

  • Copy the Login URL and open it in a separate browser (e.g. if you are using Microsoft Edge, test in Google Chrome) so that the test login does not reuse the session you are already signed in with. Follow the Microsoft Azure login prompts as the test user.

  • You will then be presented with a verification successful screen.

  • Once completed, click “Check Verification”
  • Click Save icon
  • Click Convert

Note: The System_Owner’s email address will be changed to the email address used for verification. If an existing account already has this email address, the conversion will fail.
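Before uploading either file it is worth checking what it actually contains, because the fields Azure fills in during Step 3 and the values SAC relies on in Step 4 all come straight out of these two XML documents. The script below is an added example for this article, not SAC or Azure code. It extracts from the SAC SP metadata the entityID, the HTTP-POST AssertionConsumerService URL and the tenant origin (which is what goes into the Sign on URL field), and from the Azure federation metadata the IdP entityID (the Issuer SAC will see in every assertion), the SingleSignOnService endpoint and the SHA-1 thumbprint of the signing certificate, which you can compare with the Thumbprint shown under SAML Signing Certificate in Azure. The two XML documents embedded in it are constructed stand-ins: the tenant name, tenant id and certificate bytes are placeholders, so replace them with the real file contents to use it.

```python
# Cross-check the two SAML metadata files exchanged in Steps 1-4.
# Added example for this article, not SAC or Azure code. SP_METADATA and
# IDP_METADATA are constructed stand-ins for saml-<tenant>-sp.xml and Azure's
# "Federation Metadata XML"; tenant name, tenant id and certificate are placeholders.
import base64
import hashlib
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata", "ds": "http://www.w3.org/2000/09/xmldsig#"}
HTTP_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
HTTP_REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
EMAIL_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"

SP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://mytenant.eu10.sapanalytics.cloud/sap/fpa/ui">
  <md:SPSSODescriptor WantAssertionsSigned="true"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</md:NameIDFormat>
    <md:AssertionConsumerService index="0" isDefault="true"
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://mytenant.eu10.sapanalytics.cloud/saml2/sp/acs"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""

TENANT_ID = "00000000-0000-0000-0000-000000000000"  # placeholder Azure AD tenant id
FAKE_CERT_B64 = base64.b64encode(b"placeholder bytes, not a real X.509 certificate").decode()
IDP_METADATA = f"""<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://sts.windows.net/{TENANT_ID}/">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor use="signing"><KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
      <X509Data><X509Certificate>{FAKE_CERT_B64}</X509Certificate></X509Data>
    </KeyInfo></KeyDescriptor>
    <NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</NameIDFormat>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://login.microsoftonline.com/{TENANT_ID}/saml2"/>
  </IDPSSODescriptor>
</EntityDescriptor>"""


def parse_sp_metadata(xml_text):
    """Values Azure fills in from the SP metadata upload, plus the Sign on URL to type."""
    root = ET.fromstring(xml_text)
    sp = root.find("md:SPSSODescriptor", NS)
    post_acs = [s for s in sp.findall("md:AssertionConsumerService", NS)
                if s.get("Binding") == HTTP_POST]
    if not post_acs:
        raise ValueError("SP metadata has no HTTP-POST AssertionConsumerService")
    acs_url = post_acs[0].get("Location")
    origin = urlsplit(acs_url)
    return {
        "entity_id": root.get("entityID"),                    # Azure: Identifier (Entity ID)
        "acs_url": acs_url,                                   # Azure: Reply URL
        "sign_on_url": f"{origin.scheme}://{origin.netloc}",  # Azure: Sign on URL
        "name_id_formats": [n.text.strip() for n in sp.findall("md:NameIDFormat", NS)],
        "want_assertions_signed": sp.get("WantAssertionsSigned") == "true",
    }


def parse_idp_metadata(xml_text):
    """Values SAC takes from the Azure federation metadata."""
    root = ET.fromstring(xml_text)
    idp = root.find("md:IDPSSODescriptor", NS)
    sso = {s.get("Binding"): s.get("Location") for s in idp.findall("md:SingleSignOnService", NS)}
    thumbprints = []
    for kd in idp.findall("md:KeyDescriptor", NS):
        if kd.get("use") in (None, "signing"):  # an absent "use" means signing and encryption
            for cert in kd.findall(".//ds:X509Certificate", NS):
                der = base64.b64decode("".join(cert.text.split()))
                thumbprints.append(hashlib.sha1(der).hexdigest().upper())  # Azure's "Thumbprint"
    return {
        "entity_id": root.get("entityID"),  # the Issuer SAC will see in every assertion
        "sso_redirect_url": sso.get(HTTP_REDIRECT),
        "signing_thumbprints": thumbprints,
    }


def cross_check(sp, idp):
    """Return a list of problems; an empty list means the pair looks consistent."""
    problems = []
    if EMAIL_FORMAT not in sp["name_id_formats"]:
        problems.append("SP metadata does not advertise the emailAddress NameID format")
    if not sp["want_assertions_signed"]:
        problems.append("SP metadata does not require signed assertions")
    if not idp["sso_redirect_url"]:
        problems.append("IdP metadata has no HTTP-Redirect SingleSignOnService endpoint")
    if not idp["signing_thumbprints"]:
        problems.append("IdP metadata has no signing certificate, so assertions cannot be verified")
    for key in ("entity_id", "acs_url"):
        if not sp[key].startswith("https://"):
            problems.append(f"SP {key} is not https")
    return problems


if __name__ == "__main__":
    sp, idp = parse_sp_metadata(SP_METADATA), parse_idp_metadata(IDP_METADATA)
    print(sp, idp, sep="\n")
    print("problems:", cross_check(sp, idp) or "none")
```

The thumbprint is deliberately SHA-1 because that is what the Azure portal displays; for the placeholder certificate above it is meaningless, but for the real file it lets you confirm that the metadata you are about to upload into SAC carries the certificate Azure is currently signing with, which matters again whenever the certificate is rotated.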

Troubleshooting

If you have issues, you can use the SAML Chrome Panel.

  • Press F12 to open Chrome DevTools and go to the SAML tab
  • Try to login to SAC
  • You will see entries appear, check the one that has your SAC Tenant URL
  • Search for the subject and verify that it is your email address that is being passed.

One thing that caught me out was the case not matching. The subject comparison is case sensitive. If you are manually creating users in your SAC tenant, make sure the subject, in this case the email address, has exactly the same case as the NameID Azure sends, e.g. a SAC user CaptainAmerica@Hotmail.com will not match a SAML assertion carrying captainamerica@hotmail.com.
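The same check can be done outside the browser. The script below is an added example for this article (not part of the original post and not SAC code): it takes the base64 SAMLResponse value from the form POST to the SAC ACS URL, the same document the SAML Chrome Panel shows decoded, pulls out the Issuer, the Audience and the Subject NameID, and compares the NameID with a list of SAC user emails, reporting a case-only mismatch separately from a genuinely unknown user. The response embedded in it is constructed, with a placeholder Azure tenant id and the example address used above. It does not verify the XML signature, so it is a diagnostic aid rather than a validator; that verification is SAC's job.

```python
# Decode a SAMLResponse posted to the SAC ACS URL and check what SAC will match on.
# Added example for this article, not SAC code. RESPONSE_XML is a constructed
# response with a placeholder Azure AD tenant id; the signature is NOT verified here.
import base64
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
EMAIL_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
IDP_ENTITY_ID = "https://sts.windows.net/00000000-0000-0000-0000-000000000000/"  # placeholder
SP_ENTITY_ID = "https://mytenant.eu10.sapanalytics.cloud/sap/fpa/ui"             # placeholder

RESPONSE_XML = f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}"
    ID="_r1" Version="2.0" IssueInstant="2020-01-01T00:00:00Z"
    Destination="https://mytenant.eu10.sapanalytics.cloud/saml2/sp/acs">
  <saml:Issuer>{IDP_ENTITY_ID}</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2020-01-01T00:00:00Z">
    <saml:Issuer>{IDP_ENTITY_ID}</saml:Issuer>
    <saml:Subject>
      <saml:NameID Format="{EMAIL_FORMAT}">captainamerica@hotmail.com</saml:NameID>
    </saml:Subject>
    <saml:Conditions><saml:AudienceRestriction>
      <saml:Audience>{SP_ENTITY_ID}</saml:Audience>
    </saml:AudienceRestriction></saml:Conditions>
    <saml:AttributeStatement>
      <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress">
        <saml:AttributeValue>captainamerica@hotmail.com</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""
# What the browser posts as the SAMLResponse form field (constructed from the XML above).
SAML_RESPONSE_B64 = base64.b64encode(RESPONSE_XML.encode()).decode()


def decode_saml_response(b64):
    """Pull out the fields SAC checks; raises if the assertion is missing or encrypted."""
    root = ET.fromstring(base64.b64decode(b64))
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        raise ValueError("no plaintext Assertion (encrypted assertions are not handled here)")
    name_id = assertion.find("saml:Subject/saml:NameID", NS)
    attrs = {a.get("Name"): [v.text for v in a.findall("saml:AttributeValue", NS)]
             for a in assertion.findall("saml:AttributeStatement/saml:Attribute", NS)}
    return {
        "status": root.find("samlp:Status/samlp:StatusCode", NS).get("Value"),
        "destination": root.get("Destination"),
        "issuer": assertion.findtext("saml:Issuer", "", NS).strip(),
        "name_id": name_id.text.strip() if name_id is not None and name_id.text else None,
        "name_id_format": name_id.get("Format") if name_id is not None else None,
        "audiences": [a.text.strip() for a in assertion.findall(
            "saml:Conditions/saml:AudienceRestriction/saml:Audience", NS)],
        "attributes": attrs,
    }


def diagnose(resp, idp_entity_id, sp_entity_id, sac_users):
    """Explain why SAC would reject or mis-map this response; [] means it looks right."""
    findings = []
    if not resp["status"].endswith(":Success"):
        findings.append(f"IdP returned status {resp['status']}")
    if resp["issuer"] != idp_entity_id:
        findings.append(f"issuer {resp['issuer']!r} is not the IdP entityID SAC was given")
    if sp_entity_id not in resp["audiences"]:
        findings.append(f"audience {resp['audiences']} does not include the SAC entityID")
    if resp["name_id_format"] != EMAIL_FORMAT:
        findings.append(f"NameID format is {resp['name_id_format']}; set Azure's name identifier source to user.mail")
    sent = resp["name_id"]
    if not sent:
        findings.append("assertion carries no NameID")
    elif sent not in sac_users:
        by_lower = {u.lower(): u for u in sac_users}  # exact match failed; was it only the case?
        if sent.lower() in by_lower:
            findings.append(f"case mismatch: SAC user is {by_lower[sent.lower()]!r} but IdP sent {sent!r}")
        else:
            findings.append(f"no SAC user {sent!r}; dynamic user creation would create one on login")
    return findings


if __name__ == "__main__":
    resp = decode_saml_response(SAML_RESPONSE_B64)
    print("NameID:", resp["name_id"], "Issuer:", resp["issuer"])
    for finding in diagnose(resp, IDP_ENTITY_ID, SP_ENTITY_ID, ["CaptainAmerica@Hotmail.com"]):
        print("FINDING:", finding)
```

To use it on a real login, copy the SAMLResponse value from the POST to your tenant's ACS URL (the SAML Chrome Panel or the DevTools Network tab both expose it) into SAML_RESPONSE_B64, and put your own IdP and SP entityIDs and the SAC user list into the call to diagnose. Azure AD also sends the email as a separate claim (the emailaddress attribute above), but SAC matches on the NameID, which is why the Step 3 change to the name identifier source is what decides whether the login works.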

Conclusion

Once Azure AD integration is set up, all subsequent logins to your SAC tenant go via Azure AD. Access to SAC is now controlled by Azure AD, with users being created dynamically in SAC when they first log in. Because Dynamic User Creation is enabled, anyone who can authenticate to the enterprise application gets an SAC account on first login; unless “User assignment required?” is set to Yes under the application's Properties in Azure and the intended users or groups are assigned, that is every account in the Azure AD tenant. It should also be noted that this guide only sets up authentication to SAC, not security within SAC: roles and team membership for the newly created users still have to be configured on the SAC side.

You can now set up features such as 2-factor authentication, or restrict access to SAC to devices joined to your corporate domain, using conditional access in Azure AD.

I hope you will find this guide useful.

I will look into making future blogs on technical aspects on areas that I work on which is mainly SAP BI Platform, SAP Analytics Cloud and possibly SAP HANA.

Andrew
