In one of my previous blogs, I explained how easy it is to simplify user administration in SAP Analytics Cloud. A key step is to enable single sign-on to your tenant by using your custom identity provider. But there was always a pain point: what if the SAML configuration in my identity provider becomes invalid? Am I locked out forever? It was not that bad, but if something was misconfigured you had to raise an incident via https://support.sap.com to revert to SAP Cloud Identity and start all over again. And maybe the worst thing besides users being locked out: if you switched back, each user would receive a ‘Welcome to SAP Analytics Cloud’ email…
In wave 2020.02, SAP has introduced the Identity Provider Administration Tool that you can use to repair your SAML IdP configuration when you have trouble logging in. In this blog, I will briefly show you the possibilities of this tool.
Identity Provider Administration
Besides the possibility to repair your SAML IdP configuration, the tool allows system owners to manage the custom identity provider configured with SAP Analytics Cloud. Through the tool, the system owner can choose to upload new metadata for the current custom identity provider or revert to using the default identity provider.
You can access ‘Identity Provider Administration’ via the following URL pattern:
To be able to log in there are two pre-requisites:
- You have already configured a custom identity provider. So you still follow the instructions provided in my blog (or SAP Help) for the initial configuration.
- You must be the system owner. It’s quite easy to switch system ownership. Please refer to my blog on how you can do this.
Once you log in, you will get an overview of the SAP Analytics Cloud systems that you are an owner of in that data center. Don’t panic if a system is not listed: either you are not the system owner, the missing system is hosted in a different data center, or you have disconnected the system from this functionality.
Click on one of the systems to open the details.
From here you can choose to revert to the default IdP or to upload IdP metadata. Furthermore, you can download the ‘Service Provider Metadata’ that you need for any new configurations.
Steps 2 and 3 are quite simple. You either confirm that you want to revert to the default IdP, after which you need to reconfigure your custom IdP from within SAP Analytics Cloud, or you upload a new metadata file.
It’s as simple as that.
Disconnect from Identity Provider Administration
If you don’t want to use the Identity Provider Administration tool you can either select a system and click on ‘Disconnect IdP Admin from system’ or go to ‘System’ – ‘Administration’ – ‘Security’ and scroll to ‘Optional: Configure Identity Administration Tool’.
For more information please visit Identity Provider Administration.