
Mapping SAML attributes when SAP Analytics Cloud uses custom IdP for SAML Sign-On authentication

This blog describes how to map SAML assertion user attributes when SAP Analytics Cloud uses a custom IdP (for example, ADFS) for SAML Sign-On authorization.

You can map existing SAML user attributes to SAP Analytics Cloud user profiles.

In summary, the configuration provided in this document has been executed on the following platform:

  • Microsoft ADFS (Windows Server 2012 R2) as Identity Provider
  • SAP Analytics Cloud as Service Provider

Prerequisite

  • SAML needs to be enabled in SAP Analytics Cloud
  • Follow the blog below to configure SAML for SAP Analytics Cloud using ADFS as the Identity Provider

https://blogs.sap.com/2017/12/19/sap-analytics-cloud-saml-sso-using-adfs-active-directory-federation-services-as-an-identity-provider/

  • Your custom SAML Identity Provider (IdP) must be configured and you should be able to log in to your tenant without problems

Context

To ensure that SAP Analytics Cloud user profiles are updated with the latest information from your SAML IdP, you can map SAML user attributes to the following fields in SAP Analytics Cloud:

  • First Name
  • Last Name
  • Display Name
  • E-Mail
  • Functional Area
  • Language
  • Custom1, Custom 2, and so on

Each time a user logs on to SAP Analytics Cloud, the latest information is read from their SAML assertion and updated in their SAP Analytics Cloud user profile.

Configuring ADFS

We need to configure ADFS to return one or more SAML user attributes in the SAML assertions that are issued to authenticated SAML users.

    1. Open ADFS Management
    2. Right-click the relying party that is used for configuring SAML for SAP Analytics Cloud and select Edit
    3. NOTE: If SAP Analytics Cloud is running on a non-SAP data center, for example Cloud Foundry (AWS), you must map your SAML attribute assertion to our white-listed attributes.
      Map the assertion like below:

Note: Map the LDAP attribute SAM-Account-Name to an intermediary claim. You can select any claim type from the dropdown list or provide a custom claim type name. In this sample, we manually enter the custom claim type name my_intermediate_claim.

  1. Now add a transformation from this intermediary claim to the claim required by SAP Analytics Cloud: Name ID
  2. Click OK

Configuring SAP Analytics Cloud

Map SAML Attributes in SAP Analytics Cloud

  1. Log on to SAP Analytics Cloud and verify the passed SAML attributes using the SAML add-on for Google dev tools
    Press F12 and select the SAML tab before logging in
    Log in and check that the attributes match the ones defined on the ADFS side.
  2. Go to Security -> Users
  3. Select Map SAML User Properties
  4. SAML attributes can be mapped to SAP Analytics Cloud user properties by selecting the appropriate SAML attribute for each target property
    In our case we map the following SAML attributes to the target properties

Note: If you see only “1 Attributes found” even though the attributes sent by ADFS are visible in the SAML response, check the note below.

https://apps.support.sap.com/sap/support/knowledge/public/en/2559605
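The check in step 1 can also be done offline. The following Python sketch is an added example, not part of the original blog or of any SAP or Microsoft tooling: it decodes the base64 SAMLResponse value posted to SAP Analytics Cloud and lists the NameID and attributes so they can be compared with what ADFS is configured to send. The sample response, the attribute names and the function names are constructed assumptions.

```python
import base64
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample response (not from a real tenant); the attribute names
# and values are assumptions for illustration.
SAMPLE_XML = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Assertion>
    <saml:Subject><saml:NameID>jdoe</saml:NameID></saml:Subject>
    <saml:AttributeStatement>
      <saml:Attribute Name="given_name"><saml:AttributeValue>Jane</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="family_name"><saml:AttributeValue>Doe</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="email"><saml:AttributeValue>jane.doe@example.com</saml:AttributeValue></saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""
SAMPLE_B64 = base64.b64encode(SAMPLE_XML.encode("utf-8")).decode("ascii")


def read_assertion(saml_response_b64):
    """Return (NameID, {attribute name: [values]}) from a base64 SAMLResponse.

    Inspection aid only: the signature is NOT validated here.
    """
    root = ET.fromstring(base64.b64decode(saml_response_b64))
    if root.find("saml:EncryptedAssertion", NS) is not None:
        raise ValueError("assertion is encrypted; attributes are not readable")
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        raise ValueError("no Assertion element in response")
    name_id = assertion.findtext("saml:Subject/saml:NameID", namespaces=NS)
    attrs = {}
    for attr in assertion.iterfind("saml:AttributeStatement/saml:Attribute", NS):
        values = [v.text or "" for v in attr.findall("saml:AttributeValue", NS)]
        attrs.setdefault(attr.get("Name"), []).extend(values)
    return name_id, attrs


def missing_attributes(attrs, expected):
    """Expected attribute names that the IdP did not send."""
    return sorted(set(expected) - set(attrs))


if __name__ == "__main__":
    name_id, attrs = read_assertion(SAMPLE_B64)
    print("NameID:", name_id, "attributes:", attrs)
    print("missing:", missing_attributes(attrs, ["given_name", "email", "language"]))
```

A captured SAMLResponse contains user data and should be handled like any other credential-bearing log: inspect it locally and do not paste it into online decoders.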

Verification

  • To verify that the configuration and mapping are correct, change one of the user attributes (for example, FirstName) in the ADFS user property
  • Log in to SAP Analytics Cloud as the user whose FirstName attribute has been changed
  • Go to Security -> Users

Verify that the latest information is read from the SAML assertion and updated in the SAP Analytics Cloud user profile.

References

For more information, refer to the SAP Analytics Cloud help

https://help.sap.com/viewer/00f68c2e08b941f081002fd3691d86a7/release/en-US/5e917dc3fc8f42828d4dfa850e78c913.html

Learn More:

https://blogs.sap.com/2018/02/28/saml-integration-between-microsoft-azure-portal-and-sap-analytics-cloud/

https://blogs.sap.com/2017/12/19/sap-analytics-cloud-saml-sso-using-adfs-active-directory-federation-services-as-an-identity-provider/

https://blogs.sap.com/2018/02/22/adfs-with-sap-business-intelligence-platform/

https://blogs.sap.com/2018/03/01/saml-integration-between-microsoft-azure-portal-and-sap-business-intelligence-platform/
