In this blog post, I would like to share the process involved in configuring SAP Data Warehouse Cloud (DWC) with Azure Active Directory (AAD) as an Identity Provider. By default, SAP Data Warehouse Cloud comes provisioned with an SAP Identity Provider. However, if your organization is already using Azure Active Directory, you can easily configure it with SAP Data Warehouse Cloud and enable your users to log in using their existing AD credentials.
For this blog post, I am using the trial instance of SAP DWC. You can register for one here and also get started with the free learning missions. It's important to understand that SAP DWC leverages SAP HANA Cloud as the underlying engine and uses SAP Analytics Cloud for visualization. Hence, if you have already configured Azure Active Directory with SAP Analytics Cloud, the steps are pretty much the same.
When you log in to SAP DWC, you will be able to manage users and role assignments using the “Security” menu.
However, if you need to change Security settings, you will have to switch to the “Analytics” product using the product switcher icon in the top right-hand corner.
This will take you to the SAP Analytics Cloud section, and here you will be able to use System > Administration to configure system-wide settings.
You can follow this tutorial posted by Microsoft, as it's pretty much still relevant for this task.
Enable SAML Single Sign-on and download the metadata file which will be used in Microsoft Azure.
For this demonstration, I have already set up my account in Microsoft Azure. In Azure Active Directory, look for “SAP Analytics Cloud” in Enterprise Applications.
Provide the name for your application. In the below example, I have given “DWC Trial”. For this task, we need to configure two sections – “Set up Single Sign on” and “Assign users and groups” to this application.
Let’s start with “Set up Single Sign on”. Navigate to SAML tile and click on the button “upload metadata file” to provide the file which was downloaded earlier from SAP Analytics Cloud. This would populate all the required fields. You would need to provide the “Sign on URL”.
In my example, I have used https://hcf137ab58dbe04d4cb6f.eu10.sapanalytics.cloud, where “hcf137ab58dbe04d4cb6f” is the tenant name, which you can obtain from the URL.
In the “User Attributes & Claims” section, edit the section and update the source attribute of nameidentifier to “user.email” as shown below.
The SAML Signing certificate was empty for me. If it’s the same for you, just create a “New Certificate” and accept the defaults for signing option “sign SAML assertion” and algorithm as “SHA-256”. Once you save your changes, you will be able to see the below screen and be able to download the Metadata XML.
Once the SAML setup is complete, navigate to “Users and Groups” and add the user for which you want to use Azure AD to authenticate.
Switch back to SAP Analytics Cloud and, in the Security section, upload the metadata file obtained from Azure Active Directory.
Set the user attribute to “Email” and in the confirm section put your email ID. This email ID needs to be the Security Owner for this tenant. This email ID also needs to be a user for the configured application in Azure AD.
Clicking on “Verify Account” will give you a URL in a popup window. Copy the URL into a private window and provide your credentials for Azure AD.
If everything goes well, you will get a success message.
Close the private window and “Save” your changes. This will provide you with a confirmation popup to convert to SAML Single Sign-on.
After you have converted the configuration to use the new SAML setup, all new authentication requests to SAP DWC will take the users to Azure AD.
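To confirm that the claim and signing settings chosen above actually reach SAP (nameidentifier sourced from user.email, "sign SAML assertion", SHA-256), you can inspect a SAML response captured from your own test sign-in and base64-decoded. The following Python check is an added example, not part of the original post or of any SAP or Microsoft tooling; the function name `check_response` and the sample response are constructed for illustration, and the check inspects structure only, it does not verify the signature cryptographically.

```python
import re
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
RSA_SHA256 = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"
SHA256 = "http://www.w3.org/2001/04/xmlenc#sha256"

# Constructed sample response (no real tenant data, signature values omitted).
SAMPLE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
 xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
 xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
 <saml:Assertion ID="_a1"><ds:Signature><ds:SignedInfo>
  <ds:SignatureMethod Algorithm="{alg}"/>
  <ds:Reference URI="#_a1"><ds:DigestMethod
   Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/></ds:Reference>
 </ds:SignedInfo></ds:Signature>
 <saml:Subject><saml:NameID>{name_id}</saml:NameID></saml:Subject>
 </saml:Assertion></samlp:Response>"""


def check_response(xml_text, expected_email):
    """Return a list of findings; an empty list means the settings match."""
    findings = []
    assertion = ET.fromstring(xml_text).find("saml:Assertion", NS)
    if assertion is None:
        return ["no unencrypted Assertion element found"]
    # "Sign SAML assertion": the Signature is a direct child of the Assertion.
    sig = assertion.find("ds:Signature", NS)
    if sig is None:
        findings.append("assertion is not signed")
    else:
        method = sig.find("ds:SignedInfo/ds:SignatureMethod", NS)
        ref = sig.find("ds:SignedInfo/ds:Reference", NS)
        digest = ref.find("ds:DigestMethod", NS) if ref is not None else None
        if method is None or method.get("Algorithm") != RSA_SHA256:
            findings.append("signature algorithm is not RSA-SHA256")
        if digest is None or digest.get("Algorithm") != SHA256:
            findings.append("digest algorithm is not SHA-256")
        if ref is None or ref.get("URI") != "#" + assertion.get("ID", ""):
            findings.append("signature does not reference this assertion")
    # nameidentifier mapped to user.email: NameID must be the expected address.
    name_id = assertion.find("saml:Subject/saml:NameID", NS)
    value = (name_id.text or "").strip() if name_id is not None else ""
    if not re.fullmatch(r"[^@\s]+@[^@\s]+\.[^@\s]+", value):
        findings.append("NameID is not an e-mail address: %r" % value)
    elif value != expected_email:
        findings.append("NameID %r does not match %r" % (value, expected_email))
    return findings
```

Call `check_response(decoded_xml, "security.owner@your-domain")` with the address you entered in the confirm section; a non-empty result points at the Azure AD setting to revisit before converting the tenant to SAML Single Sign-on.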
These are some of the key steps which are required while configuring SAML authentication with Azure AD. There are a few other related topics, like dynamic user creation and SAML attribute mappings, which are documented in the SAP Help. If you do have any issues when configuring this process, please post a question in the forum.