Integrate SAP Data Warehouse Cloud with Azure Active Directory
In this blog post, I would like to share the process involved in configuring SAP Data Warehouse Cloud (DWC) with Azure Active Directory (AAD) as an Identity Provider. By default, SAP Data Warehouse Cloud comes provisioned with an SAP Identity Provider. However, if your organization is already using Azure Active Directory, you can easily configure it with SAP Data Warehouse Cloud and enable your users to log in using their existing AD credentials.
For this blog post, I am using the trial instance of SAP DWC. You can register for one here and also get started with the free learning missions. It's important to understand that SAP DWC leverages SAP HANA Cloud as the underlying engine and uses SAP Analytics Cloud for visualization. Hence, if you have already configured Azure Active Directory with SAP Analytics Cloud, the steps are pretty much the same.
When you log in to SAP DWC, you will be able to manage users and role assignments using the “Security” menu.
However, if you need to change the Security settings, you will have to switch to the “Analytics” product using the product switcher icon in the top right-hand corner.
This will take you to the SAP Analytics Cloud section, where you can use System > Administration to configure system-wide settings.
You can follow this tutorial posted by Microsoft, as it is still largely relevant for this task.
Enable SAML Single Sign-on and download the metadata file which will be used in Microsoft Azure.
For this demonstration, I have already set up my account in Microsoft Azure. In Azure Active Directory, look for “SAP Analytics Cloud” in Enterprise Applications.
Provide the name for your application. In the below example, I have given “DWC Trial”. For this task, we need to configure two sections – “Set up Single Sign on” and “Assign users and groups” to this application.
Let’s start with “Set up Single Sign on”. Navigate to SAML tile and click on the button “upload metadata file” to provide the file which was downloaded earlier from SAP Analytics Cloud. This would populate all the required fields. You would need to provide the “Sign on URL”.
In my example, I have used https://hcf137ab58dbe04d4cb6f.eu10.sapanalytics.cloud, where “hcf137ab58dbe04d4cb6f” is the tenant name, which you can obtain from the URL.
In the “User Attributes & Claims” section, edit the section and update the source attribute of nameidentifier to “user.email” as shown below.
The SAML Signing certificate was empty for me. If it’s the same for you, just create a “New Certificate” and accept the defaults for signing option “sign SAML assertion” and algorithm as “SHA-256”. Once you save your changes, you will be able to see the below screen and be able to download the Metadata XML.
Once the SAML setup is complete, navigate to “Users and Groups” and add the user for which you want to use Azure AD to authenticate.
Switch back to SAP Analytics Cloud and, in the Security section, upload the metadata file obtained from Azure Active Directory.
Set the user attribute to “Email” and in the confirm section put your email ID. This email ID needs to be the Security Owner for this tenant. This email ID also needs to be a user assigned to the configured application in Azure AD.
Clicking on “Verify Account” will give you a URL in a popup window. Copy the URL in a private window and provide your credentials for Azure AD.
If everything goes well, you will get a success message.
Close the private window and “Save” your changes. This will provide you with a confirmation popup to convert to SAML Single Sign-on.
After you have converted the configuration to use the new SAML setup, all new authentication requests to SAP DWC will take the users to Azure AD.
These are some of the key steps which are required while configuring SAML authentication with Azure AD. There are a few other related topics, like dynamic user creation and SAML attribute mappings, which are documented in the SAP Help. If you do have any issues when configuring this process, please post a question in the forum.
Thanks Murali Shanmugham, will add this to my list of tutorials and missions - appreciate the step-by-step guide.
In case someone gets the same issue as me, here is some more information that hopefully will help.
Murali documented the setup as per the state of 2020. In January 2022, when we are trying to build exactly the same configuration, during the user validation step (Verify Account) I can see in the SAML traces that I get a "correct" SAML2 assertion from Azure; this one is sent to the correct endpoint on the DWC tenant side, however when I am finally redirected (HTTP 302) to the /dwc-core/ resource I get a 401 error. As a result the user validation fails, since the final DWC authentication step did not go well.
Checked again the documentation pages to see if I was missing something.
Finally I came up to SAP Note 3108777, which explains that the "Groups" claim must be maintained on Azure (or whatever custom IDP you need to use) the same way as for SAP Analytics Cloud, that is:
More information here: Step 7.
Without this, the correct setup described by Murali above is still not going to work fine. I hope that SAP are going to properly update their documentation at some time.
Technically this is exactly the same setup one needs to do for SAP Analytics Cloud as well.
Hope this will save time and efforts for someone ...
The Groups = 'sac' saved me hours of debugging.
Nice blog. I got everything to work except the Dynamic User creation.
My understanding is if the User is in AD but not in DWC, first time the User logs into DWC via AD, the user will get created in DWC. When I try accessing as a user in AD but not in DWC, I get this error....
Any ideas on what I am missing?
For BW Bridge Users -- follow the instructions in this note if you use some attribute other than email ID for IdP integration: https://launchpad.support.sap.com/#/notes/3156000