SAP Analytics cloud SAML SSO with BTP Cloud Identity services – Identity Authentication End to End From SAP Analytics cloud to the Live BW system
I have been asked by many customer’s about an End to End blog or a document which explains step by step, how to configure SAML SSO between SAP Analytics cloud and an Identity Provider and also SAML SSO between same Identity provider and SAP BW or SAP S/4HANA .
I will try to explain in the blog:
SAP Analytics Cloud Customer’s would like to enable End to End SAML SSO between SAC, any Corporate Identity provider and the Live Data Sources like SAP BW, S/4HANA, BW4/HANA.
let’s do it in two phases.
1st Phase – SAML SSO between SAP Analytics cloud and BTP Cloud Identity Services- Identity Authentication (Formerly called as Identity Authentication Service IAS)
- Customer should use same Corporate identity provider to achieve seamless SAML SSO from SAP Analytics cloud to access the Live data sources SAP Analytics cloud Dashboard/reports.
- Corporate Identity Provider should be SAML SSO complaint.
- User who performs SAML SSO configuration in SAP Analytics cloud should be System Owner
- Corporate IDP Admin has to team up with SAP Analytics cloud System owner to perform the configurations together.
Configuration on SAP Analytics Cloud:
- From Menu, Navigate to System – Administration – Security – click on Edit button.
TIP: If the Edit button is greyed out, then your userid is not assigned with required System owner role.
- By default Authentication Method is SAP Cloud Identity, switch/select SAML Single Sign-On (SSO) .
- Download Metadata from SAP Analytics cloud
Tip: You should send this SAP Analytics cloud Metadata to corporate Identity Provider Admin colleague, who can upload it in IDP.
I will now switch to BTP Cloud Identity Services – Identity Authentication to create an application called SAC and upload the SAC Metadata, map the user attributes.
- From menu , navigate to applications – select create
2. Provide a name as Application Display name , select Application type as SAP Analytics cloud
3. To upload SAC metadata, please select SAML2.0 Configuration under trust from the application created.
4. Under Define from Metadata, select browse and choose the SAC metadata downloaded
5. Verify whether Assertion Consumer Service Endpoint, Single Logout Endpoint, Signing Certificate is already filled after metadata is uploaded.
6. Select the Signing Algorithm as SHA-256 or SHA-1, both are supported on SAC AWS environment.
7. Save .
8. I will now select Login Name as Subject Name Identifier, it’s the profile attribute that Identity Authentication sends to the application as Name Id in the SAML Assertions.. Then the SAC Application uses this attribute to identify the user.
Please note, I will use Userid/ Login Name to configure SAML SSO between SAC and Identity Authentication.
9. Click on Save .
10. Select Default Name ID Attribute as Unspecified.
11. Click on Save.
12. Configure User attributes sent to the application like displayname, firstname, lastname, email and other attributes.
The assertion attribute name must match the name that the application is expecting, refer to SAP Analytics cloud Help documentation
13. Click on Save.
Next step is to download Identity Authentication Metadata and upload into SAP Analytics cloud.
Navigate to Tenant Settings in Identity Authentication – click on SAML 2.0 Configuration
Click on Download Metadata File
It’s time to switch to SAP Analytics cloud to finish the SAML SSO Configuration.
Upload the Identity Authentication Metadata file, Step2 in SAP Analytics cloud
Click on Upload and select the metadata file downloaded from Identity Authentication
you can click on View Metadata Details to check if all the required fields are filled.
TIP: I have seen few Identity Authentication Providers like Google Suit doesn’t provide Single logout URL’s, in that cases, you have to modify Identity Provider’s Metadata and include the Single logout URL in the same format as Single Sign on URL and upload the metadata file into SAP Analytics cloud.. you cannot input these fields manually.
Step3, to select User attribute to verify account, in this case i will select Userid as explained
Step 4, Click on Verify account, check if the USERID is same/identical between SAP Analytics cloud and Identity Authentication providers..
please note USERID in SAP Analytics cloud is Upper case, incase if USERID in the identity providers are lower case or mixed case, Conversion rules needs to be applied in Identity Providers. Else the verification fails as the user attributes doesn’t match.
Copy the URL from the pop-up, use clipboard to copy
Very Important, open a new chrome Incognito or Edge in PrivateWindow and paste the verification URL
TIP: in your organisation if new incognito is blocked or doesn’t work, feel free to open a fresh alternate browser, if you are working in Edge for configuration, open chrome browser or vice versa for verification.
I will switch to Edge InPrivate Window to verify the account URL:
you can notice now, the logon page is different and it’s asking to login to Identity Authentication instead of SAP Analytics Cloud. Login with Identity Authentication userid and password.
Please note, you can enable Multi Factor Authentication if your Identity services supports it.
SAP Identity Authentication supports.
If the login credentials and user attributes defined are matching, you will login to Identity authentication and after successful handshake, it redirects to SAP Analytics cloud Home page where you are welcomed with Success Message.
Now you can close the web browser i.e new Inprivate window and go back to browser where SAP Analytics cloud configuration is open
Click on verification in the pop-up, you should notice the login credential field “userid” is highlighted in Green colour.
Now you are all set to save and convert the configuration!! Hurray, Congratulations!!
At the same time, please remember, once you save and converted, only the User’s exist in your Corporate IDP can access SAC.
I’ve seen cases where external partner’s user base might not exist in customer’s Corporate Identity services, in this case please refer to my colleague’s blog on how to setup Multiple Identity Providers for SAP Analytics cloud.
Now you will be automatically logged out from browser!! you can try to re-login and test/check if it works.
Tip: If you don’t want to create users in SAP Analytics cloud Manually and want to handover job to SAC, there is an option called “Dynamic User Creation”, you can enable it.
What happens then?
Your corporate Identity provider will be central user management, creation of users/user groups can be done once in Identity provider and control the Application level access at Identity providers, who can login/access to what application.. if a user or user group have access to SAP Analytics cloud, all the users belongs to that user group can login to SAP Analytics Cloud automatically without a user created in SAP Analytics cloud manually, with the initial logon, a user is created in SAC.
I would like to describe how the SAML Single Sign-on can be configured using same BTP identity Authentication service for SAP BW, SAPBW/HANA, SAPS/4HANA, SAP BW on HANA. it’s the same steps for any of the above systems or ABAP Stack.
First, let’s go to transaction SAML2, to configure SAML Single Sign-on in SAP BW system.
- once you login to SAML2 transaction, if the SAML2 is not enabled like in my system, please click on enable SAML2.0 Support.
2. Select create SAML2.0 Provider – Provider name – click next
3. Check Clock/Time skew Tolerance is fine, the default value is 120 seconds – Click Next
Tip: If the Time Skew between Identity Provider and Application doesn’t match, the time taken for SAML handshake might not be enough and it can lead to errors.
4. In the next screen, change the Identity Provider Discovery: Common Domain Cookie (CDC) selection mode to Automatic, leave all the other settings as default and click on Finish.
TIP: if you leave it to Manual as a default setting, the user needs to chose the IDP from the drop down list in the logon page.. it’s not good for seamless Integration.
5. SAML 2.0 Local Provider is enabled and configured.
6. Switch to Identity provider to add Metadata from IDP , you can browse to the IDP metadata file which you have downloaded from IDP during 1st phase and upload and click Next.
Note: Metadata file will remain same from IDP point of view for any applications.
7. Next step is to verify metadata, either you can ask your IDP admin to send the signing certificate or copy the code under signature from the metadata file, in Identity Authentication service, you can find under tenant settings – SAML2.0 Configuration – Signing Certificate – upload it and click on next.
copy that code to a text file with format as
TIP: I have wasted so much time to find the correct format, please don’t waste your time. Few ABAP sytem’s probably with higher version’s doesn’t ask for metadata verification, but it reads from metadata file itself.
8. If the certificate is valid and correct, in the next screen, you can see the Identity provider’s hostname and click next.
9. You can leave all the settings by default and click next, else you can feel free to change the Digest Algorithm to SHA-256 from SHA-1 and click next.
10. Click through Single Sign-on Endpoints, Single Logout Endpoints, Artifcat Endpoints, next, next, next, till you can select Finish..
you can see the IDP is now available part of Identity trusted providers.
11. Click on Edit and under Identity Federation, click Add, select Unspecified, Userid Mapping Mode as Login ID.
12. Click on Enable and confirm OK in the pop-up window .
The IDP part of trusted providers should be in active state.
Download BW Metadata from Local Provider and click on Metadata
It’s time to switch to IDP:
Within BTP Identity Authentication service, it’s the same flow again, creating application for SAP BW system, exchanging Metadata files, defining NameID attribute, finally testing the getserverinfo service.
let’s get started:
- From menu, navigate to applications – select create
2. Provide Application Display Name, select Application Type as “SAP on-premise Solution”, click on save.
3. Upload BW Metadata into the BWDEV application created and click on save.
4. Go to subject name identifier, select Login Name
5. Default name id format is Unspecified by default so no need to make any changes.
it’s time to test the https://host:port/sap/bw/ina/GetServerInfo?sap-client=<client number>
Please make sure the Optional SSO settings have been already configured, refer to SAC Connections Live BW SSO Help documentation. I will not cover DIRECT Cors configuration in this blog.
- go to https://host:port/sap/bw/ina/GetServerInfo?sap-client=<client number>
- you could notice the login page is now redirected to IDP Login page
- please provide your IDP user credentials and it should display a JSON response line below.
TIP: please do check getserverinfo in Chrome or Edge.
Technically, the End to End SAML SSO has been now configured successfully.
it’s time to test a SAC story based on Live SAP BW connection with SAML Authentication works??
- Login to SAP Analytics cloud, Create a SAP BW Live connection where you have enabled SAML SSO and chose SAML Single Sign-on as Authentication method
2. Click ok, the connection should be created without any error message.
3. create Live data model using the newly created SAP BW connection, select a query, save it.
4. Create a SAC Story on top of the newly created Model and save it.
5. Share the story with user’s through customised link
Copy the Link and open a new incognito window to test the End to End workflow, yes you will only login to SAC using Identity provider credentials and the BW live story should automatically displays data without asking user credentials again..
Congratulations!! the End to End SAML SSO has been now configured using BTP Cloud Identity Services.
Different use cases:
What if you would like to use Email id, instead of Userid as Name ID identifier?? i will just mention what needs to be done in SAP Analytics cloud, Identity Authentication and in SAP BW.
In Identity Authentication, change the Default Name Id format to Email Id, instead of Unspecified.
Change the Subject Name Identifier to Email as well.
save the changes.
In SAP Analytics cloud, you have to select User attribute as Email and verify account, copy the URL and verify it in new incognito window, after it’s a success, save and covert.
In BW, saml2 transaction, you should add Email in supported NameId formats and User ID Mapping mode as Email.
with the above configuration, you should be able to login to SAP Analytics cloud using Email id as Name Id.
Please note: in the BW system, all the userid’s should have email id maintained and it should be same across IDP and SAP Analytics cloud. it’s a case sensitive too.
Hope you have enjoyed reading and apply the tips during SAML SSO configurations.
Refer to the blog CUSTOM SAML Mapping use case.
Dear Shailendar Anugu ,
Nicely complied !
I have query regarding SSO in my usecase. For SSO to SAC We will be using IAS which pass through all authentication to azure AD. For backend SSO we plan to have ADFS since bw4hana and adfs as both are on-premise. Is this setup possible , please advise ?
As SAP guide states that both SSO to be with same idp and you mentioned the same as well.
Apart from SAC we have other cloud apps as well.
Hi Selvarasan Subramanian i think this article by Kevin Li might be helpful for you https://blogs.sap.com/2021/06/14/setup-multiple-identity-providers-for-sap-analytics-cloud
However i'll let Shailendar Anugu reply further. Cheers, H
Thanks Henry !
Hi Selvarasan Subramanian ,
Thank you very much.
Technically you can do it, SAC SSO using IAS proxied to Azure AD and for backend sso ADFS.. but from Single Sign on seamless user experience point of view, it doesn't makes sense right? because the end users will get a user credential prompt when they open the live SAC report based on the Live BW4HANA system.
ideally, you should be following the same setup like you do for SAC and other cloud apps for all the backend systems, i.e with IAS as proxied through Azure AD or ADFS.
Thank you Shailendar Anugu ,
Understand! That helps for me and will check internally and proceed further.
As far as my understanding for end-to-end sso setup, you need to have same service provider through out the configuration.
You may check similar setup explained here