SAP Data Warehouse Cloud: SAML Configuration for User Access Provisioning with Azure as Identity Provider
Having wide experience in setting up and configuring SAML for SAP Analytics Cloud (SAC), I decided to implement the same for SAP’s hottest and newest solution, SAP DWC, to automate the authentication process. SAML gives users a hassle-free authentication experience and reduces the manual effort of user access creation from an SAP admin perspective.
I believe through this blog, SAP consultants can start their SAML journey with DWC or any cloud apps with the detailed step-by-step procedure.
Introduction: If you are new to SAML and are wondering what it is, let me first list some of the advantages of this authentication process.
SAML, or Security Assertion Markup Language, is a proven standard for single sign-on to cloud applications. It eliminates application-specific passwords and instead uses digitally signed assertions to establish trust between the identity provider and the cloud application.
Advantages of SAML:
- Improved User Experience – Faster authentication process, and no need to remember and enter credentials.
- Increased Security, Reduced Costs for Service Providers – With SAML, you don’t have to maintain account information across multiple services.
Let us now quickly jump to configuration/setting up SAML for your Data Warehouse tenant.
Steps to Configure SAML
User access provisioning is one of the important steps in any SAP application, and in this blog we would like to provide an insight into automatic user access provisioning in SAP DWC via SAML configuration.
Here we will be using Azure as Identity provider.
An outline of the steps:
- Request for an Enterprise application in Azure
- Perform the initial steps of updating the Entity URLs in the Enterprise application
- Download the metadata file from Azure and update in SAP DWC
- Select the authentication method as “SAML Single Sign-on” and user attribute as “User ID”
- Download the metadata file from SAP DWC and upload it in Azure
- Create User groups and associate the role in Azure
- Perform the SAML role mapping in DWC
- Once all the above steps are completed, test the SSO.
Step 1: Request for an Enterprise application in Azure
This is the first step: we need an Enterprise application in Azure to establish the SAML connection to our SAP DWC. It is typically created and provided by the Azure team.
A typical enterprise application will look as seen in the screenshot below:
Step 2: Perform the initial steps of updating the Entity URLs in the Enterprise application
In the Enterprise application, if you click on “Single sign-on”, you will be able to see all the different steps of Single Sign-on setup with SAML.
2.1 Basic SAML Configuration
Update the Identifier (Entity ID); here the URL of the SAP DWC tenant is entered.
The same URL is entered in all the places: Identifier, Reply URL and Sign on URL, as seen in the screenshot below. Please make sure the “Default” option is checked.
2.2 Attributes and Claims
The attributes and claims are kept as shown in the screenshot below.
There are some standard attributes recommended by SAP, but you can decide based on your requirement.
If you want the User ID in SAP DWC, the Unique User Identifier should be defined as “user.onpremiseaccountname”.
2.3 SAML Signing Certificate
We need to download the metadata file as highlighted in the screenshot below; it has to be uploaded in SAP DWC.
Step 3: Download the metadata file from Azure and update in SAP DWC
To upload the metadata file, we need to go to the SAP DWC tenant and click on Analytics as highlighted in the screenshot below:
Once you upload the metadata file from Azure, the system will validate it and update the details under “Current Identity Provider”.
Step 4: Select the authentication method as “SAML Single Sign-on” and user attribute as “User ID”
Please select the attributes as highlighted in the screenshot below:
Step 5: Download the metadata file from SAP DWC and upload it in Azure
Step 6: Create User groups and associate the role in Azure
We need to add User groups and associate them with a specific role for automatic user access provisioning.
The detailed process of setting up these user groups and associating them with a role will be explained in upcoming blogs.
Step 7: Perform the SAML role mapping in DWC
Step 8: Once all the above steps are completed, test the SSO.
While testing you will be redirected to the Home Page; if not, please open a new window and log in to the application.
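The pieces the setup above relies on (the Unique User Identifier from step 2.2, the tenant URL used as Identifier in step 2.1, and the group-to-role mapping of step 7) can be checked against an assertion before trusting the SSO flow. The following added example, which is not part of this blog or of SAP’s or Microsoft’s code, parses a constructed, unsigned assertion and returns the user ID and DWC roles it would provision; the group claim name, the group object IDs, the role names and the tenant URL are all assumed placeholders.

```python
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
# Assumed claim name under which Azure AD emits group membership (not stated in the blog).
GROUPS_CLAIM = "http://schemas.microsoft.com/ws/2008/06/identity/claims/groups"
# Hypothetical Azure group object IDs mapped to DWC roles, standing in for step 7.
ROLE_MAP = {
    "11111111-aaaa-4bbb-8ccc-000000000001": "DW Administrator",
    "11111111-aaaa-4bbb-8ccc-000000000002": "DW Modeler",
}

# Constructed sample assertion in the shape Azure emits (not a real capture, no signature).
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_c1" Version="2.0">
  <saml:Issuer>https://sts.windows.net/TENANT-ID-PLACEHOLDER/</saml:Issuer>
  <saml:Subject><saml:NameID>jdoe</saml:NameID></saml:Subject>
  <saml:Conditions><saml:AudienceRestriction>
    <saml:Audience>https://example-dwc.tenant.invalid/</saml:Audience>
  </saml:AudienceRestriction></saml:Conditions>
  <saml:AttributeStatement>
    <saml:Attribute Name="http://schemas.microsoft.com/ws/2008/06/identity/claims/groups">
      <saml:AttributeValue>11111111-aaaa-4bbb-8ccc-000000000002</saml:AttributeValue>
      <saml:AttributeValue>99999999-0000-4000-8000-unmapped0000</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def provision_from_assertion(xml_text, expected_audience):
    """Return (user_id, roles) the assertion would provision, or raise on a mismatch.

    Signature verification is out of scope here: DWC checks it against the IdP
    certificate uploaded in step 3, so this function only inspects the claims.
    """
    root = ET.fromstring(xml_text)
    # The Audience must equal the tenant URL entered as Identifier (Entity ID) in step 2.1.
    audience = root.findtext("saml:Conditions/saml:AudienceRestriction/saml:Audience", namespaces=NS)
    if audience != expected_audience:
        raise ValueError(f"audience {audience!r} does not match the tenant identifier")
    # NameID carries the Unique User Identifier claim (user.onpremiseaccountname in step 2.2).
    user_id = root.findtext("saml:Subject/saml:NameID", namespaces=NS)
    if not user_id:
        raise ValueError("assertion carries no NameID; check the Unique User Identifier claim")
    groups = [
        v.text for a in root.findall("saml:AttributeStatement/saml:Attribute", namespaces=NS)
        if a.get("Name") == GROUPS_CLAIM
        for v in a.findall("saml:AttributeValue", namespaces=NS)
    ]
    # Unmapped groups are ignored; a user with no mapped group is provisioned with no role.
    roles = sorted({ROLE_MAP[g] for g in groups if g in ROLE_MAP})
    return user_id, roles
```

Run it with the assertion DWC receives during the step 8 test (after confirming the signature separately) to see which role the role mapping would grant before the user logs in.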
Conclusion: It takes a lot of effort to create users and assign roles in DWC every time a user requests access, so with this SAML setup we are able to provide a seamless user authentication experience without any manual work.
As this is a one-time setup, no maintenance activities are needed except when a new role or team needs access. We still have to provide Space access to the user after login, which takes very little time compared to the whole access process.
Points to remember:
- The admins who are performing the above steps need to keep their SAP DWC tenant window active.
- Once the initial testing is completed, please clear the cache and try to log in to check whether the SAML setup is working as expected.
- SAP DWC is best supported in Chrome.
- The Space access in DWC has to be assigned manually after the user has logged in for the first time.
Please let me know if you have any questions or need any further information on the configuration.
Nice one Kirtee
Is there any way to assign the space automatically?
Currently it is not possible to assign the space automatically, it has to be manually assigned.
Nice blog. I got everything to work except the Dynamic User creation.
My understanding is that if the user is in AD but not in DWC, the first time the user logs into DWC via AD, the user will get created in DWC. When I try accessing as a user in AD but not in DWC, I get this error....
Any ideas on what I am missing?
Thank you so much.
Can you please confirm whether you have configured Azure as the IdP or have used some other application?
If it is Azure, then the user has to be present in the Azure AD (AAD) group, so that when the user logs in to DWC, the user will be created dynamically as per the configuration.