Kirtee Andanigoudar

SAP Data Warehouse Cloud: SAML Configuration for User Access Provisioning with Azure as Identity Provider

Having wide experience in setting up and configuring SAML for SAP Analytics Cloud (SAC), I decided to implement the same for SAP’s hottest and newest solution, SAP DWC, to automate the authentication process. SAML will enable the users to have a hassle-free authentication experience and reduce the manual effort on user access creation from an SAP admin perspective.

I believe through this blog, SAP consultants can start their SAML journey with DWC or any cloud apps with the detailed step-by-step procedure.

Introduction: If you are new to SAML and have not heard about it, here is what it is, along with some of the advantages of this authentication process.

SAML, or Security Assertion Markup Language, is a proven standard for single sign-on for cloud applications. It eliminates passwords at the cloud application and instead uses digital signatures to establish trust between the identity provider and the cloud application.

Advantages of SAML:

  1. Improved User Experience – Faster authentication process & no need to remember and enter the credentials.
  2. Increased Security, Reduced Costs for Service Providers – With SAML, you don’t have to maintain account information across multiple services.

Let us now quickly jump to configuration/setting up SAML for your Data Warehouse tenant.

Steps to Configure SAML

User access provisioning is one of the important steps in any SAP application, and in this blog we would like to provide an insight into automatic user access provisioning in SAP DWC via SAML configuration.

Here we will be using Azure as the identity provider.

The steps, in outline:

  1. Request for an Enterprise application in Azure
  2. Perform the initial steps of updating the Entity URLs in the Enterprise application
  3. Download the metadata file from Azure and update in SAP DWC
  4. Select the authentication method as “SAML Single Sign-on” and user attribute as “User ID”
  5. Download the metadata file from SAP DWC and upload it in Azure
  6. Create User groups and associate the role in Azure
  7. Perform the SAML role mapping in DWC
  8. Once all the above steps are completed, test the SSO.

 

Step 1: Request for an Enterprise application in Azure

This is the first step: we need an Enterprise application in Azure to establish the SAML connection to our SAP DWC. It is typically created and provided by the Azure team.

A typical enterprise application looks like the one in the screenshot below:

Enterprise Application

Step 2: Perform the initial steps of updating the Entity URLs in the Enterprise application

In the Enterprise application, if you click on “Single sign-on”, you will be able to see all the different steps of Single Sign-on setup with SAML.

2.1 Basic SAML Configuration

Update the Identifier (Entity ID) with the URL of the SAC DWC tenant.

The same URL is entered in all three fields (Identifier, Reply URL and Sign on URL), as seen in the screenshot below. Please make sure the “Default” option is checked.

2.2 Attributes and Claims

The attributes and claims stay similar to those shown in the screenshot below.

There are some standard attributes recommended by SAP, but you can decide based on your requirements.

If you want User ID in SAP DWC, the Unique User Identifier should be defined as “user.onpremiseaccountname”.

2.3 SAML Signing Certificate

Download the metadata file as highlighted in the screenshot below; it has to be uploaded to SAP DWC.

Step 3: Download the metadata file from Azure and update in SAP DWC

To upload the metadata file, go to the SAP DW tenant and click on Analytics as highlighted in the screenshot below:

Once you upload the metadata file from Azure, the system will validate and update the details in “Current Identity Provider”

Step 4: Select the authentication method as “SAML Single Sign-on” and user attribute as “User ID”

Please select the attributes as highlighted in the screen shot below:

Step 5: Download the metadata file from SAP DWC and upload it in Azure

Step 6: Create User groups and associate the role in Azure

We need to add user groups and associate them with a specific role for automatic user access provisioning.

The detailed process of setting up these user groups and associating them with a role will be explained in upcoming blogs.

Step 7: Perform the SAML role mapping in DWC

Step 8: Once all the above steps are completed, test the SSO.

While testing, you will be redirected to the Home Page; if not, please open a new window and log in to the application.

Conclusion: Creating users and assigning roles in DWC every time a user requests access takes a lot of effort, so with this SAML setup we will be able to provide a seamless user authentication experience without any manual work.

As this is a one-time setup, no maintenance activities are needed except when a new role/team needs access. We will still have to provide access to the Space for the user after login, which takes far less time than provisioning the whole access.

Points to remember:

  1. The admins who are performing the above steps need to keep their SAP DWC tenant window active.
  2. Once the initial testing is completed, please clear the cache and try to log in to check if the SAML setup is working as expected.
  3. SAP DWC is best supported in Chrome
  4. The Space access in DWC has to be assigned manually after the user has logged in for the first time.

Please let me know if you have any questions or need any further information on the configuration.

      6 Comments
      Rajasekher Thumma

      Nice one Kirtee

      Arun Krishna

      Good one!

      Kent Dale

      Is there any way to assign the space automatically?

      Kirtee Andanigoudar

      Hello Kent,

      Currently it is not possible to assign the space automatically; it has to be manually assigned.

      Thanks,

      Kirtee

      Ravi Condamoor

      Hi Kirtee,

      Nice blog.  I got everything to work except the Dynamic User creation.

      My understanding is if the User is in AD but not in DWC, first time the User logs into DWC via AD, the user will get created in DWC. When I try accessing as a user in AD but not in DWC, I get this error....

      It seems that you don't have an active account
      Please contact your system administrator and ensure you have an active account on this system.

      Any ideas on what I am missing?

      Kirtee Andanigoudar
      Blog Post Author

      Hello Ravi,

      Thank you so much.

      Can you please confirm that you have configured using Azure as IdP or you have used some other application?

      If it is Azure, then the user has to be present in the Azure AD group (AAD), so when the user logs in to DWC, the user will be created dynamically as per the configuration.

      Thanks,

      Kirtee