Troubleshooting Steps for Embedded Analytics Authentication and Authorization
Dear All,
Here are some common basic troubleshooting steps for embedded analytics authentication and authorization:
- Check the authentication settings. Make sure that the authentication settings in the embedded analytics solution are correct. This includes the authentication method, the authentication server, and the authentication credentials.
- Check the authorization settings. Make sure that the user has the appropriate permissions to access the embedded analytics solution. This includes the user’s role, the user’s group and the user’s permissions on the data sources.
- Check the user’s login status. Make sure that the user is logged in to the embedded analytics solution. If the user is not logged in, they will not be able to access the solution.
- Check the browser’s cookies. Make sure that the browser’s cookies are enabled. Cookies are used to store the user’s authentication credentials, so if cookies are disabled, the user will not be able to authenticate to the embedded analytics solution.
- Check the firewall settings. Make sure that the firewall settings allow traffic to the embedded analytics solution. If the firewall is blocking traffic, the user will not be able to access the solution.
- Check the network connectivity. Make sure that the user has a good network connection. If the network connection is poor, the user may experience authentication or authorization errors.
Follow all the necessary steps below when users face any issues with authentication and authorization.
What cookies are used in SAP Analytics Cloud (SAC)?
Here are the cookies set for SAC:
Set By | Cookie | Purpose | When Set |
---|---|---|---|
Approuter | JSESSIONID | Single cookie placed on the user's device so the server can identify the user. | Created as a browser session cookie whenever a new user visits the SAC site. The value is not updated unless the current session ends, in which case a completely new JSESSIONID cookie is set. |
Approuter | x-sap-boc-referer | Single cookie placed on the user's device to track the request referrer. | Created as a browser session cookie when authenticating with SAC. |
HANA xsjs code** | x-sap-boc-pusher-count | Single cookie placed on the user's device to track session state. | Created as a browser session cookie after successful authentication in SAC. |
HANA | xsSecureId* | Single cookie placed on the user's device so the backend HANA server can identify the user. | Created as a browser session cookie after successful authentication in SAC. |
HANA | sapxslb | Single cookie placed on the user's device to ensure a sticky backend HANA session. | Created when the client first accesses the HANA server. |
Platform | BIGipServer* | Used by BIG-IP to route traffic and ensure a sticky session. | Created when the client first accesses the server. |
Platform | JTENANTSESSION_<tenantid> | This cookie is issued along with the JSESSIONID cookie and is used for session consistency: if it is not sent along with the JSESSIONID cookie, the session is considered invalid. | Issued after successful authentication by the application runtime. |
Platform | mdsourcrs* | Multi-domain cookie which contains the URL and some additional information about the application that triggered the authentication, so that a redirect to this application is made after successful authentication. | Issued during authentication by the authentication login modules in the regular platform domains scenario. |
Platform | ‘ouc*’ | Relay state cookie which contains the URL and some additional information about the application that triggered the authentication. | Issued during authentication by the authentication login module in the custom domains scenario. |
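To check the session-consistency rule from the table against a real login, the request cookies recorded in a HAR file can be scanned for requests that carry JSESSIONID without JTENANTSESSION_<tenantid>, or no cookies at all. This is an added example, not SAP code; the host name, paths and cookie values in the sample are constructed, and `check_session_cookies` is a hypothetical helper name.

```python
import json
from urllib.parse import urlsplit

# Constructed sample: a minimal HAR export with three requests; all values are made up.
SAMPLE_HAR = json.dumps({"log": {"entries": [
    {"request": {"url": "https://tenant.example.invalid/page-a",
                 "cookies": [{"name": "JSESSIONID", "value": "a1"},
                             {"name": "JTENANTSESSION_t1", "value": "b2"}]}},
    {"request": {"url": "https://tenant.example.invalid/page-b",
                 "cookies": [{"name": "JSESSIONID", "value": "a1"}]}},
    {"request": {"url": "https://tenant.example.invalid/api/v1/scim/Users",
                 "cookies": []}},
]}})


def check_session_cookies(har_text, sac_host):
    """Return (url, finding) pairs for requests to sac_host with suspect cookie state."""
    findings = []
    for entry in json.loads(har_text)["log"]["entries"]:
        request = entry["request"]
        host = urlsplit(request["url"]).hostname or ""
        if host != sac_host and not host.endswith("." + sac_host):
            continue  # ignore requests to other hosts
        names = {cookie["name"] for cookie in request.get("cookies", [])}
        if not names:
            # Normal for the very first request; on later requests it points to blocked cookies.
            findings.append((request["url"], "no cookies sent"))
        elif "JSESSIONID" in names and not any(
                name.startswith("JTENANTSESSION_") for name in names):
            findings.append((request["url"], "JSESSIONID without JTENANTSESSION_<tenantid>"))
    return findings
```

Recent Chrome versions leave cookie data out of HAR exports unless exporting with sensitive data is enabled in DevTools. A HAR that does include cookies holds live session credentials and should be handled like a password.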
How do I allow third-party cookies in my web browser settings?
How to enable in your browser settings
To allow third-party cookies in the web browser please check the links provided below for the most popular browsers:
Google Chrome
In Chrome, go to the “customize” … menu and open the “settings” and search for “block”. Or open this URL: chrome://settings/cookies?search=block
Set the “General settings” to “Allow all cookies”.
Firefox
Firefox works out-of-the-box with the “Standard” security settings
Safari
Here's how to set up Safari (untested): Open “Settings” and click on “Preferences”. Then select the “Privacy” tab and deselect the checkbox before the “Prevent cross-site tracking” option. Deselect the checkbox before the “Block all cookies” option. Then exit the popup.
Install the Chrome extension SAML Tracer for tracing and troubleshooting user logins
Here are the steps:
- Open the Chrome web browser.
- Go to the SAML Tracer page in the Chrome Web Store: https://chrome.google.com/webstore/detail/saml-tracer/mpdajninpobndbfcldcmbpnnbhibjmch
- Click on the “Add to Chrome” button.
- Click on the “Add extension” button.
- The SAML Tracer extension will be installed in your Chrome browser.
To use the SAML Tracer extension, you need to enable it. To do this, follow these steps:
- Click on the three dots in the top right corner of the Chrome browser window.
- Select “More tools” > “Extensions”.
- Find the SAML Tracer extension and click on the toggle switch to enable it.
Once the SAML Tracer extension is enabled, it will start capturing all SAML requests and responses that are sent and received by your browser. You can view these requests and responses by opening the SAML Tracer extension window. To do this, follow these steps:
- Click on “Clear” and ask the user to log in, which captures the logs.
- Select the row marked SAML in yellow and analyze it from the SAML/Summary tab.
- Select the next row marked SAML in yellow and analyze it again to determine which userName is passed from the IdP to the application (this will be in the Subject NameID).
How to troubleshoot with SAML logs for a user and analyze what is happening in each SAML trace
Here are the steps to perform with a user who has issues logging in through the Identity Provider:
- Gather the SAML logs. The SAML logs are the files that contain the details of all SAML requests and responses that have been sent and received. These logs can be found in the SAML server or in the application that is using SAML for authentication.
- Identify the user who is having the problem. This can be done by looking at the SAML logs for the user’s login attempt.
- Analyze the SAML trace for the user. The SAML trace is a detailed record of the SAML request and response for the user’s login attempt. This trace can be used to see what is happening at each step of the authentication process.
- Identify the problem. Once you have analyzed the SAML trace, you should be able to identify the problem that is causing the authentication failure. This could be a problem with the user’s field mapping, the Subject NameID, the attributes being sent from the IdP, the SAML configuration, or the application.
- Fix the problem. Once you have identified the problem, either the IdP admin or the IAS admin needs to fix it. This could involve updating the user's loginName to agree with the IdP and the Embedded Analytics userId, changing the SAML configuration, or fixing the application.
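The analysis step above, as an added example that is not part of the original post: it reads a decoded SAML response copied from the trace, extracts the status, Subject NameID and attributes, and compares them with the user ID and group the application expects. The sample response is constructed, and the attribute name `groups` is an assumption; use the name your IdP actually sends.

```python
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"

# Constructed sample of a decoded SAML response; every value is made up.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
  <saml:Assertion>
    <saml:Subject><saml:NameID>jane.doe@example.invalid</saml:NameID></saml:Subject>
    <saml:AttributeStatement>
      <saml:Attribute Name="groups"><saml:AttributeValue>AUTHENTICATED_COMM-SCAN</saml:AttributeValue></saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""


def summarize_response(xml_text):
    """Extract status, Subject NameID and attributes from a decoded SAML response."""
    # The trace comes from your own browser; use a hardened parser for untrusted XML.
    root = ET.fromstring(xml_text)
    status = root.find("samlp:Status/samlp:StatusCode", NS)
    name_id = root.find("saml:Assertion/saml:Subject/saml:NameID", NS)
    attributes = {
        attr.get("Name"): [v.text for v in attr.findall("saml:AttributeValue", NS)]
        for attr in root.findall("saml:Assertion/saml:AttributeStatement/saml:Attribute", NS)
    }
    return {
        "status": status.get("Value") if status is not None else None,
        "name_id": (name_id.text or "").strip() if name_id is not None else None,
        "attributes": attributes,
    }


def diagnose(summary, expected_user_id, required_group=None, group_attr="groups"):
    """Compare the trace with the user ID and group the application expects."""
    findings = []
    if summary["status"] != SUCCESS:
        findings.append(f"status is {summary['status']}, not Success")
    if not summary["name_id"]:
        findings.append("no readable Subject NameID (missing or encrypted assertion)")
    elif summary["name_id"] != expected_user_id:
        findings.append(f"NameID {summary['name_id']!r} != user ID {expected_user_id!r}")
    if required_group and required_group not in summary["attributes"].get(group_attr, []):
        findings.append(f"{required_group!r} not in attribute {group_attr!r}")
    return findings
```

With the sample, `diagnose(summarize_response(SAMPLE_RESPONSE), "P0000001", "AUTHOR_COMM-SCAN")` reports both a NameID mismatch and a missing group.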
Here are some additional things to keep in mind when troubleshooting SAML logs:
- The SAML logs can be large and complex when you export and share them with the Support team, so it is important to be patient and methodical when analyzing them.
- It is helpful to have a good understanding of the SAML protocol in order to interpret the SAML logs.
- If you are not able to identify the problem yourself, you should contact the SAP Technical Support team of the SAML solution for help.
- Testing needs to be repeated several times with a user and requires a lot of patience until it works successfully.
How to check if a user is in Embedded Analytics or SAC?
As you know, it’s too difficult to get into the admin side to check and validate the users in User Administration…
After you log in to SAC or EA, go to the SCIM API URL for Users to find and validate the user.
The URL should look like this: https://<SAC URL>/api/v1/scim/Users/<P0000001>
How to check SAC or EA SCIM APIs versions and where it is used for User Sync?
SCIM API versions 1 and 2 are available; the latest is api/v1/scim2, which was introduced in April 2023.
SAP Analytics Cloud: User and Team Provisioning API
Managing Users and Teams → api/v1/scim
Managing Users and Teams → api/v1/scim2
This API uses SCIM 2.0. For more information, see SCIM Core Schema.
sac.api.version | Handles the version of SAP Analytics Cloud SCIM API.
Possible values:
Default value: 1 |
Identity Provisioning – Properties Settings
How to check if User is assigned to proper Embedded Analytics User Group in IAS ?
The Authorization user groups that are available for SAP Commissions are as follows:
APP_SCAN | Embedded Analytics | Group for SCA Application |
ADMINISTRATOR_COMM-SCAN | Embedded Analytics | Group for SCA administrator |
AUTHOR_COMM-SCAN | Embedded Analytics | Group for SCA author |
AUTHENTICATED_COMM-SCAN | Embedded Analytics | Group for SCA viewer |
Go to the IAS Admin Console, open User Management, and validate that the user has all required user groups assigned.
When SAP Identity Provisioning Service (IPS) syncs the user to SAC or EA, the transformation logic below sets the appropriate role based on the user group assigned in IAS User Management for that user. The illustration above shows the groups for the SAP Commissions product; use the corresponding user groups for other SAP products.
Bonus : Tips & Tricks to solve your Performance Issues on SAC / Embedded Analytics for Users
Here are the steps for one round of checks:
- Check if the issue can be reproduced after closing all other browser windows, tabs, and applications
- Check if the issue can be reproduced when not teleconferencing, screensharing, screen recording, or playing video or audio
- Check if the issue can be reproduced when using a physical computer, rather than a virtual machine, if applicable
- Benchmark your client’s score, as well as the latency and bandwidth to your SAP Analytics Cloud service: Analyze System Performance and SAP Analytics Cloud Performance Benchmark
- Check if the third-party proxy is forcing the browser to use HTTP 1.1 instead of HTTP/2: 3056467 – Slow performance when accessing / consuming content in SAP Analytics Cloud (SAC)
- Verify that your system meets the appropriate system requirements: System Requirements and Technical Prerequisites
- Enable the “High Performance” power plan on the desktop that is accessing SAP Analytics Cloud: 2327454 – Low performance occurs in tables / grid and other areas of SAP Analytics Cloud
- Generate an HTTP archive (HAR) file to help troubleshoot system errors and performance issues in SAP Analytics Cloud: 2280022 – How to collect a HTTP archive (HAR) file (Chrome developer tools network trace) in SAP Analytics Cloud
- Analyze the performance of a Chrome page using Chrome DevTools: Performance features reference
- Review and apply best practices on SAP Community: https://community.sap.com/topics/cloud-analytics/best-practices-troubleshooting
Very informative blog!
Thank you Supriya Saini!