on 2024 Feb 25 7:02 AM
Let's begin by listing all applications involved in this setup:
Now let’s understand how the connection will be established among three applications.
From the above 2 lines it's clear that Cloud Identity Service acts as a proxy between SAP Analytics Cloud and Azure AD.
PART 1
Let’s begin by configuring trust between SAP Cloud Identity Service and AZURE AD
1. Log in to your Cloud Identity Service Portal.
2. Go to “Application and Resources” and from drop down select “Tenant Settings.”
3. Click on “Single Sign-On” tab.
4. Click on “SAML 2.0 Configuration”.
5. Click on “Download Metadata File".
6. Once you have the metadata file downloaded as below, ask your AZURE AD team to upload the metadata and set up SSO for your Cloud Identity Service. Once the setup is done, they will share the metadata which they will have post configuration.
7. Once you receive metadata file from AZURE AD team, go again to your Cloud Identity Service Portal and under “Identity Providers” drop down select “Corporate Identity Providers”.
8. Click on "Create".
9. Provide the Display name as you want to and select “Microsoft ADFS/ AZURE AD (SAML 2.0)”. Then click on "Create".
10. Now you can see an entry under Corporate Identity Providers. Select “AZURE AD” which you have created in the last step.
11. Click on “SAML 2.0 Configuration” and click on “Browse” and upload the metadata file which you have received from Azure AD team post configuration of Cloud Identity service at their end.
12. After uploading metadata all fields will get populated automatically. Now click on "Save".
😎TRUST BETWEEN CLOUD IDENTITY SERVICE AND AZURE AD is Done 😎
PART 2
Now we will configure trust between SAP Cloud Identity Service and SAP Analytics Cloud
1. Log in to your SAP Analytics Cloud Portal with the SYSTEM_OWNER role, then click on “System” and click on “Administration”.
2. Click on tab “Security".
3. Click on pencil icon to enable edit mode.
4. Switch the Authentication Method from "SAP Cloud Identity (default)" to "SAML Single Sign-On (SSO)".
5. Click on "Download". You will now have SAP Analytics Cloud metadata downloaded.
6. Click on the "Cancel" icon to discard the current changes and revert to "SAP Cloud Identity (default)" authentication for now.
7. Log in to the SAP Cloud Identity Service Portal and, under the “Applications and Resources” drop down, click on “Applications”.
8. Click on Create.
9. Provide a Display name as per your convenience, select "SAML 2.0" radio button and click on Create.
10. Click on the application which we added in the last step.
11. Click on “SAML 2.0 Configuration” then click on Browse and upload the metadata file which you have downloaded from SAP Analytics Cloud. All details will get auto populated and then click on Save.
12. Click on “Subject Name Identifier” and select the basic attribute and fallback attribute. In our case we have selected email and User Id respectively, because we use email id as Name Identifier to authenticate from AZURE AD. Now click on Save.
13. Click on “Default Name Id Format”, select the “Email” radio button and click on Save.
14. Click on “Apply Function to Subject Name Identifier”. In our case we have selected Lowercase because our users which are created in SAP Analytics Cloud have their email Id maintained all in lowercase. Click on Save.
Reference Snote : 2824009
15. Click on “Conditional Authentication” and under “Default Identity provider” drop down select the Idp which you have configured earlier under “Corporate Identity Provider” (Display name which you have provided will be visible). Click on Save.
16. Now log in to the SAP Analytics Cloud portal with SYSTEM OWNER authorization.
17. Click on “System” and then Click on "Administration”.
18. Click on tab “Security”.
19. Click on pencil icon to enable edit mode.
20. Switch the Authentication Method from "SAP Cloud Identity (default)" to "SAML Single Sign-On (SSO)".
21. Click on ‘Upload’ to upload the metadata.xml file (which you have downloaded in Part 1 Step 5 of this document) of our Cloud Identity Service and click ‘OK’.
22. Under Step 3 select the user attribute to map to our IdP. Select ‘Email’.
23. Under Step 4 provide an email id which exists in AZURE AD and click on verify account.
24. "Login URL" is displayed. Use the ‘Copy’ icon to select and copy the URL and paste it into a private browser session (incognito mode).
25. The private browser session then displays the message below: "SAML account verification was successfully".
26. Go to SAP Analytics Cloud Screen and click on “Check Verification”.
27. Click "Save" to save the configuration changes.
28. Click "Convert" to change the authentication method to SAML single sign-on.
Finally we have successfully configured SSO for SAP Analytics Cloud with AZURE AD via Cloud Identity Service.
You can now log in to SAP Analytics Cloud using SSO with your corporate credentials.
Hi @Harsh_IT_Singh
Thank you for your engagement and for providing a blog related to this topic.
However, it looks like this is not a question; rather, it is a post.
I recommend posting this to the Technology Blogs by SAP group. This is the perfect place to learn how to extend and personalize SAP applications. Follow the SAP technology blog for insights into SAP BTP, ABAP, SAP Analytics Cloud, SAP HANA, and more.
Please repost it there, so your valuable work will be accessible for the members.
I close the thread.
Kind regards
SAP Learning Group Admin