SAP Knowledge Base Article - Public

2411608 - SAP Analytics Cloud SAML authentication configuration *** Collective KBA ***

Symptom

Environment

  • SAP Analytics Cloud
  • SAML 2.0 Identity Provider

Resolution

  1. Understanding SAML.
  2. Steps to configure SAML SSO.
  3. How to configure SAP Analytics Cloud SAML SSO using AD FS (Active Directory Federation Services).
  4. How to configure SAP Analytics Cloud SAML SSO using Azure Active Directory.
  5. Typical Mistakes.
  6. Troubleshooting. See 2487567.
  7. FAQ.

Understanding SAML

Security Assertion Markup Language (SAML) is an open-standard data format for exchanging authentication and authorization data between parties. We can see the three parties involved and a very simplified exchange in the following picture:

SAML_Simplified.png

SAP Analytics Cloud is the service provider. The browser attempts to access the software and is redirected to a third-party Identity Provider, which is responsible for authenticating the user.

The good news is that SAML is the native method used. When you get your system URL and log on to SAP Analytics Cloud for the first time, you are redirected to SAP Cloud Platform Identity Authentication service (https://cloudanalytics.accounts.ondemand.com). This is the default SAML Identity Provider (IDP).

Hints:

  1. You can log on to the SAC default IDP profile page to review your information at the following URL:
    https://cloudanalytics.accounts.ondemand.com
  2. You can check the user’s details, including the groups mapped, by accessing the following URL:
    https://<system_name>.authentication.<landscape_region>.hana.ondemand.com/config?action=who&details=true

Steps to configure SAML in SAP Analytics Cloud

To configure a custom SAML 2.0 Identity Provider (IDP) with SAP Analytics Cloud, use the self-service tool in the main menu:

System > Administration > Security (tab)

Follow the complete steps in the SAP Analytics Cloud Help, section Enabling SAML Single Sign-On (SSO).

If you want to follow a step-by-step process with Microsoft Active Directory Federation Services (ADFS / AD FS), see article 2487116.

How to configure SAP Analytics Cloud SAML SSO using AD FS (Active Directory Federation Services)

  • For steps on how to configure SAP Analytics Cloud SAML SSO using AD FS see KBA 2487116

How to configure SAP Analytics Cloud SAML SSO using Azure Active Directory

  • For steps on how to configure SAP Analytics Cloud SAML SSO using Azure Active Directory see KBA 2571892.

Typical Mistakes

Modifying the SAP Analytics Cloud Metadata.

  • You only need to import the XML file to your SAML Identity Provider.
  • You may be tempted to manually change confusing-looking entries such as the following so that they point to your own location:
    Location="https://authn.us1.hana.ondemand.com/saml2/sp/slo/baa999ddf/baa999ddf
  • Do not change it.

Incorrect NameID tag returned.

Verify Account button fails.

  • The Verify Account step should be done in a completely new browsing session. We recommend using Incognito mode (Google Chrome) or InPrivate mode (Microsoft Edge), as this serves as a new browsing session.
  • Make sure that no Incognito window is already open and that the user has not already authenticated in SAC using a different logon token, as this may cause the Verify Account step to succeed even if SAML is not configured correctly.

Troubleshooting

  • We recommend installing a SAML add-on/plug-in to examine SAML assertions (such as SAML Chrome Panel).
    • Additionally, you can use the Google Chrome Developer Tools Network trace to look at encoded SAML Responses.
  • See 2487567 which contains a step-by-step troubleshooting guide.
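
The following added example (not part of the SAP article) decodes a SAMLResponse value copied from the browser's network trace and lists the Issuer, StatusCode, NameID and attributes, which is what you compare when checking for the incorrect NameID case listed under Typical Mistakes. The sample response, idp.example.test, the user and the Groups attribute are constructed; handling of DEFLATE-compressed (HTTP-Redirect) messages goes beyond what the article describes.

```python
import base64
import zlib
import xml.etree.ElementTree as ET
from urllib.parse import unquote

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample response (not from a real tenant or IdP).
SAMPLE_XML = (
    '<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
    'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">'
    '<saml:Issuer>https://idp.example.test</saml:Issuer><samlp:Status>'
    '<samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>'
    '</samlp:Status><saml:Assertion><saml:Subject><saml:NameID '
    'Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">'
    'jane.doe@example.test</saml:NameID></saml:Subject>'
    '<saml:AttributeStatement><saml:Attribute Name="Groups">'
    '<saml:AttributeValue>sac_admins</saml:AttributeValue></saml:Attribute>'
    '</saml:AttributeStatement></saml:Assertion></samlp:Response>')
SAMPLE = base64.b64encode(SAMPLE_XML.encode()).decode()

def decode_saml_message(value: str) -> ET.Element:
    """Decode a SAMLResponse value copied from a browser network trace."""
    raw = base64.b64decode(unquote(value))
    if not raw.lstrip().startswith(b"<"):
        # HTTP-Redirect binding: raw DEFLATE was applied before base64.
        raw = zlib.decompress(raw, -15)
    return ET.fromstring(raw)

def summarize(root: ET.Element) -> dict:
    """Extract the fields to compare against what the service provider expects.
    Inspection only: no signature or condition checks are performed."""
    issuer = root.find("saml:Issuer", NS)
    status = root.find("samlp:Status/samlp:StatusCode", NS)
    # name_id stays None when the IdP sends an EncryptedAssertion.
    name_id = root.find(".//saml:Subject/saml:NameID", NS)
    return {
        "issuer": None if issuer is None else issuer.text,
        "status": None if status is None else status.get("Value"),
        "name_id": None if name_id is None else name_id.text,
        "name_id_format": None if name_id is None else name_id.get("Format"),
        "attributes": {a.get("Name"): [v.text for v in a.findall("saml:AttributeValue", NS)]
                       for a in root.iterfind(".//saml:Attribute", NS)},
    }

if __name__ == "__main__":
    for key, val in summarize(decode_saml_message(SAMPLE)).items():
        print(f"{key}: {val}")
```

Run it locally rather than pasting a captured response into an online decoder, since the assertion carries user identifiers and group memberships.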

FAQ

  • Q: Can I use the current SAP Cloud Identity used by SAP Analytics Cloud in any of the other SAP Cloud Applications?

A: No. You can purchase your own system of SAP Cloud Identity and use it to authenticate against all your applications.

  • Q: Do I need a reverse proxy if my SAML IdP is not in the cloud and can only be accessed from my network?

A: No. As long as your browser can access both sites: SAC and IdP, everything should work as expected.

  • Q: Can I use the same SAML IDP in HANA, S/4HANA and other SAP applications?

A: Yes, in fact you should. If you have S/4HANA Cloud edition, follow these steps to use the same SAP Cloud Identity in SAC. See 2518900.

  • Q: Are there other options to have SSO in SAP Analytics Cloud?

A: Currently, you can only authenticate in SAP Analytics Cloud using SAML. However, you can have SSO to HANA using a Live Direct Connection (CORS) having two different authentication methods: SAML for SAC and another for HANA, as long as your browser supports both.

  • Q: Can I use more than one IdP?

A: Currently, you can use only one IdP with SAP Analytics Cloud at a time. That is, after you switch from the default Cloud IdP to a custom SSO IdP, it is only possible to authenticate via your custom IdP until this option is changed back to the default IdP.

  • Q: Can I make changes to my IdP configuration even if I am locked out of my SAC tenant?

A: Yes! With the Identity Provider Administrator Tool, you can update metadata, and even revert back to the Default Cloud IdP as a System Owner, even when you are unable to log in to SAP Analytics Cloud. For more information, see 2908073 - How to revert the IdP used by SAP Analytics Cloud when no access is available to the tenant.

Note that SAP Product Support can only help you with product issues and defects related to SAP Analytics Cloud.
If your SAML IDP is not returning a correct assertion, contact your SAML IDP vendor to troubleshoot transformations and authorizations.

Other information

  • If you are trying to set up SAML to authenticate your current SAP Analytics Cloud to SAP Cloud Platform and you are not interested in creating your own Identity Provider, follow this blog: SAP Analytics Cloud: Live Data Connection to SAP HCP With SSO (Simple URLs).
  • For specific steps configuring a reverse proxy with Apache, follow the steps indicated in the article 2358559 - Authenticating to SAP Analytics Cloud via SAP Cloud Identity breaks Apache Reverse Proxy.

See Also

Product

SAP Analytics Cloud 1.0