- You want to configure your own Identity Provider (IdP) to use with SAP Analytics Cloud (SAC).
- Start here: SAP Analytics Cloud > Learning > Guided Playlists > User Management With a SAML Identity Provider (IDP)
- SAP Analytics Cloud
- SAML 2.0 Identity Provider
- Understanding SAML.
- Steps to configure SAML SSO.
- How to configure SAP Analytics Cloud SAML SSO using AD FS (Active Directory Federation Services).
- How to configure SAP Analytics Cloud SAML SSO using Azure Active Directory.
- Typical Mistakes.
- Troubleshooting. See 2487567.
Security Assertion Markup Language (SAML) is an open-standard data format for exchanging authentication and authorization data between parties. We can see the three parties involved and a very simplified exchange in the following picture:
SAP Analytics Cloud is the service provider. The browser will attempt to get access to the software and will be redirected to a third party Identity Provider that will be responsible to authenticate the user.
The good news is that SAML is the native method used. When you get your system URL and logon to SAP Analytics Cloud for first time, you are redirected to SAP Cloud Platform Identity Authentication service (https://cloudanalytics.accounts.ondemand.com). This is the default SAML Identity Provider (IDP).
- You can logon to the SAC default IDP profile page to review your information at the following URL:
- You can check the user’s details, including the groups mapped, by accessing the following URL:
To configure a custom SAML 2.0 Identity Provider (IDP) with SAP Analytics Cloud, you need to follow the self-service tool in the main menu:
System > Administration > Security (tab)
Follow the complete steps in the SAP Analytics Cloud Help, section Enabling SAML Single Sign-On (SSO).
If you want to follow a step-by-step process with Microsoft Active Directory Federation Services (ADFS / AD FS), see article 2487116.
- For steps on how to configure SAP Analytics Cloud SAML SSO using AD FS please read the KBA 2487116
- For steps on how to configure SAP Analytics Cloud SAML SSO using Azure Active Directory please read the KBA 2571892
Modifying the SAP Analytics Cloud Metadata.
- You only need to import the XML file to your SAML Identity Provider.
- You may be tempted to manually modify the confusing entries like this to your own location:
- Do not change it.
Incorrect NameID tag returned.
- Your Identity Provider does not make the transformations as expected and returns something incorrect:
My phone number
- The value returned has to match the attribute to map: User ID, e-mail etc.
- For more information, please see the KBA 2487567 - Troubleshooting SAML assertions when configuring SAML SSO in SAP Analytics Cloud
Verify Account button fails.
- The Verify Account step should be done in a completely new browsing session, we recommend using Incognito mode (Google Chrome) or InPrivate mode (Microsoft Edge) as this serves as a new browsing session.
- Please make sure an existing Incognito window is not already open and that the User has not already authenticated in SAC using a different logon token, as this may cause the Verify Account step to be successful even if SAML is not configured correctly.
- We recommend installing a SAML Add-on to examine SAML assertions.
- Additionally, you can use the Google Chrome Developer Tools Network trace, to look at encoded SAML Responses.
- See 2487567 which contains a step-by-step troubleshooting guide.
- Q: Can I use the current SAP Cloud Identity used by SAP Analytics Cloud in any of the other SAP Cloud Applications?
A: No. You can purchase your own system of SAP Cloud Identity and use it to authenticate against all your applications.
- Q: Do I need a reverse proxy if my SAML IdP is not in the cloud and can only be accessed from my network?
A: No. As long as your browser can access both sites: SAC and IdP, everything should work as expected.
- Q: Can I use the same SAML IDP in HANA, S/4HANA and other SAP applications?
A: Yes, in fact you should. If you have S/4HANA Cloud edition, follow these steps to use the same SAP Cloud Identity in SAC. See 2518900.
- Q: Are there other options to have SSO in SAP Analytics Cloud?
A: Currently, you can only authenticate in SAP Analytics Cloud using SAML. However, you can have SSO to HANA using a Live Direct Connection (CORS) having two different authentication methods: SAML for SAC and another for HANA, as long as your browser supports both.
- Q: Can I use more than one Idp?
A: Currently, you can use one IdP with SAP Analytics Cloud at a time. Eg. When switching from the Default Cloud IdP to a Custom SSO IdP, it will only be possible to authenticate via your Custom IdP until this option is changed to the Default IdP.
- Q: Can I make changes to my IdP configuration even if I am locked out of my SAC tenant?
A: Yes! With the Identity Provider Administrator Tool, you can update metadata, and even revert back to the Default Cloud IdP as a System Owner, even when you are unable to log in to SAP Analytics Cloud. For more information please visit 2908073 - How to revert the IdP used by SAP Analytics Cloud when no access is available to the tenant
Note that SAP Product Support can only help you with product issues and defects related to SAP Analytics Cloud.
If your SAML IDP is not returning a correct assertion, you will need to contact your SAML IDP vendor to troubleshoot transformations and authorisations.
- If you are trying to set up SAML to authenticate your current SAP Analytics Cloud to SAP Cloud Platform and you are not interested in created your own Identity Provider, follow this blog: SAP Analytics Cloud: Live Data Connection to SAP HCP With SSO (Simple URLs).
- For specific steps configuring a reverse proxy with Apache, follow the steps indicated in the article 2358559 - Authenticating to SAP Analytics Cloud via SAP Cloud Identity breaks Apache Reverse Proxy.
- 2761068 - Error: Login fails with StatusCode in ResponseMessage != OK; please refer to the database trace for more information in SAP Analytics Cloud (SAC)
- SAP Analytics Cloud > Learning > Guided Playlists > User Management With a SAML Identity Provider (IDP)
- SAP Analytics Cloud administration community topic page
- 2487567 - Troubleshooting SAML assertions when configuring SAML SSO in SAP Analytics Cloud
- SAML authentication in SAP Analytics Cloud blog
- 2487116 - How to configure SAP Analytics Cloud SAML SSO using AD FS (Active Directory Federation Services)
- 2569847 - Where can you find SAC user assistance (help) to use, configure, and operate it more effectively?
- Have a question? Ask it here and let our amazing SAP community help! Or reply and share your knowledge!
- 2487011 - What information do I need to provide when opening an incident for SAP Analytics Cloud?
- Search for SAP Analytics Cloud content using Google or Bing:
- Note: Add relevant text or warning/error messages to the text search field to filter results.
- SAP Analytics Cloud > Learning > Data Connections
- SAP Analytics Cloud > Learning > Guided Playlists
- SAP Analytics Cloud > Learning > Guided Playlists > Getting Support
- Need More Help? Contact Support or visit the solution finder today!
Your feedback is important to help us improve our knowledge base.
SAML, SSO, IdP, SAP Cloud for Planning, sc4p, c4p, cforp, cloudforplanning, Cloud for Planning, EPM-ODS, Cloud for Analytics, C4P, Cloud4Analytics, CloudforAnalytics, Cloud 4 Planning, HCP, C4A, BOC, SAPBusinessObjectsCloud, BusinessObjectsCloud, BOBJ, BOBJcloud, BOCloud., BICloud, BO Cloud, Verify account fails in SAC while configuring IdP, SAP Analytics cloud SSO - SAML issue, Error with SSO-SAML config, SAML login is not working, [AUT] SSO blocks logon, Changed SAML attribute assertion on SAC, Issue Setting up Single Sign-on with OKTA for SAP Analytics for Cloud, SapAnaliticsCloud [AUT] SSO/SAML for SAC using our corporate IDP, [AUT] ID is automatically switches to upper case and SAML authentication fails [AUT] SAML Mapping OR Condition Not Working, IDP reset, 'StatusCode in ResponseMessage != OK' when logging with SAML2, 'StatusCode in ResponseMessage != OK' when logging with SAML2, New IdP setup for SAP Analytic Cloud, SAC to IDPproblems, Unable to verify account, SAML Config: Switching currently setup User Attribute( Email to UserID), Login Error - Fail to login to SAP Analytics Cloud, sso, singlesignon signon, authenticate , KBA , sap analytical cloud live connection to , direct connection and saml sso , onprem hana database using , sso , locked out of sap analytics cloud , adfs ad fs , custom idp , install certificate sso sac kba , new idp setup for sap analytic cloud. , user id: user id values in sap analytics , sso account verification error , sso implementation halted , saml idp master kba sac , LOD-ANA-AUT , SAC Authentication / Login , LOD-ANA-BI , Business Intelligence Functionality, Analytic Models , LOD-ANA-PL , Planning , LOD-ANA-BR , SAC Boardroom , LOD-ANA-PR , SAC Predictive , Problem