SAP Knowledge Base Article - Public

2411608 - SAP Analytics Cloud SAML authentication *** Master KBA ***

Symptom

Environment

  • SAP Analytics Cloud
  • SAML 2.0 Identity Provider

Resolution

  1. Understanding SAML.
  2. Steps to configure SAML SSO.
  3. How to configure SAP Analytics Cloud SAML SSO using AD FS (Active Directory Federation Services).
  4. How to configure SAP Analytics Cloud SAML SSO using Azure Active Directory.
  5. Typical Mistakes.
  6. Troubleshooting. See 2487567.
  7. FAQ.

Understanding SAML

Security Assertion Markup Language (SAML) is an open-standard data format for exchanging authentication and authorization data between parties. We can see the three parties involved and a very simplified exchange in the following picture:

[Image: SAML_Simplified.png]

SAP Analytics Cloud is the service provider. The browser attempts to access the software and is redirected to a third-party Identity Provider, which is responsible for authenticating the user.

The good news is that SAML is the native method used. When you get your system URL and log on to SAP Analytics Cloud for the first time, you are redirected to SAP Cloud Platform Identity Authentication service (https://cloudanalytics.accounts.ondemand.com). This is the default SAML Identity Provider (IDP).

Hints:

  1. You can log on to the SAC default IDP profile page to review your information at the following URL:
    https://cloudanalytics.accounts.ondemand.com
  2. You can check the user’s details, including the groups mapped, by accessing the following URL:
    https://<system_name>.authentication.<landscape_region>.hana.ondemand.com/config?action=who&details=true

Steps to configure SAML in SAP Analytics Cloud

To configure a custom SAML 2.0 Identity Provider (IDP) with SAP Analytics Cloud, use the self-service tool in the main menu:

System > Administration > Security (tab)

Follow the complete steps in the SAP Analytics Cloud Help, section Enabling SAML Single Sign-On (SSO).

If you want to follow a step-by-step process with Microsoft Active Directory Federation Services (ADFS / AD FS), see article 2487116.

How to configure SAP Analytics Cloud SAML SSO using AD FS (Active Directory Federation Services)

  • For steps on how to configure SAP Analytics Cloud SAML SSO using AD FS, please read KBA 2487116.

How to configure SAP Analytics Cloud SAML SSO using Azure Active Directory

  • For steps on how to configure SAP Analytics Cloud SAML SSO using Azure Active Directory, please read KBA 2571892.

Typical Mistakes

Modifying the SAP Analytics Cloud Metadata.

  • You only need to import the XML file to your SAML Identity Provider.
  • You may be tempted to manually change confusing entries such as the following one to point to your own location:
    Location="https://authn.us1.hana.ondemand.com/saml2/sp/slo/baa999ddf/baa999ddf
  • Do not change it.

Incorrect NameID tag returned.

Verify Account button fails.

  • The Verify Account step should be done in a completely new browsing session. We recommend using Incognito mode (Google Chrome) or InPrivate mode (Microsoft Edge), as this serves as a new browsing session.
  • Please make sure that an existing Incognito window is not already open and that the user has not already authenticated in SAC using a different logon token, as this may cause the Verify Account step to succeed even if SAML is not configured correctly.

How to troubleshoot?

  • We recommend installing a SAML Add-on to examine SAML assertions.
    • Additionally, you can use the Google Chrome Developer Tools Network trace to look at encoded SAML Responses.
  • See 2487567 which contains a step-by-step troubleshooting guide.
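
The decoding step described above, as an added example (not part of the original KBA and not SAP code): it takes the URL-encoded form body copied from a browser network trace, decodes the SAMLResponse field, and reports the StatusCode, Issuer and NameID. The sample response, its issuer and its user are constructed placeholders; handling of DEFLATE-compressed messages goes beyond the POST case and is included as a generalization.

```python
import base64
import zlib
import xml.etree.ElementTree as ET
from urllib.parse import parse_qs, urlencode

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample response (not captured from a real system).
SAMPLE_XML = (
    '<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
    'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">'
    '<saml:Issuer>https://idp.example.test</saml:Issuer>'
    '<samlp:Status><samlp:StatusCode '
    'Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>'
    '<saml:Assertion><saml:Subject><saml:NameID '
    'Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">'
    'Jane.Doe@example.test</saml:NameID></saml:Subject></saml:Assertion>'
    '</samlp:Response>'
).encode()
SAMPLE_FORM = urlencode({"SAMLResponse": base64.b64encode(SAMPLE_XML).decode()})


def decode_saml_response(form_body: str) -> bytes:
    """Return the XML carried in the SAMLResponse field of a form body."""
    value = parse_qs(form_body)["SAMLResponse"][0]
    raw = base64.b64decode(value)
    if not raw.lstrip().startswith(b"<"):
        # HTTP-Redirect binding: the message is raw-DEFLATEd before base64.
        raw = zlib.decompress(raw, -15)
    if b"<!DOCTYPE" in raw or b"<!ENTITY" in raw:
        raise ValueError("DTD found in SAML message; refusing to parse")
    return raw


def summarize(xml_bytes: bytes) -> dict:
    """Extract the fields to compare against the SAC SAML configuration."""
    root = ET.fromstring(xml_bytes)
    status = root.find("samlp:Status/samlp:StatusCode", NS)
    name_id = root.find(".//saml:Subject/saml:NameID", NS)
    issuer = root.find("saml:Issuer", NS)
    return {
        "status": status.get("Value") if status is not None else None,
        "issuer": issuer.text if issuer is not None else None,
        "name_id": name_id.text if name_id is not None else None,
        "name_id_format": name_id.get("Format") if name_id is not None else None,
        # An encrypted assertion hides the NameID until it is decrypted.
        "encrypted": root.find("saml:EncryptedAssertion", NS) is not None,
    }
```

This only inspects the message; it does not verify the XML signature, so use it for troubleshooting output and never as an authentication check.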

FAQ

  • Q: Can I use the current SAP Cloud Identity used by SAP Analytics Cloud in any of the other SAP Cloud Applications?
    A: No. You can purchase your own system of SAP Cloud Identity and use it to authenticate against all your applications.

  • Q: Do I need a reverse proxy if my SAML IdP is not in the cloud and can only be accessed from my network?
    A: No. As long as your browser can access both sites: SAC and IdP, everything should work as expected.

  • Q: Can I use the same SAML IDP in HANA, S/4HANA and other SAP applications?
    A: Yes, in fact you should. If you have S/4HANA Cloud edition, follow these steps to use the same SAP Cloud Identity in SAC. See 2518900.

  • Q: Are there other options to have SSO in SAP Analytics Cloud?
    A: Currently, you can only authenticate in SAP Analytics Cloud using SAML. However, you can have SSO to HANA using a Live Direct Connection (CORS) having two different authentication methods: SAML for SAC and another for HANA, as long as your browser supports both.

Note that SAP Product Support can only help you with product issues and defects related to SAP Analytics Cloud.
If your SAML IDP is not returning a correct assertion, you will need to contact your SAML IDP vendor to troubleshoot transformations and authorisations.

Other information

  • If you are trying to set up SAML to authenticate your current SAP Analytics Cloud to SAP Cloud Platform and you are not interested in creating your own Identity Provider, follow this blog: SAP Analytics Cloud: Live Data Connection to SAP HCP With SSO (Simple URLs).
  • For specific steps configuring a reverse proxy with Apache, follow the steps indicated in the article 2358559 - Authenticating to SAP Analytics Cloud via SAP Cloud Identity breaks Apache Reverse Proxy.

Product

SAP Analytics Cloud 1.0