SAP Knowledge Base Article - Public

2487116 - How to configure SAP Analytics Cloud SAML SSO using AD FS (Active Directory Federation Services)

Symptom

You want to use your AD FS (Active Directory Federation Services) to authenticate users in SAP Analytics Cloud (SAC).

Environment

  • SAP Analytics Cloud
  • Windows Active Directory 2012

Resolution

Warning: It is strongly recommended to discuss these steps with your network (Active Directory / AD) administrators.

Follow the recommended steps below to help configure Active Directory Federation Services with SAC.

Remember that only an Active Directory expert or a Microsoft Authentication expert is able to answer all your specific questions.
Consulting and configuration is outside the scope of SAP Product Support. See 2706322 - What is Support – What is Consulting: Cloud Solutions.

1. Download XML Service Provider Metadata:

You need to download the Service Provider metadata for your system (tenant URL).

  1. Log on to SAP Analytics Cloud using an administrator (admin) account.
  2. Go to the menu System > Administration > Security.
  3. Click the pencil icon to edit.
  4. Select SAML single sign-on (SSO).
  5. Click the Download button that appears under Step 1: Download Service Provider metadata.

2. Importing the information into AD FS:

  1. Connect to your AD FS Management tool.
  2. Select Trust Relationships > Relying Party Trust > Right click and select Add Relying Party Trust.
    Add_Relying_Party_Trust.png
  3. Select "Import data about the relying party from a file".
    2_Add_Relying_Party_Trust.png
  4. After importing the file, you will be asked a couple of questions.
  5. Select "I do not want to configure multi-factor authentication settings for this relying party trust at this time".
    3_Add_Rely_2factor.png
  6. Select "Permit all users to access this relying party".

    4_Add_Rely_Permit.png

  7. For more information on these settings, read Microsoft's documentation.

3. Add Claim Rules for SAP Analytics Cloud:

You will be prompted to add Claim Rules.

5_Add_Rule.png

  • Transformation from Active Directory attribute to Claims

6_Send_Claim.png

    • Transformation from the logon name in Active Directory (LDAP Attribute: SAMAccountName ) to an intermediary claim.
      In this sample, we manually enter the custom claim type name called: my_intermediate_claim.

      claimrule.png

      • In this case, the UPN (userPrincipalName) of your user (MY_USER@example.com or EXAMPLE\MY_USER) will be transformed to the Name ID (MY_USER) in the SAML assertion, which will be used to map the SAC user attribute.
        • If all users have their UPN in upper case in AD FS, you can select the option USER ID when configuring SAML SSO in SAC (Step 3).
        • Otherwise, if some users have their UPN in lower case or mixed case, you must select the option Custom SAML User Mapping when configuring SAML SSO in SAC (Step 3).
      • If you want to configure SAML SSO using Email in SAC (Step 3), select the LDAP attribute E-Mail-Addresses here.

    • Transformation from other attributes to white-listed SAML attributes (manually enter; case-sensitive; used to map SAC user attributes)
      SAC white-listed SAML attributes.png
      NOTE: SAML Attribute email is always recommended.
      See KBA 2789431 - After enabling custom SAML SSO on the SAP Analytics Cloud system, e-mails are overwritten with @unknown.org or @this-default-was-not-configured.invalid domain

  • Transformation from this intermediary Claim to Name ID, which is required by SAP Analytics Cloud.
    Incoming Claim.png

    transform rule.png
    • If this rule is not created (and SAMAccountName is instead transformed to Name ID directly in the previous step), the AD FS assertion will not contain the required format: <NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">USER_NAME</NameID>
      The logon process will work, but you will get an error when you log out. See KBA 2601672 for details.
    • If you want to configure SAML SSO using Email in SAC (Step 3), set the Outgoing name ID format to Email.
  • Issue SAML Attribute Groups to return static value "SAC", which is required only when SAP Analytics Cloud is running on a non-SAP data center.

    Static Rule.png

    SAML_AWS_3.png
  • Encryption used: in the newly created Relying Party Trust you need to change the default Secure hash algorithm to SHA-1:

    SHA1_Encryption.png
    NOTE: The SHA-256 hash algorithm is only supported on SAP Analytics Cloud systems running in a non-SAP data center. Refer to KBAs 2796605 and 2820521.
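The claim rules from step 3 (plus the "Permit all users" authorization rule from step 2) written out in AD FS claim rule language and applied with the AD FS PowerShell module. This is an added example, not part of the KBA: the trust display name "SAP Analytics Cloud" is a placeholder, while the claim type my_intermediate_claim, the Groups attribute with value "SAC" and the SHA-1 setting are the values the steps above describe.

```powershell
# Added example (not from the KBA). Assumes the Relying Party Trust was already
# created from the SAC metadata file and is named as below (placeholder name).
Import-Module ADFS

$rpName = "SAP Analytics Cloud"   # placeholder: display name of the SAC trust

# Step 2, item 6: "Permit all users to access this relying party".
$authzRules = '=> issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");'

# Step 3: the three issuance transform rules, in the order the KBA adds them.
$transformRules = @'
@RuleName = "sAMAccountName to intermediate claim"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("my_intermediate_claim"), query = ";sAMAccountName;{0}", param = c.Value);

@RuleName = "Intermediate claim to Name ID (format unspecified)"
c:[Type == "my_intermediate_claim"]
 => issue(Type = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier", Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, Value = c.Value, ValueType = c.ValueType, Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/format"] = "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified");

@RuleName = "Static Groups attribute (only needed for SAC on a non-SAP data center)"
 => issue(Type = "Groups", Value = "SAC");
'@

# Apply both rule sets to the trust (this replaces any rules already on it).
Set-AdfsRelyingPartyTrust -TargetName $rpName `
    -IssuanceAuthorizationRules $authzRules `
    -IssuanceTransformRules $transformRules

# Secure hash algorithm: SHA-1 as the KBA requires; use the rsa-sha256 URI only
# on systems where KBAs 2796605 / 2820521 say SHA-256 is supported.
Set-AdfsRelyingPartyTrust -TargetName $rpName `
    -SignatureAlgorithm "http://www.w3.org/2000/09/xmldsig#rsa-sha1"

# Read the trust back to confirm what AD FS will issue before validating in SAC.
$rp = Get-AdfsRelyingPartyTrust -Name $rpName
$rp.IssuanceTransformRules
$rp.SignatureAlgorithm
```

The NameID rule is the one the KBA says must not be skipped: without the format property the logon works but the SAC logout fails (KBA 2601672).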

4. Importing the Metadata.xml from AD FS:

Your AD administrator knows how to get this file. It can be obtained by going to the URL: https://YourADServer.YourDomain/FederationMetadata/2007-06/FederationMetadata.xml

Back in SAP Analytics Cloud, in the SAML SSO menu where we downloaded the Service Provider Metadata, we can now upload this file: Upload Identity Provider Metadata

In Step 3: Choose a user attribute to map to your identity provider, you need to select USER ID for this example:

8_SAC_Mapping.png

When selected, your username should be populated. In this example, you see that it is Your_AD_User. The value entered has to match EXACTLY the logon name that is in Active Directory (SAM-Account-Name).

What happens if you want them to match by e-mail or other attributes?

You need to go back to your Claim rules in AD FS and map them accordingly.

5. Validating the account:

Before we can save the configuration we need to validate the configuration.

Copy the URL from the validate window and open it in a Chrome Incognito tab, or in a browser on another machine.

6. Troubleshooting:

  • See 2487567 - Troubleshooting SAML assertions when configuring SAML SSO in SAP Analytics Cloud.

7. IdP Initiated SSO:

Please note that SAP Analytics Cloud SAML SSO using the AD FS workflow only supports the Service Provider (SP) initiated SSO scenario. Currently the IdP initiated workflow is not supported due to limitations on the SAP Cloud Platform. More information regarding this can be found below.

See Also


Keywords

adfs, ad fs, activedirectory, ldap, sso, howto, how to, SAC, Analytics Cloud, saml, saml2, configuration, email userid, KBA, ms ad, a d f s, logout, ad adfs, LOD-ANA-AUT, SAC Authentication / Login, LOD-ANA-BI, Business Intelligence Functionality, Analytic Models, LOD-ANA-PL, Planning, LOD-ANA-BR, SAC Boardroom, LOD-ANA-PR, SAC Predictive, How To

Product

SAP Analytics Cloud 1.0