SAP Knowledge Base Article - Public

2487567 - Troubleshooting SAML assertions when configuring SAML SSO in SAP Analytics Cloud (SAC)

Symptom

You are configuring SAML SSO in SAP Analytics Cloud (SAC).
When you validate the account you get an error message, pop-up window or a screen with this message:

  • We've encountered an unexpected issue.
  • Please try again later or contact your system administrator if the problem persists.
  • It seems your profile is not configured for this system.

Environment

  • SAP Analytics Cloud
  • SAML identity provider (IDP) (Note: must support SAML 2.0)

Resolution

Option 1 : Install a Chrome Extension

There are multiple tools and extensions that can help read SAML assertions. In this example, the SAML Chrome panel is used.

  1. Install the SAML Chrome panel extension.
  2. Capture and display SAML assertions by opening Chrome Developer Tools (CTRL+Shift+I / F12) and selecting the SAML tab.

1_Chrome_Plugin_fixed.png

Activate this extension in Chrome Incognito mode as well while validating the SAML configuration.

To do that go to: Chrome menu Extensions:

2_Incognito.png

What to capture

  1. When you are offered to validate your configuration, open your incognito Window.
  2. Open the Chrome Web development tools (F12 or Option + Command + I in MacOS).
  3. Paste the URL from the validate windows.
  4. You should get redirected from SAP Analytics Cloud to your SAML IdP
  5. Type your username / password, after you should be redirected back to SAP Analytics Cloud.

In the last entry for the SAML Plugin, search for the content NameID, similar to:

<Subject>
            <NameID>username</NameID>
            <SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer"><SubjectConfirmationData
                InResponseTo="Sca4e6250-4899-4885-9f8d-3b7ceb21ca59-YtIF1X5MFKLMDLYJ8J2Zfju1bZXoUQ9Zr8UDbXK.C4w"
                NotOnOrAfter="2017-06-09T21:08:20.858Z"
                Recipient="https://authn.hana.ondemand.com/saml2/sp/acs/a14f33c4c/axxxx"/></SubjectConfirmation>
</Subject>

NOTE:

If the NameID or other user attributes do not apper in the SAML tool, the SAML assertions may be encrypted.
This applies if  "<EncryptedAssertion xmlns="urn:oasis:names:tc:SAML:2.0:assertion">" is visible in the SAML traces.
In this case, encryption should be disabled until troubleshooting is complete.

Option 2: Using the Google Chrome Developer Tools "Network" Trace

If you are unable to install an additional Google Chrome Extension, you can troubleshoot SAML Responses using the Network tab in the Google Chrome Developer Tools by following the steps below;

  1. When you are offered to validate your configuration, open your Incognito Window.
  2. Open the Chrome Web Developer Tools (F12 or Option + Command + I in MacOS) and navigate to the Network tab.
  3. Complete the Verify Account workflow with the Network tab open
  4. Look for the call with the HTTP Status Code "302" in the format of https://<tenant name>.authentication.eu10.hana.ondemand.com/saml/SSO/alias/<tenant name>.aws-live-eu10
  5. Open this call and navigate to the "Header" tab
  6. Scroll down and look for "SAMLResponse"
  7. Copy and Paste this encoded response into your chosen SAML decoder and search for the NameID

Case Sensitivity

Custom SAML logon to SAP Analytics Cloud is case-sensitive. Users can log on only if their SAML User Mapping that's entered into SAP Analytics Cloud is a case-sensitive match to the NameID that's sent by your SAML Identity Provider.

Example:

In Step 3, you will be asked to choose a User Attribute to map to your identity provider, which can be either Email, USER ID, or Custom SAML User Mapping. In this example, Custom SAML User Mapping is used. Here, the credential "user@company" is provided, as this is the expected SAML NameID from the IdP. Please see the expected results below;

1.PNG

Successful "Verify Account" NameID: <NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">user@company.com</NameID>

Unsuccessful "Verify Account" NameID: <NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">User@company.com</NameID>

You can configure SAML authentication using one of three fields as the SAML User Mapping. In all cases, you need to enter values into SAP Analytics Cloud using the exact same case as will be sent by your SAML Identity Provider:

  • Custom SAML User Mapping: This is the most flexible option, as it provides an additional column in the Security > Users page, where you can enter the values by which your Identity Provider will identify each user in the NameID attribute of their SAML assertion. This is commonly used when SAML identifiers are arbitrary upper-, lower-, or mixed-case strings rather than email addresses.
  • Email: You can use this option if email addresses are regularly used as identifiers by your Identity Provider. But it is recommended only if you are certain that the Identity Provider uses upper/lower case in a consistent manner (e.g., always all-lowercase), so as to avoid the likelihood of values being entered with mismatches in SAP Analytics Cloud.
  • USER ID: USER ID values in SAP Analytics Cloud are always uppercase, and are limited to alphanumeric characters. Use USERID as the SAML user mapping only when you are certain that the NameIDs from your IdP will always be uppercase and limited to the same characters.

TIP: Check the values (Name, Userid, email etc.) stored in the IDP to see that they match.

For example SAP IAS (Identity Authentication Services) will use https://<>.accounts.ondemand.com/ui/protected/profilemanagement

See Also

Your feedback is important to help us improve our knowledge base.

Keywords

SAML, SSO, authentication, EPM-ODS, Cloud for Analytics, C4P, Cloud4Analytics, CloudforAnalytics, Cloud 4 Planning, HCP, C4A, BOC, SAPBusinessObjectsCloud, BusinessObjectsCloud, BOBJ, BOBJcloud, BOCloud., BICloud, SBOC, SAC, It seems your profile is not configured for this system,e-mail , KBA , use the saml chrome dev tools panel. , to see the id which is synced with sac u , sac kba saml devtools panel , sac kba saml dev tools panel , sso implementation halted , sso account verification error , saml , adf , LOD-ANA-ADM , SAC Administration , LOD-ANA-BI , Business Intelligence Functionality, Analytic Models , LOD-ANA-PL , Planning , LOD-ANA-BR , SAC Boardroom , LOD-ANA-PR , SAC Predictive , How To

Product

SAP Analytics Cloud 1.0