SAP Knowledge Base Article - Public

2890729 - Intermittent error: Response doesn't have any valid assertion which would pass subject validation in SAP Analytics Cloud (SAC)

Symptom

  • After SAP Analytics Cloud has been successfully configured to use Microsoft Azure IDP as a custom SAML SSO identity provider for authentication with the SAP Analytics Cloud tenant, login fails after several days with the error:
    "Response doesn't have any valid assertion which would pass subject validation"
  • Once the error occurs in a client browser, login continues to fail with this error in that browser.
  • After clearing the browser cache the issue goes away, but after some days the same error may occur again.
  • The issue does not occur in an Incognito window (private mode).

Environment

  • SAP Analytics Cloud (Enterprise)

Cause

  • The authentication was rejected because the difference between the time the authentication was initiated (IssueInstant) and the time when the IDP last authenticated the user (AuthnInstant) was too great.
  • The default for maxAuthenticationAge in SAP Cloud Platform was 10 days.
  • The issue only occurs if a SAML2 IDP issues a SAML2 assertion whose AuthnInstant differs from the current date and time by more than 10 days, e.g.:

    AuthnInstant="2020-01-01T09:07:36.666Z"
    IssueInstant="2020-03-31T09:27:18.346Z"

    Difference = 90 days, which is longer than 10 days.
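
To confirm this cause on a captured assertion, the age check described above can be reproduced offline. The following is an added example, not SAP or Microsoft code: it assumes the relevant IssueInstant is the one on the unencrypted saml:Assertion element, and the sample XML is constructed from the timestamps in this article.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
MAX_AUTHENTICATION_AGE = timedelta(days=10)  # default stated in this KBA

# Constructed sample assertion using the timestamps from the Cause section.
SAMPLE_ASSERTION = """\
<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
                ID="_constructed" Version="2.0"
                IssueInstant="2020-03-31T09:27:18.346Z">
  <saml:AuthnStatement AuthnInstant="2020-01-01T09:07:36.666Z"/>
</saml:Assertion>
"""

def parse_instant(value):
    """Parse a UTC SAML timestamp ('Z' suffix), with or without fractional seconds."""
    if not value:
        raise ValueError("timestamp attribute is missing")
    for fmt in ("%Y-%m-%dT%H:%M:%S.%fZ", "%Y-%m-%dT%H:%M:%SZ"):
        try:
            return datetime.strptime(value, fmt).replace(tzinfo=timezone.utc)
        except ValueError:
            continue
    raise ValueError(f"unsupported timestamp: {value!r}")

def authentication_age(xml_text):
    """Return IssueInstant minus AuthnInstant for the first assertion in xml_text."""
    # SAML messages never need a DTD; refuse one rather than expand entities.
    if "<!DOCTYPE" in xml_text or "<!ENTITY" in xml_text:
        raise ValueError("DTDs are not expected in SAML messages")
    root = ET.fromstring(xml_text)
    is_assertion = root.tag == f"{{{NS['saml']}}}Assertion"
    assertion = root if is_assertion else root.find(".//saml:Assertion", NS)
    if assertion is None:
        raise ValueError("no unencrypted saml:Assertion found")
    statement = assertion.find("saml:AuthnStatement", NS)
    if statement is None:
        raise ValueError("assertion has no AuthnStatement")
    issued = parse_instant(assertion.get("IssueInstant"))
    return issued - parse_instant(statement.get("AuthnInstant"))

def would_be_rejected(xml_text, max_age=MAX_AUTHENTICATION_AGE):
    """Return (rejected, age): rejected is True when age exceeds max_age."""
    age = authentication_age(xml_text)
    return age > max_age, age

if __name__ == "__main__":
    rejected, age = would_be_rejected(SAMPLE_ASSERTION)
    print(f"authentication age: {age}  rejected: {rejected}")
```
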

Resolution

On the Microsoft Azure IDP side, configure authentication session management so that the session lifetime is less than 10 days.
See Microsoft document: https://docs.microsoft.com/en-us/azure/active-directory/conditional-access/howto-conditional-access-session-lifetime


Keywords

SAP Cloud for Planning, sc4p, c4p, cforp, cloudforplanning, Cloud for Analytics, Cloud4Analytics, CloudforAnalytics, Cloud 4 Planning, BOC, SAPBusinessObjectsCloud, BusinessObjectsCloud, BOBJcloud, BOCloud., SAC, SAP AC, Cloud-Analytics, CloudAnalytics, SAPCloudAnalytics,Error, Issue, System, Data, User, Unable, Access, Connection, Sac, Connector, Live, Acquisition, Up, Set, setup, Model, BW, Connect, Story, Tenant, Import, Failed, Using, Working, SAML, SSO, sapanalyticscloud, sap analytical cloud, sap analytical cloud, SAC , KBA , ms edge not working for a specific user. , LOD-ANA-BI , Business Intelligence Functionality, Analytic Models , Problem

Product

SAP Analytics Cloud 1.0