SAP Knowledge Base Article - Public

2922448 - SAML Attribute Mapping in SAP Analytics Cloud (SAC) & SAP Digital Boardroom Master KBA

Symptom

In SAP Analytics Cloud, you are able to map User Attributes, Roles and Teams based on the SAML Attributes provided by a SAML 2.0 Custom Identity Provider.

Requirements:

  • You are currently using a Custom SAML 2.0 SSO Identity Provider, such as SAP IAS or Microsoft Azure AD, to authenticate users.

Environment

  • SAP Analytics Cloud (Enterprise)
  • Custom SAML 2.0 Identity Provider such as SAP Identity Authentication Services (SAP IAS) or Microsoft Azure AD

Resolution

User Attribute Mapping

In the Users page found at Menu > Security > Users, you can populate columns such as First Name, Last Name and Email based on the values of the SAML Attributes provided by your Custom IdP upon login or user creation.

However, these steps differ depending on the data centre where your SAP Analytics Cloud tenant is hosted. To determine this, check the region host in your SAC Tenant URL against the details below:

  • NEO (SAP Data Centre) – Region hosts with single digits, e.g. EU1 or US1
  • CF (Non-SAP Data Centre) – Region hosts with double digits, e.g. EU10 or US10

Example – sapcustomer.eu10.sapanalytics.cloud would follow the steps for CF below.

User Attribute Mapping for CF (Non-SAP Data Centre)

Step 1 - Configuring your SAML Attributes correctly on IdP

A prerequisite for SAML User Attribute Mapping on SAC tenants hosted on non-SAP Data Centres is that your IdP has been configured to provide SAML Attributes using exactly the same names as the whitelisted attributes that SAC supports, shown below:

[Screenshot: Whitelisted Attributes]

Important! - For SAML attributes to be recognised it is also important that the “Groups” attribute contains the value of “sac”.

If you are using the SAP Cloud Platform Identity Authentication Service (SAP IAS) as your IdP, map the Groups attribute under Default Attributes for your SAP Analytics Cloud application. The remaining attributes should be mapped under Assertion Attributes for your SAP Analytics Cloud application.

Example (Groups in IAS):

[Screenshot: Groups in IAS]

Example (Assertions in IAS):

[Screenshot: Assertions in IAS]

Your SAML attribute claims should now look like the following when logging in to SAP Analytics Cloud through your Custom IdP. To troubleshoot this, please take a look at KBA 2487567 - Troubleshooting SAML assertions when configuring SAML SSO in SAP Analytics Cloud.

Result:

[Screenshot: Correct SAML Attributes]
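
The Step 1 requirements can be checked against a decoded assertion before testing a login. The script below is an added example, not SAP code: it classifies the tenant host as NEO or CF and, for CF, reports attribute names outside the known list and a Groups attribute without the value "sac". The function names, the sample assertion and the name list (only the names that appear in this article's text) are assumptions.

```python
import re
import xml.etree.ElementTree as ET

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
# Only the attribute names that appear in this article's text. The full
# whitelist is in the article's screenshot, so extend this set from there.
KNOWN_CF_NAMES = {"email", "familyName", "givenName", "Groups",
                  "custom1", "custom2", "custom3", "custom4", "custom5"}


def platform_for(tenant_host):
    """Classify a tenant host by its region label: one digit = NEO, two = CF."""
    labels = tenant_host.lower().split(".")
    m = re.fullmatch(r"[a-z]+(\d{1,2})", labels[1]) if len(labels) > 1 else None
    if not m:
        raise ValueError(f"no region label in {tenant_host!r}")
    return "NEO" if len(m.group(1)) == 1 else "CF"


def check_assertion(assertion_xml, tenant_host):
    """Return a list of findings for the attributes in a decoded assertion."""
    root = ET.fromstring(assertion_xml)
    attrs = {}
    for a in root.iterfind(".//saml:AttributeStatement/saml:Attribute", SAML_NS):
        attrs[a.get("Name")] = [(v.text or "").strip()
                                for v in a.iterfind("saml:AttributeValue", SAML_NS)]
    findings = []
    if platform_for(tenant_host) == "CF":  # NEO has no attribute name limits
        # Names are compared exactly, so "Email" or "groups" is reported.
        for name in sorted(set(attrs) - KNOWN_CF_NAMES):
            findings.append(f"attribute name not in known list: {name}")
        # Assumption: "contains the value sac" means one value equals "sac".
        if "sac" not in attrs.get("Groups", []):
            findings.append('Groups attribute missing or lacks value "sac"')
    return findings


# Constructed sample assertion fragment (not captured from a real IdP).
SAMPLE = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
 <saml:AttributeStatement>
  <saml:Attribute Name="Email"><saml:AttributeValue>a.user@example.com</saml:AttributeValue></saml:Attribute>
  <saml:Attribute Name="familyName"><saml:AttributeValue>User</saml:AttributeValue></saml:Attribute>
  <saml:Attribute Name="Groups"><saml:AttributeValue>analysts</saml:AttributeValue></saml:Attribute>
 </saml:AttributeStatement>
</saml:Assertion>"""

if __name__ == "__main__":
    for finding in check_assertion(SAMPLE, "sapcustomer.eu10.sapanalytics.cloud"):
        print(finding)
```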

Step 2 - Mapping User Attributes to SAML Attributes in the SAC Users Page

First, browse to Menu > Security > Users. Then, at the top right, click the “Map SAML User Properties” icon and you will be presented with the menu below:

[Screenshot: Attributes]

As you can see, our email, familyName and givenName SAML attributes from our Custom IdP are now displayed, ready to be mapped in this menu!

User Attribute Mapping for NEO (SAP Data Centre)

Step 1 - Enabling your NEO tenant for use with SAML User Attribute Mapping

If SAP Analytics Cloud is running on an SAP data center, you must submit an SAP Product Support Incident using the component LOD-ANA-ADM. In the support ticket, indicate that you want to set up user profiles and role assignment based on custom SAML attributes, and include your SAP Analytics Cloud tenant URL. From here, our Operations team will enable this for your specific tenant.

Important: Each time you change your SAML IdP, you must submit a support ticket if you wish to continue using User Profile and Role Assignment based on custom SAML attributes.

Step 2 - Mapping User Attributes to SAML Attributes in the SAC Users Page

First, browse to Menu > Security > Users. Then, at the top right, click the “Map SAML User Properties” icon and you will be presented with the menu below:

[Screenshot: Attributes]

Here, you can select a User Attribute from the Users page and map it to a SAML attribute that has been provided by your Custom IdP. For SAC tenants hosted on SAP Data Centres (NEO) there are no limitations on the names of the attributes that can be used here.

Roles and Team Mapping

Before continuing, note that these steps can only be carried out if you have successfully completed the steps above.

You can map Roles and Teams based on SAML Attribute and Value conditions. Teams and Roles will be assigned and revoked upon login if the necessary conditions have been met.

Important: For CF SAC Tenants you will need to use the custom1, custom2, custom3, custom4 or custom5 SAML Attributes as per step 7 in the guide.

For more information please visit the Mapping Roles Using SAML Attributes Guide.

Dynamic User Creation

Please note that if you have selected the Dynamic User Creation option in step 11 of the guide, a user who does not yet exist in the tenant and has been successfully authenticated by your IdP will be dynamically created based on the attributes provided by your Custom IdP. It is therefore important that the steps above have been configured correctly if you plan on using this in a productive environment.

Known Issues

2789431 - After enabling custom SAML SSO on the SAP Analytics Cloud system, e-mails are overwritten with @unknown.org or @this-default-was-not-configured.invalid domain


Product

SAP Analytics Cloud 1.0