SAP Knowledge Base Article - Public

2411608 - SAP Analytics Cloud SAML authentication *** Master KBA ***


You want to configure your own Identity Provider (IdP) to use it with SAP Analytics Cloud.


  • SAP Analytics Cloud
  • SAML 2.0 Identity Provider


  1. Understanding SAML
  2. Steps to configure SAML SSO
  3. How to configure SAP Analytics Cloud SAML SSO using AD FS (Active Directory Federation Services)
  4. How to configure SAP Analytics Cloud SAML SSO using Azure Active Directory
  5. Typical Mistakes
  6. Troubleshooting KBA 2487567
  7. FAQ

Understanding SAML

Security Assertion Markup Language (SAML) is an open-standard data format for exchanging authentication and authorization data between parties. We can see the three parties involved and a very simplified exchange in the following picture:


SAP Analytics Cloud is the service provider. The browser will attempt to get access to the software and will be redirected to a third party Identity Provider that will be responsible to authenticate the user.

The good news is that SAML is the native method used. When you get your tenant URL and logon for the very first time to SAP Analytics Cloud, you are redirected to SAP Cloud Platform Identity Authentication service. This is the SAML Identity Provider used by default.

Steps to configure SAML in SAP Analytics Cloud

To configure your SAML 2.0 Identity Provider (IdP) with SAP Analytics Cloud, you only need to follow the self-service tool in the menu:

System > Administration > Security (tab)

You can follow the complete steps in the documentation of the product, section Enabling SAML Single Sign-On (SSO).

If you want to follow a step-by-step process with Active Directory Federation Services, you can use the KBA 2487116.

How to configure SAP Analytics Cloud SAML SSO using AD FS (Active Directory Federation Services)

  • For steps on how to configure SAP Analytics Cloud SAML SSO using AD FS please read the KBA 2487116 

How to configure SAP Analytics Cloud SAML SSO using Azure Active Directory

  • For steps on how to configure SAP Analytics Cloud SAML SSO using Azure Active Directory please read the KBA 2571892

Typical Mistakes

Modifying the SAP Analytics Cloud Metadata. You only need to import the XML file to your SAML Identity Provider.

You may be tempted to manually modify the confusing entries like this:


to your own location. Don't change it.

Incorrect NameID tag returned.

Your Identity Provider doesn't make the transformations as expected and returns something incorrect:

<NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">My phone number</NameID>

The value returned has to match the Attribute to map: User ID, email, etc.

How to troubleshoot?

We recommend you to install an SAML Add-on to examine only the SAML assertions. KBA 2487567 contains a step-by-step troubleshooting guide.


  • Can I use the current SAP Cloud Identity used by SAP Analytics Cloud in any of the other SAP Cloud Applications?

No. You can purchase your own tenant of SAP Cloud Identity and you can use it to authenticate all your applications.

  • Do I need reverse proxy if my SAML IdP is not in the cloud and can only be accessed from my network?

No. As long as your browser can access both sites: SAC and IdP, everything should be working as expected.

  • Can I use the same SAML IdP in HANA, S4/HANA and other SAP applications?

Yes, in fact you should. If you have S4/HANA Cloud edition, you can follow these steps to use the same SAP Cloud Identity in SAC: KBA 2518900

  • Are there other options to have SSO in SAP Analytics Cloud?

Currently, you can only authenticate in SAP Analytics Cloud using SAML. However, you can have SSO to HANA using Live Direct Connection (CORS) having two different authentication methods: SAML for SAC and other for HANA, as long as your browser supports both.

Please note that SAP Product Support can only help you with our product deffects. If your SAML IdP is not returning a correct assertion, you will need to contact your SAML IdP vendor to troubleshoot transformations and authorisations.

Other information

If you are trying to set up SAML to authenticate your current SAP BusinessObjects Cloud to SAP Cloud Platform and you are not interested in created your own Identity Provider,
you can follow this blog: SAP BusinessObjects Cloud: Live Data Connection to SAP HCP With SSO (Simple URLs).

For specific steps configuring reverse proxy with Apache, follow the steps indicated in the KBA 2358559 - Authenticating to SAP BusinessObjects Cloud via SAP Cloud Identity breaks Apache Reverse Proxy.

See Also

Your feedback is important to help us improve our knowledge base.
Please rate how useful you found this article by using the star rating feature at the beginning of this article.
Thank you.


SAML, SSO, IdP, SAP Cloud for Planning, sc4p, c4p, cforp, cloudforplanning, Hana Cloud for Planning, EPM-ODS, Cloud for Analytics, C4P, Cloud4Analytics, CloudforAnalytics, Cloud 4 Planning, HCP, C4A, BOC, SAPBusinessObjectsCloud, BusinessObjectsCloud, BOBJ, BOBJcloud, BOCloud., BICloud, BO Cloud , KBA , LOD-ANA , SAP Analytics Cloud , LOD-ANA-BI , SAP Analytics Cloud - Business Intelligence (BOC) , LOD-ANA-PL , SAP Analytics Cloud – Planning (BOC) , LOD-ANA-BR , SAP Analytics Cloud - Digital Boardroom , LOD-ANA-PR , SAP Analytics Cloud – Predictive (BOC) , Problem


SAP Analytics Cloud 1.0