You want to use your AD FS (Active Directory Federation Services) to authenticate users in SAP Analytics Cloud (SAC).
- SAP Analytics Cloud
- Windows Active Directory 2012
Warning: It is strongly recommended to discuss these steps with your network (Active Directory / AD) administrators.
Follow the recommended steps below to help configure Active Directory Federation Services with SAC.
Remember that only an Active Directory expert or a Microsoft Authentication expert is able to answer all your specific questions.
Consulting and configuration is outside the scope of SAP Product Support. See 2706322 - What is Support – What is Consulting: Cloud Solutions.
1. Download XML Service Provider Metadata:
You need to download the Service Provider metadata for your system (tenant URL).
- Log on to SAP Analytics Cloud using an administrator (admin) account.
- Go to the menu System > Administration > Security.
- Click the pencil icon to edit.
- Select SAML single sign-on (SSO).
- Click the Download button that appears under Step 1: Download Service Provider metadata.
2. Importing the information into AD FS:
- Connect to your AD FS Management tool.
- Select Trust Relationships > Relying Party Trust, right-click and select Add Relying Party Trust.
- Select "Import data about the relying party from a file".
- After importing the file, you will be asked a couple of questions.
- Select "I do not want to configure multi-factor authentication settings for this relying party trust at this time".
- Select "Permit all users to access this relying party".
- For more information on these settings, read Microsoft's documentation.
3. Add Claim Rules for SAP Analytics Cloud:
You will be prompted to add a Claim Rule. Transformation from Active Directory attribute to Claims:
This is an example of a transformation from the logon name in Active Directory (LDAP attribute: SAMAccountName) to an intermediary claim. You can select any claim type from the dropdown list, or provide a custom claim type name; in this sample we manually enter the custom claim type name my_intermediate_claim.
Now add a transformation from this intermediary Claim to the claim required by SAP Analytics Cloud: Name ID.
Add a new rule and select Transform an Incoming Claim.
NOTE: If SAP Analytics Cloud is running on a non-SAP data center, for example Cloud Foundry (AWS), you must map your SAML attribute assertion to our white-listed attributes.
Map the assertion like below:
NOTE: SAML Attribute email is needed, see KBA 2789431 - After enabling custom SAML SSO on the SAP Analytics Cloud system, e-mails are overwritten with @unknown.org or @this-default-was-not-configured.invalid domain
If this rule is not created, the AD FS claim will not contain the required Name ID format:
- The logon process will work but you will get an error when you logout. Please refer to more details in KBA 2601672.
- For example, a user MY_USER@example.com or EXAMPLE\MY_USER will be transformed to the Name Identifier in the SAML assertion. This is what SAP Analytics Cloud will use, therefore we need to select the option USER ID when configuring SAML SSO in the product.
- If we were using e-mail, that should be the attribute selected rather than SAM-Account-Name.
Signing hash algorithm used: in the newly created relying party trust you need to change the default Secure hash algorithm to SHA-1:
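The following is an added example and not part of the SAP KBA or of the SAC product: it is the scripted equivalent of steps 2 and 3 (import the SP metadata, add the claim rules, permit all users, set SHA-1) using the AD FS PowerShell module, which lets the configuration be reviewed as text and reproduced on a second farm. The trust name, the path of the file downloaded in step 1, and the Name ID format value ("unspecified") are assumptions; the KBA does not name the format. The third rule covers the e-mail attribute required on non-SAP data centers (KBA 2789431) and can be dropped where it is not needed.

```powershell
# Added example, not from the SAP KBA: scripted equivalent of steps 2 and 3
# (import the SP metadata, add the claim rules, permit all users, set SHA-1).
# Assumed values: the trust name, the path of the metadata file downloaded in
# step 1, and the Name ID format "unspecified" (the KBA does not name the format).
# Run in an elevated PowerShell session on the primary AD FS server.
Import-Module ADFS

$trustName    = 'SAP Analytics Cloud'             # assumed display name
$metadataFile = 'C:\Temp\sac-sp-metadata.xml'     # assumed path of the step 1 download

# Issuance transform rules in AD FS claim rule language.
# Rule 1: Active Directory sAMAccountName -> custom intermediate claim (as in the KBA).
# Rule 2: intermediate claim -> SAML Name ID with an explicit format property.
# Rule 3: AD "mail" -> SAML attribute "email" (non-SAP data centers, see KBA 2789431).
$transformRules = @'
@RuleTemplate = "LdapClaims"
@RuleName = "SAMAccountName to my_intermediate_claim"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("my_intermediate_claim"), query = ";sAMAccountName;{0}", param = c.Value);

@RuleTemplate = "MapClaims"
@RuleName = "my_intermediate_claim to Name ID"
c:[Type == "my_intermediate_claim"]
 => issue(Type = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier", Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, Value = c.Value, ValueType = c.ValueType, Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/format"] = "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified");

@RuleTemplate = "LdapClaims"
@RuleName = "mail to email attribute"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("email"), query = ";mail;{0}", param = c.Value);
'@

# "Permit all users to access this relying party" as an issuance authorization rule.
$authzRules = @'
@RuleTemplate = "AllowAllAuthzRule"
 => issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");
'@

# Step 2: create the trust from the SP metadata (entity ID, assertion consumer
# endpoint and SP certificate are read from the file). No MFA settings are configured.
Add-AdfsRelyingPartyTrust -Name $trustName -MetadataFile $metadataFile `
    -IssuanceTransformRules $transformRules `
    -IssuanceAuthorizationRules $authzRules

# Step 3, last part: the KBA requires SHA-1 as the secure hash algorithm for this
# trust (the AD FS default for a new trust is SHA-256).
Set-AdfsRelyingPartyTrust -TargetName $trustName `
    -SignatureAlgorithm 'http://www.w3.org/2000/09/xmldsig#rsa-sha1'

# Read the trust back and check the settings that matter for SAC.
$trust = Get-AdfsRelyingPartyTrust -Name $trustName
$trust | Select-Object Name, Identifier, SignatureAlgorithm, Enabled | Format-List
if ($trust.IssuanceTransformRules -notmatch 'claims/nameidentifier') {
    Write-Warning 'No Name ID rule found; logon will work but logout will fail (see KBA 2601672).'
}
```

The read-back at the end is the check worth keeping: the Identifier must equal the entity ID from the SAC metadata, SignatureAlgorithm must show the rsa-sha1 URI, and the transform rules must contain the Name ID rule. If the tenant should match users by e-mail instead (step 4), change rule 1 to query the mail attribute (`query = ";mail;{0}"`) and select E-MAIL rather than USER ID in SAC.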
4. Importing the Metadata.xml from AD FS:
Your AD administrator knows how to get this file. It can be obtained from the URL: https://YourADServer.YourDomain/FederationMetadata/2007-06/FederationMetadata.xml
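As an added example (not part of the SAP KBA), the following PowerShell fetches the federation metadata from the URL above and inspects it before it is uploaded to SAC: it prints the entity ID and the single sign-on endpoints SAC will use, confirms that a signing certificate is present, and warns when that token-signing certificate is close to expiry, since a rolled-over certificate is the usual reason a working SSO configuration suddenly stops validating assertions. The host name is the placeholder from the KBA URL and must be replaced.

```powershell
# Added example, not from the SAP KBA: download and sanity-check the AD FS
# federation metadata before uploading it in step 4. Replace the placeholder host.
$adfsHost = 'YourADServer.YourDomain'   # placeholder host name from the KBA URL
$url      = "https://$adfsHost/FederationMetadata/2007-06/FederationMetadata.xml"
$outFile  = Join-Path $env:TEMP 'FederationMetadata.xml'

# Older Windows PowerShell defaults may not offer TLS 1.2 to the AD FS proxy.
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
Invoke-WebRequest -Uri $url -OutFile $outFile -UseBasicParsing

[xml]$md = Get-Content -Path $outFile -Raw
$entity  = $md.EntityDescriptor
Write-Host "Entity ID: $($entity.entityID)"   # must match the issuer SAC will see

# The IdP role description: SP-initiated SSO uses these endpoints.
$idp = $entity.IDPSSODescriptor
foreach ($sso in @($idp.SingleSignOnService)) {
    Write-Host "SSO endpoint: $($sso.Binding) -> $($sso.Location)"
}

# SAC verifies assertion signatures against the signing KeyDescriptor(s).
$signing = @($idp.KeyDescriptor | Where-Object { $_.use -eq 'signing' })
if ($signing.Count -eq 0) {
    throw 'No signing certificate in the metadata; do not upload this file.'
}
foreach ($k in $signing) {
    $b64  = $k.KeyInfo.X509Data.X509Certificate
    $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new(
                [Convert]::FromBase64String($b64))
    Write-Host "Signing cert: $($cert.Subject) valid until $($cert.NotAfter)"
    if ($cert.NotAfter -lt (Get-Date).AddDays(30)) {
        Write-Warning 'Token-signing certificate expires within 30 days; re-upload the metadata to SAC after the rollover.'
    }
}
Write-Host "Metadata saved to $outFile"
```

AD FS publishes both the current and, during a rollover, the next token-signing certificate in this file, so more than one signing entry is normal; what matters is that SAC holds the metadata that contains the certificate AD FS is actually signing with.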
Back in SAP Analytics Cloud, in the SAML SSO menu where we downloaded the Service Provider Metadata, we can now upload this file using Upload Identity Provider Metadata.
In Step 3: Choose a user attribute to map to your identity provider, you need to select USER ID for this example:
When selected, your username should be populated. In this example, you see that it is Your_AD_User. The value entered has to match the logon credentials EXACTLY that are in Active Directory (SAM-Account-Name).
What happens if you want them to match by e-mail or other attributes?
You need to go back to your Claim rules in AD FS and map them accordingly.
5. Validating the account:
Before we can save the configuration we need to validate the configuration.
Copy the URL from the validation window and open it in a Chrome Incognito tab, or in a browser on another machine, so that the test logon does not reuse your current session.
- See 2487567 - Troubleshooting SAML assertions when configuring SAML SSO in SAP Analytics Cloud.
7. IdP Initiated SSO:
Please note that SAP Analytics Cloud SAML SSO using the ADFS workflow only supports a Service Provider (SP) initiated SSO scenario. Currently the IdP initiated workflow is not supported due to limitations on the SAP Cloud Platform. More information regarding this can be found below:
- 2569847 - Where can you find SAC user assistance (help) to use, configure, and operate it more effectively?
- 2487011 - What information do I need to provide when opening an incident for SAP Analytics Cloud?