2487116 - How to configure SAP Analytics Cloud SAML SSO using AD FS (Active Directory Federation Services)



You want to use your Active Directory to authenticate users in SAP Analytics Cloud.


  • SAP Analytics Cloud
  • Windows Active Directory 2012


Warning: It is strongly recommended to discuss these steps with your AD administrators.

Follow the recommended steps that can help you configure your Active Directory Federation Services. Remember that only an Active Directory expert or Microsoft would be able to answer all your questions.

1. Download XML Service Provider Metadata:

You need to download the Service Provider metadata for your tenant.

  1. Log on to your SAP Analytics Cloud tenant using an admin account
  2. Go to the menu System > Administration > Security
  3. Click the pencil icon to edit
  4. Select SAML Single Sign-On (SSO)
  5. Click the Download button that appears under Step 1: Download Service Provider metadata

2. Importing the information in AD FS

  1. Connect to your AD FS Management tool
  2. Select Trust Relationships > Relying Party Trust > Right click and select Add Relying Party Trust


You can select to Import data about the relying party from file:


After importing the file, you will be asked a couple of questions:


Select I do not want to configure multi-factor authentication settings for this relying party trust at this time.


Select Permit all users to access this relying party. For more information on these settings, you can read Microsoft's documentation.

3. Add Claim Rules for SAP Analytics Cloud

You will be prompted to add a Claim Rule. Transformation from Active Directory attribute to Claims:



This is an example transformation from the logon name in Active Directory to PPID, an intermediary claim, which allows the required Format to be issued along with the NameID claim.


Now we need to add a transformation from this intermediary Claim to the claim required by SAP Analytics Cloud: Name ID.

Add New rule: Select Transform an Incoming Claim


Transform the incoming claim:


If we don't create this rule, the AD FS claim will not contain the required format: <NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">USER_NAME</NameID>

The logon process will work but you will get an error when you logout.

For example, a user MY_USER@example.com or EXAMPLE\MY_USER will be transformed to the Name Identifier in the SAML assertion. This is what SAP Analytics Cloud will use, so we need to select the option USER ID when configuring SAML SSO in the product.

If we were using email, that should be the attribute selected rather than SAM-Account-Name.

Hash algorithm used: in the newly created relying party trust, you need to change the default Secure hash algorithm to SHA-1:


4. Importing the Metadata.xml from AD FS

Your AD administrator knows how to get this file. It can be obtained by going to the URL: https://YourADServer.YourDomain/FederationMetadata/2007-06/FederationMetadata.xml

Back in SAP Analytics Cloud, in the SAML SSO menu where we downloaded the Service Provider Metadata, we can now upload this file: Upload Identity Provider Metadata

In Step 3: Choose a user attribute to map to your identity provider, you need to select USER ID for this example:


When selected, your username should be populated. In this example, you see that it is Your_AD_User. The value entered has to match exactly the logon credentials in Active Directory (SAM-Account-Name).

What happens if you want them to match by e-mail or other attributes?

You need to go back to your Claim rules in AD FS and map accordingly.

5. Validating the account

Before we can save the configuration, we need to validate it.

You will copy the URL from the validate window and open an Incognito tab in your browser or open a browser in another machine.


See the KBA 2487567
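
If validation or logout fails, it helps to look at what AD FS actually sends. The following is an added example, not part of the SAP article: it checks a decoded SAML response against the NameID Format from section 3, the USER ID mapping from section 4 and the SHA-1 setting. It assumes the response XML was captured from your own test login with a SAML tracing tool and already base64-decoded; the function name and sample documents are constructed for illustration.

```python
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
# NameID format the article requires, and the signature URI that matches SHA-1.
REQUIRED_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"
RSA_SHA1 = "http://www.w3.org/2000/09/xmldsig#rsa-sha1"
RSA_SHA256 = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"


def check_response(xml_text, expected_user_id):
    """Return the mismatches between a decoded SAML response and the article's setup.

    Only parse responses captured from your own test login; this inspects
    fields and does not verify the XML signature.
    """
    root = ET.fromstring(xml_text)
    name_id = root.find(".//saml:Subject/saml:NameID", NS)
    if name_id is None:
        return ["NameID missing: no rule issues the Name ID claim"]
    problems = []
    if name_id.get("Format") != REQUIRED_FORMAT:
        problems.append(f"NameID Format is {name_id.get('Format')!r}")
    value = (name_id.text or "").strip()
    if value != expected_user_id:
        problems.append(f"NameID value {value!r} != USER ID {expected_user_id!r}")
    method = root.find(".//ds:SignedInfo/ds:SignatureMethod", NS)
    alg = method.get("Algorithm") if method is not None else None
    if alg != RSA_SHA1:
        problems.append(f"SignatureMethod is {alg!r}, trust is not set to SHA-1")
    return problems


# Constructed, trimmed responses (not captured from a real tenant).
TEMPLATE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
  xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><saml:Assertion>
  <ds:Signature><ds:SignedInfo><ds:SignatureMethod Algorithm="{alg}"/>
  </ds:SignedInfo></ds:Signature>
  <saml:Subject><saml:NameID{fmt}>{user}</saml:NameID></saml:Subject>
</saml:Assertion></samlp:Response>"""
GOOD = TEMPLATE.format(alg=RSA_SHA1, fmt=f' Format="{REQUIRED_FORMAT}"', user="MY_USER")
BAD = TEMPLATE.format(alg=RSA_SHA256, fmt="", user="EXAMPLE\\MY_USER")

if __name__ == "__main__":
    for label, doc in (("good", GOOD), ("bad", BAD)):
        print(label, check_response(doc, "MY_USER") or "matches the article's setup")
```

An empty list means the NameID Format, the NameID value and the signature algorithm all match what this article configures; each string in a non-empty list points back to the claim rule or trust setting to revisit.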



SAP Analytics Cloud 1.0