SAP Knowledge Base Article - Public

2487116 - How to configure SAP Analytics Cloud SAML SSO using AD FS (Active Directory Federation Services)

Symptom

You want to use your Active Directory (AD) to authenticate users in SAP Analytics Cloud

Environment

  • SAP Analytics Cloud
  • Windows Active Directory 2012

Resolution

Warning: It is strongly recommended to discuss these steps with your AD administrators.

Follow the recommended steps below to configure your Active Directory Federation Services.

Remember that only an Active Directory expert or a Microsoft Authentication expert is able to answer all your specific questions.

1. Download XML Service Provider Metadata:

You need to download the Service Provider metadata for your tenant.

  1. Log on to your SAP Analytics Cloud tenant using an admin account.
  2. Go to the menu System > Administration > Security.
  3. Click the pencil icon to edit.
  4. Select SAML Single Sign-On (SSO).
  5. Click the Download button that appears under Step 1: Download Service Provider metadata.

2. Importing the information into AD FS

  1. Connect to your AD FS Management tool.
  2. Select Trust Relationships > Relying Party Trust, right-click and select Add Relying Party Trust.
    [Screenshot: Add_Relying_Party_Trust.png]
  3. Select "Import data about the relying party from a file".
    [Screenshot: 2_Add_Relying_Party_Trust.png]
  4. After importing the file, you will be asked a couple of questions.
  5. Select "I do not want to configure multi-factor authentication settings for this relying party trust at this time".
    [Screenshot: 3_Add_Rely_2factor.png]
  6. Select "Permit all users to access this relying party".
    [Screenshot: 4_Add_Rely_Permit.png]
  7. For more information on these settings, read Microsoft's documentation.

3. Add Claim Rules for SAP Analytics Cloud

You will be prompted to add a Claim Rule. Transformation from Active Directory attribute to Claims:

[Screenshot: 5_Add_Rule.png]

[Screenshot: 6_Send_Claim.png]

This is an example of a transformation from the logon name in Active Directory (LDAP attribute: SAMAccountName) to an intermediary claim. You can select any claim type from the dropdown list or provide a custom claim type name; in this sample, we manually enter the custom claim type name my_intermediate_claim.

[Screenshot: claimrule.png]

Now add a transformation from this intermediary Claim to the claim required by SAP Analytics Cloud: Name ID.

Add a new rule and select Transform an Incoming Claim.

[Screenshot: transform rule.png]

If this rule is not created, the AD FS claim will not contain the required format: <NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">USER_NAME</NameID>

The logon process will work, but you will get an error when you log out. For more details, refer to KBA 2601672.

For example, a user MY_USER@example.com or EXAMPLE\MY_USER will be transformed to the Name Identifier in the SAML assertion. This is what SAP Analytics Cloud will use; therefore we need to select the option USER ID when configuring SAML SSO in the product.

If we were using e-mail, that attribute should be selected rather than SAM-Account-Name.

Signature hash algorithm: in the newly created Relying Party Trust you need to change the default Secure hash algorithm to SHA-1:

[Screenshot: SHA1_Encryption.png]
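The relying party trust, the two claim rules and the hash algorithm setting described in sections 2 and 3 can also be created from PowerShell on the AD FS server. This is an added example and not part of the KBA; the trust name, the metadata file path and the claim type name my_intermediate_claim are assumed values.

```powershell
# Added example (not from the KBA): creates the SAP Analytics Cloud relying
# party trust and its claim rules from PowerShell instead of the wizard.
# Assumed values: trust display name, metadata file path, claim type name.
Import-Module ADFS

$spMetadata = "C:\temp\SAC_ServiceProviderMetadata.xml"   # file from step 1 (assumed path)
$trustName  = "SAP Analytics Cloud"                        # assumed display name

# Rule 1: read the logon name (sAMAccountName) from AD into the custom
# intermediate claim type. To match users by e-mail instead, replace
# ";sAMAccountName;{0}" with ";mail;{0}".
# Rule 2: transform the intermediate claim into Name ID with the
# "unspecified" format that SAP Analytics Cloud expects (section 3).
$transformRules = @'
@RuleTemplate = "LdapClaims"
@RuleName = "AD sAMAccountName to my_intermediate_claim"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("my_intermediate_claim"), query = ";sAMAccountName;{0}", param = c.Value);

@RuleTemplate = "MapClaims"
@RuleName = "my_intermediate_claim to Name ID (unspecified)"
c:[Type == "my_intermediate_claim"]
 => issue(Type = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier", Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, Value = c.Value, ValueType = c.ValueType, Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/format"] = "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified");
'@

# Issuance authorization: "Permit all users to access this relying party" (step 2.6).
$authzRules = @'
@RuleTemplate = "AllowAllAuthzRule"
 => issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");
'@

# Import the SP metadata downloaded in step 1 and attach the rules.
# SignatureAlgorithm corresponds to the "Secure hash algorithm" setting on the
# trust's Advanced tab; SHA-1 is what this article's step 3 requires.
Add-AdfsRelyingPartyTrust -Name $trustName `
    -MetadataFile $spMetadata `
    -IssuanceAuthorizationRules $authzRules `
    -IssuanceTransformRules $transformRules `
    -SignatureAlgorithm "http://www.w3.org/2000/09/xmldsig#rsa-sha1"

# Check the result: the rules and hash algorithm should match what the
# AD FS Management wizard would have produced.
Get-AdfsRelyingPartyTrust -Name $trustName |
    Select-Object Name, Identifier, SignatureAlgorithm, IssuanceTransformRules
```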

4. Importing the Metadata.xml from AD FS

Your AD administrator knows how to get this file. It can be obtained by going to the URL: https://YourADServer.YourDomain/FederationMetadata/2007-06/FederationMetadata.xml

Back in SAP Analytics Cloud, in the SAML SSO menu where we downloaded the Service Provider metadata, we can now upload this file under Upload Identity Provider Metadata.

In Step 3: Choose a user attribute to map to your identity provider, you need to select USER ID for this example:

[Screenshot: 8_SAC_Mapping.png]

When selected, your username should be populated; in this example it is Your_AD_User. The value entered has to match the logon name in Active Directory (SAM-Account-Name) EXACTLY.

What happens if you want them to match by e-mail or other attributes?

You need to go back to your Claim rules in AD FS and map them accordingly.

5. Validating the account

Before we can save the configuration, we need to validate it.

Copy the URL from the validate window and open it in a Chrome Incognito tab or in a browser on another machine.

6. Troubleshooting

See 2487567 - Troubleshooting SAML assertions when configuring SAML SSO in SAP Analytics Cloud.

7. IdP Initiated SSO

Please note that the SAP Analytics Cloud SAML SSO with AD FS workflow only supports the Service Provider-initiated SSO scenario. Currently, the IdP-initiated workflow is not supported due to limitations on the SAP Cloud Platform. More information regarding this can be found in:

2590755 - Is IdP-initiated SSO method supported in SAP Analytics Cloud?

Keywords

adfs, ad fs, activedirectory, ldap, sso, howto, how to, SAC, Analytics Cloud, saml, saml2, configuration, KBA, ad, LOD-ANA, SAP Analytics Cloud, LOD-ANA-BI, SAP Analytics Cloud - Business Intelligence (BOC), LOD-ANA-PL, SAP Analytics Cloud - Planning (BOC), LOD-ANA-BR, SAP Analytics Cloud - Digital Boardroom, LOD-ANA-PR, SAP Analytics Cloud - Predictive (BOC), How To

Product

SAP Analytics Cloud 1.0