SAP Knowledge Base Article - Public

2487116 - How to configure SAP Analytics Cloud SAML SSO using AD FS (Active Directory Federation Services)

Symptom

You want to use your AD FS (Active Directory Federation Services) to authenticate users in SAP Analytics Cloud (SAC).

Environment

  • SAP Analytics Cloud
  • Windows Active Directory 2012

Resolution

Warning: It is strongly recommended to discuss these steps with your network (Active Directory / AD) administrators.

Follow the recommended steps below to help configure Active Directory Federation Services with SAC.

Remember that only an Active Directory expert or a Microsoft Authentication expert is able to answer all your specific questions.
Consulting and configuration are outside the scope of SAP Product Support. See 2706322 - What is Support – What is Consulting: Cloud Solutions.

1. Download XML Service Provider Metadata:

You need to download the Service Provider metadata for your system (tenant URL).

  1. Log on to SAP Analytics Cloud using an administrator (admin) account.
  2. Go to the menu System > Administration > Security.
  3. Click the pencil icon to edit.
  4. Select SAML single sign-on (SSO).
  5. Click the Download button that appears under Step 1: Download Service Provider metadata.

2. Importing the information into AD FS:

  1. Connect to your AD FS Management tool.
  2. Select Trust Relationships > Relying Party Trust > Right click and select Add Relying Party Trust.
    Add_Relying_Party_Trust.png
  3. Select "Import data about the relying party from a file".
    2_Add_Relying_Party_Trust.png
  4. After importing the file, you will be asked a couple of questions.
  5. Select "I do not want to configure multi-factor authentication settings for this relying party trust at this time".
    3_Add_Rely_2factor.png
  6. Select "Permit all users to access this relying party".

    4_Add_Rely_Permit.png

  7. For more information on these settings, read Microsoft's documentation.

3. Add Claim Rules for SAP Analytics Cloud:

You will be prompted to add a Claim Rule. Transformation from Active Directory attribute to Claims:

5_Add_Rule.png

6_Send_Claim.png

This is an example of a transformation from the logon name in Active Directory (LDAP attribute: SAMAccountName) to an intermediary claim. You can select any claim type from the dropdown list or provide a custom claim type name; in this sample, we manually enter the custom claim type name my_intermediate_claim.

claimrule.png

Now add a transformation from this intermediary Claim to the claim required by SAP Analytics Cloud: Name ID.

Add a new rule and select Transform an Incoming Claim.

transform rule.png

NOTE: If SAP Analytics Cloud is running in a non-SAP data center, for example Cloud Foundry (AWS), you must map your SAML attribute assertion to our white-listed attributes.
Map the assertion as shown below:

SAML_AWA_INTER2.png

SAML_AWS_INTER1.png

transform rule.png

SAML_AWS_3.png

If this rule is not created, the ADFS claim will not contain the required format:

<NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">USER_NAME</NameID>

  • The logon process will work, but you will get an error when you log out. See KBA 2601672 for details.
    • For example, a user MY_USER@example.com or EXAMPLE\MY_USER will be transformed to the Name Identifier in the SAML assertion. This is what SAP Analytics Cloud will use, so we need to select the option USER ID when configuring SAML SSO in the product.
    • If we were using e-mail, that attribute should be selected rather than SAM-Account-Name.

Hash algorithm used for signing: in the newly created relying party trust, you need to change the default Secure hash algorithm to SHA-1:

SHA1_Encryption.png

NOTE: SHA-256 hash algorithm is only supported on SAP Analytics Cloud systems running non-SAP Datacenter. Refer to KBA 2796605 and 2820521.
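The two requirements above (a NameID in the unspecified format whose value matches the attribute chosen in SAC, and a signature hash algorithm the target data center accepts) can be verified directly on the SAML Response that AD FS sends to the browser. The following script is an added example and not part of this KBA: it decodes a base64 SAMLResponse (as captured with the browser's developer tools or a SAML tracer) and reports every deviation from the settings described here. The sample response, the issuer adfs.example.com and the placeholder signature are constructed for the demonstration; the script checks configuration only and does not validate the signature.

```python
"""Check a SAML Response from AD FS for the NameID and signing settings SAC expects.

Added example; not part of the SAP KBA. Findings are returned for:
  * a missing Subject/NameID, or a Format other than
    urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified
  * a NameID value that does not look like the attribute selected in SAC
    (bare sAMAccountName for USER ID, an address for EMAIL; domain\\user is flagged)
  * a SHA-256 signature when the tenant runs in an SAP data center
The signature itself is not verified: this checks configuration, not trust.
"""
import base64
import re
import xml.etree.ElementTree as ET  # use defusedxml for responses from untrusted parties

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
UNSPECIFIED = "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"
EMAIL_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
RSA_SHA1 = "http://www.w3.org/2000/09/xmldsig#rsa-sha1"
RSA_SHA256 = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"


def decode_saml_response(saml_response_b64: str) -> ET.Element:
    """The SAMLResponse form field posted to SAC is base64-encoded XML."""
    return ET.fromstring(base64.b64decode(saml_response_b64))


def check_assertion(root: ET.Element, mapping: str = "USER ID",
                    non_sap_datacenter: bool = False) -> list:
    """Return a list of findings; an empty list means the response matches the KBA."""
    findings = []
    name_id = root.find(".//saml:Subject/saml:NameID", NS)
    if name_id is None:
        findings.append("no Subject/NameID: the 'Transform an Incoming Claim' rule to Name ID is missing")
    else:
        fmt = name_id.get("Format")
        if fmt != UNSPECIFIED:
            findings.append(f"NameID Format is {fmt!r}, SAC expects {UNSPECIFIED!r}")
        value = (name_id.text or "").strip()
        # USER ID in SAC must equal the sAMAccountName exactly: no domain prefix, no address
        if mapping == "USER ID" and not re.fullmatch(r"[^\\@\s]+", value):
            findings.append(f"NameID {value!r} is not a bare sAMAccountName; SAC's USER ID must match it exactly")
        if mapping == "EMAIL" and not re.fullmatch(r"[^@\s]+@[^@\s]+", value):
            findings.append(f"NameID {value!r} is not an e-mail address; map the E-Mail-Addresses LDAP attribute instead")
    sig = root.find(".//ds:SignatureMethod", NS)
    if sig is None:
        findings.append("response carries no XML signature")
    else:
        alg = sig.get("Algorithm")
        if alg == RSA_SHA256 and not non_sap_datacenter:
            findings.append("signature uses SHA-256; set the relying party trust's Secure hash algorithm to SHA-1 on an SAP data center")
        elif alg not in (RSA_SHA1, RSA_SHA256):
            findings.append(f"unexpected SignatureMethod {alg!r}")
    return findings


def build_sample_response(name_id: str, name_id_format: str, sig_alg: str) -> str:
    """Constructed, unsigned sample in the shape AD FS emits (issuer is hypothetical)."""
    xml = f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}"
    ID="_constructed_response" Version="2.0" IssueInstant="2019-01-01T00:00:00Z">
  <saml:Issuer>http://adfs.example.com/adfs/services/trust</saml:Issuer>
  <saml:Assertion ID="_constructed_assertion" Version="2.0" IssueInstant="2019-01-01T00:00:00Z">
    <saml:Issuer>http://adfs.example.com/adfs/services/trust</saml:Issuer>
    <ds:Signature xmlns:ds="{NS['ds']}">
      <ds:SignedInfo>
        <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
        <ds:SignatureMethod Algorithm="{sig_alg}"/>
      </ds:SignedInfo>
      <ds:SignatureValue>placeholder</ds:SignatureValue>
    </ds:Signature>
    <saml:Subject>
      <saml:NameID Format="{name_id_format}">{name_id}</saml:NameID>
    </saml:Subject>
  </saml:Assertion>
</samlp:Response>"""
    return base64.b64encode(xml.encode()).decode()


if __name__ == "__main__":
    good = build_sample_response("MY_USER", UNSPECIFIED, RSA_SHA1)
    print(check_assertion(decode_saml_response(good)) or "OK: response matches the KBA")
    wrong = build_sample_response("MY_USER@example.com", EMAIL_FORMAT, RSA_SHA256)
    for finding in check_assertion(decode_saml_response(wrong)):
        print("finding:", finding)
```

Run it against a real capture by passing the SAMLResponse value to decode_saml_response and setting mapping to the attribute chosen in Step 3 of the SAC dialog; pass non_sap_datacenter=True for tenants on Cloud Foundry (AWS), where SHA-256 is accepted.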

4. Importing the Metadata.xml from AD FS:

Your AD administrator knows how to get this file. It can be obtained by going to the URL: https://YourADServer.YourDomain/FederationMetadata/2007-06/FederationMetadata.xml
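Before uploading the file to SAP Analytics Cloud it is worth confirming that it really is the metadata of the intended AD FS farm and that its signing certificate is the current one. The following script is an added example and not part of this KBA: it reads a FederationMetadata.xml, reports the entityID, the SingleSignOnService endpoint per binding, the NameID formats the IdP advertises and the SHA-256 fingerprint of each signing certificate, and checks that the entityID belongs to the host you fetched it from. The sample metadata, the host adfs.example.com and the certificate body (the base64 of "abc", not a real certificate) are constructed for the demonstration.

```python
"""Summarize an AD FS FederationMetadata.xml before uploading it to SAP Analytics Cloud.

Added example; not part of the SAP KBA. A file from the wrong farm, or one that
still carries an old signing certificate, is easier to notice here than after
the upload, when the validation step fails with a generic error.
"""
import base64
import hashlib
import xml.etree.ElementTree as ET  # use defusedxml if the file comes from an untrusted source
from urllib.parse import urlparse

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}


def cert_fingerprint_sha256(x509_b64: str) -> str:
    """SHA-256 over the DER bytes, the fingerprint certificate tools display."""
    der = base64.b64decode("".join(x509_b64.split()))
    return hashlib.sha256(der).hexdigest().upper()


def summarize_idp_metadata(xml_text: str, expected_host: str) -> dict:
    """Extract what matters for the SAC upload and compare the entityID host with expected_host."""
    root = ET.fromstring(xml_text)
    entity_id = root.get("entityID") or ""
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("no IDPSSODescriptor: this is not identity provider metadata")
    endpoints = {}
    for sso in idp.findall("md:SingleSignOnService", NS):
        binding = sso.get("Binding", "").rsplit(":", 1)[-1]  # e.g. HTTP-POST
        endpoints[binding] = sso.get("Location")
    name_id_formats = [(e.text or "").strip() for e in idp.findall("md:NameIDFormat", NS)]
    signing_certs = [
        cert_fingerprint_sha256(c.text or "")
        for kd in idp.findall("md:KeyDescriptor", NS)
        if kd.get("use", "signing") == "signing"  # a KeyDescriptor without 'use' serves both purposes
        for c in kd.findall(".//ds:X509Certificate", NS)
    ]
    return {
        "entity_id": entity_id,
        "entity_id_matches_host": urlparse(entity_id).hostname == expected_host.lower(),
        "sso_endpoints": endpoints,
        "name_id_formats": name_id_formats,
        "signing_cert_sha256": signing_certs,
    }


# Constructed sample in the shape AD FS publishes; the X509Certificate body is the
# placeholder base64 of "abc", not a real certificate.
SAMPLE_METADATA = """<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="http://adfs.example.com/adfs/services/trust">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor use="signing">
      <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
        <X509Data><X509Certificate>YWJj</X509Certificate></X509Data>
      </KeyInfo>
    </KeyDescriptor>
    <NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</NameIDFormat>
    <NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:persistent</NameIDFormat>
    <NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</NameIDFormat>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://adfs.example.com/adfs/ls/"/>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://adfs.example.com/adfs/ls/"/>
  </IDPSSODescriptor>
</EntityDescriptor>"""


if __name__ == "__main__":
    for key, value in summarize_idp_metadata(SAMPLE_METADATA, "adfs.example.com").items():
        print(f"{key}: {value}")
```

For a real file, read it from disk and pass the AD FS host name from the URL above as expected_host; compare the reported fingerprint with the token-signing certificate shown in the AD FS Management console.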

Back in SAP Analytics Cloud, in the SAML SSO menu where we downloaded the Service Provider Metadata, we can now upload this file: Upload Identity Provider Metadata

In Step 3: Choose a user attribute to map to your identity provider, you need to select USER ID for this example:

8_SAC_Mapping.png

When selected, your username should be populated. In this example, you see that it is Your_AD_User. The value entered has to match EXACTLY the logon credentials in Active Directory (SAM-Account-Name).

What happens if you want them to match by e-mail or other attributes?

You need to go back to your Claim rules in AD FS and map them accordingly.

5. Validating the account:

Before we can save the configuration, we need to validate it.

Copy the URL from the validate window and open it in a Chrome Incognito tab, or in a browser on another machine.

6. Troubleshooting:

  • See 2487567 - Troubleshooting SAML assertions when configuring SAML SSO in SAP Analytics Cloud.

7. IdP Initiated SSO:

Please note that SAP Analytics Cloud SAML SSO using the ADFS workflow only supports a Service Provider (SP) initiated SSO scenario. Currently the IdP initiated workflow is not supported due to limitations on the SAP Cloud Platform. More information regarding this can be found below:

Keywords

adfs, ad fs, activedirectory, ldap, sso, howto, how to, SAC, Analytics Cloud, saml, saml2, configuration, email userid, KBA, ad, LOD-ANA, SAP Analytics Cloud (SAC), LOD-ANA-BI, Business Intelligence Functionality, Analytic Models, LOD-ANA-PL, Planning Functionality, Planning Models, LOD-ANA-BR, Digital Boardroom (DiBo), LOD-ANA-PR, Predictive Scenarios, Smart Predict, How To

Product

SAP Analytics Cloud 1.0