You are configuring SAML SSO in SAP Analytics Cloud. When you validate the account you get an error message, pop-up window or a screen with this message:
- We've encountered an unexpected issue.
- Please try again later or contact your system administrator if the problem persists.
- SAP Analytics Cloud 2017
- SAML IdP Provider of your choice
Install a Chrome Extension
There are multiple tools and extensions that can help you read the SAML assertion. In this example, SAML Chrome panel is used.
Capture and display the SAML assertions by opening Chrome Developer Tools and select the new tab SAML after installing the extension.
Activate this extension in Incognito mode as well while validating the SAML configuration.
To do that go to: Chrome menu Extensions:
What to capture
- When you are offered to validate your configuration, open your incognito Window.
- Open the Chrome Web development tools (F12 or Option + Command + I in MacOS).
- Paste the URL from the validate windows.
- You should get redirected from SAP Analytics Cloud to your SAML IdP
- Type your username / password, after you should be redirected back to SAP Analytics Cloud.
In the last entry for the SAML Plugin, search for the content NameID, similar to:
Custom SAML logon to SAP Analytics Cloud is case-sensitive. Users can log on only if their SAML User Mapping that's entered into SAP Analytics Cloud is a case-sensitive match to the NameID that's sent by your SAML Identity Provider.
For example, if SAP Analytics Cloud is configured to use email address as the SAML User Mapping, and a user’s NameID returned by your SAML IdP is firstname.lastname@example.org (lower case), then logon will fail if their email address was entered into SAP Analytics Cloud as User@company.com (mixed case).
You can configure SAML authentication using one of three fields as the SAML User Mapping. In all cases, you need to enter values into SAP Analytics Cloud using the exact same case as will be sent by your SAML Identity Provider:
- Custom SAML User Mapping: This is the most flexible option, as it provides an additional column in the Security > Users page, where you can enter the values by which your Identity Provider will identify each user in the NameID attribute of their SAML assertion. This is commonly used when SAML identifiers are arbitrary upper-, lower-, or mixed-case strings rather than email addresses.
- Email: You can use this option if email addresses are regularly used as identifiers by your Identity Provider. But it is recommended only if you are certain that the Identity Provider uses upper/lower case in a consistent manner (e.g., always all-lowercase), so as to avoid the likelihood of values being entered with mismatches in SAP Analytics Cloud.
- USER ID: USER ID values in SAP Analytics Cloud are always uppercase, and are limited to alphanumeric characters. Use USERID as the SAML user mapping only when you are certain that the NameIDs from your IdP will always be uppercase and limited to the same characters.
- 2659735 - Troubleshooting CORS issues with SAP Analytics Cloud (SAC)
- How to find User Assistance for SAP Analytics Cloud?
- Ask a question on the SAP Community
- 2487011 - What information do I need to provide when opening incidents with SAP Analytics Cloud (Hint: Use component LOD-ANA*)
Your feedback is important to help us improve our knowledge base.
Please rate how useful you found this article by using the star rating feature at the beginning of this article.
SAML, SSO, authentication, EPM-ODS, Cloud for Analytics, C4P, Cloud4Analytics, CloudforAnalytics, Cloud 4 Planning, HCP, C4A, BOC, SAPBusinessObjectsCloud, BusinessObjectsCloud, BOBJ, BOBJcloud, BOCloud., BICloud, SBOC, SAC , KBA , saml , adf , LOD-ANA , SAP Analytics Cloud , LOD-ANA-BI , SAP Analytics Cloud - Business Intelligence (BOC) , How To