/support/notes/service/sap_logo.png){kind=logo}
SAP Knowledge Base Article - PublicSymptom
After configuring your custome SAML Identity Provider with SAP Analytics Cloud, you receive the following error message:
HTTP Status 422 - Unable to verify login context
Environment
- SAP Analytics Cloud 2017
- Microsoft Active Directory Federation Services (AD FS)
Cause
There are no Claim Rules defined in AD FS and the SAML assertion is not returned the required:
<NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"><Your Unique Identifier></NameID>
Where <Your Unique Identifier> is usually the User ID or the email.
or
The certificate in your SAP Analytics Cloud tenant has been renewed but it hasn't been updated in your SAML Identity Provider.
If this is the case, if you capture SAML assertions using SAML Chrome Panel as indicated in KBA 2487567 you will see an entry like this:
<ns2:Issuer>NAME_OF_YOUR_IDP</ns2:Issuer>
<Status><StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Requester"/>
<StatusMessage>The digital signature of the received SAML2 message is invalid.</StatusMessage>
Resolution
Incorrect Claim Rule
Configure Claim Rules for the entry created in AD FS > Relying Party Trusts. Complete steps of the configuration of SAP Analytics Cloud and AD FS are detailed in KBA 2487116
Expired Certificate
If you renewed your certificate as indicated in KBA 2542839, you need to update the certificate used in your Identity Provider.
As an example, I am illustrating how to update the certificate if you use Active Directory Federation Services.
If you open AD FS and select Trust Relationships > Relying Party Trusts, you can see the entry that you need to update:
Right click on the entry for your SAP Analytics Cloud tenant and select Properties. You need to open the tab Signature:
Adding the new signature:
From the metadata.xml that was downloaded after renewing the certificate, you can extract the certificate following these steps:
- Open metadata.xml with a text editor
- Copy the line between the tags: <X509Certificate> and </X509Certificate>
- Save it in a new file with .cer or .crt extension
You can add this certificate to your Relying Party Trust.
See Also
- Help resources
- Help portal
- SAP Community ( Questions & Answers / Direct Link to Create Question / Blogs )
- SAP community wiki
- Ideaplace forum ( for enhancement requests & new features )
- Video tutorials
- Videos by topic areas: ( Overview, What's New, Models and Connections, Stories, SAP Digital Boardroom, Planning, Predictive, Collaboration, Administration )
- Training events
- Past event recordings
- New user handbook
- Roadmap
- How to connect to on-premise data
- 2487011 - What information do I need to provide when opening incidents with SAP Analytics Cloud
- Introducing SAP BusinessObjects Cloud: BI and Planning (SAP Press book)
Your feedback is important to help us improve our knowledge base.
Please rate how useful you found this article by using the star rating feature at the beginning of this article.
Thank you.
Keywords
EPM, SAP Cloud for Planning, sc4p, c4p, cforp, cloudforplanning, Hana Cloud for Planning, EPM-ODS, Cloud for Analytics, C4P, Cloud4Analytics, CloudforAnalytics, Cloud 4 Planning, HCP, C4A, BOC, SAPBusinessObjectsCloud, BusinessObjectsCloud, BOBJ, BOBJcloud, BOCloud., BICloud, BO Cloud, connecting, conecting, conectando, conexão, modelo, SBOC, SAC, SAP BusinessObjects Cloud, Business Objects , KBA , LOD-ANA , SAP Analytics Cloud (SAC) , LOD-ANA-BI , Business Intelligence Functionality, Analytic Models , LOD-ANA-PL , Planning , LOD-ANA-BR , SAC Boardroom , LOD-ANA-PR , SAC Predictive , Problem
/support/notes/service/facebook.svg)
/support/notes/service/twitter.svg)
/support/notes/service/youtube.svg)
/support/notes/service/linkedin.svg)
/support/notes/service/instagram2.svg)