2506765 - HTTP Status 422 - Unable to verify login context in SAP Analytics Cloud

SAP Knowledge Base Article - Public

2506765 - HTTP Status 422 - Unable to verify login context in SAP Analytics Cloud

Symptom

After configuring your custome SAML Identity Provider with SAP Analytics Cloud, you receive the following error message:

HTTP Status 422 - Unable to verify login context

Environment

  • SAP Analytics Cloud 2017
  • Microsoft Active Directory Federation Services (AD FS)

Cause

There are no Claim Rules defined in AD FS and the SAML assertion is not returned the required:

<NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"><Your Unique Identifier></NameID>

Where <Your Unique Identifier> is usually the User ID or the email.

or

The certificate in your SAP Analytics Cloud tenant has been renewed but it hasn't been updated in your SAML Identity Provider.

If this is the case, if you capture SAML assertions using SAML Chrome Panel as indicated in KBA 2487567 you will see an entry like this:

<ns2:Issuer>NAME_OF_YOUR_IDP</ns2:Issuer>
<Status><StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Requester"/>
<StatusMessage>The digital signature of the received SAML2 message is invalid.</StatusMessage>

Resolution

Incorrect Claim Rule

Configure Claim Rules for the entry created in AD FS > Relying Party Trusts. Complete steps of the configuration of SAP Analytics Cloud and AD FS are detailed in KBA 2487116

Expired Certificate

If you renewed your certificate as indicated in KBA 2542839, you need to update the certificate used in your Identity Provider.

As an example, I am illustrating how to update the certificate if you use Active Directory Federation Services.

If you open AD FS and select Trust Relationships > Relying Party Trusts, you can see the entry that you need to update:

ADFS_Update_RelyingPartyTrust.png

Right click on the entry for your SAP Analytics Cloud tenant and select Properties. You need to open the tab Signature:

ADFS_CertificateExpired.png

Adding the new signature:

From the metadata.xml that was downloaded after renewing the certificate, you can extract the certificate following these steps:

  1. Open metadata.xml with a text editor
  2. Copy the line between the tags: <X509Certificate> and </X509Certificate>
  3. Save it in a new file with .cer or .crt extension

Certificate_in_Metadata_XML.png

You can add this certificate to your Relying Party Trust.

See Also

Your feedback is important to help us improve our knowledge base.
Please rate how useful you found this article by using the star rating feature at the beginning of this article.
Thank you.

Keywords

EPM, SAP Cloud for Planning, sc4p, c4p, cforp, cloudforplanning, Hana Cloud for Planning, EPM-ODS, Cloud for Analytics, C4P, Cloud4Analytics, CloudforAnalytics, Cloud 4 Planning, HCP, C4A, BOC, SAPBusinessObjectsCloud, BusinessObjectsCloud, BOBJ, BOBJcloud, BOCloud., BICloud, BO Cloud, connecting, conecting, conectando, conexão, modelo, SBOC, SAC, SAP BusinessObjects Cloud, Business Objects , KBA , LOD-ANA , SAP Analytics Cloud , LOD-ANA-BI , SAP Analytics Cloud - Business Intelligence (BOC) , LOD-ANA-PL , SAP Analytics Cloud – Planning (BOC) , LOD-ANA-BR , SAP Analytics Cloud - Digital Boardroom , LOD-ANA-PR , SAP Analytics Cloud – Predictive (BOC) , Problem

Product

SAP Analytics Cloud 1.0