2518900 - How do I connect SAP Analytics Cloud (SAC) to SAP Business Technology Platform (BTP) Identity Authentication Services (IAS) Identity Provider?

You want to enable SAML SSO connection between SAP Business Technology Platform (BTP) Identity Authentication Services (IAS) and SAP Analytics Cloud (SAC)

• SAP Analytics Cloud
• SAP S/4HANA Cloud
• SAP Business Technology Platform (BTP) Identity Authentication Services (IAS)

Mapping attributes may not match, e.g. in SAC it may expect to receive e-mail as NameID but IAS might be mapped to use User Login or something else

DISCLAIMER: This is a How-To KBA that involves 2 SAP Products: SAC And IAS, please check before opening a Support Ticket in which product assistance is needed

1) Connect to the Administration Console of your SAP Business Technology Platform (BTP) Identity Authentication Services (IAS)

1.1) Navigate to "Tenant Settings -> SAML 2.0 Configuration" and download the metadata file "metadata.xml"

2) Connect to your SAP Analytics Cloud tenant in a separate browser window as the System Owner.

2.1) Select Main Menu > System > Administration and click the Security tab.
2.2) Click the pencil symbol in the top right to Edit the settings.
2.3) Select SAML Single Sign-On (SSO) under Authentication Method
2.4) Click Download under "Step 1: Download Service Provider metadata" to download metadata.xml File (this will be known as the SAC Metadata)
2.5) Click Upload... under "Step 2: Upload Identity Provider metadata" to upload "metadata.xml" from your SAP Business Technology Platform (BTP) Identity Authentication Services (IAS)
2.6) Under Step 3: Choose a user attribute to map to your identity provider select "Custom SAML User Mapping"

3) Return to the SAP Business Technology Platform (BTP) Identity Authentication Services (IAS) Identity Provider and open "Applications".

3.1) Add a new application for SAP Analytics Cloud
3.2) Under this new application select "SAML 2.0 Configuration" on the "Trust" tab
3.3) Click "Upload" under "Define from Metadata" to upload the "sacmetadata.xml" file that you downloaded from SAP Analytics Cloud.
3.4) Change "Subject Name Identifier" on the "Trust" tab to "e-mail" If your mapping is configured to use "e-mail"* see Enable a Custom SAML Identity Provider, to map different attribute...
3.5) Click "Save"

4) In the  SAP Business Technology Platform (BTP) Identity Authentication Services (IAS) Identity Provider open "User Management"

4.1) Search for the user that you want to map to your existing SAP Analytics Cloud account and note the email *^{or Login Name, or attribute, etc...  you would like to map (needs to match step 3.4)}

5) Return to the SAP Analytics Cloud tenant to verify that all settings are correct.

5.1) Under System / Security in SAC, get to the fourth Step:
"Step 4: Confirm that the mapping is working" and enter your SAP BTP IAS email into "Login Credential (Custom SAML User Mapping)"*^{or Login Name, or attribute, etc...  that is being mapped (needs to match steps 3.4 and 4.1 of this KBA)}

5.2) Click "Verify Account"

6) Copy the URL from the popup into a new browser session and logon to the SAP Business Technology Platform (BTP) Identity Authentication Services (IAS) to confirm that you get logged on with the SAML_VERIFY user.

7) Return to the SAP Analytics Cloud tenant, under "Security" settings page to confirm a message that your account has been verified.

7.1) Click "Save"

8) Return to the popup and click "Convert" to confirm.

• After several minutes your SAP Analytics Cloud tenant will be connected to the SAP Business Technology Platform (BTP) Identity Authentication Services (IAS) Identity Provider.
• The SAML user mapping for your user that carried out the conversion was already changed.

9) Return to the  SAP Business Technology Platform (BTP) Identity Authentication Services (IAS)  and confirm you have created Users for all SAP Analytics Cloud Users

10) Return to the SAP Analytics Cloud tenant and select "Security > Users" from the "Main Menu"

10.1) In the column SAML User Mapping enter the corresponding Login Name from the  SAP Cloud Platform Identity Authentication Cloud Identity Provider for all users.

10.2) Click "Save"

• Integration with SAP BusinessObjects Cloud (BOC)
• Help resources
• Help portal
• SAP Community ( Questions & Answers / Direct Link to ask question / Blogs )
• SAP community wiki
• Ideaplace forum ( for enhancement requests & new features )
• Video tutorials 
• Videos by topic areas: ( Overview, What's New, Models and Connections, Stories, SAP Digital Boardroom, Planning, Predictive, Collaboration, Administration )
• Training events
• Past event recordings
• New user handbook
• Roadmap
• How to connect to on-premise data
• 2487011 - What information do I need to provide when opening incidents with SAP Analytics Cloud
• Introducing SAP BusinessObjects Cloud: BI and Planning (SAP Press book)

Your feedback is important to help us improve our knowledge base.
Please rate how useful you found this article by using the star rating feature at the beginning of this article.
Thank you.

SCI, Hybris, S4HANA, S4/HANA, S/4 , SAP Cloud for Planning, sc4p, c4p, cforp, cloudforplanning, Hana Cloud for Planning, EPM-ODS, Cloud for Analytics, C4P, Cloud4Analytics, CloudforAnalytics,  HCP, C4A, BOC, SAPBusinessObjectsCloud, BusinessObjectsCloud, BOBJ, BOBJcloud, BOCloud., BICloud, BO Cloud, SBOC, SAC, SAP BusinessObjects Cloud, Business Objects, SAC, SAP AC, Cloud-Analytics, CloudAnalytics, SAPCloudAnalytics, S/4, S4, IDP, Auth, identity, SSO, SAML , KBA , LOD-ANA , SAP Analytics Cloud (SAC) , LOD-ANA-BI , Business Intelligence Functionality, Analytic Models , LOD-ANA-PL , Planning , LOD-ANA-BR , SAC Boardroom , LOD-ANA-PR , SAC Predictive , How To