SAP Knowledge Base Article - Public

2587606 - Connection between SAP Analytics Cloud and SAP Marketing Cloud (S/4HANA Cloud / Hybris) retrieves Failed to connect to system with OAuth 2 SAML Bearer Assertion method

Symptom

  • The connection between SAP Analytics Cloud and SAP Marketing Cloud (a.k.a. Hybris Marketing Cloud, yMkt) cannot be established using the OAuth 2.0 SAML Bearer Assertion authentication method.
  • "Failed to connect to system" error message appears when creating the connection in SAP Analytics Cloud.
  • The following error statements are being generated in the Chrome Developer Tool logs:
    • Internal Server Error, 500
    • Error Code: 3100, Error Message: Cannot return OAuth 2.0 SAML Bearer Assertion because of com.sap.core.connectivity.apiext.impl.authentication.assertion.oauth.OAuthTokenGenerationException: Could not retrieve OAuth 2.0 access token for user <USERID_IN_IDP>, Public URL: https:\\/\\/<SAC_SYSTEM_URL>, Path: \\/s4hcremotes\\/<CONNECTION_NAME>\\/sap\\/bw\\/ina\\/GetServerInfo
    • Cannot return OAuth 2.0 SAML Bearer Assertion because could not retrieve OAuth 2.0 access token.

Environment

  • SAP Analytics Cloud
  • SAP Marketing Cloud

Reproducing the Issue

  1. Follow the instructions to connect SAP Analytics Cloud to SAP Hybris Marketing system as per Integration with SAP Analytics Cloud (1SO) 
  2. In SAP Analytics Cloud, add a new Live Data Connection > SAP S/4HANA > S/4HANA Cloud
  3. Fill in the necessary information for OAuth (Token Service User, Token Service Password and OAuth Scope).
  4. Click OK and the error message appears.

Cause

  • The user with ID "<USERID_IN_IDP>" does not exist in the SAP Marketing Cloud (Hybris) system as a business user, therefore the connection cannot be set and no token is retreived.
  • Secret or a password for technical user is not properly given during the setup.

Resolution

#1: SSO and user names must match

  • Make sure that you have set up SSO on SAP Analytics Cloud and maintained the ID of the business user: "<USERID_IN_IDP>" in the Custom SAML Mapping column under Security > Users.
  • The ID above should be equal with the attribute, for which the name ID in the Identity Provider has been set up.

#2: Setup again from scratch per Integration with SAP Analytics Cloud (1SO) 

  • Remove previously created Communication Arrangement and Communication System, then start over by creating new Arrangement, new System and even a new Technical user for the connection.
  • Pay attention to note down all the passwords and secrets during the setup.

#3: Unlock the technical user

  • Ensure that the Token Service User is not locked.

It can be unlocked via the following steps:

  1. Browse to and log on to https://<mytenant>.s4hana.ondemand.com.
  2. Search in Apps for User.
  3. Click the Display Technical Users tile.
  4. Search for your Token Service User.
  5. Check the check box for the Token Service Technical User.
  6. Click "Unlock".

See Also

Your feedback is important to help us improve our knowledge base.

Keywords

BOC, SAPBusinessObjectsCloud, BusinessObjectsCloud, BOBJ, BOBJcloud, BOCloud., BICloud, BO Cloud, connecting, conecting, conectando, conexão, modelo, SBOC, SAC, SAP BusinessObjects Cloud, Business Objects, SAC, SAP AC, Cloud-Analytics, CloudAnalytics, SAPCloudAnalytics,s/4, hana, cloud, marketing, integration, locked, unlock, SAML Bearer, oauth, live, s/4hana, s4hana, connection, fails, unable, authenticate, failing, fails, user, password, credentials, secret, token, tenant, system, arrangement, communication , KBA , LOD-ANA , SAP Analytics Cloud , LOD-ANA-BI , SAP Analytics Cloud - Business Intelligence (BOC) , LOD-ANA-PL , SAP Analytics Cloud – Planning (BOC) , LOD-ANA-BR , SAP Analytics Cloud - Digital Boardroom , LOD-ANA-PR , SAP Analytics Cloud – Predictive (BOC) , Problem

Product

SAP Analytics Cloud 1.0