- The connection between SAP Analytics Cloud and SAP Marketing Cloud (a.k.a. Hybris Marketing Cloud, yMkt) cannot be established using the OAuth 2.0 SAML Bearer Assertion authentication method.
- "Failed to connect to system" error message appears when creating the connection in SAP Analytics Cloud.
- The following error statements are being generated in the Chrome Developer Tool logs:
- Internal Server Error, 500
- Error Code: 3100, Error Message: Cannot return OAuth 2.0 SAML Bearer Assertion because of com.sap.core.connectivity.apiext.impl.authentication.assertion.oauth.OAuthTokenGenerationException: Could not retrieve OAuth 2.0 access token for user <USERID_IN_IDP>, Public URL: https:\\/\\/<SAC_SYSTEM_URL>, Path: \\/s4hcremotes\\/<CONNECTION_NAME>\\/sap\\/bw\\/ina\\/GetServerInfo
- Cannot return OAuth 2.0 SAML Bearer Assertion because could not retrieve OAuth 2.0 access token.
- SAP Analytics Cloud
- SAP Marketing Cloud
Reproducing the Issue
- Follow the instructions to connect SAP Analytics Cloud to SAP Hybris Marketing system as per Integration with SAP Analytics Cloud (1SO)
- In SAP Analytics Cloud, add a new Live Data Connection > SAP S/4HANA > S/4HANA Cloud
- Fill in the necessary information for OAuth (Token Service User, Token Service Password and OAuth Scope).
- Click OK and the error message appears.
- The user with ID "<USERID_IN_IDP>" does not exist in the SAP Marketing Cloud (Hybris) system as a business user, therefore the connection cannot be set and no token is retreived.
- Secret or a password for technical user is not properly given during the setup.
#1: SSO and user names must match
- Make sure that you have set up SSO on SAP Analytics Cloud and maintained the ID of the business user: "<USERID_IN_IDP>" in the Custom SAML Mapping column under Security > Users.
- The ID above should be equal with the attribute, for which the name ID in the Identity Provider has been set up.
#2: Setup again from scratch per Integration with SAP Analytics Cloud (1SO)
- Remove previously created Communication Arrangement and Communication System, then start over by creating new Arrangement, new System and even a new Technical user for the connection.
- Pay attention to note down all the passwords and secrets during the setup.
#3: Unlock the technical user
- Ensure that the Token Service User is not locked.
It can be unlocked via the following steps:
- Browse to and log on to https://<mytenant>.s4hana.ondemand.com.
- Search in Apps for User.
- Click the Display Technical Users tile.
- Search for your Token Service User.
- Check the check box for the Token Service Technical User.
- Click "Unlock".
- SAML authentication in SAP Analytics Cloud
- 2411608 - SAP Analytics Cloud SAML authentication *** Master KBA ***
- 2559605 - Attributes are not visible when mapping SAML attributes after SSO configuration in SAP Analytics Cloud
- How to find User Assistance for SAP Analytics Cloud?
- Ask a question on the SAP Community!
- 2487011 - What information do I need to provide when opening incidents with SAP Analytics Cloud (Hint: Use component LOD-ANA*)
- SAP Analytics Cloud > Learning > Guided Playlists
Your feedback is important to help us improve our knowledge base.
BOC, SAPBusinessObjectsCloud, BusinessObjectsCloud, BOBJ, BOBJcloud, BOCloud., BICloud, BO Cloud, connecting, conecting, conectando, conexão, modelo, SBOC, SAC, SAP BusinessObjects Cloud, Business Objects, SAC, SAP AC, Cloud-Analytics, CloudAnalytics, SAPCloudAnalytics,s/4, hana, cloud, marketing, integration, locked, unlock, SAML Bearer, oauth, live, s/4hana, s4hana, connection, fails, unable, authenticate, failing, fails, user, password, credentials, secret, token, tenant, system, arrangement, communication , KBA , LOD-ANA , SAP Analytics Cloud , LOD-ANA-BI , SAP Analytics Cloud - Business Intelligence (BOC) , LOD-ANA-PL , SAP Analytics Cloud – Planning (BOC) , LOD-ANA-BR , SAP Analytics Cloud - Digital Boardroom , LOD-ANA-PR , SAP Analytics Cloud – Predictive (BOC) , Problem