You can logon to SAP Analytics Cloud after configuring your Active Directory Federation Services (ADFS) as your custom SAML Identity Provider
However, when you log out, your browser shows: HTTP status 500 - Multidomain params signature is not valid in SAP Analytics Cloud (SAC)
- SAP Analytics Cloud
- Active Directory Federation Services (ADFS)
Reproducing the Issue
- Configure SAML SSO authentication for SAP Analytics Cloud using ADFS
- Log in to SAP Analytics Cloud
- Log out of SAP Analytics Cloud
- The browser shows the error: HTTP status 500 - Multidomain params signature is not valid
The ADFS claim does not contain the required format: <NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">USER_NAME</NameID>
The original Claim only contains:
SAP Analytics Cloud expects to receive the claim in the fomat <NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">USER_NAME</NameID> in SAML assertion returned from SAML Identity Provider. Add additonal transformation thus to supplement and tranform the claim to the expected format.
Warning - The steps indicated here are correct for our testing Active Directory. You should contact your AD FS administrator or Microsoft to confirm that are valid for your environment.
- In the AD FS Administrator, go to Relying Party Trusts > Select the entry for SAP Analytics Cloud > Right click and select Edit Claim Rules...
- Modify the rule used to Send LDAP Attributes as Claims. As Outgoing Claim Type, you can select any claim type from the dropdown list, or provide any custom claim type name. In this sample, we manually enter the custom claim type name called: my_intermediate_claim. We use the logon name (LDAP Attribute: SAMAccountName).
- Click OK to save the changes
- Add a new rule > Select Transform an Incoming Claim > Give it a name "Tranform Claim to set unspecified" for example
- As Incoming claim Type, select or manually type the previous intermidiate claim type name in Step 2
- As Outgoing claim type select "Name ID" from the list
- Leave Outgoing Name ID format: "Unspecified"
- Click OK to save the change
- How to find User Assistance for SAP Analytics Cloud?
- Ask a question on the SAP Community!
- 2487011 - What information do I need to provide when opening incidents with SAP Analytics Cloud (Hint: Use component LOD-ANA*)
directory, error, 500, logoff, logout, exit, saml, adfs, ad, saml2, saml, sso, Cloud-Analytics, multi, domain, params. signature, Default NAME ID format, unspecified, active directory, AD , KBA , logout , LOD-ANA , SAP Analytics Cloud (SAC) , LOD-ANA-BI , Business Intelligence Functionality, Analytic Models , LOD-ANA-PL , Planning , LOD-ANA-BR , SAC Boardroom , LOD-ANA-PR , SAC Predicitive , Problem