SAP Knowledge Base Article - Public

2824009 - Some users get the error "It seems you profile is not configured for this system" when logging into SAP Analytics Cloud configured with Custom SAML Authentication

Symptom

  • Some users get the error "It seems you profile is not configured for this system" when logging in SAP Analytics Cloud (SAC) configured with custom SAML Authentication identity provider (IdP).
  • "Your user account has been updated. You'll need to log on with the following identification from now on"

Environment

  • SAP Analytics Cloud
  • Custom SAML IdP
  • non-SAP data center (Cloud Foundry)

Reproducing the Issue

  1. Successfully switch SAC to a Custom SAML Identity Provider.
  2. All users are able to log in except some users who get the error "It seems you profile is not configured for this system".
  3. As per KBA 2656152, you are able to verify the <NameID> attribute value in the SAML Assertion returned from the IDP.
    It matches with the corresponding User Attribute (either User ID, e-mail, or Custom SAML User Mapping) selected for Custom SAML configuration in the Security > Users page.
  4. Try to convert back to the default SAP Analytics Cloud IdP and then you switch back to the Custom IDP, but it does not help.

Cause

  • There was once a case change of <NameID> attribute value of invalid users in the Custom Identity Provider, for example from uppercase to lowercase.
  • SAP Cloud Platform was caching their <nameID> in uppercase, although both the SAC Users page and <NameID> value in the SAML Assertion were lowercase.
  • You can verify whether there is a cached <NameID> value by following the steps below:
  1. Retrieve the SAP Cloud Platform User Account and Authentication (UAA) information of problematic user who fails to logon to SAC:
    • The UAA User Information page can be accessed via this URL pattern: https://<tenant>.authentication.<landscape>.hana.ondemand.com/config?action=who
    • For example, if your SAC URL is https://test-eu.eu10.sapanalytics.cloud, then the information page can be found at https://test-eu.authentication.eu10.hana.ondemand.com/config?action=who.
    • Navigating to this URL will cause a redirection to your custom SAML IdP for authentication, and proceed to log in.
    • UAA User Information displays as below. Pay attention to userName field:

UAA.png

    • userName value (SAP Cloud Platform UAA Information) is case-insensitive but the SAC Users page (HANA user's external identity) is case-sensitive.
    • These two values must exactly matched for the login to succeed.
    • In the sample above:
      • userName value : Firstname.Lastname@company.com
      • user's e-mail in SAC > Users page : firstname.lastname@company.com
      • <NameID> value in SAML Assertion : <NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">firstname.lastname@company.com</NameID>

Resolution

  • Manually change the SAC > Users page to make it match with the UAA userName value for failing users. After that, the user should be able to succesfully login, and it should flush the cache.
  • If it still does not work, please contact SAP Product Support team with component LOD-ANA-BI-AUT, and include the three values of each failed user. We will clear the cache for those users.

See Also

Your feedback is important to help us improve our knowledge base.

Keywords

SAP Cloud for Planning, sc4p, c4p, cforp, cloudforplanning, EPM-ODS, Cloud for Analytics, Cloud4Analytics, CloudforAnalytics, Cloud 4 Planning, BOC, SAPBusinessObjectsCloud, BusinessObjectsCloud, BOBJcloud, BOCloud., SAC, SAP AC, Cloud-Analytics, CloudAnalytics, SAPCloudAnalytics, UAA, XSUAA, ad fs, okta, adfs, azure, email , KBA , "it seems your profile is not configured , for this system" , analytics cloud "it seems your profile i , LOD-ANA-BI-AUT , User Access Errors incl SSO SAM/IDP, Login issue , Problem

Product

SAP Analytics Cloud 1.0