- Some users get the error "It seems you profile is not configured for this system" when logging in SAP Analytics Cloud (SAC) configured with custom SAML Authentication identity provider (IdP).
- "Your user account has been updated. You'll need to log on with the following identification from now on"
- SAP Analytics Cloud
- Custom SAML IdP
- non-SAP data center (Cloud Foundry)
Reproducing the Issue
- Successfully switch SAC to a Custom SAML Identity Provider.
- All users are able to log in except some users who get the error "It seems you profile is not configured for this system".
- As per KBA 2656152, you are able to verify the <NameID> attribute value in the SAML Assertion returned from the IDP.
It matches with the corresponding User Attribute (either User ID, e-mail, or Custom SAML User Mapping) selected for Custom SAML configuration in the Security > Users page.
- Try to convert back to the default SAP Analytics Cloud IdP and then you switch back to the Custom IDP, but it does not help.
- There was once a case change of <NameID> attribute value of invalid users in the Custom Identity Provider, for example from uppercase to lowercase.
- SAP Cloud Platform was caching their <nameID> in uppercase, although both the SAC Users page and <NameID> value in the SAML Assertion were lowercase.
- You can verify whether there is a cached <NameID> value by following the steps below:
- Retrieve the SAP Cloud Platform User Account and Authentication (UAA) information of problematic user who fails to logon to SAC:
- The UAA User Information page can be accessed via this URL pattern: https://<tenant>.authentication.<landscape>.hana.ondemand.com/config?action=who
- For example, if your SAC URL is https://test-eu.eu10.sapanalytics.cloud, then the information page can be found at https://test-eu.authentication.eu10.hana.ondemand.com/config?action=who.
- Navigating to this URL will cause a redirection to your custom SAML IdP for authentication, and proceed to log in.
- UAA User Information displays as below. Pay attention to userName field:
- userName value (SAP Cloud Platform UAA Information) is case-insensitive but the SAC Users page (HANA user's external identity) is case-sensitive.
- These two values must exactly matched for the login to succeed.
- In the sample above:
- userName value : Firstname.Lastname@company.com
- user's e-mail in SAC > Users page : firstname.lastname@example.org
- <NameID> value in SAML Assertion : <NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">email@example.com</NameID>
- Manually change the SAC > Users page to make it match with the UAA userName value for failing users. After that, the user should be able to succesfully login, and it should flush the cache.
- If it still does not work, please contact SAP Product Support team with component LOD-ANA-BI-AUT, and include the three values of each failed user. We will clear the cache for those users.
- 2569847 - Where can you find user assistance (help) for SAP Analytics Cloud to use, configure and operate it more effectively?
- Have a question? Ask it here on the SAP Community. Or reply and share your knowledge!
- 2487011 - What information do I need to provide when opening an incident for SAP Analytics Cloud?
- SAP Analytics Cloud > Learning > Guided Playlists
- SAP Analytics Cloud > Learning > Guided Playlists > Getting Support
Your feedback is important to help us improve our knowledge base.
SAP Cloud for Planning, sc4p, c4p, cforp, cloudforplanning, EPM-ODS, Cloud for Analytics, Cloud4Analytics, CloudforAnalytics, Cloud 4 Planning, BOC, SAPBusinessObjectsCloud, BusinessObjectsCloud, BOBJcloud, BOCloud., SAC, SAP AC, Cloud-Analytics, CloudAnalytics, SAPCloudAnalytics, UAA, XSUAA, ad fs, okta, adfs, azure, email , KBA , "it seems your profile is not configured , for this system" , analytics cloud "it seems your profile i , LOD-ANA-BI-AUT , User Access Errors incl SSO SAM/IDP, Login issue , Problem