Mapping SAML Attributes to Users

You can map existing SAML user or group attributes to SAP Analytics Cloud user profiles.

Prerequisites

  • SAP Analytics Cloud is running on an SAP data center.

    Determine which environment SAP Analytics Cloud is hosted in by inspecting your SAP Analytics Cloud URL:

    • A single-digit number, for example us1 or jp1, indicates an SAP data center.
    • A two-digit number, for example eu10 or us30, indicates a non-SAP data center.
    Note
    If SAP Analytics Cloud is running on a non-SAP data center, you must do the user mapping in your SAML identity provider, and the steps below do not apply. For more information, see Step 6 in Enabling a Custom SAML Identity Provider.
  • When you map SAML attributes to users, you'll need your Subaccount (S-User) details. Have these ready before you start. To find your S-User information, in SAP Analytics Cloud go to Start of the navigation path (Main Menu) Next navigation step  System Next navigation step  Administration Next navigation step Datasource ConfigurationEnd of the navigation path.
  • You or the owner of your organization’s S-User account must submit an SAP Product Support Incident using the component: LOD-ANA-BI. In the support ticket, indicate that you want to map SAML attributes to user profiles, and include your SAP Analytics Cloud tenant URL.
    Note
    You need to open a support ticket each time you switch to a different custom IdP.
  • You have configured your system to authenticate users against a custom SAML Identity Provider (IdP). You are logged on with a SAML account that is assigned an administrative role in SAP Analytics Cloud. And your custom SAML IdP is configured to return one or more SAML user attributes in the SAML assertions that are issued to authenticated SAML users.

Context

To ensure that users' profiles in SAP Analytics Cloud are updated with the latest information from your SAML IdP, you can map SAML user attributes to the following fields in SAP Analytics Cloud:
  • First Name
  • Last Name
  • Display Name
  • E-Mail
  • Functional Area
  • Language
  • Custom1, Custom 2, and so on
Each time a user logs on to SAP Analytics Cloud, the latest information is read from their SAML assertion and updated in their SAP Analytics Cloud user profile.

Procedure

  1. On the User page of the Security area, select (Map SAML User Properties).
  2. In the Map SAML Attributes dialog, select an SAML Attribute.

    The list of SAML attributes is populated with up to three available mappings. Expand the list beside the selected attribute to change it.

    If you are connecting to an SAP HANA system, you can click properties found and all SAML attributes detected will be added to the list automatically.

  3. Select (New Mapping Definition) to add additional SAML Attributes if necessary.
  4. Select a Target Property for each SAML attribute.
  5. Select Save.

Results

User profiles will be updated with SAML information.

Next Steps

To edit a user's SAML mapping, go to the Users page of the Security area, and select the SAML Mapping you want to modify. Add a new SAML Mapping and press Enter, or select another cell to verify the new mapping. Select (Save) to set the new mapping.

Note
If the mapping is already assigned to another user, a warning will appear and you must enter a new mapping. Every user must be assigned a unique mapping.
Note
Only numbers, letters, and the underscore and ampersand characters can be included in mapped attributes: _, &.

A confirmation email will be sent to the email address linked to the new mapping.

As long as a user has not logged on to the system with the new information, the SAML mapping will appear in pending state on the Users list.

Related Information