Enabling a Custom SAML Identity Provider

By default, SAP Cloud Platform Identity Authentication is used by SAP Analytics Cloud. SAP Analytics Cloud also supports single sign-on (SSO) using your own identity provider (IdP).

Prerequisites

  • You must have an IdP that supports SAML 2.0 protocol.
  • You must be able to configure your IdP.
  • You must be assigned to the System Owner role in SAP Analytics Cloud. For more information, see Standard Application Roles.
  • SAP Analytics Cloud can be hosted either on SAP data centers or on non-SAP data centers. Determine which environment SAP Analytics Cloud is hosted in by inspecting your SAP Analytics Cloud URL:
    • A single-digit number, for example us1 or jp1, indicates an SAP data center.
    • A two-digit number, for example eu10 or us30, indicates a non-SAP data center.
  • If your users are connecting from Apple devices using the SAP Analytics Cloud mobile app, the certificate used by your IdP must be compatible with Apple's App Transport Security (ATS) feature.

Procedure

  1. Go to (Main Menu) > System > Administration > Security.
  2. Select (Edit).
  3. In the Authentication Method area, select SAML Single Sign-On (SSO) if it is not already selected.
  4. In Step 1, select Download and save the metadata file.
    An SAP Analytics Cloud metadata file will be saved.
  5. Upload the SAP Analytics Cloud metadata file to your SAML IdP.
    The file includes metadata for SAP Analytics Cloud, and is used to create a trust relationship between your SAML Identity Provider and your SAP Analytics Cloud system.
  6. Map your SAML IdP user attributes and roles.

    If SAP Analytics Cloud is running on an SAP data center, you must submit an SAP Product Support Incident using the component LOD-ANA-BI. In the support ticket, indicate that you want to set up user profiles and role assignment based on custom SAML attributes, and include your SAP Analytics Cloud tenant URL.

    If SAP Analytics Cloud is running on a non-SAP data center, you must configure your SAML IdP to map user attributes to the following case-sensitive white-listed assertion attributes:

    Attribute Name       Notes
    email                Required if your NameID is "email".
    Groups               Required. Set to "sac".
    familyName           Optional. familyName is the user's last name (surname).
    displayName          Optional.
    functionalArea       Optional.
    givenName            Optional. givenName is the user's first name.
    preferredLanguage    Optional.
    custom1              Optional. For SAML role assignment.
    custom2              Optional. For SAML role assignment.
    custom3              Optional. For SAML role assignment.
    custom4              Optional. For SAML role assignment.
    custom5              Optional. For SAML role assignment.
  7. Download metadata from your SAML IdP.
  8. In Step 2, select Upload, and choose the metadata file you downloaded from your SAML IdP.
  9. In Step 3, select a User Attribute.
    The attribute will be used to map users from your existing SAML user list to SAP Analytics Cloud. The user attribute you select must match the NameID used in your custom SAML assertion:
    <NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"><Your Unique Identifier></NameID>
    Determine what your NameID maps to in your SAP Analytics Cloud system. It should map to User ID, Email or a custom attribute. You can view your SAP Analytics Cloud user attributes in Security > Users.
    Choose one of the following options:
    • USER ID: If NameID maps to the SAP Analytics Cloud User ID.
    • Email: If NameID maps to SAP Analytics Cloud Email address.
    • Custom SAML User Mapping: If NameID maps to a custom value.
  10. (Optional) Enable Dynamic User Creation.

    When dynamic user creation is enabled, new users will be automatically created using the default role and will be able to use SAML SSO to log onto SAP Analytics Cloud. For more information, see Setting the Default Role. After users are created, you can set roles using SAML attributes. For more information, see Mapping Roles Using SAML Attributes.

  11. In Step 4, enter <Your Unique Identifier>.
    This value must identify the SAP Analytics Cloud system owner. The Login Credential provided here will be automatically set for your user.
  12. Test the SAML IdP setup by logging in to SAP Analytics Cloud with your IdP, and then clicking Verify Account to open a dialog for validation.

    In another browser, log on to the URL provided in the Verify Your Account dialog, using your SAML IdP credentials. You can copy the URL by selecting (Copy).

    You must use a private session to log onto the URL; for example, Guest mode in Chrome. This ensures that when you log on to the dialog and select SAP Analytics Cloud, you are prompted to log in and do not reuse an existing browser session.

    If you can log on successfully, the SAML IdP setup is correct.
  13. In the Verify Your Account dialog, select Check Verification.
    If the verification was successful, a green border should appear around the Login Credential box.
  14. (Optional) Enter a password management URL.
    The URL should link to the password management page of your SAML IdP.
  15. Select (Save).
    The Convert to SAML Single Sign-On confirmation dialog will appear.
  16. Select Convert.
    When conversion is complete, you will be logged out and directed to the logon page of your SAML IdP.
  17. Log on to SAP Analytics Cloud with the credentials you used for the verification step.
  18. Go to Security > Users and look for the column of the User Attribute you selected in step 8.
    The values in this column should be a case-sensitive match with the NameID sent in your IdP's SAML assertion.
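Before converting the tenant (step 16), it helps to check an assertion captured from your IdP against the rules in steps 6 and 9: the NameID format, the required Groups = "sac" attribute, and the case-sensitive attribute names. The following Python script is an added example, not SAP code; the assertion it parses is a constructed sample with a deliberately miscased "groups" attribute, and the script checks attribute mapping only, not the assertion's signature, which SAP Analytics Cloud validates itself.

```python
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
UNSPECIFIED = "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"
# White-listed assertion attribute names from the table in step 6 (case-sensitive).
REQUIRED = {"Groups": "sac"}
OPTIONAL = {"email", "familyName", "displayName", "functionalArea", "givenName",
            "preferredLanguage", "custom1", "custom2", "custom3", "custom4", "custom5"}

# Constructed sample assertion (not captured from a real IdP). It deliberately
# sends "groups" in lowercase, the kind of mismatch step 18 tells you to look for.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Subject><saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">jdoe@example.com</saml:NameID></saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="groups"><saml:AttributeValue>sac</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="givenName"><saml:AttributeValue>Jane</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="custom1"><saml:AttributeValue>Admin</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

def parse_assertion(xml_text):
    """Return (NameID format, NameID value, {attribute name: [values]})."""
    root = ET.fromstring(xml_text)
    name_id = root.find("saml:Subject/saml:NameID", NS)
    attrs = {}
    for attr in root.findall("saml:AttributeStatement/saml:Attribute", NS):
        attrs[attr.get("Name")] = [v.text or "" for v in attr.findall("saml:AttributeValue", NS)]
    return name_id.get("Format"), name_id.text, attrs

def check_assertion(xml_text, user_attribute):
    """List mapping problems; user_attribute is 'USER ID', 'Email' or 'Custom SAML User Mapping'."""
    fmt, name_id, attrs = parse_assertion(xml_text)
    findings = []
    if fmt != UNSPECIFIED:
        findings.append(f"NameID Format is {fmt!r}, expected {UNSPECIFIED!r}")
    if user_attribute == "Email" and "email" not in attrs:
        findings.append("email attribute is required when NameID maps to Email")
    known = set(REQUIRED) | OPTIONAL
    by_lower = {k.lower(): k for k in known}
    for name in attrs:
        if name in known:
            continue
        expected = by_lower.get(name.lower())
        findings.append(f"attribute {name!r} has wrong case, SAC expects {expected!r}" if expected
                        else f"attribute {name!r} is not white-listed and will be ignored")
    for name, value in REQUIRED.items():
        if attrs.get(name) != [value]:
            findings.append(f"required attribute {name!r} missing or not set to {value!r}")
    return findings
```

Run it on the sample with `check_assertion(SAMPLE_ASSERTION, "Email")` and it reports the missing email attribute, the miscased "groups", and the consequently absent required Groups attribute; renaming the attribute to "Groups" clears the findings.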

Results

Users will be able to use SAML SSO to log onto SAP Analytics Cloud.

Next Steps

Disabling SAML SSO

To revert your system to the default IdP (SAP Cloud Identity) and disable your custom SAML IdP, do the following:
  1. Go to (Main Menu) > System > Administration > Security.
  2. Select (Edit).
  3. In the Authentication Method area, select SAP Cloud Identity (default).
  4. Select (Save).

When conversion is complete, you will be logged out and directed to the SAP Cloud Identity logon page.

Updating the SAML IdP Signing Certificate

If SAML SSO is enabled and the metadata from your IdP is updated with a new signing certificate, please submit an SAP Product Support Incident using the component LOD-ANA-BI. You must specify your SAP Analytics Cloud URL and attach the new metadata XML to the support incident.

Switch to a Different Custom IdP

If SAML SSO is enabled and you would like to switch to a different SAML IdP, you can repeat steps 1-18 using the new SAML IdP metadata.