Enabling a Custom SAML Identity Provider

Single Sign-On (SSO) authentication against a custom identity provider (IdP) can be configured using the SAML 2.0 protocol.

Prerequisites

  • Your identity provider must support the SAML 2.0 protocol.
  • Existing SAP Analytics Cloud users must have a corresponding user account in your custom SAML Identity Provider (IdP).
  • You must be assigned to the System Owner role in SAP Analytics Cloud. For more information, see Standard Application Roles.

Procedure

  1. Go to Main Menu > System > Administration > Security.
  2. Select (Edit).
  3. In the Authentication Method area, select SAML Single Sign-On (SSO).
    Note
    By default, SAP Cloud Identity is used for authentication.
  4. In Step 1, select Download and save the metadata file.
    An SAP Analytics Cloud metadata file will be saved.
  5. Upload the SAP Analytics Cloud metadata file to your SAML Identity Provider (IdP).
    The file includes metadata for SAP Analytics Cloud, and is used to create a trust relationship between your SAML Identity Provider and your SAP Analytics Cloud tenant.
    Note

    If SAP Analytics Cloud is running on a non-SAP data center, for example Cloud Foundry (AWS), you must map your SAML assertion attributes to the white-listed attributes below. Mapping these fields ensures that your IdP's attributes appear correctly in SAP Analytics Cloud, and it lets you map roles based on your SAML assertion attributes.

    The following assertion attributes are expected:
    Attribute Name      Notes
    Groups              Required. Set to "sac".
    familyName          Required.
    email               Required if your Name ID is "email".
    givenName           Optional.
    functionalArea      Optional.
    preferredLanguage   Optional.
    custom1             Optional. For SAML role assignment.
    custom2             Optional. For SAML role assignment.
    custom3             Optional. For SAML role assignment.
    custom4             Optional. For SAML role assignment.
    custom5             Optional. For SAML role assignment.
  6. Download metadata from your SAML IdP.
  7. In Step 2, select Upload, and choose the metadata file you downloaded from your SAML IdP.
  8. In Step 3, select a User Attribute.
    The attribute is used to map users from your SAML IdP to SAP Analytics Cloud users. The user attribute you select must match the NameID sent in your custom SAML assertion:
    <NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"><Your Unique Identifier></NameID>
    <Your Unique Identifier> is a placeholder for the value your IdP sends; it may be a user ID or an email address.
    Note
    Matching is case sensitive for every option. The user ID, email, or Custom SAML user mapping must match exactly between your SAML IdP and SAP Analytics Cloud. For example, if the email returned by your SAML IdP is user@company.com and the email used in SAP Analytics Cloud is User@company.com, the mapping fails.
    Choose one of the following options:
    • USER ID: If <Your Unique Identifier> is a user ID that is identical to the SAP Analytics Cloud user ID.
      Note
      You can view your SAP Analytics Cloud user ID in the Security > Users list.
    • Custom SAML User Mapping: If <Your Unique Identifier> is a user ID that is NOT identical to the SAP Analytics Cloud user ID.
      Note
      If you select this option, you must manually add the SAML User Mapping to <Your Unique Identifier> in step 17.
    • Email: If <Your Unique Identifier> is an email address.
    Note

    If you are using a live connection to SAP S/4HANA Cloud Edition with OAuth 2.0 SAML Bearer Assertion, <Your Unique Identifier> must be identical to the user name of the business user on your SAP S/4HANA system.

    For example, if you want to map an SAP Analytics Cloud user with the user ID SACUSER to your SAP S/4HANA Cloud user with the user name S4HANAUSER, you must select Custom SAML User Mapping and use S4HANAUSER as <Your Unique Identifier>.

    Additionally, if you are using SAP Cloud Identity as your identity provider, you can choose Login Name as the Name ID attribute, and set the login name of your SAP Analytics Cloud user to S4HANAUSER. You must manually add the SAML User Mapping to S4HANAUSER in step 17.

  9. (Optional) Enable Dynamic User Creation.

    When dynamic user creation is enabled, new users will be automatically created using the default role and will be able to use SAML SSO to log onto SAP Analytics Cloud. For more information, see Setting the Default Role. After users are created, you can set roles using SAML attributes. For more information, see Mapping Roles Using SAML Attributes.

    Note
    • If your instance of SAP Analytics Cloud is running on a non-SAP data center, for example Cloud Foundry (AWS), this option is not supported.
    • To ensure that mapping SAML attributes to users, and mapping roles using SAML attributes, works with dynamic user creation, you must submit an SAP Product Support Incident at the following link: https://launchpad.support.sap.com/#incident/solution using the component LOD-ANA-BI. In the support ticket, indicate that you want to set up user profiles and role assignment based on custom SAML attributes, and include your SAP Analytics Cloud tenant URL.
    • Automatic user deletion is not supported. If a user in SAP Analytics Cloud is removed from your SAML IdP, you must go to Security > Users and manually delete the user. For more information, see Deleting Users.
  10. In Step 4, enter the Login Credential of the account you will use to verify the custom SAML IdP setup (your own System Owner account as it is known to the IdP).
    Note
    The login credential depends on the User Attribute you selected under Step 3.
    • If Custom SAML User Mapping was selected, the Login Credential should be the NameID used by your account on your SAML IdP. This NameID is mapped only to your SAP Analytics Cloud System Owner user account; all other users must be added manually in step 17.
    • If Email was selected, the Login Credential should be the email address of your account on your SAML IdP.
    • If USER ID is selected, Login Credential is set to your SAP Analytics Cloud user name by default.
  11. Test the SAML IdP setup.

    In a separate browser session, log on to the URL provided in the Verify Your Account dialog, using your SAML IdP credentials. You can copy the URL by selecting (Copy).

    You must use a private session to log onto the URL; for example, Incognito mode in Chrome. This ensures that when you log on to the dialog and select SAP Analytics Cloud, you are prompted to log in and do not reuse an existing browser session.

    If you can log on successfully, the SAML IdP setup is correct.
  12. In the Verify Your Account dialog, select Check Verification.
    If the verification is successful, Account Verified will appear in Step 4.
  13. (Optional) Enter a password management URL.
    The URL should link to the password management page of your SAML IdP.
  14. Select (Save).
    The Convert to SAML Single Sign-On confirmation dialog will appear.
  15. Select Convert.
    When conversion is complete, you will be logged out and directed to the logon page of your SAML IdP.
  16. Log on to SAP Analytics Cloud with the credentials of your IdP account.
  17. Go to Security > Users and check that the information for all users is correct.
    • If you selected Custom SAML User Mapping as User Attribute, you must manually update all fields in the SAML User Mapping column, because the information is not automatically updated.
    • If you selected Email as User Attribute, the email address for each user should match to the email address used in your SAML IdP.
    • If you selected USER ID as User Attribute, the values in the USER ID column should match the values of NameID used in your custom SAML assertion.
      Note
      SAP Analytics Cloud user IDs are upper-case, and the match is case sensitive, so the NameID sent by your IdP must be upper-case as well.
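The attribute table in step 5 and the NameID matching rules in steps 8 and 17 are the places where this setup most often fails, and a failed conversion locks users out until the tenant is reverted. The following pre-flight check, an added example that is not SAP code and does not talk to SAP Analytics Cloud or to any IdP, parses a constructed, unsigned SAML assertion, checks it against the documented attribute rules, and performs the same exact, case-sensitive NameID lookup the procedure describes for each User Attribute option, reporting a near miss ("case mismatch") separately from an unknown user. The user list, issuer and user names are constructed for illustration.

```python
"""Pre-flight check of a SAML assertion against the attribute and NameID
rules in this procedure. Added example, not SAP code; it does not contact
SAP Analytics Cloud or an IdP."""
import xml.etree.ElementTree as ET

SAML = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample assertion (unsigned, fictitious issuer and user).
SAMPLE_ASSERTION = """\
<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
                ID="_example" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">
  <saml:Issuer>https://idp.example.com/saml</saml:Issuer>
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">JSMITH</saml:NameID>
  </saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="Groups"><saml:AttributeValue>sac</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="familyName"><saml:AttributeValue>Smith</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="givenName"><saml:AttributeValue>Jane</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="email"><saml:AttributeValue>jsmith@company.com</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="custom1"><saml:AttributeValue>BI_Content_Creator</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>
"""

# Constructed stand-in for the Security > Users list of the tenant.
SAC_USERS = [
    {"user_id": "JSMITH", "email": "jsmith@company.com", "saml_mapping": None},
    {"user_id": "ADOE",   "email": "ADoe@company.com",   "saml_mapping": "adoe@corp"},
]

# Which column of the user list each User Attribute option is matched against.
USER_ATTRIBUTE_COLUMN = {
    "USER ID": "user_id",
    "Email": "email",
    "Custom SAML User Mapping": "saml_mapping",
}


def parse_assertion(xml_text):
    """Return (name_id, attributes); attributes maps Name -> list of values."""
    root = ET.fromstring(xml_text)
    node = root.find("saml:Subject/saml:NameID", SAML)
    name_id = node.text.strip() if node is not None and node.text else None
    attrs = {}
    for a in root.iterfind("saml:AttributeStatement/saml:Attribute", SAML):
        attrs[a.get("Name")] = [(v.text or "").strip()
                                for v in a.findall("saml:AttributeValue", SAML)]
    return name_id, attrs


def check_attributes(attrs, user_attribute):
    """Problems with the assertion attributes; an empty list means they look right."""
    problems = []
    if attrs.get("Groups") != ["sac"]:
        problems.append("Groups must be present with the single value 'sac'")
    if not any(attrs.get("familyName", [])):
        problems.append("familyName is required")
    if user_attribute == "Email" and not any(attrs.get("email", [])):
        problems.append("email is required when the Name ID is an email address")
    return problems


def resolve_user(name_id, user_attribute, users=SAC_USERS):
    """Exact, case-sensitive match of the NameID to a tenant user, or None."""
    column = USER_ATTRIBUTE_COLUMN[user_attribute]
    for user in users:
        if user[column] is not None and user[column] == name_id:
            return user
    return None


def diagnose(name_id, user_attribute, users=SAC_USERS):
    """'ok', 'case mismatch' (would match if case were ignored) or 'no user'."""
    if resolve_user(name_id, user_attribute, users) is not None:
        return "ok"
    column = USER_ATTRIBUTE_COLUMN[user_attribute]
    if any(u[column] is not None and u[column].lower() == name_id.lower() for u in users):
        return "case mismatch"
    return "no user"


if __name__ == "__main__":
    nid, attrs = parse_assertion(SAMPLE_ASSERTION)
    print("NameID:", nid, "attribute problems:", check_attributes(attrs, "USER ID"))
    for candidate in (nid, nid.lower(), "NOBODY"):
        print(candidate, "->", diagnose(candidate, "USER ID"))
```

Run it against an assertion captured from your IdP's test login (for example via the browser's SAML tracer) and an export of the Security > Users list before you select Convert; a "case mismatch" for your own System Owner account is exactly the condition that makes the Verify Your Account step fail.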

Results

Users will be able to use SAML SSO to log onto SAP Analytics Cloud.

Note
You can also set up your IdP with your Public Key Infrastructure (PKI) so that your users are logged in automatically with a client-side X.509 certificate.

Next Steps

If SAML SSO is enabled and the metadata from your IdP is updated with a new signing certificate, submit an SAP Product Support Incident using the component LOD-ANA-BI. You must specify your SAP Analytics Cloud URL and attach the new metadata XML to the support incident. There will be a service disruption, and users will be unable to access SAP Analytics Cloud until SAP Support has finished uploading the new metadata.
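Because a signing-certificate change cannot be applied from the Security page and causes an outage until SAP Support has uploaded the new metadata, it is worth knowing before an IdP metadata refresh whether the signing certificate actually changed. The check below is an added example, not SAP code: it pulls the X509Certificate elements from the signing KeyDescriptor(s) of an IdP metadata document and compares their SHA-256 fingerprints between the current and the new file. The metadata documents are constructed, and the base64 "certificates" in them are placeholder bytes rather than real X.509 certificates; the page names only the signing certificate, so the check ignores use="encryption" descriptors.

```python
"""Detect whether updated IdP metadata carries a new signing certificate.
Added example, not SAP code. The metadata below is constructed and the
base64 "certificates" are placeholder bytes, not real X.509 certificates."""
import base64
import hashlib
import xml.etree.ElementTree as ET

MD = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}


def _metadata(signing_b64, encryption_b64):
    """Build a minimal, constructed IdP metadata document."""
    return f"""\
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
                     xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
                     entityID="https://idp.example.com/saml">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>{signing_b64}</ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:KeyDescriptor use="encryption">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>{encryption_b64}</ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
                            Location="https://idp.example.com/saml/sso"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>
"""


def _b64(raw):
    return base64.b64encode(raw).decode("ascii")


# Constructed current and updated metadata documents (placeholder cert bytes).
OLD_METADATA = _metadata(_b64(b"placeholder signing cert 2023"), _b64(b"placeholder encryption cert"))
NEW_METADATA = _metadata(_b64(b"placeholder signing cert 2024"), _b64(b"placeholder encryption cert"))
ENC_ONLY_ROTATED = _metadata(_b64(b"placeholder signing cert 2023"), _b64(b"new encryption cert"))


def signing_cert_fingerprints(metadata_xml):
    """SHA-256 fingerprints (hex) of the IdP's signing certificates.

    A KeyDescriptor without a 'use' attribute is valid for both signing and
    encryption, so it is included; use="encryption" descriptors are skipped."""
    root = ET.fromstring(metadata_xml)
    fingerprints = []
    for kd in root.iterfind(".//md:IDPSSODescriptor/md:KeyDescriptor", MD):
        if kd.get("use") not in (None, "signing"):
            continue
        for cert in kd.iterfind(".//ds:X509Certificate", MD):
            der = base64.b64decode("".join((cert.text or "").split()))
            fingerprints.append(hashlib.sha256(der).hexdigest())
    return fingerprints


def signing_cert_changed(old_xml, new_xml):
    """True when the set of signing certificates differs between the two documents."""
    return set(signing_cert_fingerprints(old_xml)) != set(signing_cert_fingerprints(new_xml))


if __name__ == "__main__":
    print("current:", signing_cert_fingerprints(OLD_METADATA))
    print("updated:", signing_cert_fingerprints(NEW_METADATA))
    print("signing cert changed:", signing_cert_changed(OLD_METADATA, NEW_METADATA))
    print("only encryption cert changed:", signing_cert_changed(OLD_METADATA, ENC_ONLY_ROTATED))
```

Feed `signing_cert_changed` the metadata XML you uploaded in Step 2 and the file your IdP administrator hands you; if it returns True, raise the LOD-ANA-BI incident and schedule the change for a window in which the outage is acceptable.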

If you would like to change from your current custom SAML IdP to a different custom SAML IdP, you must first revert to the default IdP before enabling the new IdP, or the system will be inaccessible. For more information, see SAP Note 2609819.

Reverting to the Default IdP

To revert your system to the default IdP (SAP Cloud Identity) and disable a custom SAML IdP, do the following:
  1. Make sure you are assigned to the System Owner role in SAP Analytics Cloud.
  2. Go to Main Menu > System > Administration > Security.
  3. Select (Edit).
  4. In the Authentication Method area, select SAP Cloud Identity.
  5. Select (Save).