2571892 - Best Practice - How to configure SAP Analytics Cloud SAML SSO using Azure Active Directory Services

• You want to use your Azure Active Directory (AD) as custom IdP to authenticate users in SAP Analytics Cloud (SAC)
• How to configure SAP Analytics Cloud SAML SSO using Azure Active Directory Services?

• SAP Analytics Cloud, Enterprise Edition
• Azure Active Directory services

***Disclaimer***:

• This document is only used to provide one best practice based on testing result in SAP.Image/data in this KBA is from SAP internal systems, sample data, or demo systems. Any resemblance to real data is purely coincidental.
• All steps perfomend inside Azure AD are out scope of SAP Support, so it is strongly recommended to discuss these steps with your AD administrators. Refer to the article by Microsoft: Tutorial: Integrate SAP Analytics Cloud with Azure Active Directory

1. Download XML Service Provider Metadata:

You need to download the Service Provider metadata for your SAC tenant.

1. Log on to your SAP Analytics Cloud tenant using System Owner account.
2. Go to the menu System > Administration > Security.
3. Click the pencil icon to edit.
4. Select SAML Single Sign-On (SSO).
5. Click the Download button that appears in the menu.
6. Download Service Provider metadata.
7. Open the downloaded metadata XML file, search for entityID tag. Copy the value for later use. Example: 
8. Look for tag AssertionConsumerService and Copy the link https://authn.xxx.hana.ondemand.com/saml2/sp/acs/xxxxxx/xxxxxx after Location for later use. Example: 

2. Add SAP Analytics Cloud application to Azure Active Directory.

1. Logon to the Azure Portal.
2. Select Azure Active Directory from left Menu.

    3. Select Enterprise Applications.

     4. Select All Applications.

     5. Click +New Application.

     6. Search for SAP and select SAP Analytics Cloud from the list, and then select Add.

3. Set up Azure AD single sign-on

1. Click Single sign-on.

    2. Select SAML-base Sign-on from the dropdown menu for Single Sign-on Mode.

    3. Enter the information under SAP Analytics Cloud Domain and URLs.

     4. Check Show advanced URL Settings and enter Reply URL. This information is collected in Step 1, location.

      5. Select user.mail for User Identifier

       6. Click "Metadata.xml" and download it your local directory. This will be used later to upload to your SAC Tenant

         7. Click Save on Top.

4. Create User in Azure Portal

1. Logon to your Azure Portal
2. Select Azure Active Directory from left Menu

    3. Select Users and groups

    4. Select All Users

    5. Select +New User

    6. Enter Details for new user and click Create

5. Configure SAML Single Sign-on (SSO) within SAC

1. Log on to your SAP Analytics Cloud tenant using System Owner account.
2. Go to the menu System > Administration > Security.
3. Click the pencil icon to edit
4. Select SAML Single Sign-On (SSO).
5. Click the Upload... button and when prompted select "Metadata.xml" file saved from Azure Portal. See Step 3.6.
6. Under User Attribute, select Email in the drop-down.
7. For Verify your account with the identity provider, enter e-mail ID (First.Last@..microsoft.com) of the user created within Azure. 
8. Validating the account.

• Before we can save the configuration we need to validate the configuration.
• You will copy the URL from the validate window and open an Incognito tab in your browser or open a browser in another machine.

• Tutorial: Azure Active Directory integration with SAP Analytics Cloud
• SAML integration between Microsoft Azure Portal and SAP Analytics Cloud
• 2569847 - Where can you find SAC user assistance (help) to use, configure, and operate it more effectively?
• Have a question? Ask it here and let our amazing SAP community help! Or reply and share your knowledge!
• 2487011 - What information do I need to provide when opening an case for SAP Analytics Cloud?
• Search for SAP Analytics Cloud content using Google or Bing:
• https://www.google.ca/search?q=site%3Ahttps%3A%2F%2Fapps.support.sap.com+SAP+Analytics+Cloud
• https://www.bing.com/search?q=site%3Ahttps%3A%2F%2Fapps.support.sap.com+SAP+Analytics+Cloud
• Note: Add relevant text or warning/error messages to the text search field to filter results.
• SAP Analytics Cloud > Learning > Data Connections
• SAP Analytics Cloud > Learning > Guided Playlists
• SAP Analytics Cloud > Learning > Guided Playlists > Getting Support
• Need More Help? Contact Support or visit the solution finder today!

Your feedback is important to help us improve our knowledge base.

EPM, SAP Cloud for Planning,  cloudforplanning, Hana Cloud for Planning, EPM-ODS, Cloud for Analytics, C4P, Cloud4Analytics, CloudforAnalytics, Cloud 4 Planning, HCP, C4A, BOC, SAPBusinessObjectsCloud, BusinessObjectsCloud,  connecting, conecting, conectando, conexão, modelo,SAC, SAP AC, Cloud-Analytics, CloudAnalytics, SAPCloudAnalytics, SAC, Analytics, Cloud, Azure, configuration, SAML, SSO, IDP, microsoft, AD, , KBA , azure active directory (azure ad , saas app integration , LOD-ANA-AUT , SAC Authentication / Login , LOD-ANA-BI , Business Intelligence Functionality, Analytic Models , LOD-ANA-PL , Planning , LOD-ANA-BR , SAC Boardroom , LOD-ANA-PR , SAC Predictive , LOD-ANA-ADM , SAC Administration , How To