2571892 - Best Practice - How to configure SAP Analytics Cloud SAML SSO using Azure Active Directory Services

Symptom

You want to use your Azure Active Directory (AD) as custom IdP to authenticate users in SAP Analytics Cloud (SAC)
How to configure SAP Analytics Cloud SAML SSO using Azure Active Directory Services?

Image/data in this KBA is from SAP internal systems, sample data, or demo systems. Any resemblance to real data is purely coincidental.

Environment

SAP Analytics Cloud, Enterprise Edition
Azure Active Directory services

Resolution

***Disclaimer***:

This document is only used to provide one best practice based on testing results in SAP.
All steps performed inside Azure AD are out scope of SAP Support, so it is strongly recommended to discuss these steps with your AD administrators. Refer to the article by Microsoft: Tutorial: Integrate SAP Analytics Cloud with Azure Active Directory

1. Download XML Service Provider Metadata

You need to download the Service Provider metadata for your SAC tenant.

Log on to your SAP Analytics Cloud tenant using System Owner account.
Go to the menu System > Administration > Security.
Click the pencil icon to edit.
Select SAML Single Sign-On (SSO).
Click the Download button that appears in the menu.
Download Service Provider metadata.
Open the downloaded metadata XML file, search for entityID tag. Copy the value for later use. Example:
Look for tag AssertionConsumerService and Copy the link https://authn.xxx.hana.ondemand.com/saml2/sp/acs/xxxxxx/xxxxxx after Location for later use. Example:

2. Add SAP Analytics Cloud application to Azure Active Directory

Logon to the Azure Portal.
Select Azure Active Directory from left Menu
Select Enterprise Applications
Select All Applications.
Click +New Application.
Search for SAP and select SAP Analytics Cloud from the list, and then select Add.

3. Set up Azure AD single sign-on

Click Single sign-on.
Select SAML-base Sign-on from the dropdown menu for Single Sign-on Mode.
Enter the information under SAP Analytics Cloud Domain and URLs.
Check Show advanced URL Settings and enter Reply URL. This information is collected in Step 1, location.
Select user.mail for User Identifier
Click "Metadata.xml" and download it your local directory. This will be used later to upload to your SAC Tenant
Click Save on Top.

4. Create User in Azure Portal

Logon to your Azure Portal
Select Azure Active Directory from left Menu
Select Users and groups
Select All Users
Select +New User
Enter Details for new user and click Create

5. Configure SAML Single Sign-on (SSO) within SAC

Log on to your SAP Analytics Cloud tenant using System Owner account.
Go to the menu System > Administration > Security.
Click the 'Pencil Icon' to edit
Select SAML Single Sign-On (SSO).
Click the Upload... button and when prompted select "Metadata.xml" file saved from Azure Portal. See Step 3.6.
Under User Attribute, select Email in the drop-down.
For Verify your account with the identity provider, enter e-mail ID (First.Last@..microsoft.com) of the user created within Azure.
Validating the account.
- Before we can save the configuration we need to validate the configuration.
- You will copy the URL from the validate window and open an Incognito tab in your browser or open a browser in another machine.

Keywords

SAC, Analytics Cloud, IDP, Azure, SSO, SAML, e-mail, attribute, metadata, Microsoft, authentication , KBA , LOD-ANA-AUT , SAC Authentication / Login , LOD-ANA-BI , Business Intelligence Functionality, Analytic Models , LOD-ANA-PL , Planning , LOD-ANA-BR , SAC Boardroom , LOD-ANA-PR , SAC Predictive , LOD-ANA-ADM , SAC Administration , How To

Product

SAP Analytics Cloud 1.0

Attachments

new_user.png