Symptom
- After successfully configuring SAP Analytics Cloud to use Microsoft Azure IDP as a Custom SAML SSO Identity Provider for authentication with SAP Analytics Cloud tenant, after several days, the login will fail with error
"Response doesn't have any valid assertion which would pass subject validation" - When the error occurs in one client browser, the login will continue to fail with this error.
- After cleaning browser cache the issue no longer persists but after some days, the same error may occur again.
- Issue does not persist in Incognito Window (Private Mode)
- The error can occur intermittently if the parameter OneTimeUse is set on IdP side.
Environment
- SAP Analytics Cloud (Enterprise)
Cause
- The authentication was rejected because there was too great a difference between the time the authentication was initiated (IssueInstant) and the time when the IDP last authenticated the user (AuthnInstant).
- The default for maxAuthenticationAge in SAP Cloud Platform was 90 days. See SAP NOTE: 2817768
- The issue only occurs, if an SAML2 IDP issues in an SAML2 Assertion an AuthnInstant time and current time+date differs more than 90 days.
- OneTimeUse condition (set on the IDP side of the assertion) is not supported by the service that handles SAML between IdP and SAC.
Resolution
In Microsoft Azure IDP side, configure authentication session management to make sure the session lifetime should be less than 90 days.
See Microsoft document: https://docs.microsoft.com/en-us/azure/active-directory/conditional-access/howto-conditional-access-session-lifetime
See Also
- 2569847 - Where can you find SAC user assistance (help) to use, configure, and operate it more effectively?
- Have a question? Ask it here and let our amazing SAP community help! Or reply and share your knowledge!
- 2487011 - What information do I need to provide when opening an case for SAP Analytics Cloud?
- SAP Analytics Cloud > Learning > Guided Playlists
- SAP Analytics Cloud > Learning > Guided Playlists > Getting Support
- Need More Help? Contact Support or visit the solution finder today!
- 3021277 - Response doesn't have any valid assertion which would pass subject validation - SSO error on Cloud Foundry
Your feedback is important to help us improve our knowledge base.
Keywords
SAP Cloud for Planning, sc4p, c4p, cforp, cloudforplanning, Cloud for Analytics, Cloud4Analytics, CloudforAnalytics, Cloud 4 Planning, BOC, SAPBusinessObjectsCloud, BusinessObjectsCloud, BOBJcloud, BOCloud., SAC, SAP AC, Cloud-Analytics, CloudAnalytics, SAPCloudAnalytics,Error, Issue, System, Data, User, Unable, Access, Connection, Sac, Connector, Live, Acquisition, Up, Set, setup, Model, BW, Connect, Story, Tenant, Import, Failed, Using, Working, SAML, SSO, sapanalyticscloud, sap analytical cloud, sap analytical cloud, SAC , KBA , sac authentication issue , assertion which would pass subject valid , response doesn't have any valid assertio , subject validation , ms edge not working for a specific user. , LOD-ANA-AUT , SAC Authentication / Login , Problem