SAP Knowledge Base Article - Public

2991960 - Unable to login to Mobile App with Custom IdP enabled in SAP Analytics Cloud (SAC) & SAP Digital Boardroom

Symptom

The following behavior occurs in the SAP Analytics Cloud Mobile App for iOS and Android (SAC):

  • Unable to log in when a Cloud Foundry hosted SAP Analytics Cloud Tenant is configured with a Custom SAML SSO Identity Provider
  • The following error is displayed: "Logon failed: Authorization Rejected. Please contact your administrator."

Environment

  • SAP Analytics Cloud (Enterprise) 2020.21.x
  • Custom Identity Provider Enabled (e.g. Windows ADFS / SAP Identity Authentication Services)
  • Cloud Foundry (e.g. EU10 / US10)

Reproducing the Issue

  1. Open the SAP Analytics Cloud Mobile App for iOS or Android.
  2. Attempt to access a Tenant hosted in a CF landscape with Custom IdP enabled.
  3. Observe the error.

Cause

This issue is caused by a recent XSUAA library change which now requires the SAML "Groups" attribute to be set to "sac" as per Step 7 in the guide below:

Resolution

Images and data taken from SAP internal systems and demo environments. Any similarity to production data is purely coincidental.

Please note: The following steps must be completed in your Identity Provider, so these changes will require the involvement of your IdP Administrator.

Set the Groups SAML attribute to the value sac. This is a prerequisite of Enabling a Custom SAML Identity Provider with a CF Tenant, as shown in the example below:

Example (SAML Response with Groups=sac):

[Screenshot: Correct SAML Attributes]

If you are using the SAP Cloud Platform Identity Authentication Service (SAP IAS) as your IdP, map the Groups attribute under Default Attributes for your SAP Analytics Cloud application. The remaining attributes should be mapped under Assertion Attributes for your SAP Analytics Cloud application.

Example (Groups in IAS):

[Screenshot: Groups in IAS]

Example (Groups in Windows ADFS):

[Screenshot: ADFS Example]

How to test if the "Groups=sac" Static Attribute has been set correctly:

AWS CF Tenants (e.g. EU10 / US10)

Please navigate to the URL below and check that the SAML groups [sac] parameter is displayed:

https://<tenantname>.authentication.<regionhost>.hana.ondemand.com/config?action=who&details=true

e.g. https://mycustomername.authentication.eu10.hana.ondemand.com/config?action=who&details=true

China AliCloud Tenants (e.g. CN40)

https://<tenantname>.authentication.cn40.platform.sapcloud.cn/config?action=who&details=true

e.g. https://mycustomername.authentication.cn40.platform.sapcloud.cn/config?action=who&details=true
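
As a complement to the URL check above, the following is an added example (not part of the SAP article and not SAP tooling): a Python check that a SAML response captured from your own IdP carries the Groups attribute with the value sac. The sample response, the function names and the exact, case-sensitive comparison are assumptions; the script does not validate signatures, so it is for attribute troubleshooting only.

```python
import base64
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample: trimmed, unsigned SAML 2.0 response with made-up values.
SAMPLE_RESPONSE = """\
<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
                xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Assertion>
    <saml:AttributeStatement>
      <saml:Attribute Name="Groups">
        <saml:AttributeValue>sac</saml:AttributeValue>
      </saml:Attribute>
      <saml:Attribute Name="email">
        <saml:AttributeValue>user@example.com</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""


def decode_post_binding(form_value):
    """The HTTP-POST binding carries the response as plain base64."""
    return base64.b64decode(form_value).decode("utf-8")


def saml_attributes(response_xml):
    """Map each assertion attribute name to its list of values."""
    root = ET.fromstring(response_xml)
    attrs = {}
    for attr in root.iterfind(".//saml:Attribute", NS):
        values = [(v.text or "").strip() for v in attr.iterfind("saml:AttributeValue", NS)]
        attrs.setdefault(attr.get("Name", ""), []).extend(values)
    if not attrs and root.find(".//saml:EncryptedAssertion", NS) is not None:
        raise ValueError("assertion is encrypted; decrypt it before checking")
    return attrs


def check_groups(response_xml, required="sac"):
    """Return (ok, reason) for the Groups=sac prerequisite from the KBA."""
    attrs = saml_attributes(response_xml)
    if "Groups" not in attrs:
        # Assumption: name and value are compared exactly as the KBA spells them.
        near = [n for n in attrs if n.lower() == "groups"]
        return False, f"no 'Groups' attribute (similar names: {near})"
    if required not in attrs["Groups"]:
        return False, f"Groups is {attrs['Groups']}, expected '{required}'"
    return True, "Groups=sac present"
```

Pass the decoded SAMLResponse form field from a browser SAML trace to check_groups; a False result names the attribute or value the IdP administrator needs to correct.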

For more information, please refer to KBA 2922448 - SAML Attribute Mapping in SAP Analytics Cloud (SAC) & SAP Digital Boardroom Master KBA.

Product

SAP Analytics Cloud 1.0