Symptom
The following behavior occurs in the SAP Analytics Cloud Mobile App for iOS and Android (SAC):
- Unable to log in when a Cloud Foundry hosted SAP Analytics Cloud Tenant is configured with a Custom SAML SSO Identity Provider
- Logon failed: Authorization Rejected. Please contact your administrator.
Environment
- SAP Analytics Cloud (Enterprise) 2020.21.x
- Custom Identity Provider Enabled (e.g. Windows ADFS / SAP Identity Authentication Services)
- Cloud Foundry (e.g. EU10 / US10)
Reproducing the Issue
- Open the SAP Analytics Cloud Mobile App for iOS or Android.
- Attempt to access a Tenant hosted in a CF landscape with Custom IdP enabled.
- Observe the error.
Cause
This issue is caused by a recent XSUAA library change which now requires the SAML "Groups" attribute to be set to "sac" as per Step 7 in the guide below:
- Enabling a Custom SAML Identity Provider - https://help.sap.com/viewer/00f68c2e08b941f081002fd3691d86a7/release/en-US/3651184dad944aa2b361ad029a7a8cae.html
Resolution
Please note: The following steps must be completed in your Identity Provider, so these changes require the involvement of your IdP Administrator.
Set the Groups SAML Attribute to Value = sac, which is a prerequisite of Enabling a Custom SAML Identity Provider with a CF Tenant, as shown in the example below:
Example (SAML Response with Groups=sac):
If you are using the SAP Cloud Platform Identity Authentication Service (SAP IAS) as your IdP, map the Groups attribute under Default Attributes for your SAP Analytics Cloud application. The remaining attributes should be mapped under Assertion Attributes for your SAP Analytics Cloud application.
Example (Groups in IAS):
Example (Groups in Windows ADFS):
How to test if the "Groups=sac" Static Attribute has been set correctly:
AWS CF Tenants (e.g. EU10 / US10)
Please navigate to the URL below and check that the SAML groups [sac] parameter is displayed:
https://<tenantname>.authentication.<regionhost>.hana.ondemand.com/config?action=who&details=true
e.g. https://mycustomername.authentication.eu10.hana.ondemand.com/config?action=who&details=true
China AliCloud Tenants (e.g. CN40)
https://<tenantname>.authentication.cn40.platform.sapcloud.cn/config?action=who&details=true
e.g. https://mycustomername.authentication.cn40.platform.sapcloud.cn/config?action=who&details=true
For more information please refer to KBA 2922448 - SAML Attribute Mapping in SAP Analytics Cloud (SAC) & SAP Digital Boardroom Master KBA
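An offline complement to the URL check above, as an added example that is not part of the original KBA or SAP's own code: it decodes a base64 SAMLResponse captured from a login against your own IdP and reports whether the assertion carries Groups=sac. It assumes an exact, case-sensitive match on the attribute name and value, does not verify signatures, and runs on a constructed sample response; the function names are hypothetical.

```python
import base64
import xml.etree.ElementTree as ET

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample (not a real IdP response); unsigned, for illustration only.
SAMPLE_XML = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Assertion>
    <saml:AttributeStatement>
      <saml:Attribute Name="email">
        <saml:AttributeValue>user@example.com</saml:AttributeValue>
      </saml:Attribute>
      <saml:Attribute Name="Groups">
        <saml:AttributeValue>sac</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""


def saml_attributes(b64_response):
    """Decode a base64 SAMLResponse (HTTP-POST binding) into {name: [values]}."""
    root = ET.fromstring(base64.b64decode(b64_response))
    if root.find(".//saml:EncryptedAssertion", SAML_NS) is not None:
        raise ValueError("assertion is encrypted; attributes are not readable")
    attrs = {}
    for attr in root.iterfind(".//saml:Attribute", SAML_NS):
        values = [(v.text or "").strip()
                  for v in attr.iterfind("saml:AttributeValue", SAML_NS)]
        attrs.setdefault(attr.get("Name"), []).extend(values)
    return attrs


def check_groups(b64_response, expected="sac"):
    """Return (ok, reason). Assumption: name and value must match exactly."""
    attrs = saml_attributes(b64_response)
    if "Groups" not in attrs:
        near = [n for n in attrs if n and n.lower() == "groups"]
        hint = f"; found differently cased {near}" if near else ""
        return False, "no 'Groups' attribute in assertion" + hint
    if expected not in attrs["Groups"]:
        return False, f"Groups present but values are {attrs['Groups']}"
    return True, f"Groups contains '{expected}'"


if __name__ == "__main__":
    print(check_groups(base64.b64encode(SAMPLE_XML.encode())))
```

A captured response contains user identity data, so treat it as sensitive and keep it out of tickets and shared logs.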
See Also
- 2922448 - SAML Attribute Mapping in SAP Analytics Cloud (SAC) & SAP Digital Boardroom Master KBA
- 2569847 - Where can you find SAC user assistance (help) to use, configure, and operate it more effectively?
- 2487011 - What information do I need to provide when opening a case for SAP Analytics Cloud?