SAP Knowledge Base Article - Public

2991960 - Unable to login to Mobile App with Custom IdP enabled in SAP Analytics Cloud (SAC) & SAP Digital Boardroom


The following behavior occurs in the SAP Analytics Cloud Mobile App for iOS and Android (SAC):

  • Unable to log in when a Cloud Foundry hosted SAP Analytics Cloud Tenant is configured with a Custom SAML SSO Identity Provider
  • Logon failed: Authorization Rejected. Please contact your administrator.


  • SAP Analytics Cloud (Enterprise) 2020.21.x
  • Custom Identity Provider Enabled (e.g. Windows ADFS / SAP Identity Authentication Services)
  • Cloud Foundry (e.g. EU10 / US10)

Reproducing the Issue

  1. Open the SAP Analytics Cloud Mobile App for iOS or Android.
  2. Attempt to access a Tenant hosted in a CF landscape with Custom IdP enabled.
  3. Observe the error.


This issue is caused by a recent XSUAA library change which now requires the SAML "Groups" attribute to be set to "sac" as per Step 7 in the guide below:


Images and data taken from SAP internal systems and demo environments. Any similarity to production data is purely coincidental.

Please note: The following steps must be completed in your Identity Provider so these changes will require the involvement of your IdP Administrator

Set the Groups SAML Attribute to Value = sac as per the prerequisite of Enabling a Custom SAML Identity Provider with a CF Tenant as per the example below:

Example (SAML Response with Groups=sac):

Correct SAML Attributes - Copy.PNG

If you are using the SAP Cloud Platform Identity Authentication Service (SAP IAS) as your IdP, map the Groups attribute under Default Attributes for your SAP Analytics Cloud application. The remaining attributes should be mapped under Assertion Attributes for your SAP Analytics Cloud application.

Example (Groups in IAS):

Groups in IAS - Copy.PNG

Example (Groups in Windows ADFS):

ADFS Example.png

How to test if the "Groups=sac" Static Attribute has been set correctly:

AWS CF Tenants (eg. EU10 / US10)

Please navigate to the URL below and check that the SAML groups [sac] parameter is displayed:



China AliCloud Tenants (eg. CN40)



For more information please refer to KBA 2922448 - SAML Attribute Mapping in SAP Analytics Cloud (SAC) & SAP Digital Boardroom Master KBA

See Also

Your feedback is important to help us improve our knowledge base.


SAP Cloud for Planning, sc4p, c4p, cforp, cloudforplanning, Cloud for Analytics, Cloud4Analytics, CloudforAnalytics, Cloud 4 Planning, BOC, SAPBusinessObjectsCloud, BusinessObjectsCloud, BOBJcloud, BOCloud., SAC, SAP AC, Cloud-Analytics, CloudAnalytics, SAPCloudAnalytics,Error, Issue, System, Data, User, Unable, Access, Connection, Sac, Connector, Live, Acquisition, Up, Set, setup, Model, BW, Connect, Story, Tenant, Import, Failed, Using, Working, SAML, SSO, sapanalyticscloud, sap analytical cloud, sap analytical cloud, SAC, sap analyst cloud, connected, failure, stopped , KBA , cf , please contact your administrator. , logon failed: authorization rejected. pl , mobile sac groups , 2.80.0) does not work anymore , sap analytics cloud app (for ios, 2.80. , issues work anymore on iphone or ipad pr , iphone or ipad pro , LOD-ANA-MOB , SAC Mobile , LOD-ANA-AUT , SAC Authentication / Login , LOD-ANA-MOB-AND , SAC Mobile Android Specific , LOD-ANA-MOB-IOS , SAC Mobile IOS specific , Problem


SAP Analytics Cloud 1.0