Symptom
- It is now possible to use the SAP BTP Destination Service to implement the SAML2 bearer assertion flow in SAC and obtain tokens for consuming the SAC/Datasphere public API.
Environment
- SAP Analytics Cloud 2024.21
Resolution
- Configure Identity Provider & User Attribute Setup
These steps are required for user attributes to be propagated from the identity provider to SAC.
- Configure the Custom IdP on the BTP subaccount where the BTP app is deployed.
- The IdP used in the subaccount should be configured to send a static SAML user attribute "Groups" with the value of "sac".
- Other user attributes to be propagated should follow the allowlisted attribute names, as mentioned in Step 7 of the help document Enable a Custom SAML Identity Provider | SAP Help Portal
- Establish Trust between BTP Destinations and SAC
- Open the SAP BTP subaccount, click the Destinations menu item
- Click on "Download IDP Metadata"
This will download an XML file containing the entityID and the X509Certificate. Copy these 2 fields.
- Open the SAC System Administration page, click the App Integration tab
- Under "Trusted Identity Providers" click on "Add a Trusted Identity Provider"
Assign any value for the Name
The Provider Name should be the entityID from Step ii in Section 2
The Signing Certificate should be the X509Certificate from Step ii in Section 2
- Create an SAC OAuth client for the destination
- Open the SAC System Administration page, click the App Integration tab
- Under "OAuth Clients", save the OAuth2SAML Token URL and OAuth2SAML Audience
- Create a new OAuth Client
a. Assign any value for the Name
b. Under Purpose select API Access
c. Under Access select the required authorizations
d. Under Authorization Grant select SAML2.0 Bearer
e. Once you click Add, copy the OAuth Client ID and Secret
- Set up destination to SAC public API
- Open the SAP BTP subaccount, click the Destinations menu item
- Click "Create Destination" and fill in the form as follows
a. Name: Provide a name for this destination
b. Type: HTTP
c. URL: The SAC public API endpoint consumed
d. Proxy Type: Internet
e. Authentication: OAuth2SAMLBearerAssertion
f. Audience: The OAuth2SAML Audience copied in Section 3
g. AuthnContextClassRef: urn:oasis:names:tc:SAML:2.0:ac:classes:PreviousSession
h. Client Key: OAuth Client ID from Section 3
i. Token Service URL: OAuth2SAML Token URL from Section 3
j. Token Service User: OAuth Client ID from Section 3
k. Token Service Password: Secret from Section 3
l. Additional Properties:
HTML5.DynamicDestination: true
HTML5.SetXForwardedHeaders: false
Information about these fields can be found on the SAP BTP Connectivity page: OAuth SAML Bearer Assertion Authentication | SAP Help Portal
Once the destination is set up, test it using the Destination Service's automated access token retrieval via API. For the detailed procedure, refer to the documents below:
Automated Access Token Retrieval
Calling the Destination Service REST API | SAP Help Portal
API Reference | Destination Service (Cloud Foundry) | SAP Business Accelerator Hub
- Save
- Consuming the destination
See the SAP BTP Connectivity documentation on how to consume the Destination Service: Consuming the Destination Service | SAP Help Portal
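The test recommended above can be checked in code. The following is an added example, not part of the KBA or SAP's own code: it inspects the JSON returned by the Destination Service "find destination" call, compares the configuration with the values listed in this procedure, and reports whether a token was issued without ever printing it. The response shape (destinationConfiguration, authTokens, http_header, error) and the property key names are assumptions taken from the Destination Service documentation, and the sample responses are constructed.

```python
import json

# Values this KBA prescribes for the destination. Key names are assumed to be
# the Destination Service property names; adjust if your tenant differs.
EXPECTED = {
    "Type": "HTTP",
    "ProxyType": "Internet",
    "Authentication": "OAuth2SAMLBearerAssertion",
    "authnContextClassRef": "urn:oasis:names:tc:SAML:2.0:ac:classes:PreviousSession",
}
REQUIRED = ("URL", "audience", "clientKey", "tokenServiceURL", "tokenServiceUser")

def check_destination(response_text):
    """Return (problems, auth_header) for a 'find destination' JSON response."""
    body = json.loads(response_text)
    cfg = body.get("destinationConfiguration", {})
    problems = [f"{k}: expected {v!r}, got {cfg.get(k)!r}"
                for k, v in EXPECTED.items() if cfg.get(k) != v]
    problems += [f"{k}: missing" for k in REQUIRED if not cfg.get(k)]
    for url_key in ("URL", "tokenServiceURL"):
        # Client secret and assertion travel to these endpoints: require TLS.
        if cfg.get(url_key) and not cfg[url_key].startswith("https://"):
            problems.append(f"{url_key}: not https")
    auth_header = None
    for tok in body.get("authTokens", []):
        if tok.get("error"):  # token exchange with SAC failed
            problems.append(f"token retrieval failed: {tok['error']}")
        elif tok.get("http_header"):
            auth_header = tok["http_header"]  # {"key": ..., "value": ...}
    if auth_header is None and not body.get("authTokens"):
        problems.append("no authTokens returned")
    return problems, auth_header

# Constructed sample responses (hypothetical tenant, placeholder values).
CFG = {"Name": "sac-api", "URL": "https://tenant.example.invalid/api/v1", **EXPECTED,
       "audience": "constructed-audience", "clientKey": "constructed-client-id",
       "tokenServiceURL": "https://tenant.example.invalid/oauth/token",
       "tokenServiceUser": "constructed-client-id"}
SAMPLE_OK = json.dumps({"destinationConfiguration": CFG, "authTokens": [
    {"type": "Bearer", "value": "constructed-token",
     "http_header": {"key": "Authorization", "value": "Bearer constructed-token"}}]})
SAMPLE_BAD = json.dumps({"destinationConfiguration": {**CFG, "ProxyType": "OnPremise",
    "tokenServiceURL": "http://tenant.example.invalid/oauth/token"},
    "authTokens": [{"type": "", "value": "", "error": "constructed error text"}]})

if __name__ == "__main__":
    for name, sample in (("ok", SAMPLE_OK), ("bad", SAMPLE_BAD)):
        problems, header = check_destination(sample)
        # Report only whether a token came back; never log its value.
        print(name, "token issued:", bool(header), "problems:", problems)
```
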
See Also
- Integrating with SAP Datasphere Consumption APIs u... - SAP Community
- SAP Analytics Cloud: Q4 2024 Release's Features with Experts & Demos
- 2487011 - What information do I need to provide when opening a case for SAP Analytics Cloud?
- 2511489 - Troubleshooting performance issues in SAP Analytics Cloud (Collective KBA)
- 2728183 - SAP Analytics Cloud (SAC) Release & Delivery Schedule - SAP for Me
- 2888562 - Intelligent Enterprise Suite: Harmonized release calendar for SAP Cloud products - SAP for Me
Keywords
Analyticcloud,sac, boc, what's new, hot issue, QRC, SAC, SAP, analyze, API, OAuth, Client, SAML2, assertion, authentication, bearer, how to, destination, BTP service , KBA , LOD-ANA-AUT , SAC Authentication / Login , Problem
Product
SAP Analytics Cloud 1.0