SAP Knowledge Base Article - Public

3545663 - How to implement the SAML2 bearer assertion flow in SAP Analytics Cloud (SAC) by using SAP Destination Service in BTP

Symptom

  • It is now possible to use the SAP BTP Destination Service to implement the SAML2 bearer assertion flow for SAC, so that an application deployed in BTP can obtain access tokens on behalf of the logged-in user and consume the SAC/Datasphere public API with them

Environment

  • SAP Analytics Cloud 2024.21

Resolution

  1. Configure Identity Provider & User Attribute Setup

    These steps are required so that user attributes are propagated from the identity provider to SAC.

    1. Configure the custom IdP as the trusted identity provider of the BTP subaccount where the BTP application is deployed.
    2. The IdP used by the subaccount must be configured to send a static SAML user attribute "Groups" with the value "sac"; SAC requires this attribute for users authenticated by a custom SAML identity provider.
    3. Any other user attributes to be propagated must use the allowlisted attribute names listed in Step 7 of the help document Enable a Custom SAML Identity Provider | SAP Help Portal
          
  2. Establish Trust between BTP Destinations and SAC

    1. Open the SAP BTP subaccount and click the Destinations menu item
    2. Click "Download IDP Metadata"
      This downloads an XML file containing the entityID and the X509Certificate of the Destination Service's SAML signing key. Copy these two values.
    3. Open the SAC System Administration page and click the App Integration tab
    4. Under "Trusted Identity Providers" click "Add a Trusted Identity Provider"
      Assign any value for the Name
      The Provider Name must be the entityID from Step 2 of this section
      The Signing Certificate must be the X509Certificate from Step 2 of this section
      From now on SAC accepts SAML bearer assertions signed with this certificate for any of its users, so restrict who can manage destinations in this subaccount and update this trust entry whenever the certificate is renewed.
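The two values Step 2 asks you to copy sit inside a SAML metadata document with XML namespaces and line-wrapped base64, which is easy to paste wrongly. As an added example (not part of the KBA and not SAP code), the following Python script parses such a metadata file, returns the entityID and the signing certificate(s) as single-line base64 ready for the SAC "Signing Certificate" field, and offers a fingerprint and PEM form for checking what was pasted. The embedded SAMPLE_IDP_METADATA, its entityID and its certificate bytes are constructed placeholders, not values from a real subaccount.

```python
"""Pull entityID and the signing X509Certificate out of the IdP metadata that
Section 2 downloads from the BTP Destinations page. Added example for this
KBA, not SAP code; SAMPLE_IDP_METADATA and its certificate are constructed."""
import base64
import hashlib
import textwrap
import xml.etree.ElementTree as ET

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
DS = "http://www.w3.org/2000/09/xmldsig#"


def extract_trust_values(metadata_xml):
    """Return (entityID, [signing certificates as single-line base64]).

    Only KeyDescriptors usable for signing are taken: use="signing" or no
    'use' attribute (which the SAML metadata spec treats as both uses).
    Whitespace and line breaks inside the certificate element are dropped so
    the value can be pasted straight into the SAC 'Signing Certificate' field."""
    root = ET.fromstring(metadata_xml)
    if root.tag != f"{{{MD}}}EntityDescriptor":
        raise ValueError(f"not a SAML EntityDescriptor: {root.tag}")
    entity_id = root.get("entityID")
    if not entity_id:
        raise ValueError("entityID attribute missing")
    certs = []
    for kd in root.iter(f"{{{MD}}}KeyDescriptor"):
        if kd.get("use") not in (None, "signing"):
            continue  # encryption-only keys are not what SAC verifies assertions with
        for cert in kd.iter(f"{{{DS}}}X509Certificate"):
            certs.append("".join((cert.text or "").split()))
    certs = [c for c in certs if c]
    if not certs:
        raise ValueError("no signing X509Certificate in metadata")
    return entity_id, certs


def cert_fingerprint(cert_b64):
    """SHA-256 fingerprint of the DER bytes, to compare what was pasted into
    SAC with what was downloaded."""
    der = base64.b64decode(cert_b64, validate=True)
    return hashlib.sha256(der).hexdigest()


def to_pem(cert_b64):
    """PEM form, e.g. for 'openssl x509 -noout -subject -dates' to read the
    validity period (the SAC trust entry must be updated when the certificate
    changes)."""
    body = "\n".join(textwrap.wrap(cert_b64, 64))
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"


# Constructed metadata in the shape of a SAML IdP EntityDescriptor. The
# certificate bytes are a placeholder, not a real DER certificate.
SAMPLE_CERT_B64 = base64.b64encode(
    b"constructed placeholder bytes, not a real DER certificate").decode()
SAMPLE_IDP_METADATA = f"""<md:EntityDescriptor xmlns:md="{MD}" xmlns:ds="{DS}"
    entityID="destination-service.example.invalid/subaccount">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>
        {SAMPLE_CERT_B64[:40]}
        {SAMPLE_CERT_B64[40:]}
      </ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:KeyDescriptor use="encryption">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>QUJD</ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>
"""

if __name__ == "__main__":
    entity_id, certs = extract_trust_values(SAMPLE_IDP_METADATA)
    print("Provider Name (entityID):", entity_id)
    for c in certs:
        print("Signing Certificate:", c)
        print("SHA-256 fingerprint:", cert_fingerprint(c))
```

Run it against the downloaded file by replacing SAMPLE_IDP_METADATA with the file's contents; the printed entityID and certificate are the two values to enter in SAC, and the fingerprint lets you confirm later that the trust entry still matches the current metadata.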
            
  3. Create an SAC OAuth client for the destination

    1. Open the SAC System Administration page, click the App Integration tab
    2. Under "OAuth Clients", note the OAuth2SAML Token URL and OAuth2SAML Audience; both are needed for the destination in Section 4
    3. Create a new OAuth Client
       a. Assign any value for the Name
       b. Under Purpose select API Access
       c. Under Access select only the authorizations the application actually needs
       d. Under Authorization Grant select SAML2.0 Bearer
       e. Once you click Add, copy the OAuth Client ID and Secret and store them securely; they are entered into the destination in Section 4
            
  4. Set up destination to SAC public API

    1. Open the SAP BTP subaccount, click the Destinations menu item
    2. Click "Create Destination" and fill in the form as follows
       a. Name: Provide a name for this destination
       b. Type: HTTP
       c. URL: The SAC public API endpoint to be consumed
       d. Proxy Type: Internet
       e. Authentication: OAuth2SAMLBearerAssertion
       f. Audience: The OAuth2SAML Audience copied on Section 3
       g. AuthnContextClassRef: urn:oasis:names:tc:SAML:2.0:ac:classes:PreviousSession
       h. Client Key: OAuth Client ID from Section 3
       i. Token Service URL: OAuth2SAML Token URL from Section 3
       j. Token Service User: OAuth Client ID from Section 3
       k. Token Service Password: Secret from Section 3
       l. Additional Properties
           HTML5.DynamicDestination: true
           HTML5.SetXForwardedHeaders: false
      Information about these fields can be found on the SAP BTP Connectivity page: OAuth SAML Bearer Assertion Authentication | SAP Help Portal
    3. Save
      Once the destination is saved, test the setup using the Destination Service's automated access token retrieval via its REST API: the "find destination" call returns the SAC access token in the authTokens field of the response when the exchange succeeds, and an error message there when it fails. For the detailed procedure, refer to the following documents:
      Automated Access Token Retrieval
      Calling the Destination Service REST API | SAP Help Portal
      API Reference | Destination Service (Cloud Foundry) | SAP Business Accelerator Hub
            
  5. Consuming the destination

    The application reads the destination through the Destination Service with the logged-in user's token, so that the SAML assertion is issued for that user, and sends the returned access token as the Authorization header of its calls to the SAC public API. See the SAP BTP Connectivity documentation on how to consume the Destination Service: Consuming the Destination Service | SAP Help Portal
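As an added example covering the destination of Section 4 and its consumption in Section 5 (not part of the KBA and not SAP code), the Python script below does three things a practitioner wants at this point: it builds the destination body with the property names the Section 4 form writes (the same body the Destination Service accepts on POST .../destination-configuration/v1/subaccountDestinations), it checks an existing destination configuration against the settings above, and, when run with a destination-service binding and a user JWT in the environment, it performs the "find destination" call with the X-user-token header and extracts the SAC bearer token from authTokens. The host names under example.invalid, the destination name sac-api, the environment variable names DESTINATION_BINDING, DEST_NAME and USER_JWT, and SAMPLE_FIND_RESPONSE are constructed placeholders.

```python
"""Check and exercise an OAuth2SAMLBearerAssertion destination for the SAC
public API via the Destination Service REST API. Added example for this KBA,
not SAP code; hosts, names and SAMPLE_FIND_RESPONSE are constructed."""
import base64
import json
import os
import urllib.request

# Values a destination configured as in Section 4 is expected to carry.
EXPECTED_AUTHN_CONTEXT = "urn:oasis:names:tc:SAML:2.0:ac:classes:PreviousSession"
REQUIRED_KEYS = ("Name", "Type", "URL", "ProxyType", "Authentication", "audience",
                 "authnContextClassRef", "clientKey", "tokenServiceURL",
                 "tokenServiceUser", "tokenServicePassword")


def build_destination(name, sac_api_url, audience, token_url, client_id, client_secret):
    """JSON body for POST {uri}/destination-configuration/v1/subaccountDestinations,
    using the property names the Section 4 form writes."""
    return {
        "Name": name, "Type": "HTTP", "URL": sac_api_url, "ProxyType": "Internet",
        "Authentication": "OAuth2SAMLBearerAssertion",
        "audience": audience,
        "authnContextClassRef": EXPECTED_AUTHN_CONTEXT,
        "clientKey": client_id,
        "tokenServiceURL": token_url,
        "tokenServiceUser": client_id,          # SAC OAuth client ID as token service user
        "tokenServicePassword": client_secret,  # SAC OAuth client secret as its password
        "HTML5.DynamicDestination": "true",
        "HTML5.SetXForwardedHeaders": "false",
    }


def check_destination(cfg):
    """Return the list of deviations from the KBA's settings; empty means OK."""
    problems = [f"missing property {k}" for k in REQUIRED_KEYS if not cfg.get(k)]
    if cfg.get("Authentication") != "OAuth2SAMLBearerAssertion":
        problems.append("Authentication must be OAuth2SAMLBearerAssertion")
    if cfg.get("authnContextClassRef") != EXPECTED_AUTHN_CONTEXT:
        problems.append("authnContextClassRef must be PreviousSession")
    if cfg.get("clientKey") != cfg.get("tokenServiceUser"):
        problems.append("clientKey and tokenServiceUser must both be the SAC OAuth client ID")
    for key in ("URL", "tokenServiceURL"):
        if not str(cfg.get(key, "")).startswith("https://"):
            problems.append(f"{key} must use https")
    if str(cfg.get("HTML5.DynamicDestination", "")).lower() != "true":
        problems.append("HTML5.DynamicDestination should be true")
    return problems


def extract_sac_token(find_response):
    """From a 'find destination' response return (SAC URL, Authorization header value).
    Raises when the service could not complete the SAML bearer exchange with SAC."""
    tokens = find_response.get("authTokens") or []
    if not tokens:
        raise RuntimeError("no authTokens: destination is not OAuth2SAMLBearerAssertion "
                           "or no user identity (X-user-token) was supplied")
    tok = tokens[0]
    if "error" in tok:
        raise RuntimeError(f"token retrieval failed: {tok['error']}")
    if str(tok.get("type", "")).lower() != "bearer":
        raise RuntimeError(f"unexpected token type {tok.get('type')!r}")
    return find_response["destinationConfiguration"]["URL"], tok["http_header"]["value"]


# Constructed sample of a successful 'find destination' response (placeholder values).
SAMPLE_FIND_RESPONSE = {
    "owner": {"SubaccountId": "00000000-0000-0000-0000-000000000000", "InstanceId": None},
    "destinationConfiguration": build_destination(
        "sac-api", "https://sac.example.invalid/api/v1", "sac.example.invalid",
        "https://sac.example.invalid/oauth/token", "sac-client-id", "<redacted>"),
    "authTokens": [{"type": "bearer", "value": "eyJ.sample.token", "expires_in": "3600",
                    "http_header": {"key": "Authorization", "value": "Bearer eyJ.sample.token"}}],
}


def _request_json(url, headers, body=None):
    """Minimal HTTPS helper around urllib: POST when a body is given, else GET."""
    data = body.encode() if body is not None else None
    req = urllib.request.Request(url, data=data, headers=headers,
                                 method="POST" if data is not None else "GET")
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


def fetch_sac_token(binding, dest_name, user_jwt):
    """Live flow: client_credentials token for the Destination Service itself, then
    'find destination' with the business user's JWT in X-user-token so the service
    issues the SAML assertion for that user and exchanges it at the SAC token URL."""
    basic = base64.b64encode(f"{binding['clientid']}:{binding['clientsecret']}".encode()).decode()
    svc = _request_json(f"{binding['url']}/oauth/token",
                        {"Authorization": f"Basic {basic}",
                         "Content-Type": "application/x-www-form-urlencoded"},
                        "grant_type=client_credentials")["access_token"]
    found = _request_json(f"{binding['uri']}/destination-configuration/v1/destinations/{dest_name}",
                          {"Authorization": f"Bearer {svc}", "X-user-token": user_jwt})
    return extract_sac_token(found)


if __name__ == "__main__":
    # Assumed inputs: the destination service binding (clientid, clientsecret, url, uri)
    # as JSON and the calling user's JWT, both taken from environment variables.
    binding = json.loads(os.environ["DESTINATION_BINDING"])
    sac_url, auth = fetch_sac_token(binding, os.environ.get("DEST_NAME", "sac-api"),
                                    os.environ["USER_JWT"])
    print(sac_url, auth[:20] + "...")
```

check_destination can also be run on the destinationConfiguration object of a live "find destination" response, which is the quickest way to spot a destination that was saved with a different authentication type or a missing token service property; a response without authTokens usually means the request carried no user identity, and an authTokens entry with an error field carries the message the SAC token endpoint returned.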

See Also

Keywords

Analyticcloud,sac, boc, what's new, hot issue, QRC, SAC, SAP, analyze, API, OAuth, Client, SAML2, assertion, authentication, bearer, how to, destination, BTP service , KBA , LOD-ANA-AUT , SAC Authentication / Login , Problem

Product

SAP Analytics Cloud 1.0