SAP Knowledge Base Article - Public

3716163 - Troubleshooting Issues with Bundled SAP Cloud Identity Services for SAP Analytics Cloud (SAC) *** Collective KBA ***

Symptom

******SAP Internal Only******

  • The Identity Provider Administration tool allows you to create or modify a bundled SAP Cloud Identity Services tenant to work with SAP Analytics Cloud.
  • This document guides SAP Support Engineers on how to troubleshoot issues with bundled SAP Cloud Identity Services using the Identity Provider Administration tool.

Environment

  • SAP Analytics Cloud, Enterprise Edition
  • SAP Cloud Identity Services

Resolution

How to identify if a tenant is bundled

We're going to make a change to the tenant provisioning process where all new tenants are provisioned as "greenfield", meaning:

  • Customers will only be able to use the bundling feature. The self-service SAML option to enable a custom SAML Identity Provider (Legacy Custom IdP) will be disabled for these newly created tenants.
  • Customers won't be able to disable bundling and use a custom IdP. Instead, they can only disable bundling and use the default IdP.

On the other hand, tenants that were provisioned before this change are considered "brownfield" and will be able to use both self-service SAML and the bundling feature.

To check which situation a tenant is in, look at the following two toggles in the Config tab of CIC.

IMPORTANT: Don't share the internal toggles (either name or value) with the customer. Instead, just tell the customer which situation their SAC tenant is in.

| Config Toggle | Value | Description |
|---|---|---|
| SCI_BUNDLING_GREENFIELD | True | greenfield tenant |
| | False | brownfield tenant |
| SAML_SCI_BUNDLE_ENABLED | True | Bundled (using the bundling feature and fully completed the configuration) |
| | False | Not Bundled. |

How to identify if the customer has already started bundling

The customer may be unable to use Self Service SAML: setting up the verification process fails with the error "uploadIdPMetadata failed with 404 status" shown in the network trace. This can happen because the customer may have started the bundling process on IDP Admin.

You can verify this by:

  1. Open the SAC tenant in CIC.
  2. Go to the Config tab.
  3. Look for trustedIdps.
    => There should be an entry with the same name and origin key as the metadata they're trying to upload, but with type: "oidc1.0" instead of type: "saml".

In this case, tell the customer they cannot use this IDP with legacy Self Service SAML as they have started the bundling process. They must complete the bundling process instead. 

Example of Response to Customer:

I see that you have started the bundling process on Identity Provider Administration, which is why you are encountering this error. You cannot use the same IdP with legacy self-service SAML while you are in bundling. If you wish to use legacy Self Service SAML, you must complete the bundling process on Identity Provider Administration (see help https://help.sap.com/docs/SAP_ANALYTICS_CLOUD/00f68c2e08b941f081002fd3691d86a7/d9840fa873e54488b530b81b9dd21616.html) or use a different IdP.

About issues with Configure Authentication for a bundled tenant

  • After your SAP Cloud Identity Services tenant is provisioned, you must configure authentication to work with the selected SAP Analytics Cloud tenant.
  • If the customer is facing any issue in this step, DO NOT guide the customer to disable bundling and revert to the default IdP. This is the incorrect way to reconfigure authentication. It can cause further problems and delays, and make the customer's situation worse.
  • Instead, please focus on fixing the issue through "Configure Authentication", which should result in a quicker fix for the customer and can avoid further problems.
  • On the other hand, if the customer indeed wants to revert to default IdP or another custom IdP, we should help them in that path. 

See Also

  • 3576392 - *MASTER KBA* Cloud Identity Services (IAS/IPS) Bundling with BDC, DSP, and SAC using Identity Provider Administration Tool
  • 3719332 - Options to enable a custom SAML Identity Provider are missing in SAP Analytics Cloud (SAC)
  • 3719380 - Failed to Verify Account due to upload metadata failure when trying to enable custom IdP in SAP Analytics Cloud (SAC)
  • 3719447 - Failed to Validate Login when trying to configure authentication of bundled SAP Cloud Identity Services Tenant in Identity Provider Administration tool

Keywords

SAML, SSO, authentication, Cloud for Analytics, C4P, Cloud4Analytics, CloudforAnalytics, Cloud 4 Planning, C4A, BOC, SAPBusinessObjectsCloud, BusinessObjectsCloud, BOBJ, BOBJcloud, BOCloud., BICloud, BOC, SAC, BDC, IdP, Admin, bundle , KBA , LOD-ANA-AUT , SAC Authentication / Login , How To

Product

SAP Analytics Cloud 1.0