CRM and CX Blog Posts by SAP
Stay up-to-date on the latest developments and product news about intelligent customer experience and CRM technologies through blog posts from SAP experts.
cianbarrett
Product and Topic Expert

SAP Sales and Service V2 (V2) has no native analytics. Instead, SAP Analytics Cloud, embedded edition (eSAC) is offered as part of the product, and it can only be accessed through Single Sign-On.

The steps below are outlined in the Help Portal under the section Configure Single Sign-On for SAP Analytics Cloud, but this blog dives deeper into them, providing examples and annotated screenshots.

So let's get to it!

Configuration of Single Sign-On (SSO)

eSAC only allows for SSO authentication and this requires configuration of four systems:

  • SAP Sales and Service Cloud V2 (V2)
  • SAP Analytics Cloud, embedded edition (eSAC)
  • SAP Business Technology Platform (BTP for eSAC live connectivity)
  • SAP Cloud Identity Services (IAS) or third-party Identity Provider (IdP)

SSO works by simply comparing the value of a Subject Name Identifier specified in each system, and it is the IdP that plays the central role in authenticating users across all systems. This allows for easy, safe and secure login for your end users.

IdP at the center!

Onboarding of eSAC Tenant

The first step is to onboard Analytics in your tenant. Onboarding of the eSAC tenant on BTP is triggered from the V2 tenant by the customer.

  1. Go to Settings under the user menu.
  2. Search and open SSO Configuration for SAP Analytics Cloud under All Settings.
  3. Click SAC Tenant Onboarding.

Note: This will take some time to complete.


Download of SSO Metadata from V2 for Upload into your IdP

The metadata contains the SAML authentication instructions in XML format needed for SSO across all the systems. Three of these metadata files are needed to complete the configuration of the IdP.

Download V2 metadata:

  1. Go to Settings under the user menu.
  2. Search and open Identity Provider Configuration under All Settings.
  3. Click Download Metadata.


Download eSAC and BTP metadata:

  1. Go to Settings under the user menu.
  2. Search and open SSO Configuration for SAP Analytics Cloud under All Settings.
  3. Click Download Metadata.

Note: The downloaded ZIP file contains two XML files.
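
As an added illustration (not part of the original post and not SAP tooling), this Python script reads one downloaded metadata file and reports its role, entity ID, NameID formats and endpoints, so that each file can be matched to the right IdP application before upload. The sample XML and its `example.test` values are constructed placeholders.

```python
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}

# Constructed sample; entity ID, URL and certificate are placeholders.
SAMPLE_SP_METADATA = """
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    entityID="https://sp.example.test/saml">
  <md:SPSSODescriptor
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>PLACEHOLDER</ds:X509Certificate>
    </ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</md:NameIDFormat>
    <md:AssertionConsumerService index="0"
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://sp.example.test/saml/acs"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>
"""

def summarize_metadata(xml_text):
    """Summarize one SAML metadata file and list points to review before upload."""
    # Meant for files from your own tenant; use a hardened parser for untrusted XML.
    root = ET.fromstring(xml_text.strip())
    if root.tag != "{%s}EntityDescriptor" % NS["md"]:
        raise ValueError("not a SAML 2.0 EntityDescriptor")
    for role_name, tag, endpoint in (
            ("SP", "SPSSODescriptor", "AssertionConsumerService"),
            ("IdP", "IDPSSODescriptor", "SingleSignOnService")):
        role = root.find("md:" + tag, NS)
        if role is not None:
            break
    else:
        raise ValueError("no SP or IdP role descriptor found")
    endpoints = [e.get("Location", "") for e in role.findall("md:" + endpoint, NS)]
    certs = role.findall("md:KeyDescriptor/ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS)
    review = [f"endpoint is not HTTPS: {url}" for url in endpoints
              if not url.lower().startswith("https://")]
    if not certs:
        review.append("no X.509 certificate in metadata")
    formats = [(n.text or "").strip() for n in role.findall("md:NameIDFormat", NS)]
    return {"role": role_name, "entity_id": root.get("entityID"),
            "name_id_formats": formats, "endpoints": endpoints, "review": review}

if __name__ == "__main__":
    print(summarize_metadata(SAMPLE_SP_METADATA))
```

The V2, eSAC and BTP files should report the SP role, while the file downloaded from the IdP later in the procedure should report the IdP role.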


The following steps are relevant if the customer is using the IAS IdP:

  1. Go to Application & Resources and select Applications.
  2. Click Create.
  3. Choose a Display Name and click + Create.
  4. Go to the Trust setting SAML 2.0 Configuration, click Browse… and select the XML file.
  5. Save this Application.
  6. Repeat the same steps for V2, eSAC and BTP.


Checkpoint!

Over halfway there! You should now have three separate applications in the IdP for the three systems:

  • SAP Sales and Service Cloud V2 (V2)
  • SAP Analytics Cloud, embedded edition (eSAC)
  • Business Technology Platform (BTP)

Defining the Subject Name Identifier and Creation of Users in the IdP

At this point you need to define which attribute to use for authentication in the IdP. You define this for each Application separately under the Trust setting Subject Name Identifier.

Using Basic Configuration, the administrator selects a basic attribute that corresponds to an attribute of the User Details in the IdP. The value of this attribute becomes the authenticating value that will be compared against the Subject Name Identifier of the different systems to uniquely validate the user. 

For V2 and eSAC, both usernames and emails are allowed; for BTP, however, only an email can be used.

Note: Which attribute is chosen doesn’t necessarily matter, as long as it contains the expected value.

Now that we have chosen the Subject Name Identifier, we need to actually create the users in the IdP with the required basic attribute provided, as this will be the system that all users initially log into.

  1. Go to User Management under Users and Authorizations.
  2. Click +Add.
  3. Fill mandatory details and click +Add.


Example 1: 

V2 User ID: SAPUSER1

Email Address: sapuser1@sap.test

To configure eSAC for User ID, SAPUSER1 will be the authenticating value. The recommendation is then to use Login Name as the Subject Name Identifier in the eSAC-IdP Application and ensure that there is a corresponding user in the IdP where SAPUSER1 is maintained for this basic attribute. 

In the BTP-IdP setting, you can only use email. The recommendation is then to only use Email as the Subject Name Identifier in the BTP-IdP Application.

Example 2: 

V2 User ID: SAPUSER2@SAP.TEST

Email Address: sapuser2@sap.test

To configure eSAC for email, sapuser2@sap.test will be the authenticating value. The recommendation is then to use Email as the Subject Name Identifier in the eSAC-IdP and BTP-IdP Application and ensure that there is a corresponding user in the IdP where sapuser2@sap.test is maintained for this basic attribute.

If you have maintained SAPUSER2@SAP.TEST or SapUser2@sap.test under the user attributes in the IdP, authentication to eSAC will fail, as the comparison is case sensitive.
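
The pre-flight check below is an added example (not from the original post or from SAP) that compares IdP user attributes against the V2 values before SSO goes live, using constructed data based on Example 1 and Example 2. It assumes that Login Name must equal the V2 User ID and Email must equal the V2 email address, and it treats every comparison as exact, which the post states only for eSAC; the attribute names `login_name` and `email` are hypothetical.

```python
from collections import Counter

# Attributes each IdP application may use as Subject Name Identifier, per the post.
ALLOWED = {"V2": {"login_name", "email"},
           "eSAC": {"login_name", "email"},
           "BTP": {"email"}}

# Constructed sample data based on Example 1 and Example 2 of the post.
V2_USERS = [
    {"user_id": "SAPUSER1", "email": "sapuser1@sap.test"},
    {"user_id": "SAPUSER2@SAP.TEST", "email": "sapuser2@sap.test"},
]
IDP_USERS = [
    {"login_name": "SAPUSER1", "email": "sapuser1@sap.test"},
    {"login_name": "SAPUSER2", "email": "SapUser2@sap.test"},  # wrong case
]


def check_name_ids(app_attr, v2_users, idp_users):
    """Return sorted (application, V2 user ID, problem) tuples; empty means OK."""
    problems = []
    for app, attr in app_attr.items():
        if attr not in ALLOWED[app]:
            problems.append((app, "*", f"{attr} is not allowed for {app}"))
            continue
        # Values the IdP would send as Subject Name Identifier for this application.
        sent = Counter(u[attr] for u in idp_users if u.get(attr))
        folded = {value.lower() for value in sent}
        for user in v2_users:
            # Assumption: Login Name must equal the V2 User ID, Email the V2 email.
            expected = user["user_id"] if attr == "login_name" else user["email"]
            if sent[expected] == 1:
                continue
            if sent[expected] > 1:
                problem = "value maintained for more than one IdP user"
            elif expected.lower() in folded:
                problem = "case mismatch"
            else:
                problem = "no IdP user with this value"
            problems.append((app, user["user_id"], problem))
    return sorted(problems)


if __name__ == "__main__":
    for row in check_name_ids({"eSAC": "email", "BTP": "email"}, V2_USERS, IDP_USERS):
        print(*row, sep=" | ")
```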

Download of the IdP SSO Metadata and Upload of IdP Metadata in V2

We're almost there! A fourth metadata file must be downloaded from the configured IdP and this contains settings that enable this IdP for user authentication. This is found in SAML 2.0 Configuration in the Tenant Settings.


  1. Back in your V2 tenant, reopen Identity Provider Configuration setting and click + under Trusted Identity Providers.
  2. Select the appropriate Subject Name Identifier.
  3. Choose an Alias, upload the metadata XML file and save.


Reopen SSO Configuration for SAP Analytics Cloud and click + under Trusted Identity Providers to select the IdP uploaded previously. 

This will replicate the metadata and the selected Subject Name Identifier to both the SAC and BTP systems automatically. This will take a couple of minutes.

Note: If the upload is taking longer, please revisit the screen after a couple of hours until it shows failed. Then try the upload again once.

User replication from V2 to eSAC will happen automatically once the metadata has successfully been sent.

Congratulations! Analytical capabilities have now been configured on your new V2 tenant! After 24 hours the pre-delivered stories will be available under Design Stories and these can be assigned to your Business Roles as required.

Alternative Configuration - Microsoft Entra ID

There are many third-party IdPs that can be used for SSO and the most common one is Microsoft Entra ID. Microsoft Entra ID handles the IdP metadata in a different way, so there are some alternative steps to consider. For IAS, we only have one metadata file downloadable from the IdP. For Microsoft Entra, we have a separate metadata file for each application.

You also need to create your own application for SAP BTP, but you can select SAP Cloud for Customer and SAP Analytics Cloud from the App Gallery for V2 and eSAC respectively.


Once the application is created, you can navigate to the SAML configuration screen via the Overview.

Upload and then Save the default configuration settings under Basic SAML Configuration.

Note: As per SAP IAS configuration, you need to do these steps for each of the relevant systems. You will again have three applications in your IdP at the end.


Download the generated Federation Metadata XML from Microsoft Entra IdP... 

...and upload the file for each of these three applications separately on the Configure Identity Provider and Configure Single Sign-On for SAC UI Screen in V2.

So, depending on your IdP, you will need to refer to the documentation and apply the relevant steps.

Please feel free to comment below and keep an eye out for future blogs on this topic!
