Human Capital Management Blogs by SAP
Get insider info on SAP SuccessFactors HCM suite for core HR and payroll, time and attendance, talent management, employee experience management, and more in this SAP blog.
cancel
Showing results for 
Search instead for 
Did you mean: 
yogananda
Product and Topic Expert
Product and Topic Expert
2,625

Dear All,

Here are some common basic troubleshooting steps for embedded analytics authentication and authorization:

    • Check the authentication settings. Make sure that the authentication settings in the embedded analytics solution are correct. This includes the authentication method, the authentication server, and the authentication credentials.
    • Check the authorization settings. Make sure that the user has the appropriate permissions to access the embedded analytics solution. This includes the user's role, the user's group and the user's permissions on the data sources.
    • Check the user's login status. Make sure that the user is logged in to the embedded analytics solution. If the user is not logged in, they will not be able to access the solution.
    • Check the browser's cookies. Make sure that the browser's cookies are enabled. Cookies are used to store the user's authentication credentials, so if cookies are disabled, the user will not be able to authenticate to the embedded analytics solution.
    • Check the firewall settings. Make sure that the firewall settings allow traffic to the embedded analytics solution. If the firewall is blocking traffic, the user will not be able to access the solution.
    • Check the network connectivity. Make sure that the user has a good network connection. If the network connection is poor, the user may experience authentication or authorization errors.

Follow all the below neccessary steps when Users faces any issues in Authentication and Authorization

What cookies are used in SAP Analytics Cloud (SAC)

Here are the available cookies set for SAC

Set By Cookie Purpose When Set

ApprouterJSESSIONIDSingle cookie placed on the users device so the server can identify the user.Created as a browser session cookie whenever a new user visits SAC site.
The value is not updated unless the current session ends, in which case a completely new JSESSIONID cookie is set.
x-sap-boc-refererSingle cookie placed on the users device to track request referrerCreated as a browser session cookie when authenticating with SAC
HANA xsjs code**x-sap-boc-pusher-countSingle cookie placed on the users device to track session stateCreated as a browser session cookie after successfully authenticated in SAC
HANAxsSecureId*Single cookie placed on the users device so the backend hana server can identify the user.Created as a browser session cookie after successfully authenticated in SAC
sapxslbSingle cookie placed on the users device to ensure sticky backend hana sessionCreated when client first time access the hana server.
PlatformBIGipServer*Used for BIGIP to route traffic and ensure sticky sessionCreated when client first time access the server.
JTENANTSESSION_<tenantid>This cookie is issued along with the JSESSIONID cookie and is used for session consistency - if it is not send along with the JSESSIONID cookie then the session will be considered invalidThe cookie is issued after successful authentication by the application runtime.
mdsourcrs*Multi-Domain cookie which contains the URL and some additional information about the application that has triggered the authentication so that a redirect to this application is made after successful authentication.The cookie is issued during authentication by the authentication login modules in regular platform domains scenario
'ouc*'Realy state cookie which contains the URL and some additional information about application that has triggered the authentication.The cookie is issued during authentication by the authentication login module in custom domains scenario


How do I allow third-party cookies in my web browser settings?

How to enable in your browser settings

To allow third-party cookies in the web browser please check the links provided below for the most popular browsers:

Google Chrome

In Chrome, go to the "customize" … menu and open the "settings" and search for "block". Or open this URL: chrome://settings/cookies?search=block

Set the "General settings" to "Allow all cookies" as here.

Firefox

Firefox works out-of-the-box with the "Standard" security settings

Safari

Here´s the way to setup Safari (untested): Open "Settings" and click on "Preferences". Then, select the "Privacy tab" and deselect the checkbox before the "Prevent cross-site tracking" option. Deselect the checkbox before the "Block all cookies" option. Then exit the popup.

Install Chrome Extension : SAML Tracer for Tracing /Troubleshooting with User Login

Here are the steps
    • Open the Chrome web browser.
    • Click on the "Add to Chrome" button.
    • Click on the "Add extension" button.
    • The SAML Tracer extension will be installed in your Chrome browser.

To use the SAML Tracer extension, you need to enable it. To do this, follow these steps:

    • Click on the three dots in the top right corner of the Chrome browser window.
    • Select "More tools" > "Extensions".
    • Find the SAML Tracer extension and click on the toggle switch to enable it.

Once the SAML Tracer extension is enabled, it will start capturing all SAML requests and responses that are sent and received by your browser. You can view these requests and responses by opening the SAML Tracer extension window. To do this, follow these steps:

    • Click on clear and ask User to login which capture the logs
    • Select the row which shows SAML in yellow and analyze from SAML/Summary tab
    • Select the next row which shows SAML in yellow and analyze again to determine what is passing from Idp to Application userName ( This will be in your NameId Subject)

How to troubleshoot with SAML Logs for a User and analyze what is happening on each SAML Trace

Here are the steps to perform with User having issues to login through Identity Provider

    • Gather the SAML logs. The SAML logs are the files that contain the details of all SAML requests and responses that have been sent and received. These logs can be found in the SAML server or in the application that is using SAML for authentication.
    • Identify the user who is having the problem. The first step is to identify the user who is having the problem. This can be done by looking at the SAML logs for the user's login attempt.
    • Analyze the SAML trace for the user. The SAML trace is a detailed record of the SAML request and response for the user's login attempt. This trace can be used to see what is happening at each step of the authentication process.
    • Identify the problem. Once you have analyzed the SAML trace, you should be able to identify the problem that is causing the authentication failure. This could be a problem with the user's field mapping, Subject NameId, Attributes been sent from Idp, a problem with the SAML configuration, or a problem with the application.
    • Fix the problem. Once you have identified the problem, either IDP Admin or IAS Admin need to fix it. This could involve updating the user loginName according to IDP and Embedded Analytics userId, changing the SAML configuration, or fixing the application.

Here are some additional things to keep in mind when troubleshooting SAML logs:

    • The SAML logs can be large and complex when you export and share it with Support team, so it is important to be patient and methodical when analyzing them.
    • It is helpful to have a good understanding of the SAML protocol in order to interpret the SAML logs.
    • If you are not able to identify the problem yourself, you should contact the SAP Technical Support team of the SAML solution for help.
    • It needs to be tested with several times with a User and requires a lot of patience to test till it sucessfully works.

How to check if user is in Embedded Analytics or SAC ?


As you know, it's too dificult to get into Admin side of it to check and validate the Users in User Administration...
After you login into SAC or EA, you will go to SCIM API URL for Users to find and validate
URL should look like this : https://<SAC URL>/api/v1/scim/Users/<P0000001>

How to check SAC or EA SCIM APIs versions and where it is used for User Sync?

SCIM API versions 1 and 2 are available and latest is api/v1/scim2 which got Introduced on April 2023

SAP Analytics Cloud: User and Team Provisioning API

Managing Users and Teams → api/v1/scim

Managing Users and Teams → api/v1/scim2

This API uses SCIM 2.0. For more information, see SCIM Core Schema.

sac.api.version   Handles the version of SAP Analytics Cloud SCIM API.

Possible values:
    • 1 - Indicates that SAP Analytics Cloud SCIM API version 1 is used.
    • 2 - Indicates that SAP Analytics Cloud SCIM API version 2 is used.

Default value: 1

Identity Provisioning - Properties Settings

How to check if User is assigned to proper Embedded Analytics User Group in IAS ?

The Authorization user groups that are available for SAP Commissions are as follows:

APP_SCANEmbedded AnalyticsGroup for SCA Application
ADMINISTRATOR_COMM-SCANEmbedded AnalyticsGroup for SCA administrator
AUTHOR_COMM-SCANEmbedded AnalyticsGroup for SCA author
AUTHENTICATED_COMM-SCANEmbedded AnalyticsGroup for SCA viewer

Go to IAS Admin Console and User Management - Validate the User has got all required User groups are assigned
When SAP Identity Provisioning Service ( IPS) sync the User to SAC or EA, below transformation logic will set the approriate role based on User Group assigned in IAS User Management for the particular User.In the above illustration, its shown for SAP Commissions Product, so you can consume the right user groups for other SAP Products.

Bonus : Tips & Tricks to solve your Performance Issues on SAC / Embedded Analytics for Users

here are the steps to have one around of check

    • Check if the issue can be reproduced after closing all other browser windows, tabs, and applications
    • Check if the issue can be reproduced when not teleconferencing, screensharing, screen recording, or playing video or audio
    • Check if the issue can be reproduced when using a physical computer, rather than a virtual machine, if applicable
2 Comments