Technology Blogs by SAP
Learn how to extend and personalize SAP applications. Follow the SAP technology blog for insights into SAP BTP, ABAP, SAP Analytics Cloud, SAP HANA, and more.
cancel
Showing results for 
Search instead for 
Did you mean: 
former_member456023
Contributor
4,564
This blog describes How to map SAML user assertions attributes when SAP Analytics Cloud uses custom IdP ex – ADFS for SAML Sign-On authorization

You can map existing SAML user attributes to SAP Analytics Cloud user profiles

In summary, the configuration provided in this document have been executed on the below mentioned platform

  • Microsoft ADFS (Windows Server 2012 R2) as Identity Provider

  • SAP Analytics Cloud as Service Provider


Prerequisite



  • SAML needs to be enabled in SAP Analytics Cloud

  • Follow below blog to configure SAML for SAP Analytics Cloud using ADFS Identity Provider


https://blogs.sap.com/2017/12/19/sap-analytics-cloud-saml-sso-using-adfs-active-directory-federation...

  • Your custom SAML Identity Provider (IdP) must be configured and you should be able to login to your tenant without problems


Context


To ensure that SAP Analytics Cloud user profiles  are updated with the latest information from your SAML IdP, you can map SAML user attributes to the following fields in SAP Analytics Cloud:

  • First Name

  • Last Name

  • Display Name

  • E-Mail

  • Functional Area

  • Language

  • Custom1, Custom 2, and so on


Each time a user logs on to SAP Analytics Cloud, the latest information is read from their SAML assertion and updated in their SAP Analytics Cloud user profile.

Configuring ADFS


We need to configure ADFS to return one or more SAML user attributes in the SAML assertions that are issued to authenticated SAML users.



    1. Open ADFS Management

    2. Right-click on relying party which is used for configuring SAML for SAP Analytics Cloud and select Edit

    3. NOTE: If SAP Analytics Cloud is running on a non-SAP data center, for example Cloud Foundry (AWS), you must map your SAML attribute assertion to our white-listed attributes.
      Map the assertion like below:




Note – LDAP Attribute: SAM-Account-Name to an intermediary claim (you can select any claim type from dropdown list, or provide any custom claim type name. In this sample, we manually enter the custom claim type name called my_intermediate_claim

  1. Now add a transformation from this intermediary claim to the claim required by SAP Analytics Cloud – Name ID

  2. Click Ok


Configuring SAP Analytics Cloud


Map SAML Attributes in SAP Analytics Cloud

  1. Logon to SAP Analytics Cloud and verify the passed SAML attributes, using the SAML add-on for google dev tools
    Press F12 and select SAML tab before logging in
    Log in and notice that the attribute match to the ones defined on ADFS side.

  2. Go to Security -> Users

  3. Select Map SAML User Properties

  4. Map SAML attributes can be mapped to SAP Analytics Cloud user properties by selecting the appropriate SAML attribute for each target property
    In our case we map following SAML attributes to target property


Note – if you notice that only “1 Attributes found”, the number of attributes found is only one but in the SAML response ADFS side attributes are visible, then check out the below note




https://apps.support.sap.com/sap/support/knowledge/public/en/2559605

Verification



  • To verify if configuration and mapping is correct, change one of the user attributes ex - FirstName in the ADFS user property

  • Login to SAP Analytics Cloud using the user whose FirstName attribute has been changed

  • Go to Security -> Users


Verify the latest information is read from the SAML assertion and updated in the SAP Analytics Cloud user profile

References


For more information, refer SAP Analytics Cloud help

https://help.sap.com/viewer/00f68c2e08b941f081002fd3691d86a7/release/en-US/5e917dc3fc8f42828d4dfa850...

Learn More:

https://blogs.sap.com/2018/02/28/saml-integration-between-microsoft-azure-portal-and-sap-analytics-c...

https://blogs.sap.com/2017/12/19/sap-analytics-cloud-saml-sso-using-adfs-active-directory-federation...

https://blogs.sap.com/2018/02/22/adfs-with-sap-business-intelligence-platform/

https://blogs.sap.com/2018/03/01/saml-integration-between-microsoft-azure-portal-and-sap-business-in...