This blog describes how to map SAML user assertion attributes when SAP Analytics Cloud uses a custom IdP (for example, ADFS) for SAML sign-on authorization.
You can map existing SAML user attributes to SAP Analytics Cloud user profiles.
In summary, the configuration provided in this document has been executed on the platform below:
- Microsoft ADFS (Windows Server 2012 R2) as Identity Provider
- SAP Analytics Cloud as Service Provider
Prerequisite
- SAML needs to be enabled in SAP Analytics Cloud
- Follow the blog below to configure SAML for SAP Analytics Cloud using the ADFS Identity Provider
https://blogs.sap.com/2017/12/19/sap-analytics-cloud-saml-sso-using-adfs-active-directory-federation...
- Your custom SAML Identity Provider (IdP) must be configured and you should be able to log in to your tenant without problems
Context
To ensure that SAP Analytics Cloud user profiles are updated with the latest information from your SAML IdP, you can map SAML user attributes to the following fields in SAP Analytics Cloud:
- First Name
- Last Name
- Display Name
- E-Mail
- Functional Area
- Language
- Custom1, Custom 2, and so on
Each time a user logs on to SAP Analytics Cloud, the latest information is read from their SAML assertion and updated in their SAP Analytics Cloud user profile.
Configuring ADFS
We need to configure ADFS to return one or more SAML user attributes in the SAML assertions that are issued to authenticated SAML users.
- Open ADFS Management
- Right-click the relying party that is used for configuring SAML for SAP Analytics Cloud and select Edit
- NOTE: If SAP Analytics Cloud is running on a non-SAP data center, for example Cloud Foundry (AWS), you must map your SAML attribute assertion to our white-listed attributes.
Map the assertion like below:
Note – Map the LDAP attribute SAM-Account-Name to an intermediary claim (you can select any claim type from the dropdown list, or provide any custom claim type name). In this sample, we manually enter the custom claim type name my_intermediate_claim
- Now add a transformation from this intermediary claim to the claim required by SAP Analytics Cloud – Name ID
- Click OK
Configuring SAP Analytics Cloud
Map SAML Attributes in SAP Analytics Cloud
- Log on to SAP Analytics Cloud and verify the passed SAML attributes, using the SAML add-on for Google dev tools
Press F12 and select the SAML tab before logging in
Log in and notice that the attributes match the ones defined on the ADFS side.
- Go to Security -> Users
- Select Map SAML User Properties
- SAML attributes can be mapped to SAP Analytics Cloud user properties by selecting the appropriate SAML attribute for each target property
In our case we map the following SAML attributes to the target properties
Note – If you see “1 Attributes found”, meaning only one attribute is found even though the attributes are visible in the SAML response from the ADFS side, check the note below
https://apps.support.sap.com/sap/support/knowledge/public/en/2559605
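To compare what ADFS actually sends with what you expect to map, the captured SAML response can also be inspected offline. The following is an added example, not part of the original blog or of SAP's tooling; it assumes the base64 SAMLResponse value was copied from the browser's SAML tab, and the attribute names and sample response are constructed placeholders.

```python
import base64
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

def list_assertion_attributes(saml_response_b64):
    """Return (name_id, {attribute name: [values]}) from a base64 SAMLResponse.

    Inspection only: no signature or condition checks are done here, so use it
    on a response you captured yourself, never to decide whether to trust one.
    """
    root = ET.fromstring(base64.b64decode(saml_response_b64))
    name_id = root.findtext(".//saml:Assertion/saml:Subject/saml:NameID",
                            namespaces=NS)
    attributes = {}
    for attr in root.iterfind(".//saml:AttributeStatement/saml:Attribute", NS):
        values = [v.text or "" for v in attr.findall("saml:AttributeValue", NS)]
        attributes.setdefault(attr.get("Name"), []).extend(values)
    return name_id, attributes

def missing_attributes(attributes, expected):
    """Expected names that the assertion lacks or carries only as empty values."""
    return [name for name in expected if not any(attributes.get(name, []))]

# Constructed sample response; attribute names are placeholders, not SAP's list.
SAMPLE_XML = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Assertion>
    <saml:Subject><saml:NameID>jdoe</saml:NameID></saml:Subject>
    <saml:AttributeStatement>
      <saml:Attribute Name="my_first_name">
        <saml:AttributeValue>Jane</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="my_last_name">
        <saml:AttributeValue>Doe</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="my_email">
        <saml:AttributeValue>jane.doe@example.com</saml:AttributeValue></saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""
SAMPLE_B64 = base64.b64encode(SAMPLE_XML.encode()).decode()

if __name__ == "__main__":
    name_id, attrs = list_assertion_attributes(SAMPLE_B64)
    print("NameID:", name_id)
    for name, values in attrs.items():
        print(f"  {name} = {values}")
    print("Missing:", missing_attributes(attrs, ["my_first_name", "my_language"]))
```
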
Verification
- To verify that the configuration and mapping are correct, change one of the user attributes (for example, FirstName) in the ADFS user property
- Log in to SAP Analytics Cloud using the user whose FirstName attribute has been changed
- Go to Security -> Users
Verify the latest information is read from the SAML assertion and updated in the SAP Analytics Cloud user profile
References
For more information, refer to the SAP Analytics Cloud help
https://help.sap.com/viewer/00f68c2e08b941f081002fd3691d86a7/release/en-US/5e917dc3fc8f42828d4dfa850...
Learn More:
https://blogs.sap.com/2018/02/28/saml-integration-between-microsoft-azure-portal-and-sap-analytics-c...
https://blogs.sap.com/2017/12/19/sap-analytics-cloud-saml-sso-using-adfs-active-directory-federation...
https://blogs.sap.com/2018/02/22/adfs-with-sap-business-intelligence-platform/
https://blogs.sap.com/2018/03/01/saml-integration-between-microsoft-azure-portal-and-sap-business-in...