SAP Analytics cloud SAML SSO with BTP Cloud Identi...
Technology Blogs by SAP
Learn how to extend and personalize SAP applications. Follow the SAP technology blog for insights into SAP BTP, ABAP, SAP Analytics Cloud, SAP HANA, and more.
In my last blog i have explained about End to End SAML SSO configuration between SAP Analytics cloud and SAP Business Technology Cloud Identity services - Identity Authentication Services and SAP Business Warehouse with userid and emaild as NameID attribute.
In this second blog, I would like to cover on SAML SSO configuration using SAP Analytics cloud Custom SAML user mapping option.
When to go with Custom SAML user mapping.
How to successfully configure end to end SAML SSO with custom saml user mapping SAC/IAS/BW.
Why and When you need to chose the Custom SAML user mapping:
Few Problem statements:
If the userid's or login name's or email id's in your corporate identity providers are in Lower case or Mixed cases, for example userid as userid or USERid or any special characteristics like Hyphen, dot, coma, etc are not supported by SAP Analytics cloud inline with SAP HANA USER unpermitted charatceristics
Email ID- incase if the user email address in identity provider doesn't user upper/lower case in a consistent manner (e.g., always all-lowercase), so as to avoid the likelihood of values being entered with mismatches in SAP Analytics Cloud.
most importantly, if applying conversion rules to convert Lower case Userid's to Uppercase at Identity Provider level
To solve the above challenges, Customer SAML User is an option.
Let's begin with one of the challenge:-
- In my Identity provider, all the users have been created in lowercase with hyphen at the end or in-between.
- I cannot create users in SAP Analytics cloud with same username to be in consistent with IDP
- In my SAP BW, there is no issue with userid's as they are created in line with Identity provider.
Screenshot from IAS:
Please note login name: sanugu-
In SAP Analytics cloud, the user has been created as SANUGU
My SAP BW, user has been created as sanugu- or SANUGU- , its not case sensitive in ABAP World.
So as admin, i have to configure SAC SSO successfully without changing Login name at IDP or applying conversion rules and real challenge is all the users created in SAC should work as it is before SSO.
Step 3, select a user attribute as Custom SAML User Mapping from the drop down list
Step4: Verification of user attribute, you should provide the user attribute defined in Identity provider exactly as it is .. here its sanugu-
Important tip: Please read the tool tip text carefully " The Login credential is case-sensitive. Use the NameID of your custom Identity Provider user.
i have seen customers making mistakes due to providing nameid as the SAP Analytics userid.
Click on verify account, please copy the verify account link and verify it in a new incognito window.
After successful verification of user attribute, you can close the new incognito window and continue with the SAC SSO configuration in the normal browser window
If you get the Login Credential user mapping highlighted in green, you are good to save the configuration and click on convert in the appeared popup window
You should be now automatically logged out of SAP Analytics cloud, if not please logout and relogin, you should notice the login page is now being redirected to Identity provider login page where you provide your IDP user login credentials, in my case its sanugu-
After you login to SAP Analytics cloud, please go to Security --> users, notice there is a new Column SAML USER MAPPING has been created
My user details are mapped:
Yes, you can notice userid is SANUGU and saml user mapping from idp is mapped as sanugu-
Please note: you have to map the saml user mapping manually for the existing SAP Analytics users only.
If you have plans to switch on Dynamic User creation to automate user creation in SAC, all the new users created in SAC will have the SAML USER MAPPING column mapped automatically from IDP.
The existing BW live report should work as well.
Without making any major changes at IDP or SAC or BW system's the simplification of user attributes and SAC SSO configuration is successful.
SAP Analytics Cloud Custom SAML user mapping option solves these type of challenges perfectly without major hiccups without a need to convince your administrators .
Hope this blog helps you to make a successful SAC SSO configurations where there are user attribute limitations at your IDP level.