Enable a Custom SAML Identity Provider
By default, SAP Analytics Cloud uses SAP Cloud Platform Identity Authentication as its identity provider. SAP Analytics Cloud also supports single sign-on (SSO) through your own SAML identity provider (IdP).
- You must have an IdP that supports the SAML 2.0 protocol.
- You must be able to configure your IdP.
- You must be assigned to the System Owner role in SAP Analytics Cloud. For more information, see Standard Application Roles.
- SAP Analytics Cloud can be hosted either on SAP data centers or on non-SAP data centers. Determine which environment your SAP Analytics Cloud tenant is hosted in by inspecting its URL:
  - A single-digit number, for example us1 or jp1, indicates an SAP data center.
  - A two-digit number, for example eu10 or us30, indicates a non-SAP data center.
- If your users are connecting from Apple devices using the SAP Analytics Cloud mobile app, the certificate used by your IdP must be compatible with Apple's App Transport Security (ATS) feature. In practice this means the IdP endpoint must offer TLS 1.2 or later, and its certificate must be signed with SHA-256 or stronger and use an RSA key of at least 2048 bits or an ECC key of at least 256 bits.
- From the side navigation, go to .
- Select (Edit).
In the Authentication Method area, select SAML Single Sign-On (SSO) if it is not already selected.
Note: By default, SAP Cloud Identity is used for authentication.
In Step 1, select Download and save the metadata file. An SAP Analytics Cloud metadata file will be saved.
Upload the SAP Analytics Cloud metadata file to your SAML IdP. The file includes metadata for SAP Analytics Cloud, and is used to create a trust relationship between your SAML Identity Provider and your SAP Analytics Cloud system.
- (Optional) You can access the system from your SAML Identity Provider by adding a new assertion consumer service endpoint to your identity provider. For more information, see Enable IdP-Initiated Single Sign On (SAP Data Center Only).
Map your SAML IdP user attributes and roles.
If SAP Analytics Cloud is running on an SAP data center, you must submit an SAP Product Support Incident using the component LOD-ANA-ADM. In the support ticket, indicate that you want to set up user profiles and role assignment based on custom SAML attributes, and include your SAP Analytics Cloud tenant URL.
Note: If SAP Analytics Cloud is running on an SAP data center, and you want to continue using User Profiles and Role assignment using SAML attributes, you will need to open a support ticket each time you switch to a different custom IdP.
If SAP Analytics Cloud is running on a non-SAP data center, you must configure your SAML IdP to map user attributes to the following allowlisted assertion attributes. Attribute names are case-sensitive: for example, Groups must be sent with a capital G, or it will not be recognized. We recommend that you map only the user attributes and roles that will be used in SAP Analytics Cloud. Mapping additional user attributes may result in a large SAML assertion, which could produce a login error.

    Attribute Name      Notes
    email               Required if your NameID is "email".
    Groups              Required. Set to "sac".
    familyName          Optional. The user's last name (surname).
    displayName         Optional.
    functionalArea      Optional.
    givenName           Optional. The user's first name.
    preferredLanguage   Optional.
    custom1             Optional. For SAML role assignment.
    custom2             Optional. For SAML role assignment.
    custom3             Optional. For SAML role assignment.
    custom4             Optional. For SAML role assignment.
    custom5             Optional. For SAML role assignment.

An AttributeStatement that follows this allowlist looks like the following (note that custom1 carries several values, one per group used for role assignment):

    <AttributeStatement>
      <Attribute Name="email">
        <AttributeValue>email@example.com</AttributeValue>
      </Attribute>
      <Attribute Name="givenName">
        <AttributeValue>Abc</AttributeValue>
      </Attribute>
      <Attribute Name="familyName">
        <AttributeValue>Def</AttributeValue>
      </Attribute>
      <Attribute Name="displayName">
        <AttributeValue>Abc Def</AttributeValue>
      </Attribute>
      <Attribute Name="Groups">
        <AttributeValue>sac</AttributeValue>
      </Attribute>
      <Attribute Name="custom1">
        <AttributeValue>Domain Users</AttributeValue>
        <AttributeValue>Enterprise Admins</AttributeValue>
        <AttributeValue>Enterprise Key Admins</AttributeValue>
      </Attribute>
    </AttributeStatement>

Note: If you are using the SAP Cloud Platform Identity Authentication service as your IdP, map the Groups attribute under Default Attributes for your SAP Analytics Cloud application. The remaining attributes should be mapped under Assertion Attributes for your SAP Analytics Cloud application.
- Download metadata from your SAML IdP.
- In Step 2, select Upload, and choose the metadata file you downloaded from your SAML IdP.
In Step 3, select a User Attribute.
The attribute will be used to map users from your existing SAML user list to SAP Analytics Cloud. The user attribute you select must match the NameID used in your custom SAML assertion:

    <NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"><Your Unique Identifier></NameID>

Determine what your NameID maps to in your SAP Analytics Cloud system. It should map to User ID, Email or a custom attribute. You can view your SAP Analytics Cloud user attributes in .
Note: NameID is case-sensitive. The User ID, Email, or Custom SAML User Mapping must match the value sent by your SAML IdP exactly. For example, if the NameID returned by your SAML IdP is firstname.lastname@example.org and the email you used in SAP Analytics Cloud is User@company.com, the mapping will fail.
Choose one of the following options:
- USER ID: If NameID maps to the SAP Analytics Cloud User ID.
- Email: If NameID maps to the SAP Analytics Cloud Email address.
  Note: If your NameID email is not case-sensitive and contains mixed case, for example User@COMPANY.com, consider choosing Custom SAML User Mapping instead.
- Custom SAML User Mapping: If NameID maps to a custom value.
  Note: If you select this option, there will be a new column named SAML User Mapping in . After switching to your SAML IdP, you must manually update this column for all existing users.
If you are using a live connection to SAP S/4HANA Cloud Edition with OAuth 2.0 SAML Bearer Assertion, NameId must be identical to the user name of the business user on your SAP S/4HANA system.
For example, if you want to map an SAP Analytics Cloud user with the user ID SACUSER to your SAP S/4HANA Cloud user with the user name S4HANAUSER, you must select Custom SAML User Mapping and use S4HANAUSER as the Login Credential in Step 10.
If you are using SAP Cloud Identity as your SAML IdP, you can choose Login Name as the NameID attribute for SAP Analytics Cloud, then you can set the login name of your SAP Analytics Cloud user as S4HANAUSER.
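Before switching the tenant over, it is worth running the assertion your IdP actually produces through the rules above: the case-sensitive attribute allowlist, the mandatory Groups attribute set to "sac", and an exact, case-sensitive match between the NameID and the User Attribute chosen in Step 3. The following script is an added example, not SAP code; it parses a constructed sample assertion (taken from a test login, decoded from the SAMLResponse) and compares its NameID against a constructed SAP Analytics Cloud user list. The user table columns (user_id, email, saml_user_mapping) and the mixed-case NameID in the sample are assumptions made for illustration.

```python
"""Pre-flight checks for a custom SAML assertion against the SAP Analytics Cloud rules
on this page. Added example, not SAP code; sample assertion and user table are constructed."""
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Allowlisted assertion attribute names from the page's table. Comparison is case-sensitive.
ALLOWLIST = {
    "email", "Groups", "familyName", "displayName", "functionalArea",
    "givenName", "preferredLanguage",
    "custom1", "custom2", "custom3", "custom4", "custom5",
}

# Which column of the (assumed) user export each Step 3 User Attribute option maps to.
USER_ATTRIBUTE_COLUMN = {
    "USER ID": "user_id",
    "Email": "email",
    "Custom SAML User Mapping": "saml_user_mapping",
}


def parse_assertion(xml_text):
    """Return (nameid_format, nameid_value, {attribute_name: [values]}) from a SAML 2.0 assertion."""
    root = ET.fromstring(xml_text)
    nameid = root.find(".//saml:Subject/saml:NameID", NS)
    fmt = nameid.get("Format", "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified")
    attrs = {}
    for attr in root.findall(".//saml:AttributeStatement/saml:Attribute", NS):
        attrs[attr.get("Name")] = [v.text or "" for v in attr.findall("saml:AttributeValue", NS)]
    return fmt, (nameid.text or "").strip(), attrs


def check_attributes(attrs, user_attribute):
    """Apply the allowlist rules; return a list of human-readable findings (empty = OK)."""
    findings = []
    if "sac" not in attrs.get("Groups", []):
        findings.append('Groups attribute must be present and contain the value "sac"')
    if user_attribute == "Email" and "email" not in attrs:
        findings.append('email attribute is required when the User Attribute is Email')
    for name in attrs:
        if name not in ALLOWLIST:
            hint = ""
            for allowed in ALLOWLIST:
                if allowed.lower() == name.lower():
                    hint = f' (did you mean "{allowed}"? attribute names are case-sensitive)'
            findings.append(f'attribute "{name}" is not in the allowlist{hint}')
    return findings


def resolve_user(nameid, user_attribute, users):
    """Match the NameID exactly (case-sensitive) against the chosen user column.
    Returns (user, None) on success or (None, reason) on failure."""
    column = USER_ATTRIBUTE_COLUMN[user_attribute]
    for user in users:
        if user.get(column) == nameid:
            return user, None
    near = [u for u in users if (u.get(column) or "").lower() == nameid.lower()]
    if near:
        return None, (f'no exact match for NameID "{nameid}"; "{near[0][column]}" differs only in case. '
                      'Fix the value on one side or switch to Custom SAML User Mapping')
    return None, f'no user whose {user_attribute} equals "{nameid}"'


def run_checks(xml_text, user_attribute, users):
    fmt, nameid, attrs = parse_assertion(xml_text)
    findings = check_attributes(attrs, user_attribute)
    user, problem = resolve_user(nameid, user_attribute, users)
    if problem:
        findings.append(problem)
    return nameid, attrs, findings, user


# Constructed sample: mixed-case email NameID, "groups" sent with the wrong case,
# and a non-allowlisted "department" attribute that only bloats the assertion.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_constructed" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">
  <saml:Issuer>https://idp.example.org</saml:Issuer>
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">User@COMPANY.com</saml:NameID>
  </saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="email"><saml:AttributeValue>User@COMPANY.com</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="givenName"><saml:AttributeValue>Abc</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="groups"><saml:AttributeValue>sac</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="custom1"><saml:AttributeValue>Domain Users</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="department"><saml:AttributeValue>Finance</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

# Constructed SAP Analytics Cloud user list (columns are an assumption for this example).
SAC_USERS = [
    {"user_id": "SACUSER", "email": "user@company.com", "saml_user_mapping": "S4HANAUSER"},
    {"user_id": "JDOE", "email": "jdoe@company.com", "saml_user_mapping": ""},
]

if __name__ == "__main__":
    nameid, attrs, findings, user = run_checks(SAMPLE_ASSERTION, "Email", SAC_USERS)
    print(f"NameID: {nameid}; attributes: {sorted(attrs)}")
    for f in findings:
        print(" -", f)
    print("resolved user:", user["user_id"] if user else None)
```

Run against a real assertion, the script reports the three classes of mistake the page warns about: a missing or mis-cased Groups attribute, attributes outside the allowlist, and a NameID that differs from the stored user value only in case, which is exactly the situation where the page recommends Custom SAML User Mapping.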
(Optional) Enable Dynamic User Creation.
When dynamic user creation is enabled, new users will be automatically created using the default role and will be able to use SAML SSO to log onto SAP Analytics Cloud. For more information, see Set the Default Role. After users are created, you can set roles using SAML attributes. For more information, see Map Roles Using SAML Attributes.
Note: Automatic user deletion is not supported. If a user in SAP Analytics Cloud is removed from your SAML IdP, you must go to and manually delete the user. For more information, see Delete Users.
If this option is enabled, dynamic user creation still occurs in SAP Analytics Cloud even when SAML user attributes have not been set for all IdP users. To prevent a user from being automatically created, your SAML IdP must deny the user access to SAP Analytics Cloud.
In Step 4, enter <Your Unique Identifier> as the Login Credential.
This value must identify the SAP Analytics Cloud system owner. The Login Credential provided here will be automatically set for your user.
Note: The Login Credential depends on the User Attribute you selected under Step 3.
Test the SAML IdP setup by logging into SAP Analytics Cloud with your IdP, and then clicking Verify Account to open a dialog for validation.
In another browser, log on to the URL provided in the Verify Your Account dialog, using your SAML IdP credentials. You can copy the URL by selecting (Copy).
You must use a private session to log onto the URL; for example, Guest mode in Chrome. This ensures that when you log on to the dialog and select SAP Analytics Cloud, you are prompted to log in and do not reuse an existing browser session.
Note: If SAP Analytics Cloud is running on a non-SAP data center, upon starting the verification step, you will see a new screen when logging into SAP Analytics Cloud. Two links will be displayed on this page. One will link to your current IdP and the other will link to the new IdP you will switch to. To perform the Verify Account step, use the link for the new IdP. Other SAP Analytics Cloud users can continue logging on with the current IdP. Once you have completed Step 16 and the IdP switch has completed, this screen will no longer appear.
If you can log on successfully, the SAML IdP setup is correct.
In the Verify Your Account dialog, select
If the verification was successful, a green border should appear around the Login Credential box.
(Optional) Enter a password management URL.
The URL should link to the password management page of your SAML IdP.
(Optional) Configure Logout.
Choose one of the following logout options:
Note: By default, when users log out of SAP Analytics Cloud, they are automatically logged out of their SAML IdP.
- IdP Logout: Log out of your SAML IdP.
- Application log out: Log out of SAP Analytics Cloud and remain signed in to your IdP system.
The Convert to SAML Single Sign-On confirmation dialog will appear.
When conversion is complete, you will be logged out and directed to the logon page of your SAML IdP.
- Log on to SAP Analytics Cloud with the credentials you used for the verification step.
From the side navigation, go to and look for the column of the User Attribute you selected in step 8.
The values in this column should be a case-sensitive match with the NameID sent in your IdP's SAML assertion.
Note: If you selected Custom SAML User Mapping as the User Attribute, you must manually update all fields in the SAML User Mapping column.
Users will be able to use SAML SSO to log onto SAP Analytics Cloud.
Switch to a Different Custom IdP
If SAML SSO is enabled and you would like to switch to a different SAML IdP, you can repeat the above steps using the new SAML IdP metadata.