As a follow-up to the blog post below, I will describe, step by step, the specific configuration we tested with the following applications.

https://blogs.sap.com/2021/06/14/setup-multiple-identity-providers-for-sap-analytics-cloud/

The following applications were used to test the configuration.
1. SAP Identity Authentication Service – acting as IdP proxy
2. SAP Identity Authentication Service – Corporate IdP
3. Microsoft Azure IdP – External IdP
4. Microsoft ADFS IdP – External IdP
5. SAP Analytics Cloud – Service Provider
6. SAP HANA Database – Service Provider

1. Setting up trust between IdP proxy to Corporate IdP and External IdP

In the proxy tenant, add all three IdP entries (corporate IdP, Microsoft Azure AD, Microsoft ADFS) by uploading their SAML metadata.

1.1 IdP proxy to Corporate IdP

Switch to the IdP proxy’s Administration console. In the “Corporate Identity Providers” menu, add a new corporate IdP and give it a name such as “Your Corporate IdP”.

SAML 2.0 Configuration – Upload the metadata from your corporate IdP

Identity Provider Type – Set it to “SAML 2.0 Compliant” for a generic corporate IdP. If your corporate IdP is Microsoft ADFS / Azure AD or SAP Single Sign-On, choose the matching type instead.

Name ID Format – Set it as “E-Mail”

Save the configuration; the trust from the IdP proxy to the corporate IdP is complete. Repeat the same steps for each external IdP, here Microsoft Azure AD and Microsoft ADFS.

1.2 IdP proxy to External IdP – Microsoft Azure

Download the Microsoft Azure AD federation metadata and switch to the IdP proxy’s Administration console. In the “Corporate Identity Providers” menu, add a new corporate IdP and give it a name such as “Your External IdP”.

SAML 2.0 Configuration – Upload the metadata from your external IdP

Identity Provider Type – Set it to “Microsoft ADFS / Azure AD”

Name ID Format – Set it as “E-Mail”

Save the configuration; the trust from the IdP proxy to Azure AD is complete.

1.3 IdP proxy to External IdP – Microsoft ADFS

Download the Microsoft ADFS metadata and switch to IdP proxy’s Administration console. In the “Corporate Identity Providers” menu, add a new Corporate IdP and provide a name like “ADFS IdP”

SAML 2.0 Configuration – Upload the metadata from ADFS IdP

Identity Provider Type – Set it to “Microsoft ADFS / Azure AD”

Name ID Format – Set it as “E-Mail”

Save the configuration; the trust from the IdP proxy to ADFS is complete.
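Before uploading metadata in either direction, it is worth checking what the file actually declares rather than trusting that the download worked. The following Python script is an added example, not part of the original post or of any SAP tooling. It parses a SAML 2.0 EntityDescriptor (IdP or SP) with the standard library and flags the gaps that most often break this setup: no signing certificate, an advertised NameID format list that lacks emailAddress (so the “E-Mail” setting above cannot match), non-HTTPS endpoints and an expired validUntil. The two embedded metadata documents are constructed for the example; entity IDs, hostnames and the certificate placeholder are made up.

```python
"""Pre-upload sanity check for SAML 2.0 metadata (IdP or SP).

Added example: parses an EntityDescriptor and reports the fields the trust
setup depends on (entityID, signing certificate, NameID formats, endpoints,
validUntil). Sample documents below are constructed, not real tenants.
"""
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
DS = "http://www.w3.org/2000/09/xmldsig#"
NS = {"md": MD, "ds": DS}
EMAIL_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
HTTP_REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
HTTP_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"


def parse_metadata(xml_text):
    """Extract the trust-relevant fields from an IdP or SP EntityDescriptor."""
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{MD}}}EntityDescriptor":
        raise ValueError("not a SAML 2.0 EntityDescriptor")
    idp = root.find("md:IDPSSODescriptor", NS)
    sp = root.find("md:SPSSODescriptor", NS)
    role = idp if idp is not None else sp
    if role is None:
        raise ValueError("neither IDPSSODescriptor nor SPSSODescriptor found")
    # A KeyDescriptor without a 'use' attribute is valid for signing and encryption.
    signing_certs = [
        kd.findtext(".//ds:X509Certificate", default="", namespaces=NS).strip()
        for kd in role.findall("md:KeyDescriptor", NS)
        if kd.get("use", "signing") == "signing"
    ]
    endpoint = "md:SingleSignOnService" if idp is not None else "md:AssertionConsumerService"
    return {
        "entity_id": root.get("entityID"),
        "role": "IdP" if idp is not None else "SP",
        "valid_until": root.get("validUntil") or role.get("validUntil"),
        "signing_certs": [c for c in signing_certs if c],
        "nameid_formats": [n.text.strip() for n in role.findall("md:NameIDFormat", NS) if n.text],
        "endpoints": {e.get("Binding"): e.get("Location") for e in role.findall(endpoint, NS)},
    }


def check_metadata(info, now=None):
    """Return a list of problems; an empty list means the file fits the E-Mail NameID setup."""
    now = now or datetime.now(timezone.utc)
    problems = []
    if not info["entity_id"]:
        problems.append("missing entityID")
    if not info["signing_certs"]:
        problems.append("no signing certificate: the peer cannot verify signed messages")
    # Many IdPs omit NameIDFormat entirely; only flag an explicit list that lacks e-mail.
    if info["nameid_formats"] and EMAIL_FORMAT not in info["nameid_formats"]:
        problems.append("emailAddress NameID format not advertised; the 'E-Mail' setting will not match")
    if info["role"] == "IdP" and not (info["endpoints"].keys() & {HTTP_REDIRECT, HTTP_POST}):
        problems.append("no HTTP-Redirect/HTTP-POST SingleSignOnService endpoint")
    if info["role"] == "SP" and HTTP_POST not in info["endpoints"]:
        problems.append("no HTTP-POST AssertionConsumerService endpoint")
    for binding, location in info["endpoints"].items():
        if location and not location.startswith("https://"):
            problems.append(f"endpoint for {binding} is not https: {location}")
    valid_until = info["valid_until"]
    if valid_until and datetime.fromisoformat(valid_until.replace("Z", "+00:00")) < now:
        problems.append(f"metadata expired at {valid_until}")
    return problems


# Constructed IdP metadata that passes all checks.
GOOD_IDP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    entityID="https://corp-idp.example.com/saml2/metadata" validUntil="2031-01-01T00:00:00Z">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>MIIC...constructed...</ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</md:NameIDFormat>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://corp-idp.example.com/saml2/sso"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://corp-idp.example.com/saml2/sso"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""

# Constructed IdP metadata with three defects: encryption-only key, no e-mail NameID, plain http.
BAD_IDP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="https://weak-idp.example.com">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="encryption">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>MIIC...constructed...</ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</md:NameIDFormat>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="http://weak-idp.example.com/sso"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""

if __name__ == "__main__":
    for label, xml_text in (("good", GOOD_IDP_METADATA), ("bad", BAD_IDP_METADATA)):
        print(label, check_metadata(parse_metadata(xml_text)) or "OK")
```

Run it against the metadata.xml you are about to upload in each step of sections 1 and 2; the same function handles the proxy's own SP metadata, where it checks for an HTTPS AssertionConsumerService instead of SingleSignOnService. A metadata file that carries only an encryption key, or whose validUntil has passed, is the usual reason an otherwise correct trust silently fails later.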

2. Setting up trust between IdPs and IdP proxy

2.1 Corporate IdP to IdP proxy

Access the corporate IdP’s administration console and create an application that represents the central IAS proxy tenant. In our setup the application is named “IAS proxy”.

Set the following values

Type – SAML 2.0

SAML 2.0 Configuration – Upload the metadata from IdP proxy tenant

Subject Name Identifier – Set it as “E-Mail”

Default Name Identifier – Set it as “E-Mail”

Default Attributes – Add attribute “Groups”, and its value “sac”

Assertion Attributes – Add a SAML assertion attribute for the group “sac”. These SAML attributes are used later for dynamic user creation, team assignment and role mapping between the IdP and SAP Analytics Cloud. Note that SAP Analytics Cloud matches assertion attribute names case-sensitively, so the names must match its expected list exactly.

 

2.2 External IdP – Microsoft Azure to IdP proxy

  1. Download the IdP proxy metadata and switch to Microsoft Azure
  2. Go to Azure Active Directory –> Enterprise Applications –> All Applications
  3. In the All Applications window, click New Application
  4. Search the gallery for “SAP Cloud Platform Identity Authentication” and select it
  5. Provide an application name and click Add
  6. Assign users: Users and groups –> Add user (with user assignment required, only assigned users can sign in through this application)
  7. SAML configuration: click Single sign-on and select SAML-based Sign-on as the Single Sign-on Mode
    • Upload the IdP proxy metadata downloaded in step 1
    • Select user.mail as the User Identifier (this value becomes the NameID, which the proxy expects in E-Mail format)
    • Download the Federation Metadata XML to your local directory; this is the file uploaded to the IdP proxy in step 1.2
    • Save

 

2.3 External IdP – Microsoft ADFS to IdP proxy

  1. Download the IdP proxy metadata and switch to Microsoft ADFS
  2. Launch ADFS Management
  3. Under Trust Relationships, right-click Relying Party Trusts and choose Add Relying Party Trust
  4. Click Start
  5. Select “Import data about the relying party from a file” and select the metadata.xml downloaded in step 1
  6. After the file is imported, click Next
  7. Specify a display name and click Next
  8. Select “I do not want to configure multi-factor authentication settings for this relying party trust at this time” and click Next
  9. Under Issuance Authorization Rules, select “Permit all users to access this relying party”, click Next and then Finish
  10. Add a claim rule for the SAP IAS proxy: select “Send LDAP Attributes as Claims” and click Next
    Claim rule name: AD Login to Name ID
    Attribute store: Active Directory; map the LDAP attribute that holds the user’s e-mail address (typically E-Mail-Addresses) to the outgoing claim type E-Mail Address
    Click Finish to add the rule
  11. Add a second claim rule: select “Transform an Incoming Claim” and click Next
    Claim rule name: Transform NameID
    Incoming claim type: E-Mail Address
    Outgoing claim type: Name ID
    Outgoing name ID format: Email

Without the second rule ADFS issues no e-mail-format Name ID, and the proxy’s “E-Mail” Name ID setting from step 1.3 will not match. Also keep in mind that “Permit all users” in step 9 lets every account that can authenticate at ADFS obtain an assertion for the proxy; combined with Dynamic User Creation in SAP Analytics Cloud (section 3.2), that is the population that will end up with SAC user profiles, so narrow the issuance authorization rules if that is not intended.

3. Setting up trust between IdP proxy and SAP Analytics Cloud

3.1 Configuring IdP proxy with SAP Analytics Cloud

Once the above configuration is complete, configure SAP Analytics Cloud as a service provider in the IdP proxy: open the IdP proxy’s Administration console and create an application under the Applications & Resources menu.

Under Trust, set the below values

Type – SAML 2.0

SAML 2.0 Configuration – Upload the metadata from SAP Analytics Cloud tenant

Subject Name Identifier – Set it as “E-Mail”

Default Name Identifier – Set it as “E-Mail”

Default Attributes (optional) – Add attribute “Groups”, and its value “sac”

Assertion Attributes (optional) – Add a new SAML assertion attribute for dynamic user creation, team assignment, role mappings between IdP and SAP Analytics Cloud

The Default Attributes and Assertion Attributes are not required here if you have already configured them at the corporate IdP level. If the needed assertion attributes exist only in the IdP proxy (which means the user profiles also exist in the IdP proxy), add the assertion attributes here and switch on Identity Federation in the corporate IdP settings of the proxy, so that the proxy enriches the assertion from its own user store.
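Sections 2.1 and 2.3 configure what the IdPs put into the assertion (an e-mail NameID and the “Groups” attribute), and this section relies on SAP Analytics Cloud matching attribute names case-sensitively. The following Python script is an added example, not part of the original post or of any SAP tooling: it takes a base64-decoded SAMLResponse or a bare Assertion (for instance captured with a browser SAML tracer) and reports a NameID that is not in e-mail format, which is what you would see from ADFS before the Transform NameID rule, and attribute names that differ from the expected ones only in case. Both embedded assertions are constructed; issuers, user names and values are made up. The script does not verify the XML signature, so it is a configuration diagnostic only and must never be used to decide trust.

```python
"""Inspect a decoded SAML assertion for the two things the SAC setup depends on:
an e-mail NameID and exactly-cased attribute names.

Added example. Does NOT verify the XML signature: diagnostics only.
Sample assertions below are constructed.
"""
import xml.etree.ElementTree as ET

SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
NS = {"saml": SAML}
EMAIL_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"


def extract_assertion(xml_text):
    """Return issuer, NameID (value and Format) and attributes from an Assertion or a Response."""
    root = ET.fromstring(xml_text)
    assertion = root if root.tag == f"{{{SAML}}}Assertion" else root.find(".//saml:Assertion", NS)
    if assertion is None:
        raise ValueError("no saml:Assertion found")
    name_id = assertion.find("saml:Subject/saml:NameID", NS)
    attributes = {}
    for attr in assertion.findall("saml:AttributeStatement/saml:Attribute", NS):
        attributes[attr.get("Name")] = [v.text or "" for v in attr.findall("saml:AttributeValue", NS)]
    return {
        "issuer": assertion.findtext("saml:Issuer", default="", namespaces=NS).strip(),
        "name_id": None if name_id is None else (name_id.text or "").strip(),
        "name_id_format": None if name_id is None else name_id.get("Format"),
        "attributes": attributes,
    }


def check_assertion(info, required_attrs=("Groups",), expected_format=EMAIL_FORMAT):
    """List mismatches against the E-Mail NameID setting and the required attribute names."""
    problems = []
    if info["name_id"] is None:
        problems.append("no NameID in Subject")
    else:
        if info["name_id_format"] != expected_format:
            problems.append(f"NameID Format is {info['name_id_format']!r}, expected {expected_format!r}")
        if "@" not in info["name_id"]:
            problems.append(f"NameID {info['name_id']!r} is not an e-mail address")
    by_lower = {name.lower(): name for name in info["attributes"]}
    for name in required_attrs:
        if name in info["attributes"]:
            continue
        if name.lower() in by_lower:
            problems.append(f"attribute {name!r} missing; found {by_lower[name.lower()]!r} (names are case-sensitive)")
        else:
            problems.append(f"attribute {name!r} missing")
    return problems


# Constructed: what the corporate IdP should issue after section 2.1.
GOOD_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_a1" Version="2.0" IssueInstant="2022-09-30T10:00:00Z">
  <saml:Issuer>https://corp-idp.example.com</saml:Issuer>
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">jane.doe@example.com</saml:NameID>
  </saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="Groups"><saml:AttributeValue>sac</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

# Constructed: an ADFS-style response without the Transform NameID rule and with a miscased attribute.
BAD_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r2" Version="2.0"
    IssueInstant="2022-09-30T10:05:00Z" Destination="https://proxy.example.com/saml2/acs">
  <saml:Issuer>http://adfs.example.com/adfs/services/trust</saml:Issuer>
  <saml:Assertion ID="_a2" Version="2.0" IssueInstant="2022-09-30T10:05:00Z">
    <saml:Issuer>http://adfs.example.com/adfs/services/trust</saml:Issuer>
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">CORP\\jdoe</saml:NameID>
    </saml:Subject>
    <saml:AttributeStatement>
      <saml:Attribute Name="groups"><saml:AttributeValue>sac</saml:AttributeValue></saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""

if __name__ == "__main__":
    for label, xml_text in (("corporate", GOOD_ASSERTION), ("adfs", BAD_RESPONSE)):
        print(label, check_assertion(extract_assertion(xml_text)) or "OK")
```

Feed it the decoded SAMLResponse from a failing logon and the output tells you which side to fix: a non-e-mail NameID points at the IdP’s Name ID mapping (step 2.2 user.mail, step 2.3 Transform NameID), a miscased attribute at the Assertion Attributes configuration of section 2.1 or this section.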

User logon using Conditional Authentication

To let different users log on to SAP Analytics Cloud via different identity providers, we use Conditional Authentication in IAS. The IAS tenant administrator controls access to an application by defining rules that select the authenticating identity provider. Based on these rules, users are authenticated either via a corporate identity provider or via Identity Authentication itself.

Click the “SAP Analytics Cloud” application in the Identity Authentication proxy and open Conditional Authentication. Rules for the authenticating identity provider can be defined by e-mail domain, user type, user group and IP range. In our configuration, users with a company e-mail domain or belonging to the user group “Employee” are authenticated via the corporate IdP. Next, define rules for your external users based on their IP ranges, so that external users are authenticated via the external IdP. Rules are evaluated in order, and the default identity provider applies when no rule matches, so check the order and the default as carefully as the rules themselves.
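Rule evaluation is easy to get wrong once several rules overlap (a partner with a company-style address, an employee connecting from a partner network). The following Python model is an added example, not part of the original post or of the IAS product: it encodes the rule types listed above (e-mail domain, user type, user group, IP range) and selects an IdP for a logon attempt. Top-down evaluation, first match wins and all conditions of a rule must hold are this model’s assumptions about IAS behaviour and should be confirmed against your tenant; the domains, group names and IP ranges are constructed.

```python
"""Model of Conditional Authentication in the IdP proxy: rules are evaluated in
order, every condition set on a rule must hold, the first matching rule wins,
and the default IdP applies otherwise.

Added example; the evaluation semantics are this model's assumptions, and the
rule data below is constructed.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional, Sequence


@dataclass(frozen=True)
class Rule:
    idp: str                          # identity provider selected when the rule matches
    email_domain: Optional[str] = None
    user_type: Optional[str] = None
    user_group: Optional[str] = None  # group membership known to the proxy's user store
    ip_range: Optional[str] = None    # CIDR of the client's source address

    def matches(self, email: str, ip: str, user_type: Optional[str], groups: Sequence[str]) -> bool:
        """All conditions set on the rule must hold; unset conditions are ignored."""
        if self.email_domain is not None:
            domain = email.rsplit("@", 1)[1].lower() if "@" in email else ""
            if domain != self.email_domain.lower():
                return False
        if self.user_type is not None and user_type != self.user_type:
            return False
        if self.user_group is not None and self.user_group not in groups:
            return False
        if self.ip_range is not None:
            try:
                if ipaddress.ip_address(ip) not in ipaddress.ip_network(self.ip_range, strict=False):
                    return False
            except ValueError:  # an unparsable address never satisfies an IP condition
                return False
        return True


def select_idp(rules, default_idp, email, ip, user_type=None, groups=()):
    """Return the IdP that will authenticate this logon attempt."""
    for rule in rules:
        if rule.matches(email, ip, user_type, groups):
            return rule.idp
    return default_idp


# Constructed rule set mirroring the post: employees by mail domain or group,
# two external IdPs by source network, the proxy's own user store as fallback.
RULES = (
    Rule(idp="Corporate IdP", email_domain="example.com"),
    Rule(idp="Corporate IdP", user_group="Employee"),
    Rule(idp="Azure AD", ip_range="203.0.113.0/24"),
    Rule(idp="ADFS IdP", ip_range="198.51.100.0/24"),
)
DEFAULT_IDP = "Identity Authentication"

if __name__ == "__main__":
    attempts = (
        ("jane.doe@example.com", "10.1.2.3", ()),
        ("bob@partner.example", "203.0.113.17", ()),
        ("carol@partner.example", "192.0.2.9", ("Employee",)),
        ("dave@partner.example", "192.0.2.9", ()),
    )
    for email, ip, groups in attempts:
        print(email, ip, "->", select_idp(RULES, DEFAULT_IDP, email, ip, groups=groups))
```

Two things the model makes visible: rule order decides the outcome for users matching more than one rule, and routing is not authorization. An external user who types a company-domain address is sent to the corporate IdP and still has to authenticate there; an IP-range rule only chooses which IdP asks for credentials. The user-group condition can only match users who exist in the proxy’s user store, which is the same precondition as the Identity Federation setting in section 3.1.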

3.2 SAP Analytics Cloud with IdP proxy

Once the above configuration is complete, navigate to SAP Analytics Cloud Administration and configure the trust between SAP Analytics Cloud and the IdP proxy.

  1. Enable a custom SAML identity provider in SAP Analytics Cloud. For detailed step-by-step instructions, follow the blog below:
     https://blogs.sap.com/2017/12/19/sap-analytics-cloud-saml-sso-using-adfs-active-directory-federation-services-as-an-identity-provider/
  2. Upload the metadata from the IdP proxy
  3. Select “E-Mail” as the user attribute type and enable Dynamic User Creation

Once Dynamic User Creation is enabled, a new user profile is created automatically at first logon from the SAML attributes (First Name, Last Name, Display Name, etc.). This also means that every identity an IdP in this chain is willing to assert becomes an SAP Analytics Cloud user, so the user assignment in Azure AD (section 2.2, step 6), the issuance authorization rules in ADFS (section 2.3, step 9) and the Conditional Authentication rules in the proxy are what bound who can get in.

4. Verification

  1. Log in to SAP Analytics Cloud (enter the SAC URL in the browser)
  2. You are redirected to the IdP proxy logon page; enter your e-mail
    Ex – TESTUSER@sapgtc.onmicrosoft.com
    Based on the e-mail domain, the proxy redirects to the matching IdP’s authentication page
  3. Enter your password at that IdP
  4. Once authentication succeeds, you are logged in to SAP Analytics Cloud

Multiple Identity Providers for END2END SSO with SAP Analytics Cloud and SAP HANA Database – Part 2

https://blogs.sap.com/2022/09/30/multiple-identity-providers-for-end2end-sso-with-sap-analytics-cloud-and-sap-hana-database-part-2/

Learn More:

https://blogs.sap.com/2018/02/28/saml-integration-between-microsoft-azure-portal-and-sap-analytics-cloud/

https://blogs.sap.com/2017/12/19/sap-analytics-cloud-saml-sso-using-adfs-active-directory-federation-services-as-an-identity-provider/

https://blogs.sap.com/2018/02/22/adfs-with-sap-business-intelligence-platform/

https://blogs.sap.com/2018/03/01/saml-integration-between-microsoft-azure-portal-and-sap-business-intelligence-platform/

Sara Sampaio


Author Since: March 10, 2022
