As a follow-up to the blog post below, I will describe in depth, step by step, the specific configuration we tried with the following applications.
https://blogs.sap.com/2021/06/14/setup-multiple-identity-providers-for-sap-analytics-cloud/
The following applications were used to test the configuration.
1. SAP Identity Authentication Service – Act as IdP proxy
2. SAP Identity Authentication Service – Corporate IdP
3. Microsoft Azure IdP – External IdP
4. Microsoft ADFS IdP – External IdP
5. SAP Analytics Cloud – Service Provider
6. SAP HANA Database – Service Provider
1. Setting up trust between IdP proxy to Corporate IdP and External IdP
In the proxy system, add all three IdP entries by uploading their metadata.
1.1 IdP proxy to Corporate IdP
Switch to the IdP proxy’s Administration console. In the “Corporate Identity Providers” menu, add a new corporate IdP and give it a name like “Your Corporate IdP”.
SAML 2.0 Configuration – Upload the metadata from your corporate IdP
Identity Provider Type – Set it to “SAML 2.0 Compliant”. Set this value accordingly if your corporate IdP is Microsoft ADFS / Azure or SAP Single Sign-On.
Name ID Format – Set it as “E-Mail”
Save the configuration; this completes the setup of the IdP proxy to Corporate IdP. Next, repeat the same configuration for each External IdP, e.g. Microsoft Azure and ADFS.
1.2 IdP proxy to External IdP – Microsoft Azure
Download the Microsoft Azure metadata and switch to the IdP proxy’s Administration console. In the “Corporate Identity Providers” menu, add a new corporate IdP and give it a name like “Your External IdP”.
SAML 2.0 Configuration – Upload the metadata from your external IdP
Identity Provider Type – Set it to “Microsoft ADFS / Azure AD”
Name ID Format – Set it as “E-Mail”
Save the configurations and we have completed the setup of the IdP proxy to External IdP.
1.3 IdP proxy to External IdP – Microsoft ADFS
Download the Microsoft ADFS metadata and switch to the IdP proxy’s Administration console. In the “Corporate Identity Providers” menu, add a new Corporate IdP and give it a name like “ADFS IdP”.
SAML 2.0 Configuration – Upload the metadata from ADFS IdP
Identity Provider Type – Set it to “Microsoft ADFS / Azure AD”
Name ID Format – Set it as “E-Mail”
Save the configurations and we have completed the setup of the IdP proxy to External IdP.
2. Setting up trust between IdPs and IdP proxy
2.1 Corporate IdP to IdP proxy
Access the Corporate IdP’s administration console and create an application for the central IAS acting as proxy. As shown in the following screenshot, the application is named “IAS proxy”.
Set the following values
Type – SAML 2.0
SAML 2.0 Configuration – Upload the metadata from IdP proxy tenant
Subject Name Identifier – Set it as “E-Mail”
Default Name Identifier – Set it as “E-Mail”
Default Attributes – Add attribute “Groups”, and its value “sac”
Assertion Attributes – Add a new SAML assertion attribute for group “sac” as shown below. These SAML attributes will be used later for dynamic user creation, team assignment and role mappings between the IdP and SAP Analytics Cloud. SAP Analytics Cloud has a defined list of assertion attributes, and their names are case-sensitive.
2.2 External IdP – Microsoft Azure to IdP proxy
- Download the IdP proxy metadata and switch to Microsoft Azure
- Goto Azure Active Directory –> Enterprise Applications –> All Applications
- New Application – In the All Applications window, click on New Application
- Search the gallery for SAP Cloud Platform Identity Authentication; it is listed under that name
- Add an Application – Provide application name and click on Add
- Assign user – Users and groups – Add user
- SAML configuration – Click on Single Sign-on and select SAML-based Sign-on from the drop-down for Single Sign-on Mode
- Upload the IdP proxy metadata downloaded earlier
- Select user.mail from User Identifier
- Download Metadata.xml to your local directory; it will be uploaded to the IdP proxy later
- Save
2.3 External IdP – Microsoft ADFS to IdP proxy
- Download the IdP proxy metadata and switch to Microsoft ADFS
- Launch ADFS Management
- Under Trust Relationships –> right click on Relying Party Trusts
- Click start
- Select Import data about the relying party from a file, and select the metadata.xml file that we downloaded in step 1
- After importing file, click on next
- Specify Display name and click next
- Select I do not want to configure multi-factor authentication settings for this relying party trust at this time and click next
- Issuance Authorization Rules, select Permit all users to access this relying party and click on next and finish
- Add a Claim Rule for the SAP IAS proxy: select Send LDAP Attributes as Claims and click on next
- Enter the Claim Rule name: AD Login to Name ID
- Select the attribute store (Active Directory) and the mapping of LDAP attributes
- Add Rule
- Select Transform an Incoming Claim and click on next
- Enter the Claim Rule name: Transform NameID
- Select Incoming claim type – Email Address
- Outgoing claim type – Name ID
- Outgoing name ID format – Email
3. Setting up trust between IdP proxy and SAP Analytics Cloud
3.1 Configuring IdP proxy with SAP Analytics Cloud
Configure SAP Analytics Cloud as Service Provider in IdP Proxy
Once you have completed the above configurations, navigate to the IdP proxy’s Administration console and create an application under the Applications and Resources menu.
Under Trust, set the below values
Type – SAML 2.0
SAML 2.0 Configuration – Upload the metadata from SAP Analytics Cloud tenant
Subject Name Identifier – Set it as “E-Mail”
Default Name Identifier – Set it as “E-Mail”
Default Attributes (optional) – Add attribute “Groups”, and its value “sac”
Assertion Attributes (optional) – Add a new SAML assertion attribute for dynamic user creation, team assignment, role mappings between IdP and SAP Analytics Cloud
The Default Attributes and Assertion Attributes are not required here if you have already configured them at the corporate IdP level. If the needed assertion attributes exist only in the IdP proxy (which means the user profiles also exist in the IdP proxy), you can add the assertion attributes here instead. In that case, all you need to do is switch on Identity Federation under the corporate IdP, as shown in the following screenshot.
User logon using Conditional Authentication
To ensure that different users can log on to SAP Analytics Cloud via different Identity Providers, we need to use Conditional Authentication in IAS. The IAS tenant administrator can control access to an application by defining rules that select the authenticating identity provider. Based on these rules, users are authenticated either via a corporate identity provider or via Identity Authentication itself.
Click on the application “SAP Analytics Cloud” in the Identity Authentication proxy and open Conditional Authentication. Rules for the authenticating identity provider can be defined according to e-mail domain, user type, user group and IP range. As shown in the above image, users who use a company e-mail address, or who belong to the user group “Employee”, will be authenticated via the corporate IdP. Next, define rules for your external users based on IP addresses, so that the external users are authenticated via the External IdP.
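The rule evaluation just described, as an added example that is not part of the original post and not IAS code: a small evaluator over constructed rules that route by e-mail domain, user group and client IP range, falling back to Identity Authentication when nothing matches. The rule list, its top-down first-match order, the IdP names and the address ranges are all assumptions made for illustration; only the routing criteria come from the post.

```python
"""Added example: evaluate conditional-authentication style rules.

Constructed for illustration; not SAP IAS code. Assumes rules are
evaluated top-down and the first matching rule wins, and that all
conditions inside one rule must hold (AND).
"""
import ipaddress

# Fallback when no rule matches: authenticate in Identity Authentication itself.
IAS_DEFAULT = "Identity Authentication"

# Constructed rule list. Domain, group and IP ranges are placeholders
# (RFC 5737 documentation ranges, .invalid domains).
RULES = [
    {"email_domain": "corp.example.invalid", "idp": "Corporate IdP"},
    {"user_group": "Employee", "idp": "Corporate IdP"},
    {"ip_range": "198.51.100.0/24", "idp": "External IdP - Azure AD"},
    {"ip_range": "203.0.113.0/24", "idp": "External IdP - ADFS"},
]


def rule_matches(rule, email, groups, client_ip, user_type=None):
    """Return True when every condition present in the rule holds."""
    if "email_domain" in rule:
        # Exact match on the part after '@' only; a missing '@' never matches.
        local, at, domain = email.rpartition("@")
        if not at or domain.lower() != rule["email_domain"].lower():
            return False
    if "user_group" in rule and rule["user_group"] not in groups:
        return False
    if "user_type" in rule and rule["user_type"] != user_type:
        return False
    if "ip_range" in rule:
        try:
            addr = ipaddress.ip_address(client_ip)
        except ValueError:
            # An unparseable client address must not satisfy an IP condition.
            return False
        if addr not in ipaddress.ip_network(rule["ip_range"], strict=False):
            return False
    return True


def choose_idp(email, groups, client_ip, user_type=None, rules=RULES):
    """Pick the identity provider for a login attempt; first matching rule wins."""
    for rule in rules:
        if rule_matches(rule, email, groups, client_ip, user_type):
            return rule["idp"]
    return IAS_DEFAULT


if __name__ == "__main__":
    print(choose_idp("jane@corp.example.invalid", [], "192.0.2.10"))
    print(choose_idp("guest@partner.example.invalid", [], "198.51.100.7"))
    print(choose_idp("guest@partner.example.invalid", [], "192.0.2.10"))
```

Note that the e-mail address and client IP are supplied before any authentication has happened, so a rule only decides which IdP is asked; the selected IdP still performs the actual authentication, which is why the external-user rules above key on IP ranges rather than on anything the user types.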
3.2 SAP Analytics Cloud with IdP proxy
Once you have completed the above configurations, navigate to SAP Analytics Cloud Administration and configure the trust between SAP Analytics Cloud and the IdP proxy.
- Enabling a Custom SAML Identity Provider in SAP Analytics Cloud
For detailed step-by-step instructions, follow the blog below
- Upload the metadata from IdP proxy
- Select “E-Mail” as the user attribute type and enable Dynamic User Creation
Once Dynamic User Creation is enabled, new user profiles are created automatically from the SAML attributes for First Name, Last Name, Display Name, etc.
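What the service-provider side does with the assertion attributes from section 2.1 and the dynamic user creation just described, as an added example that is not from the original post and not SAC code: it parses a constructed, unsigned SAML 2.0 assertion, checks that the NameID uses the e-mail format (the standard URI that the “E-Mail” setting corresponds to), requires the “Groups” attribute to contain “sac”, and builds the profile fields from the attributes with case-sensitive name lookup. The issuer, the e-mail, and the attribute names firstName, lastName and displayName are placeholders; the real attribute names come from the SAC documentation, and a real SP validates the signature, audience and time window before it trusts any of these values.

```python
"""Added example (not SAP code): parse a SAML 2.0 assertion as the SP sees it
and derive the profile used for dynamic user creation."""
import xml.etree.ElementTree as ET

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
# Standard SAML URI that the "E-Mail" Name ID setting corresponds to.
EMAIL_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
# "Groups" / "sac" come from the setup above; the profile attribute names are
# assumed placeholders (the real ones are in the SAC documentation).
REQUIRED_GROUP = "sac"
PROFILE_ATTRS = {"firstName": "first_name", "lastName": "last_name", "displayName": "display_name"}

# Constructed, unsigned sample assertion. A real SP verifies the XML signature,
# Audience and Conditions time window before looking at any of these values.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_constructed-assertion-1" Version="2.0" IssueInstant="2021-06-14T10:00:00Z">
  <saml:Issuer>https://idp-proxy.example.invalid</saml:Issuer>
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">jane.doe@corp.example.invalid</saml:NameID>
  </saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="Groups"><saml:AttributeValue>sac</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="firstName"><saml:AttributeValue>Jane</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="lastName"><saml:AttributeValue>Doe</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="displayName"><saml:AttributeValue>Jane Doe</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def parse_assertion(xml_text):
    """Extract NameID, its Format and all attributes (name -> list of values)."""
    root = ET.fromstring(xml_text)
    name_id = root.find("saml:Subject/saml:NameID", SAML_NS)
    if name_id is None:
        raise ValueError("assertion has no Subject/NameID")
    attributes = {}
    for attr in root.findall("saml:AttributeStatement/saml:Attribute", SAML_NS):
        values = [(v.text or "").strip() for v in attr.findall("saml:AttributeValue", SAML_NS)]
        attributes[attr.get("Name")] = values  # dict keys are case-sensitive
    return {"name_id": (name_id.text or "").strip(),
            "name_id_format": name_id.get("Format"),
            "attributes": attributes}


def build_user_profile(parsed):
    """Derive the dynamic-user-creation profile, rejecting unusable assertions."""
    if parsed["name_id_format"] != EMAIL_FORMAT:
        raise ValueError(f"NameID format is {parsed['name_id_format']!r}, expected e-mail format")
    attrs = parsed["attributes"]
    # 'groups' or 'GROUPS' would not match: the attribute name must be exactly 'Groups'.
    if REQUIRED_GROUP not in attrs.get("Groups", []):
        raise ValueError(f"required group {REQUIRED_GROUP!r} missing from attribute 'Groups'")
    profile = {"email": parsed["name_id"], "groups": list(attrs["Groups"])}
    for saml_name, field in PROFILE_ATTRS.items():
        if saml_name not in attrs or not attrs[saml_name]:
            raise ValueError(f"missing assertion attribute {saml_name!r}")
        profile[field] = attrs[saml_name][0]
    return profile


def profile_or_error(xml_text):
    """Convenience wrapper: (profile, None) on success, (None, message) on rejection."""
    try:
        return build_user_profile(parse_assertion(xml_text)), None
    except (ValueError, ET.ParseError) as exc:
        return None, str(exc)


if __name__ == "__main__":
    print(profile_or_error(SAMPLE_ASSERTION))
    print(profile_or_error(SAMPLE_ASSERTION.replace('Name="Groups"', 'Name="groups"')))
```

Running it shows the profile for the sample assertion, and then the rejection when the group attribute is renamed to lowercase “groups”, which is the practical effect of the case-sensitive attribute names mentioned in section 2.1.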
4. Verification
- Log in to SAP Analytics Cloud (enter the SAC URL in the browser)
- It redirects to the login page; enter your email, e.g. TESTUSER@sapgtc.onmicrosoft.com
- Based on the domain, it redirects to the IdP authentication page; enter your password
- Once successfully authenticated, you are logged into SAP Analytics Cloud
Multiple Identity Providers for END2END SSO with SAP Analytics Cloud and SAP HANA Database – Part 2
Learn More:
https://blogs.sap.com/2018/02/22/adfs-with-sap-business-intelligence-platform/