SAP Analytics Cloud (SAC) is SAP’s cloud-based analytics solution and is part of the SAP Cloud Platform. SAC offers connectivity with SAP BW, SAP HANA, SAP Universes and several other data sources and cloud systems. As with any other analytics or reporting tool that deals with such diverse data sources and supports a hybrid model, Single Sign-on (SSO) is an important requirement for SAC. Due to its cloud-only nature, traditional Single Sign-on options can’t be used in SAC. However, SAC offers an easy SAML setup interface which greatly simplifies setup and administration of SSO.
SAC comes preconfigured with SAP’s cloud identity provider, and new users signing up to the system are given self-service registration options. If the organization already has a cloud identity provider preconfigured, it can be re-used with SAC. SAC can also be configured to use a corporate IdP (Identity Provider) and leverage the existing setup.
To set up Single Sign-on for SAC systems, the following are required:
- A SAML Identity Provider
- Service Provider (this will be SAC in this case)
- System owner account
The sign-on flow works as follows:
- A user launches the SAC URL in the browser. SAC is the service provider and redirects the user to the Identity Provider.
- The Identity Provider verifies the user’s credentials with the directory. Credentials can be obtained in different ways, such as a login page, Smart Card or X.509 certificate, depending on the IdP being used.
- Once the credentials are verified by the IdP, a SAML assertion is sent to the SAC system. Once the assertion is validated by SAC, the user is logged in.
Setting up SSO against a custom IdP is fairly simple in SAC. Log in to SAC with the “system owner” account, go to System -> Administration -> Security and switch to “Edit” mode.
*Note: this is the System Owner account in SAC
- Select the “SAML Single Sign-on (SSO)” option under “Authentication”
- Download the Service Provider metadata from SAC. Upload this metadata to the IdP and set up the required assertions
- Upload the IdP metadata into the SAC system. Once uploaded, the SAC system will show the IdP metadata expiry date
- Choose a user attribute. User and Email options are available by default. Custom attribute mapping is also available
- Then verify the setup with a user account
SAC is case-sensitive when verifying the SAML attribute. If the UserID or Email attribute is stored in a case-sensitive format in the IdP, it must be stored in SAC with exactly the same case. For instance, if the user ID is sent by the SAML IdP as User01, the user must be created in SAC with the same case (User01). Otherwise, SAML SSO will fail.
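A pre-flight check for the case-sensitivity failure described above, as an added example that is not part of the original article or of SAP's tooling. It assumes the mapped value arrives in the assertion's NameID; the sample assertion, the user list and the function names are constructed for illustration.

```python
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed, unsigned assertion fragment (illustration only).
SAMPLE_ASSERTION = """\
<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Subject><saml:NameID>User01</saml:NameID></saml:Subject>
</saml:Assertion>"""

# Constructed list of user IDs exactly as they were created in SAC.
SAC_USERS = ["user01", "USER02", "User03"]


def name_id(assertion_xml):
    """Return the NameID text exactly as the IdP sent it."""
    node = ET.fromstring(assertion_xml).find("saml:Subject/saml:NameID", NS)
    if node is None or not (node.text or "").strip():
        raise ValueError("assertion has no NameID")
    return node.text.strip()


def classify(idp_value, sac_users):
    """Return (status, matching SAC entry or None).

    exact         -> the value maps to a SAC user as-is
    case_mismatch -> a SAC user exists but differs only by case (SSO fails)
    missing       -> no SAC user with this ID in any casing
    """
    if idp_value in sac_users:
        return "exact", idp_value
    folded = [u for u in sac_users if u.casefold() == idp_value.casefold()]
    if folded:
        return "case_mismatch", folded[0]
    return "missing", None


def preflight(idp_values, sac_users):
    """Classify every IdP-sent value so mismatches are fixed before cut-over."""
    return {v: classify(v, sac_users) for v in idp_values}


if __name__ == "__main__":
    values = [name_id(SAMPLE_ASSERTION), "USER02", "user04"]
    for value, (status, sac_id) in preflight(values, SAC_USERS).items():
        print(f"{value:10} {status:14} SAC entry: {sac_id}")
```

Running it against an export of IdP user IDs before enabling SAML shows which SAC users need to be recreated with the IdP's casing.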
Renewing Identity Provider Metadata
Identity provider certificates have their own validity period, and when those certificates are updated the metadata also changes. When this happens, SAML SSO to SAC will fail and there are no fallback options available as of now. We have to reach out to SAP support to update the new metadata in the SAC system. However, this can be prevented by following one of the steps below:
- Switch to the default cloud identity provider before the SAML metadata update, and then upload the new SAML metadata once the certificate is renewed
- Log in to SAC before the metadata update and update the IdP metadata after that. Then upload the updated metadata into the SAC system