Enabling a Custom SAML Identity Provider

Objective

After completing this lesson, you will be able to configure SAP Analytics Cloud to use a custom SAML Identity Provider.

Exploring the SAML 2.0 Protocol

What is SAML?

Security Assertion Markup Language 2.0 (SAML 2.0) is an internet standard for exchanging authentication and authorization data between security domains.

SAML 2.0 is an XML-based protocol that uses security tokens containing assertions to pass information about a principal (usually an end user) between an identity provider and a web service provider. SAML 2.0 enables web-based authentication and authorization scenarios including single sign-on (SSO).

A SAML 2.0 landscape consists at a minimum of two components:

  1. SAML 2.0 Identity Provider (IdP)
  2. SAML 2.0 Internet Service Provider (ISP)

The SAML 2.0 IdP is an authoritative site that authenticates end users and asserts their identity information in a trusted fashion to trust partners, that is, the SAML 2.0 ISP. It's responsible for the management of the user identity lifecycle.

The ISP hosts the web application, and has a trust relationship to an IdP to accept and trust asserted information provided by the IdP on behalf of a user. The ISP delegates identity lifecycle and access management load to the IdP.

Key Points to Remember

SAML 2.0 uses a claim attribute to map Identity between the IdP and ISPs. It can be a User ID, email address, or any custom field. But remember, the mapping attribute is case sensitive!

The SAML 2.0 process flow is strictly dependent on time. It must be executed within a short period of time, as specified by the optional NotBefore and NotOnOrAfter attributes. You will need to make sure the identity provider clock and the service provider clocks are in sync.
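The following troubleshooting sketch is an added example, not SAP code. It shows how clock drift between the IdP and the service provider turns a valid assertion into a "not yet valid" or "expired" one. The sample assertion, the function names, and the `skew` tolerance are assumptions made for illustration; the check reads the validity window only and does not verify the signature.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample: a decoded assertion fragment, not captured from a real IdP.
SAMPLE_ASSERTION = """\
<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
                ID="_constructed" Version="2.0" IssueInstant="2024-05-01T10:00:00Z">
  <saml:Conditions NotBefore="2024-05-01T09:59:30Z"
                   NotOnOrAfter="2024-05-01T10:05:00Z"/>
</saml:Assertion>"""


def _parse_ts(value):
    """Parse a SAML UTC timestamp such as 2024-05-01T10:00:00Z."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def check_window(assertion_xml, sp_now, skew=timedelta(0)):
    """Return (status, detail) for the service provider clock reading sp_now."""
    # skew: hypothetical tolerance applied to both ends of the window.
    cond = ET.fromstring(assertion_xml).find("saml:Conditions", NS)
    if cond is None:
        return "ok", "no Conditions element"
    not_before = cond.get("NotBefore")          # both attributes are optional
    not_on_or_after = cond.get("NotOnOrAfter")
    if not_before and sp_now + skew < _parse_ts(not_before):
        gap = (_parse_ts(not_before) - sp_now).total_seconds()
        return "not_yet_valid", f"SP clock is {gap:.0f}s before NotBefore"
    if not_on_or_after and sp_now - skew >= _parse_ts(not_on_or_after):
        gap = (sp_now - _parse_ts(not_on_or_after)).total_seconds()
        return "expired", f"SP clock is {gap:.0f}s at or past NotOnOrAfter"
    return "ok", "inside the validity window"


if __name__ == "__main__":
    issued = datetime(2024, 5, 1, 10, 0, 0, tzinfo=timezone.utc)
    for drift in (0, -120, 400):  # SP clock offset from the IdP, in seconds
        print(drift, check_window(SAMPLE_ASSERTION, issued + timedelta(seconds=drift)))
```

A service provider clock that runs two minutes slow rejects this assertion as not yet valid even though the IdP issued it correctly, which is why a login failure right after setup is worth checking against time synchronization on both sides.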

SSO Workflows

Typical Service Provider Initiated SSO Workflow

In this learning journey, we use SAML 2.0 authentication to set up custom SAML IdP for SAP Analytics Cloud.

The following is a typical SAML workflow:

  1. User attempts to access a resource that is protected by SAML 2.0.
  2. The ISP redirects the user to a SAML IdP for authentication.
  3. The IdP queries the user for authentication credentials.
  4. The user supplies the requested credentials.
  5. The IdP returns the user to the ISP with an authentication response.
  6. The ISP presents the requested resource to the user.

Diagram of the typical service provider initiated SSO workflow: steps 1 to 6 above, passing between the user, the Service Provider, and the IdP.

Identity Provider-Initiated SSO

It's also possible to set up an IdP-initiated single sign-on with SAP Analytics Cloud. By default, IdP-initiated SSO is not enabled.

To enable IdP-initiated SSO on a tenant running in an SAP data center, you must request that the IdP administrator add a new assertion consumer service endpoint to your identity provider.

Possible reasons for doing this include:

  1. To reduce the number of round-trips in your landscape. Starting at the ISP always redirects the user agent to the IdP. By starting at the IdP, you save at least one round-trip.
  2. To make your IdP the single point of access.
  3. Perhaps your portal is the host of your ISP. Since all users start here anyway, you do not have to send them to the ISP and then back to the portal before sending them to the ISP.

Enable a Custom SAML Identity Provider

SAML Single Sign-On

By default, SAP Analytics Cloud uses SAP Cloud Identity authentication. It also supports SAML Single Sign-On (SSO) using an identity provider (IdP). The identity provider can be either on-premise or cloud-based, but it must support the SAML 2.0 protocol.

SAP Analytics Cloud system owners can configure their tenants to use a custom SAML IdP for authentication. On the System page, they go to the Security tab, select the Edit icon as shown in the following example, and perform the necessary configuration.

SAP Analytics Cloud Security Page with the Authentication Method in Edit mode. SAML Single Sign-on (SSO) is selected.

You will have to work with your IdP administrator to enable a custom SAML IdP for SAP Analytics Cloud. Your IdP administrator will need to perform many of the required configuration steps in the identity provider.

Note

A custom identity provider is a separate solution. IdPs are not part of SAP Analytics Cloud. Therefore, the changes in configuration are applied in the custom IdP. The IdP administrator does not require access to SAP Analytics Cloud to make the change, only access to the IdP.

Business Scenario

At The Mock Company, SAP NetWeaver IdP (SAP's on-premise SAML 2.0 provider) will be used as the custom SAML IdP for SAP Analytics Cloud.

This video will show you from start to finish how SAML SSO was enabled in SAP Analytics Cloud, by showing you what was configured by the system owner of SAP Analytics Cloud and the IdP administrator of SAP NetWeaver IdP.

Step 1: Download Service Provider Metadata

Download the SAP Analytics Cloud system metadata file. The SAP Analytics Cloud system metadata file is an XML file that contains both the metadata information of the tenant and the SAP Analytics Cloud system certificate, which you will need to import into your custom SAML IdP. You provide the metadata file to the IdP administrator for the next step in the process.

When the metadata file is uploaded to your SAML IdP, a trusted relationship is created between your custom SAML IdP and your SAP Analytics Cloud system.

SAP Analytics Cloud Security Page with the Authentication Method in Edit mode. Step 1: Download Service Provider metadata step is highlighted.

Step 2: Upload the Identity Provider Metadata

The IdP administrator maps your SAML IdP user attributes in the custom SAML IdP. They provide you with a metadata file from the custom SAML IdP that you upload to SAP Analytics Cloud.

For SAP Analytics Cloud Systems Running On Non-SAP Data Centers:

We recommend that you map only the user attributes and roles that will be used in SAP Analytics Cloud. Mapping additional user attributes may result in a large SAML assertion, which could produce a login error. If SAP Analytics Cloud is running on a non-SAP data center, you must configure your SAML IdP to map user attributes to the following case-sensitive white-listed assertion attributes:

Attribute Name       Notes
email                Required if your NameID is "email".
Groups               Required. Set to "sac".
familyName           Optional. familyName is the user's last name (surname).
displayName          Optional.
functionalArea       Optional.
givenName            Optional. givenName is the user's first name.
preferredLanguage    Optional.
custom1              Optional. For SAML role assignment.
custom2              Optional. For SAML role assignment.
custom3              Optional. For SAML role assignment.
custom4              Optional. For SAML role assignment.
custom5              Optional. For SAML role assignment.

Step 3: Choose a User Attribute to Map to Your Identity Provider

Select a User Attribute. The attribute will be used to map users from your existing SAML user list to SAP Analytics Cloud. The user attribute you select must match the NameID used in the custom SAML assertion:

<NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"><Your Unique Identifier></NameID>

NameID is case sensitive and must exactly match the values in your custom SAML IdP. For example, if the NameID returned by your SAML IdP is user@company.com and the email you used in SAP Analytics Cloud is User@company.com, then the mapping will fail.

From the dropdown menu, there are three options:

  1. Select USER ID if NameID maps to the SAP Analytics Cloud User ID.
  2. Select Email if NameID maps to the SAP Analytics Cloud email address.
  3. Select Custom SAML User Mapping if NameID maps to a custom value.

    Consider choosing Custom SAML User Mapping if your email addresses contain mixed case, for example User@COMPANY.com.

    If you select this option, there will be a new column named SAML User Mapping in the Users list. After switching to your SAML IdP, you must manually update this column for all existing users.
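A pre-flight check for the two case-sensitivity pitfalls described in Steps 2 and 3, written as an added example and not taken from SAP. It audits a decoded assertion against the attribute names listed for non-SAP data centers and compares the NameID with the values stored in SAP Analytics Cloud. The sample assertion, the `department` attribute, and the function name are constructed for illustration.

```python
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
# Attribute names exactly as listed in the Step 2 table (case-sensitive).
ALLOWED = {"email", "Groups", "familyName", "displayName", "functionalArea",
           "givenName", "preferredLanguage",
           "custom1", "custom2", "custom3", "custom4", "custom5"}

# Constructed sample assertion; every value is invented for illustration.
SAMPLE = """\
<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
                ID="_constructed" Version="2.0" IssueInstant="2024-05-01T10:00:00Z">
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">user@company.com</saml:NameID>
  </saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="Email"><saml:AttributeValue>user@company.com</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="Groups"><saml:AttributeValue>sac</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="department"><saml:AttributeValue>FIN</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def audit_assertion(xml_text, sac_user_values):
    """List mapping problems in a decoded assertion (no signature check is done)."""
    # sac_user_values: values stored in SAP Analytics Cloud for the Step 3 attribute.
    root = ET.fromstring(xml_text)
    findings = []
    by_lower = {a.lower(): a for a in ALLOWED}
    attrs = {a.get("Name", ""): a.findtext("saml:AttributeValue", "", NS)
             for a in root.iterfind(".//saml:Attribute", NS)}
    for name in attrs:
        if name in ALLOWED:
            continue
        near = by_lower.get(name.lower())
        findings.append(f"attribute '{name}' differs only in case from '{near}'" if near
                        else f"attribute '{name}' is not in the allowlisted set")
    if attrs.get("Groups") != "sac":
        findings.append("Groups attribute is missing or not set to 'sac'")
    name_id = root.findtext(".//saml:NameID", "", NS).strip()
    if name_id not in sac_user_values:
        near = [v for v in sac_user_values if v.lower() == name_id.lower()]
        findings.append(f"NameID '{name_id}' differs only in case from '{near[0]}'" if near
                        else f"NameID '{name_id}' matches no user")
    return findings


if __name__ == "__main__":
    print("\n".join(audit_assertion(SAMPLE, ["User@company.com"])))
```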

SAP Analytics Cloud Security Page with the Authentication Method in Edit mode. Step 3: Choose a user attribute to map to your identity provider is displayed.

Step 4: Confirm that the Mapping is Working

In the following example, you can see that the ADMIN user was selected as the Login Credential (USER ID) to test the user attribute mapping with SAML. Using this user, you confirm that the mapping is working by opening a private browsing session and pasting the URL displayed in the Verify Your Account dialog into the browser address bar. An SAP Analytics Cloud login page will be displayed where you enter the user credentials for the user selected in the Login Credential (USER ID) field to be authenticated by the custom SAML IdP.

You must use a private session to open the URL, for example, Incognito mode in Chrome. This ensures that when you paste the link, you will be prompted to log in and the browser does not reuse an existing session.

SAP Analytics Cloud Security Page with the Authentication Method in Edit mode. Step 4 Confirm that the mapping is working is displayed along with the Verify Your Account dialog.

Once you have successfully logged in using the private browsing window, select Check Verification in the Verify Your Account dialog. If the verification was successful, then a green border will appear around the Login Credential box.

Only save the configuration if the verification step is successful. Saving without this confirmation step can potentially leave your SAP Analytics Cloud system in an inconsistent state and you may lose access to the tenant.

Optional

You can also add optional configuration when setting up SAML SSO in SAP Analytics Cloud.

  1. Configure Identity Provider Administration tool.

    The tool allows system owners to manage the custom SAML identity provider configured with SAP Analytics Cloud. They can choose to upload new metadata for the current custom SAML identity provider or revert to using the default identity provider.

  2. Add a user profile URL. The URL should link to the profile management page of your SAML IdP.
  3. Add a password management URL. The URL should link to the password management page of your SAML IdP.
  4. Configure Logout. Choose one of the following logout options:
    • Application log out: Log out of SAP Analytics Cloud and remain signed in to your IdP system.
    • IdP Logout: Log out of your SAML IdP.
    • By default, when users log out of SAP Analytics Cloud, they are automatically logged out of their SAML IdP.

SAP Analytics Cloud Security Tab showing the four optional configuration settings. From top to bottom, they correspond to the text above.

Update and Renew the SAP Analytics Cloud SAML Signing Certificate

If you have a metadata file that contains the new certificate from your custom SAML IdP, then you can update the SAML IdP Signing Certificate in the Security page or using the Identity Provider Administration tool.

Remember, in order to continue using SAML SSO, you must renew the SAP Analytics Cloud SAML Signing Certificate before it expires. An email with details on how to renew the SAML X509 certificate will be sent to administrators before the certificate expiry date. If the certificate expiry is less than 30 days away, a warning message will also appear when you log on to SAP Analytics Cloud.

Additional Information

For more information on enabling and maintaining a custom SAML IdP for SAP Analytics Cloud, please visit: Enable a Custom SAML Identity Provider | SAP Help Portal
