Managing Users Using SAML Attributes

Objective

After completing this lesson, you will be able to dynamically create users in SAP Analytics Cloud and manage their profiles, roles, and teams using SAML attributes.

Dynamic User Management Process

In this lesson, we'll cover the following topics related to dynamic user management:

  1. User creation, including validation.
  2. User assignment to roles and teams.

Business Scenario

At The Mock Company, you want new users to be created automatically and assigned to the required roles and teams. You enable Dynamic User Creation and validate that it works as expected. You then work with your SAML IdP administrator to map the SAML attributes that drive automatic role and team assignment.


Dynamic User Creation

Enabling Dynamic User Creation

Although Dynamic User Creation can be selected while you configure SAP Analytics Cloud to use a custom SAML IdP, it is recommended to leave the option unchecked until the SAML single sign-on configuration has been validated. Otherwise a misconfigured IdP starts creating accounts in the tenant as soon as anyone logs in.

In the previous lesson, the custom SAML IdP was set up. Now that it has been configured and validated, we enable dynamic user creation.

To access the option, go to System in the vertical menu and select the Security tab at the top of the page, as shown below.

SAP Analytics Cloud Security Page with the Authentication Method in Edit mode. Step 3 of the SAML Single Sign-On Configuration is shown with Dynamic User Creation checkbox highlighted.

When dynamic user creation is enabled, a new user is created automatically in SAP Analytics Cloud on first login, using the user attributes from the SAML assertion as described in the previous lesson.

In this lesson, we will show you how users can be automatically assigned to teams and roles in SAP Analytics Cloud.

Note

If this option is enabled, SAP Analytics Cloud creates the user even when the SAML user attributes have not been set for all IdP users; a missing attribute does not block creation. SAP Analytics Cloud does not decide who may have an account: any user the IdP successfully authenticates to the tenant gets one. To prevent a user from being created automatically, your SAML IdP must deny that user access to SAP Analytics Cloud.

Automatic User Deletion

Automatic user deletion is not supported in SAP Analytics Cloud. If a user is removed in the custom SAML IdP, the account remains in SAP Analytics Cloud, and you must delete the user manually from the Users list in the SAP Analytics Cloud tenant.

This process is covered in the lesson on Creating and Maintaining Users in SAP Analytics Cloud.

Map SAML Attributes to Existing Users

Map Existing SAML Attributes to SAP Analytics Cloud User Profiles

You can map existing SAML user attributes to SAP Analytics Cloud user profiles. Each time a user logs on to SAP Analytics Cloud, the latest values are read from their SAML assertion and written to their SAP Analytics Cloud user profile, so the IdP is the source of truth for the mapped fields.

You can map SAML user attributes to the following fields in SAP Analytics Cloud:

  • First Name
  • Last Name
  • Display Name
  • Email
  • Functional Area
  • Language
  • Custom1, Custom2, and so on.

Mapping SAML Attributes

Mapping SAML attributes to SAP Analytics Cloud user profiles is a three-step process:

Step 1: The IdP administrator configures your custom SAML IdP to return one or more SAML user attributes in the assertions issued to authenticated users. The attributes SAP Analytics Cloud expects are listed below.

Attribute Name      Notes
email               Required if your NameID is "email".
Groups              Required. Set to "sac".
familyName          Optional. The user's last name (surname).
displayName         Optional.
functionalArea      Optional.
givenName           Optional. The user's first name.
preferredLanguage   Optional.

Example of a custom SAML IdP with SAML Attributes highlighted.

Step 2: Select Map SAML User Properties in the Users list.

Step 3: In the Map SAML Attributes dialog, select a SAML Attribute and the corresponding Target Property using the dropdowns.

Select the New Mapping Definition icon to add additional SAML attributes, if necessary.

Map SAML User Properties highlighted at the top of the screen. The Map SAML Attribute dialog is open on screen with 6 SAML attributes mapped to 6 Target Properties.

Additional Information

For more information on mapping SAML attributes to users, please visit Map SAML Attributes to Users.

Dynamic User Assignment

Assign Users to Roles and Teams

Once a custom SAML IdP is enabled in your SAP Analytics Cloud tenant, users can be assigned to roles and teams automatically based on the SAML attributes that the IdP returns in the assertion.

In the screenshot below, the custom attribute custom1 is used to expose the user's Department from SAP NetWeaver IdP.


These attribute values are what the mapping conditions below evaluate to decide which roles and teams the user is assigned to in SAP Analytics Cloud.

Dynamically Assign Users to Roles

In the exercise in this lesson, we use the assignment of users to teams to demonstrate the steps for dynamic assignment. However, the process is similar for roles.

To dynamically assign users to roles using SAML attributes, you follow the process below:

  1. From the Roles list, select an existing role.
  2. Select the Open SAML Role Mapping icon.
  3. In the Create SAML Mapping dialog, select a SAML Attribute, a Condition, and enter a Value. Supported conditions are Equal, Does Not Equal, Is Null, and Is Not Null.
  4. Select New Mapping Definition to add mappings to the role assignment, if required.
  5. Under Conditions Logic, select AND or OR.
    • If AND is selected, then the conditions for all attributes must be met for the mapping to be applied.
    • If OR is selected, the conditions for only one of the attributes must be met for the mapping to be applied.

The selected role is applied to every user who meets the specified conditions when logging on to SAP Analytics Cloud with SAML authentication.

If a mapped role was previously assigned to a user who no longer meets the specified conditions, the role is revoked at that user's next login. Mappings are evaluated only at login, so a change made at the IdP takes effect the next time the affected user logs on.
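The profile refresh from the three mapping steps above and the condition logic for role and team assignment just described, modelled in Python as an added example. This is not SAP code and SAP Analytics Cloud's internal implementation is not public; the sample assertion is constructed, the team names come from the exercise scenario on this page, and the treatment of absent and multi-valued attributes is an assumption marked in the code.

```python
"""Added example (not SAP code): models how SAP Analytics Cloud applies SAML
attribute mappings at login, as described on this page. Signature validation
of the assertion is assumed to have been done by the service provider already;
only the AttributeStatement is read here."""
from __future__ import annotations

import xml.etree.ElementTree as ET
from dataclasses import dataclass

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample assertion body (not from a real IdP); unsigned, trimmed to
# Subject and AttributeStatement. custom1/custom2 carry department and region.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_a1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">
  <saml:Issuer>https://idp.mock-company.example/saml</saml:Issuer>
  <saml:Subject><saml:NameID>jane.doe@mock-company.example</saml:NameID></saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="email"><saml:AttributeValue>jane.doe@mock-company.example</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="Groups"><saml:AttributeValue>sac</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="givenName"><saml:AttributeValue>Jane</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="familyName"><saml:AttributeValue>Doe</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="custom1"><saml:AttributeValue>Finance</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="custom2"><saml:AttributeValue>NA</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def extract_attributes(assertion_xml: str) -> dict[str, list[str]]:
    """Return {attribute name: [values]} from the AttributeStatement.
    Multi-valued attributes (e.g. several Groups) keep every value."""
    root = ET.fromstring(assertion_xml)
    attrs: dict[str, list[str]] = {}
    for attr in root.iterfind(".//saml:AttributeStatement/saml:Attribute", SAML_NS):
        attrs[attr.get("Name")] = [v.text or "" for v in attr.findall("saml:AttributeValue", SAML_NS)]
    return attrs


# SAML attribute -> SAC target property, following the attribute table on this page.
PROFILE_MAPPING = {
    "givenName": "First Name", "familyName": "Last Name", "displayName": "Display Name",
    "email": "Email", "functionalArea": "Functional Area", "preferredLanguage": "Language",
    "custom1": "Custom1", "custom2": "Custom2",
}


def map_profile(attrs: dict[str, list[str]], mapping: dict[str, str]) -> dict[str, str]:
    """Profile refresh for one login: each mapped attribute present in the
    assertion overwrites the stored field (the page: latest values are read at
    every login). Attributes missing from the assertion are skipped here; that
    is a modelling assumption, not documented SAC behaviour."""
    return {target: attrs[name][0] for name, target in mapping.items() if attrs.get(name)}


@dataclass(frozen=True)
class Rule:
    attribute: str
    condition: str  # "Equal", "Does Not Equal", "Is Null" or "Is Not Null"
    value: str = ""


@dataclass(frozen=True)
class Mapping:
    target: str             # role or team name
    rules: tuple[Rule, ...]
    logic: str = "AND"      # Conditions Logic: "AND" (all rules) or "OR" (any rule)


def rule_matches(rule: Rule, attrs: dict[str, list[str]]) -> bool:
    values = attrs.get(rule.attribute, [])
    if rule.condition == "Is Null":
        return not values
    if rule.condition == "Is Not Null":
        return bool(values)
    if rule.condition == "Equal":          # multi-valued: any value may match (assumption)
        return rule.value in values
    if rule.condition == "Does Not Equal":
        return rule.value not in values
    raise ValueError(f"unsupported condition {rule.condition!r}")


def mapping_matches(mapping: Mapping, attrs: dict[str, list[str]]) -> bool:
    results = [rule_matches(r, attrs) for r in mapping.rules]
    return all(results) if mapping.logic == "AND" else any(results)


# Team mappings from the exercise scenario on this page; both rules must hold (AND).
TEAM_MAPPINGS = (
    Mapping("Finance_Adhoc_NA", (Rule("custom1", "Equal", "Finance"), Rule("custom2", "Equal", "NA"))),
    Mapping("HR_Adhoc_NA", (Rule("custom1", "Equal", "HR"), Rule("custom2", "Equal", "NA"))),
)


def apply_mappings(attrs, mappings, current: set[str]) -> tuple[set[str], set[str], set[str]]:
    """One login: grant every mapped target whose conditions hold and revoke a
    mapped target the user holds but no longer qualifies for. Targets without
    any SAML mapping (e.g. a manually assigned admin role) are left untouched."""
    mapped = {m.target for m in mappings}
    matched = {m.target for m in mappings if mapping_matches(m, attrs)}
    granted = matched - current
    revoked = (current & mapped) - matched
    return (current - revoked) | granted, granted, revoked


if __name__ == "__main__":
    a = extract_attributes(SAMPLE_ASSERTION)
    print(map_profile(a, PROFILE_MAPPING))
    # Jane moved from HR to Finance at the IdP: HR_Adhoc_NA is revoked, Finance_Adhoc_NA granted.
    print(apply_mappings(a, TEAM_MAPPINGS, {"HR_Adhoc_NA", "BI_Admin"}))
```

Running the script with a user whose IdP department changed from HR to Finance shows the behaviour the text describes: the team whose conditions no longer hold is revoked at that login, the newly matching team is granted, and a role or team with no SAML mapping is left alone. The attribute values are taken from the assertion, so the mapping is only as trustworthy as the IdP that signs it, which is why signature validation has to precede this step.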

Additional Information

For more information on mapping SAML attributes for roles and teams, please visit:

Assign Users to a Team Dynamically

Business Scenario

You have been working with the SAML IdP administrator to set up a custom SAML IdP. Now that users are being created automatically, you want to create SAML mappings for the teams you have created so that users are assigned to them automatically based on their attributes.

In this practice exercise, you will:

  • Create SAML mapping for the Finance_Adhoc_NA team.
  • Create SAML mapping for the HR_Adhoc_NA team.

User and Team Provisioning API

The User and Team Provisioning API can be used to manage users and teams programmatically, for example to reconcile SAP Analytics Cloud with the IdP, since user deletion is not automatic.

This API allows you to:

  • Create, read, update, and delete users and teams.
  • Set user profile preferences.
  • Assign existing roles to users and teams.

You cannot create new roles using this API.

Additional Information

For more information on using APIs for user and team provisioning, please visit
