
SAC BW Live SSO connects without authentication

SvenS
Participant

Hello

We are having some weird behaviour regarding our SSO connection from SAC BW live connection via IAS.
So the setup we have at the moment is following:
We have set up SSO for SAC->IAS->AzureAD based on email, which is working just fine.
Now we set up the SSO for SAC BW Live connection to our on premise BW development system also with email.
We followed this guide with the setup all the way at the bottom regarding using the email address for SSO:
https://blogs.sap.com/2021/07/19/sap-analytics-cloud-saml-sso-with-btp-cloud-identity-services-ident...

When I test the auth and getserviceinfo from the ina in SICF, they both work, also with the SSO.
Also on SAC when I use the BW Live connection the SSO works just fine and I can access the queries.

The problem that we face at the moment is that users that don't have an email address assigned to them in BW development in SU01 are still able to connect to the SAC BW Live connection. It seems that the SSO still connects them even though they have no email address linked to them (see attachment).


However, when a user that exists on SAC but not on BW development tries to access the live connection, they get a login failed.

My question is now, how is the SSO mapping done with BW? Because it is not taking the email address into consideration from SU01, so to what is it being mapped, if we setup the SAML2 in BW development to use email address? Or is there a different place that email addresses are held in BW that it is mapped to?

Kind regards
Sven

Chrispri
Advisor
0 Kudos

Hi Sven,

Can you recheck your BW SAML user mapping that it is properly set up, and the user is getting correctly mapped to the user ID (default)? It could be the SAML user mapping setting on the BW system and on the IdP that is causing the issue. If you do a HTTP trace that shows the SAML assertions, this would also reveal how SAML user mapping is currently configured.

Br,

Chris
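One way to act on the HTTP-trace advice above, as an added example that is not from the thread or from SAP: decode the SAMLResponse captured in the trace, read the NameID and attributes BW receives, and simulate the two BW mapping modes (by user ID, by SU01 email) against a constructed user table. The sample assertion, the user table and all function names are assumptions for illustration.

```python
import base64
import xml.etree.ElementTree as ET

# Constructed sample assertion (not from the thread); a real one is the decoded
# SAMLResponse form field captured in an HTTP trace of the SAC -> BW login.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">SVEN</saml:NameID>
  </saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="mail">
      <saml:AttributeValue>sven@example.com</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

def decode_saml_response(b64_field):
    """Decode the base64 SAMLResponse form field taken from the HTTP trace."""
    return base64.b64decode(b64_field).decode("utf-8")

def parse_assertion(xml_text):
    """Return (NameID format, NameID value, {attribute name: [values]})."""
    root = ET.fromstring(xml_text)
    name_id = root.find(".//saml:Subject/saml:NameID", NS)
    attrs = {}
    for attr in root.findall(".//saml:AttributeStatement/saml:Attribute", NS):
        attrs[attr.get("Name")] = [v.text for v in attr.findall("saml:AttributeValue", NS)]
    return name_id.get("Format"), name_id.text, attrs

# Hypothetical BW user store: user ID -> email maintained in SU01 (None = no email).
BW_USERS = {"SVEN": "sven@example.com", "NOMAIL": None}

def resolve_bw_user(assertion_xml, mapping_mode):
    """Simulate the BW side of SAML user mapping.
    'userid': NameID is compared with the BW user ID, so a user without an
              SU01 email still resolves (the behaviour described in the question).
    'email':  NameID is compared with the SU01 email, so no email -> no match."""
    _, name_id, _ = parse_assertion(assertion_xml)
    if mapping_mode == "userid":
        return name_id if name_id in BW_USERS else None
    if mapping_mode == "email":
        for uid, mail in BW_USERS.items():
            if mail is not None and mail.lower() == name_id.lower():
                return uid
        return None
    raise ValueError("unknown mapping mode: %s" % mapping_mode)
```

If the decoded NameID in the trace is the BW user ID rather than the email, the user-ID mapping explains why a user without an SU01 email still connects.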

Accepted Solutions (0)

Answers (2)

D_Olderdissen
Advisor

Hi Sven,

maybe review the SAML flow - the actual authentication in your setup is most likely done by AzureAD. The SAML token represents this successful authentication. BW is configured to trust the AzureAD authentication and thus grants every user with a valid SAML token access according to their configured access rights (authorization). The principle of delegated authentication.

Hope this makes more sense now.

Cheers,

Dirk

D_Olderdissen
Advisor
0 Kudos

I am not into BW at all. From my security thinking, it sounds a bit like you are trying to use the existence of an email address in a user record as authorization criteria. Nothing I would recommend my customers to do.

Right now, I would guess AzureAD authenticates the user (they got the email?), IAS issues the SAML2 token and BW finds some information in the SAML token that makes it identify the user and things go their way with the rights and roles for that user in BW.

What I don't get is what the intended result is? Looks like you want to have two BW user groups. One that uses SAC and BW from external (WAN) and another group that should only be able to use BW internally (LAN).

I would recommend revisiting the different user groups and what they should do or not and how and from where they access the different systems ...

Cheers,
Dirk

SvenS
Participant
0 Kudos

Hello Dirk

The intended result is just to have SSO for the BW live connection from SAC.
And this is set up and working at the moment, so our intentions are already working, which is great.
The company I work for asked me to do the SSO with a setup that uses the AzureAD email address for SSO, so this was/is not my choice.

But the question I'm having is how it is possible that a user that exists in SAC, with an email address linked to him for SAC, and also has a user created in the BW system but no email address linked to him in SU01, is still able to get connected through SSO for the SAC BW live connection. In my opinion this should not happen unless it is linked to an email linked somewhere else in the BW system that I don't know of.

Kind regards
Sven