CX Works

CX Works brings the most relevant leading practices to you.
It is a single portal of curated, field-tested and SAP-verified expertise for SAP Customer Experience solutions

Embedded Analytics for SAP Commissions - How to setup IDP/IAS SSO integration

6 min read

Table of Contents


Embedded Analytics requires users to authenticate using SAP Cloud Identity Services for SSO. When a customer is using corporate IDP to authenticate users, Identity Services needs to be configured to use Corporate IDP for user authentication. The purpose of this setup is to enable corporate IDP for SSO with Identity Services to log in to Embedded Analytics. Corporate IDP is configured for users with corporate email domain using conditional authentication rule and all other users are authenticated using Identity Services.

Single Sign-On (SSO) Options

Single Sign-On (SSO) enables single sign-on and single identity synchronization across the SAP Sales Cloud suite of products. 

Single Sign-On uses SAP Cloud Identity Services to support the use of either direct single sign-on or federated single sign-on.

Sales Cloud Single Sign-On is powered by SAP Cloud Identity Services, which contains:

  • Identity Authentication service (IAS) - An IdP that supports user and group management and allows configurations for single sign-on. This IdP can also act as a service-provider, if needed

  • Identity Provisioning service (IPS) - Provisions users from IAS to the applications or service providers, and vice-versa from applications to IAS. This solution provides a unified customer experience across Sales Cloud products and provides a single point of entry for user onboarding and access control

Now let's looks at tje architecture for Direct Single Sign-on (IAS as the IdP) and Federated Single Sign-on (Corporate IdP).

Option 1 - Direct Single Sign-On (IAS as the IdP)

Identity Authentication service acts as the identity provider and user store. When customer tenants are provisioned, Direct Single Sign-On is already configured and activated for customers.

Option 2 - Federated Single Sign-On (Corporate IdP)

Customer's preferred corporate identity provider is used for federated single sign-on. The following figure depicts the technical architecture of Sales Cloud Single Sign-On using federated single sign-on. Security Assertion Markup Language (SAML) is used to connect Identity Authentication service with the corporate identity provider. This article is primarily focusing on setting up Federated Single Sign-On.

How to setup IAS with customer corporate IDP

Please follow steps below to setups Federated Single Sign-On. 

Step 1: Login to IAS with admin credentials

Step 2: Navigate to Applications & Resources -> Tenant Settings -> SAML 2.0 Configuration and download the Metadata file

Step 3: Send the downloaded IAS Metadata file to the Customer IT Team and request them to provide you with the Customers Corporate IDP Metadata file

Step 4: Once you receive Customers Corporate IDP Metadata file, as an IAS Admin, navigate to Identity Providers -> Corporate Identity Providers and click on Add an Identity Provider button\

Step 5: Provide a name for the Corporate Identity Provider and Save

Step 6: For the New Identity Provider, navigate to SAML 2.0 Configuration

Step 7: Upload Customers Corporate Identity Provider Metadata file and Save

Step 8: Once the xml file is uploaded, all the below sections will be automatically populated

Step 9: For the New Identity Provider, navigate to Identity Provider Type and make sure SAML 2.0 Complaint is selected

Step 10: For the New Identity Provider, navigate to Name ID Format and make sure Unspecified is selected

Step 11: For the New Identity provider, navigate to Enriched Assertion Attributes and make sure nothing is added

Step 12: For the New Identity provider, in section SINGLE SIGN-ON, Forward All SSO Requests to Corporate IDP is switched Off

Step 13: For the New Identity Provider, navigate to Identity Federation make sure Use Identity Authentication user store option is checked on

Step 14: Navigate to Applications & Resources -> Applications and do below Conditional Authentication settings to below Custom Applications

  • Sales Cloud Analytics

  • SCA_OpenID

  • TBAI 2.0

  • Sales Cloud Commissions

a. Make sure Default Authenticating Identity Provider is SAP Cloud Identity Services

b. Select Add new Rule

c. Enter below information. Make sure, you choose New Corporate Identity Provider for Identity Provider and for E-Mail Domain, enter Customers domain


Step 15: Login in Embedded Analytics to test SSO

a. If a User with email domain logs in, IAS will automatically forward the Authentication to Corporate IDP.

b. If a User with any other email domain logs in, IAS will prompt the user to enter IAS Password to authenticate.

Troubleshooting SAP Cloud Identity Services

  • Follow the interactive documentation designed to help you troubleshoot issues and guide you through tasks for setting up IAS.

  • If you have questions or encounter an issue while working with the Identity Authentication service, you can address them through the communication channels listed below:


By end of this article, you should be able to do the following:

  • Understand SSO requirement for Embedded Analytics for SAP Commissions
  • Understand different SSO options available for Embedded Analytics for SAP Commissions
  • Connect SAP Cloud Identity Services with Corporate IDP