on 10-22-2021 8:23 AM
Dear Community,
A colleague and I have been investigating for weeks now why the establishment of a Live data connection (SAPMKTNW) for the SAC Content of Marketing Cloud is not working... without a solution so far 😞
We've opened an incident with SAP, but there is still no explanation of the issue... so we are seeking other experts who have already successfully achieved this connection.
What we did: We followed the whole documentation here:
All steps, except the last were executed successfully ... only when creating the Live connection, we receive error:
You are not authorized to query the remote system. Please ask your administrator to grant you the InA role
see: https://launchpad.support.sap.com/#/notes/2805974
So far, I have not found anywhere what exactly the InA role is - however, my user in Marketing Cloud has basically every role - but this message is misleading, since the real error in the Chrome debugger is:
Error: invalid_grant: Provided authorization grant is invalid. Exception was No user found with alias 'myname@mycompany' (format: unspecified)
The strange thing is:
- We use the same Identity Provider for both, the SAC and the Marketing Cloud.
- If I open any of both URLs, for SAC and SMC and use the same login e-mail address in lower case letters and the same password, then I get access into both systems without any issue.
Our configuration in the IDP is, as you can see, the same:
Basically, it seems that not the communication user "SAC" - which is used in the SAC connection - is checked against the Marketing Cloud, but it is MY personal user, who is trying to establish the connection. Isn't this weird?
The SAP colleagues who worked on the incident checked all the Marketing Cloud settings we did, and obviously all entries we did are correct, since - if you ask me - the help guide could explain it better, like this:
The only thing which is not working is to enter my mail address in the SMC client directly:
Is there any setting in Marketing Cloud to enable that? My user contains my mail address so there is a relation between the IDP log in and forwarding to SMC. ... this is the last idea I have.
Any ideas of what to do or what to check are highly appreciated.
Thanks,
Martin
Dear all,
in the meantime we were able to solve our issue.
The settings in Marketing Cloud have already been correct ... the hint out of the blog, provided by Marc Dorais about the Audience helped as well.
The main issue was located in our IDP!
For SAC the login SAML attribute was e-mail, but Marketing Cloud is not able to handle e-mail.
So we had to change the login field to a custom attribute, so that the login works via user ID, which is then the same as in Marketing Cloud ... and voila, the connection can be established.
Unfortunately you never find that out via the "InA role is missing" error message 😞
The help page documentations / screenshots are not really valuable, since you can guess which entry is which.
And also in the Marketing Cloud, there should be some more validation steps, during setup in Communication system and scenario.
BR, Martin
Hi Martin,
am I getting it right, that you did the following (amongst others) to make it work
Another question, if I may: You seem to have harmonized your IdP to SAP IAS, so both SMC's and SAC's IdP is SAP IAS, correct? Did you (maybe later) switch away from that harmonization? The reason I'm asking is I already setup IdP for SAC to be MS Azure. I also have put SMC's IAS to federate so it will use MS Azure. In my book (that might be wrong) this should be enough to have SMC accept a SAML token issued for a user logged onto SAC?
Many thanks and Cheers
Jens
Hello jens.schwendemann
yes, basically you are right... we changed the SAML User Mapping from Mail to User ID, which must match between SAC and SMC to achieve the login.
As of now, no we did not yet switch away... but might be will again, since it was just for testing purposes of our Demo SAC.
After that we faced another issue during the BW Live login, which I described here and for which we still did not find the right solution:
https://answers.sap.com/questions/13598171/sac-bw-live-connection-with-saml2-shows-error-iola.html
I really don't understand why SAP created things like this so complicated 😞
10 or 15 years ago you had proper wizards, with which you could go through all steps and you knew in the end it would work.
Here you just get confusing error messages which do not reflect the root cause at all.
BR, Martin
Hello Martin,
Perhaps you can check this blog with the most common issues when connecting SAP Analytics Cloud with SAP Marketing Cloud
Best regards,
Marc
Dear foekenm and abdullah.amerk
I went through the help pages again, to start looking for issues right from the beginning...
One thing came to my mind... this is the OAuth Client, which is created in SAC and used in SMC:
I'm wondering: In my SAC there is no choice for the lifetime of the Token. It is pre-defined as 1 hour and I cannot change it to blank, like described in this link.
Could this also be the or one problem?
We created the OAuth client once and have been trying the connection for weeks now with different settings, changes etc., but if this is valid only for one hour we would have to delete that and create it before every new try, since you cannot edit the numbers, neither upon creation nor afterwards:
Or would this have led to a different error later, and still the error 403 (invalid_grant) prevents this error from occurring?
I really wish there were more explanations and specific "in app information" as on-mouse-over question marks, around all those SAC connections and not one straight-forward process description, where you are completely lost if it does not work at the very end (with an error message from past days).
PS: I found the source of the "InA role missing" error message - 4 years old - and nothing to do with S4, but pure HANA DB based:
Ensure the sap.bc.ina.service.v2.userRole::INA_USER role is assigned to all users who will use the live connection
https://www.sapanalytics.cloud/wp-content/uploads/2017/10/SAP-HANA.pdf
Hi m.kreitlein,
I would check the following things in order to find a solution:
Hope this Helps.
Hello Abdullah,
thanks for your reply.
No. 1) Yes, both direct to the same IDP and login works fine in both URLs on the IDP
No. 2) Yes, the connectivity user was created like described here: https://help.sap.com/viewer/0f9408e4921e4ba3bb4a7a1f75f837a7/2108.500/en-US/e8a1c509e0a046099624d3e9... and also used in the SAC connection creation window... obviously this is not used here, since the debugger tool states my mail address and not the SAC user (who has none).
No. 3) My user, with which I create the connection had initially this role in SMC: BR_ADMINISTRATOR ... now finally I have all available roles, but none states "ina":
BR_ADMINISTRATOR_DPR, BR_ADMINISTRATOR_MKT, BR_ANALYTICS_SPECIALIST, BR_BPC_EXPERT, BR_BPC_EXPERT_MKT, BR_BUSINESS_ANALYST_MKT, BR_CONF_EXPERT_BUS_NET_INT, BR_MARKETING_EXECUTIVE, BR_MARKETING_EXPERT, BR_MARKETING_MANAGER, BR_SALES_REP_MKT_INFO, SAP_BR_ADMINISTRATOR
What exactly is the role name in SMC which contains this InA access?
Thanks,
Martin
m.kreitlein the BR_ANALYTICS_SPECIALIST has the necessary Catalogs for InA (Information Access Protocol). You can test if you have access to the stories in the Analytics and Reporting Gallery App.
the only other option is to delete all the definitions you created for this integration and create them again. This was also recommended in the SAP NOTE. I also solved such an issue once by recreating everything.
Hi Martin,
Can you add the 'SAML Chrome Panel' extension to Chrome, make sure you allow the extension to be used in an incognito session and then login to SMC via SAML SSO?
Before login, please:
I'm curious to find out what the content of the SAML assertions from your IDP is. Does this match both how the user is defined in SAC and SMC?
Kind regards,
Martijn van Foeken | Interdobs
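Added example, not part of any post in this thread: a small check of the kind suggested above (does the subject in the IdP's SAML assertion match how the user is defined in each system?), which also reproduces the root cause reported in the resolution (e-mail sent as login attribute, Marketing Cloud only resolving the user ID). The assertions, the user record and the per-system match fields are constructed assumptions, not values or settings taken from SAC or SMC.

```python
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
TEMPLATE = (
    '<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">'
    '<saml:Subject><saml:NameID Format="{fmt}">{value}</saml:NameID></saml:Subject>'
    "</saml:Assertion>"
)
# Constructed assertions: what the IdP sends before and after the mapping change.
BEFORE = TEMPLATE.format(
    fmt="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress",
    value="jane.doe@example.com")
AFTER = TEMPLATE.format(
    fmt="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified", value="JDOE")

# Constructed user record; the same person exists in both systems.
USERS = [{"user_id": "JDOE", "email": "jane.doe@example.com"}]


def subject(assertion_xml):
    """Return (Format, value) of the assertion's subject NameID."""
    # Input here is constructed; parse captured assertions with a hardened
    # XML parser (for example defusedxml) instead.
    root = ET.fromstring(assertion_xml)
    name_id = root.find("./saml:Subject/saml:NameID", NS)
    if name_id is None or not (name_id.text or "").strip():
        raise ValueError("assertion has no subject NameID")
    return name_id.get("Format", ""), name_id.text.strip()


def check(assertion_xml, match_field_by_system):
    """For each system, report whether the NameID resolves to a known user.

    match_field_by_system maps a system name to the user field that system
    compares the NameID against (an assumption of this model).
    """
    _, value = subject(assertion_xml)
    return {
        system: any(user[field] == value for user in USERS)
        for system, field in match_field_by_system.items()
    }


if __name__ == "__main__":
    # Before: SAC maps by e-mail, SMC only knows the user ID -> SMC finds no user.
    print(subject(BEFORE), check(BEFORE, {"SAC": "email", "SMC": "user_id"}))
    # After: the IdP sends the user ID and both systems map by it.
    print(subject(AFTER), check(AFTER, {"SAC": "user_id", "SMC": "user_id"}))
```

A `False` for one system means a user can log in to both systems interactively and still fail when one system forwards the assertion's subject to the other, which is the pattern behind the `No user found with alias` error quoted in the question.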
Hello Martijn,
thanks a lot for your reply... here is the result.
I'm logging into the IDP and getting forwarded & logged in to the launchpad of the SMC
It seems there is also a forbidden error for some icons and it seems I cannot access the GetServerInfo ... is that a hint of a missing role? But then it would not be related to the email address...
Do you need one specific information?
BR, Martin
Hello Martijn,
no, I cannot reach it... if I enter the URL: https://myxxxxxxx.s4hana.ondemand.com/sap/es/ina/GetServerInfo
the result is: Error 403 - The request has been blocked by UCON
Is there a SU53 like on premise to check the missing rights?
In fact, there is no role with the name INA in it, available 😞
I found another document, stating the same role, but it looks like a direct HANA DB privilege here?!
sap.bc.ina.service.v2.userRole::INA_USER role is assigned to all users who will use the live connection
https://www.sapanalytics.cloud/wp-content/uploads/2017/10/SAP-HANA.pdf
BR, Martin