Excel Add-In integration for demand-planning (si-2308) fails with SSO errors

SCM SAP IBP
, , , , , , ,
1

Our demand planners cannot connect to SAP IBP si-2308 using the Excel Add-In. The add-in was working fine until last week, but now users are getting SSO authentication failures when trying to log in.

The error message shows: “SAML assertion validation failed. Unable to authenticate user credentials.” This happens for all 15 users in our demand planning team, but the web UI works perfectly fine with the same credentials.

We recently updated our corporate identity provider (Azure AD) configuration, which might be related. Our IT team confirmed that the SAML metadata in Azure AD is current and matches what was provided during initial IBP setup. The Excel Add-In version is 2.8.1, which according to SAP documentation is compatible with si-2308.

Users are blocked from updating forecasts in Excel, causing significant delays in our monthly planning cycle. Has anyone experienced SSO compatibility issues between Excel Add-In and updated identity providers?

2

The Azure AD update likely changed the SAML assertion format or signing certificate. Even though your IT team says the metadata matches, there are subtle differences that can break Excel Add-In authentication while web UI continues working.

The web UI uses a different authentication flow (browser-based SAML redirect) compared to Excel Add-In (embedded browser with stricter validation). Check if Azure AD changed the signature algorithm or added new claims that IBP isn’t expecting.

3

I’m providing a complete solution addressing Excel Add-In version compatibility, SAML metadata synchronization, and SSO configuration alignment:

1. Excel Add-In Version Verification and Update:

Your current version (2.8.1) has known limitations with SHA-256 SAML signatures. Upgrade to version 2.9.2 or later:

  • Download the latest Excel Add-In from SAP Support Portal (search for “SAP IBP Excel Add-In 2.9.2”)
  • Deploy using group policy or SCCM to all demand planning users
  • Minimum required version for si-2308 with SHA-256: 2.9.0
  • Recommended version for best compatibility: 2.9.2 (released March 2024)

Verify installation by checking: Excel > IBP Add-In > About > Version should show 2.9.2.x

2. SAML Metadata Synchronization:

The metadata exchange between Azure AD and IBP needs refresh after Azure AD changes:

Step A - Export updated metadata from Azure AD:

  • Navigate to Azure AD > Enterprise Applications > SAP IBP Application
  • Go to Single Sign-On > SAML Signing Certificate
  • Download “Federation Metadata XML” (this contains the new SHA-256 certificate)

Step B - Update IBP tenant configuration:

  • Log into SAP IBP Admin Console (https://[tenant].sapibp.cloud/admin)
  • Navigate to Security > Identity Provider Configuration
  • Upload the new Federation Metadata XML from Azure AD
  • Click “Validate Metadata” to ensure proper parsing
  • Save and activate the configuration

Step C - Verify certificate chain:

  • In IBP Admin Console, check that the certificate thumbprint matches Azure AD
  • Confirm validity dates (should be valid for 1-3 years from Azure AD update date)
  • Ensure intermediate certificates are included in the metadata

3. SSO Compatibility Configuration:

Align Azure AD SAML assertions with Excel Add-In requirements:

NameID Format Fix: In Azure AD > Enterprise Applications > SAP IBP > Single Sign-On:

  • User Attributes & Claims section
  • Edit “Unique User Identifier (Name ID)”
  • Source attribute: user.mail
  • Name identifier format: Email address (critical for Excel Add-In)
  • Save changes

Required Claims Configuration: Ensure these claims are present:

  • email: user.mail
  • givenname: user.givenname
  • surname: user.surname
  • name: user.userprincipalname

Excel Add-In specifically requires the ‘email’ claim for user identification.

Signature Algorithm Verification:

  • Azure AD > Enterprise Applications > SAP IBP > Single Sign-On
  • SAML Signing Certificate section
  • Signing Option: “Sign SAML response and assertion” (recommended)
  • Signing Algorithm: SHA-256 (confirm this is set)

4. Trust Certificate Distribution:

For Windows-based Excel Add-In authentication:

Option A - Group Policy Distribution:

  • Export the new Azure AD signing certificate (Base-64 encoded)
  • Create GPO to import certificate into: Computer\Trusted Root Certification Authorities
  • Apply to all demand planning user machines
  • Force GPO update: gpupdate /force

Option B - Manual Import (for testing):

  • Download certificate from Azure AD SAML configuration
  • On user machine: Run > certmgr.msc
  • Import to Trusted Root Certification Authorities > Certificates
  • Restart Excel and test Add-In connection

5. Testing and Validation:

Systematic testing approach:

Test 1 - Single User Validation:

  • Select one demand planner for pilot testing
  • Upgrade Excel Add-In to 2.9.2
  • Import certificate manually
  • Test connection to IBP demand-planning planning area
  • Verify ability to load and save forecast data

Test 2 - SAML Response Inspection:

  • Use browser developer tools (F12) during Excel Add-In login
  • Capture SAML response in Network tab
  • Decode Base64 SAML assertion
  • Verify NameID format is email
  • Confirm signature algorithm is SHA-256
  • Check all required claims are present

Test 3 - Certificate Chain Validation:

  • Use OpenSSL to verify certificate chain: openssl verify -CAfile azure_chain.pem user_cert.pem
  • Ensure no “unable to get local issuer certificate” errors

Test 4 - Rollout to Team:

  • After successful single-user test, deploy to 3-5 users
  • Monitor for any authentication errors
  • Full team deployment after 48-hour validation period

6. Troubleshooting Steps if Issues Persist:

If SSO still fails after above steps:

a) Enable detailed logging in Excel Add-In:

  • Excel > IBP Add-In > Settings > Enable Debug Logging
  • Reproduce login failure
  • Check logs at: %APPDATA%\SAP\IBP Excel Add-In\Logs
  • Look for SAML validation errors with specific claim names

b) Verify Azure AD token lifetime:

  • Azure AD might have reduced token lifetime during update
  • Check: Azure AD > Enterprise Applications > SAP IBP > Token Configuration
  • Ensure “Access token lifetime” is at least 60 minutes

c) Clear Excel Add-In cache:

  • Close Excel completely
  • Delete: %LOCALAPPDATA%\SAP\IBP Excel Add-In\Cache
  • Restart Excel and retry login

d) Network proxy considerations:

  • If using corporate proxy, verify proxy.pac file allows direct access to *.sapibp.cloud
  • Excel Add-In authentication can fail if proxy intercepts SAML traffic

7. Ongoing Monitoring:

Implement these checks to prevent future issues:

  • Set calendar reminder 30 days before Azure AD certificate expiration
  • Monitor IBP Admin Console for SAML authentication failure alerts
  • Create test user account for monthly Excel Add-In connectivity validation
  • Document the complete Azure AD > IBP SAML configuration for future updates

This comprehensive approach addresses all three critical areas: Excel Add-In version compatibility with SHA-256, proper SAML metadata synchronization between Azure AD and IBP, and correct SSO configuration that satisfies Excel Add-In’s specific authentication requirements. The key is ensuring the entire authentication chain (client certificate trust, SAML assertion format, and IBP metadata) is aligned after the Azure AD update.

4

Also worth checking the certificate trust chain. When Azure AD updated, they might have issued a new signing certificate. The Excel Add-In needs to trust the entire certificate chain, not just the leaf certificate. Sometimes the intermediate certificates aren’t included in the SAML response, causing validation failures.

You can test this by temporarily importing the new Azure AD certificate into the Windows certificate store on a user’s machine and see if that resolves the issue for that specific user.

5

SHA-256 should be supported in si-2308, but the Excel Add-In version matters. Version 2.8.1 might not handle the new signature algorithm properly. Check SAP Note 3245678 which addresses SAML signature algorithm compatibility for Excel Add-In versions.

You may need to upgrade to Excel Add-In version 2.9.0 or later, which has better SHA-256 support. Also verify that the SAML metadata in IBP tenant was refreshed after the Azure AD changes.

6

In addition to the signature algorithm, check the NameID format in your Azure AD SAML configuration. Excel Add-In is very particular about receiving NameID in email format. If Azure AD changed this to persistent or transient format during the update, authentication will fail.

Go to Azure AD > Enterprise Applications > SAP IBP > Single Sign-On > User Attributes, and verify NameID is set to user.mail with format emailAddress.