cancel
Showing results for 
Search instead for 
Did you mean: 

SSO (WinAD) to CMC with 4.1 SP6?

mhf
Active Participant
0 Kudos

Hello Community,

with 4.1 SP6 it should be possible to use SSO to login to the CMC. Does this feature work for anyone? SSO (WinAD) to the BI Launchpad is working fine, but when trying to open the CMC the standard login window shows up.

Do we need to configure anything to get this work?

Thanks in advance!

BR,

Michael

Accepted Solutions (1)

Accepted Solutions (1)

former_member202789
Contributor
0 Kudos

I have not tried it yet. But there are supporting SAP knowledgebase ( 2128490 - Unable to logoff the CMC for winAD SSO) that it works in SP6.

Following steps are mentioned in SP6 Admin Guide to configure the same.

---------------------------------------------------------------------------------------------------------------------

9.1.3.1.1 Enabling Single sign-on for CMC

To enable SSO for CMC, follow the below mentioned steps:

On the client side, cache has to be cleared before the initial CMC setup. Else, the Enterprise authentication method will be cached.

On Tomcat server, perform the below mentioned steps:

1. On a system already configured for SSO for BILP, go to C:\Program Files (x86)\SAP BusinessObjects\tomcat\webapps\BOE\WEB-INF\config\custom.

2. Create a file CmcApp.properties and mention ○ sso.supported.types=vintela, trustedIIS, trustedHeader, trustedParameter, trustedCookie, trustedSession, trustedUserPrincipal, trustedVintela, trustedX509, sapSSO, siteminder ○ authentication.default=secWinAD in that file.

3. Restart tomcat. SSO for CMC is enabled.

---------------------------------------------------------------------------------------------------------------------

Former Member
0 Kudos

Does anyone know if only secWinAD is possible? I tested secEnterprise without success.

If this method is not given. When is it available?

Former Member
0 Kudos

Hi Roberto,

Please check this KBA:

https://service.sap.com/sap/support/notes/1243521

Cheers,

Manoubia

Former Member
0 Kudos

Dear Manoubia,

I don't get your point. Since SP6 it is possible using WinAD to use SingleSignOn using CMC.

My question is:

  • Is SecWinAD the only possible method?
  • If yes. Only currently or with SP xzy the feature will be enhanced.

Greets

Roberto

mhf
Active Participant
0 Kudos

Hello Roberto,

according to the admin guide the current supported auth types are:

sso.supported.types=vintela, trustedIIS, trustedHeader, trustedParameter, trustedCookie, trustedSession, trustedUserPrincipal, trustedVintela, trustedX509, sapSSO, siteminder

SAP would recommend to raise an idea on the ideaplace for additional types.

BR,

Michael

Former Member
0 Kudos

Hi Roberto,

I believe it should work with the other authentication types as well since SAP has allowed the parameters "sso.types.and.order=" and "sso.supported.types=" for CMC.

You can try to configure trusted authentication using query string method and later you can test SSO with CMC using the enterprise authentication.

Query String Trusted Authentication will use the enterprise authentication. You can follow the SAP note:1593628 to configure TA with query string method.

Please consider following risks before configuring SSO with CMC.

  1. If an attacker gains access to an OS they will have full admin access to BI (this is why microsoft recommends that admins only login with their admin account to perform tasks) With CMC SSO you will be allowing admin login ALL the TIME.
  2. SSO on occasion has issues, one of the 1st things to do is login to the CMC to resolve, now if SSO fails login to the CMC will not be possible until SSO is disabled and web/app restarted.
  3. Currently there is no logonNoSso for CMC

~Swapnil

Former Member
0 Kudos

See admin Guide -> 9.1.3.1.1 Enabling Single sign-on for CMC

Regarding authentication.default only secWinAD is stated!!

Former Member
0 Kudos

Hi Roberto,

A Good News !!!

I have just tested SSO using the enterprise authentication and it worked with both BILaunchpad and CMC.

I have used TA(QUERY_STRING) method to configure SSO with CMC and BILaunchpad in BI4.1SP06.

I have used the below two URLs:

  1. http://ServerIP:8080/BOE/BI?SwapnilY=administrator
  2. http://ServerIP:8080/BOE/CMC?SwapnilY=administrator

In the admin guide it is nowhere mentioned that only Windows AD authentication is supported with CMC SSO. I guess it is just an example that they have used Windows AD authentication in the admin guide to describe steps to configure SSO with CMC.

Hope this helps.

~Swapnil

Former Member
0 Kudos

SecEnterprise is possible. The following config works

sso.supported.types=trustedHeader

authentication.default=secEnterprise

Former Member
0 Kudos

Hi Roberto,

Yes, it works I also tested it with QUERY_STRING method. So it's clear now that Windows AD authentication is just an example in the admin guide.

~Swapnil

former_member369473
Discoverer
0 Kudos

Hi,

it means that can i use the ssofilter like at the launchpad?

Chri

Former Member
0 Kudos

Yes, Chris.

former_member369473
Discoverer
0 Kudos

Sorry,

i have anoter question.

in the Administration guide are parameters described from CmcApp.properties.

But you have described the Parameter value HTTP_VALUE and this is normal a value from parameter trusted.auth.user.retrieval in global.properties

I'm not quite sure what paraters I need. And in wich files

chris

Former Member
0 Kudos

Hi Chris,

In order to configure Trusted Authentication you would need to configure both the files i.e. CMC and global properties files.

~Swapnil

Answers (0)