Skip to Content

Setting up SSO with SAP BO and SAP BW (using keystore and certificate)

Mar 16, 2017 at 07:34 PM


avatar image

Dear all,

I’m currently trying to setup SSO (Single Sign-On) between the BO system and the BW system to schedule Analysis for Office workbooks stored in the BI Launchpad by using a keystore and certificate. All of this is happening during my practical phase (internship) and writing of my bachelor thesis (implementing SAP BO into a company already using SAP BW) as the last steps to finish my bachelors degree, so bear with me, if I might lack some knowledge in the SAP environment. I’ve already installed the Analysis for Office Add-On on the BO system and filled in the path in the CMC to the installation directory before doing the other steps. Sorry for the formatting of the question but entering new paragraphs doesn't seem to work.

To give you an insight about the software we are using/has been installed on the BO server:

  • Windows Server 2012
  • SAP BO BI platform 4.2 SP2 (product version:
  • SAP BusinessObjects Analysis for Office, edition for Microsoft Office (product version:
  • SAP BusinessObjects Analysis for Office, Scheduling Add-In 2.4

I’ve used those documents as a guideline to work through all the steps needed:

So far it looks like that every step was performed successful, I’m able to create a session in the Information Design Tool with SAP authentication and using the credentials of an BW account. Further, I’m able to create and publish an OLAP connection with BICS Client and using SSO to the BO repository, testing the connection is also successful.

But once I try to use this OLAP connection in Analysis for Office, I get prompted to enter the BW credentials which should not be the case, if the SSO would be working properly.

The documentations linked above will already give you an idea of how I proceeded but I’m still going to provide a somewhat detailed overview of my steps:

  • created the keystore and certificate on the server with the BI platform installation (BO server) on it, as alias I used KEYSTOREBO, as password keypw123 and as CN I used the name of our BO server (let’s say the name is BO-SAP).
  • logged into the BW system with my own user (which has SAP-ALL rights), imported the certificate and added it to the two lists (certificate list and ACL), SYSTEM-ID entered was BO-SAP and client 000 (my own client is 100 but every documentation suggested 000 – maybe that’s the reason why the whole setup is not working), saved all that afterwards.
  • added the information of the BW system into the BO system (Authentication -> SAP in the CMC) and imported the same roles which my BW user has in the BW system (around nine roles). For each imported role, a new user group was automatically created in the BO system. Then I imported the keystore to the BO server (SYSTEM ID BO-SAP, the password and alias as used before). The message “A key store file has been uploaded.” is also shown. Enable SAP Authentication is selected and I’ve selected named users instead of concurrent users because of the number of licenses we currently have.
  • then I started the Information Design Tool and opened a session using BO-SAP as system, as user name and password I entered the same as my BW credentials and Authentication is set to SAP. Once the session is created or opened, a BO user with the name of my BW user is created in the BO system. I did grant him BO administrator rights, which allowed me to publish the created OLAP connection to the BO repository after.
  • the OLAP connection is set as SAP BICS Client and SSO is checked, after entering all the BW system details I’m able to use this connection in any client tool and get the data I want, but I’m not able to use it in Analysis for Office without getting prompted to enter BW credentials.

I’m not sure where to start looking for possible errors since the connection itself is working, there must be something wrong in the previous steps taken. If anyone has some insight on this topic and can provide some helpful tips where to start, that would be great, any help is appreciated.


10 |10000 characters needed characters left characters exceeded
* Please Login or Register to Answer, Follow or Comment.

5 Answers

Marco Sielhorst Mar 20, 2017 at 06:19 PM


While creating the Analysis for Office workbook I was still using the Enterprise authentication with the BO credentials instead of SAP authentication and the BW user credentials. So after changing this, I didn't get prompted to enter the BW credentials anymore when I was refreshing the data, which is basically the confirmation for SSO working as desired. When I use the BO credentials to login and refresh data I will get prompted to enter the BW credentials.

The scheduling itself still doesn't work because I tried to schedule the Analysis for Office workbook with a different BO account instead of the one I used to create the workbook. Since I'm not able to change the authentication method for the BI Launchpad I have to find a workaround but maybe someone can help me on that, if the SSO itself is working now.

10 |10000 characters needed characters left characters exceeded
Tim Ziemba
Mar 21, 2017 at 02:56 PM

Have you seen KBA 1670073? also when testing it's helpful to use KBA 1767629 to verify STS not secondary credentials is performing SSO



10 |10000 characters needed characters left characters exceeded
Kelly Stone Mar 21, 2017 at 07:42 PM

Here is another link that can help. I've been through setting up SSO between BOE and BW. Also BI Launch Pad with Windows AD. Lots of fun here.

KBA 1646920 -

Kind regards,


10 |10000 characters needed characters left characters exceeded
Marco Sielhorst Mar 23, 2017 at 09:43 AM


Thanks for your answer and help. I've checked both KBA 1767629 and KBA 1767629 earlier. The SSO itself is working, I don't get prompted to enter BW credentials in Analysis for Office anymore, if I want to refresh the data in my workbook. I need to find a way to log in to the BI Launchpad using SAP authentication instead of the standard Enterprise authentication and it seems like I have to modifier the login mask of the Launchpad to make this work.


Thank you too for answering and your help. I will give KBA 1646920 a shot later on and see how it goes.

10 |10000 characters needed characters left characters exceeded
Marco Sielhorst Mar 27, 2017 at 09:21 AM


I was finally able to make the scheduling work. I edited the login mask of the BI Launchpad to use SAP authentication instead of enterprise, entered the BW user credentials and scheduled the previously created Analysis for Office workbook I also created with the same BW user credentials and everything worked fine.

To edit the login mask of the BI Launchpad I navigated to <INSTALLDIR>:\SAP BusinessObjects\tomcat\webapps\BOE\WEB-INF\config\default and copied the "" file to <INSTALLDIR>:\SAP BusinessObjects\tomcat\webapps\BOE\WEB-INF\config\custom (from default folder to custom folder) and changed the line:


to true. I restarted the tomact server and SIA afterwards and the login mask was successfully edited.

Thanks for the help of any contributor!



10 |10000 characters needed characters left characters exceeded