
LDAP without using Siteminder

former_member316829
Participant
0 Kudos

Hello Experts,

I am using LDAP authentication for SAP BI4.2 SP3. Now for SSO I do not want to go for Siteminder, which is a third-party application and would require a license.

Do I have any other options that can be used to implement SSO with LDAP?

Regards,

Deepak

Accepted Solutions (0)

Answers (1)


BasicTek
Advisor
0 Kudos

We actually recommend not using the Siteminder plugin; it's been deprecated for a while and is no longer being developed.

Trusted authentication in KBA 1593628 is the method for all other non-AD or SAP SSO types. That KBA will show you how to set up BI, but the tricky part is delivering the username, which SAP doesn't document as it's up to each customer environment and SSO mechanism available.

Regards,

Tim

former_member316829
Participant
0 Kudos

But if we use this method, any user can log in using any other user's account. For instance, even if I do not have the administrator password for SAP BO, I can enter http://serverName:8080/BOE/BI?user=Administrator and I will be able to access the Administrator BI Launchpad.

So there would not be any security for SAP BO. In this case, how do I achieve security?

BasicTek
Advisor
0 Kudos

That KBA is only the setup; query_string is not the solution, just the test. You must provide your username via one of the other methods, and secure yourself via SSL, IP restriction, etc.

Ed_SAPBI
Explorer
0 Kudos

I am not sure if what you mean by your comments is that LDAP authentication simply isn't used and 'trusted' authentication should be used in its place. Is this the case?

If not, I imagine the following needs to be adjusted for LDAP:

  • sso.enabled=true
  • trusted.auth.user.param=user
  • trusted.auth.user.retrieval=QUERY_STRING

Are there additional parameters we need to include? Does Query_String need to be adjusted to conform to our environment? We use a Windows server with Tomcat so not sure anything special here.

BasicTek
Advisor
0 Kudos

QUERY_STRING is used to test trusted authentication; the other methods are used to determine where the username is coming from.

Usually if the username is coming from AD we use TrustedPrincipal KBA 1965433, if it's coming from SAML (ADFS, AZURE) we use trustedSession, KBA 2791348, and some that were using siteminder would use HTTP_HEADER KBA 1603002. Siteminder can also be integrated with SAML.

Trusted auth from the BI side is the same; the method to obtain the user name varies depending on what the customer is sending to us. SAP doesn't recommend how your external authentication is set up, but we can troubleshoot BI with the web/app logs using these KBAs: 2752905, 3076470.

-Tim

Ed_SAPBI
Explorer
0 Kudos

Thank you for the response. Since we use LDAP and do not use SiteMinder, would http_header be the route we should pursue?

BasicTek
Advisor
0 Kudos

If you use HTTP_HEADER, what will be passing the Header to BI? You can use any method, but the trick for the customer is that the credentials must be supplied.

2 methods where they are, are with AD KBA 1965433 and SAML 2791348.

Trusted auth is compatible with any method as long as the username is supplied; how the customer supplies the username is not documented. KBA 1603002 is the HTTP header guidance from the BI side.
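
As an added example (not part of the thread and not SAP code), a small Python check that flags the test-only QUERY_STRING retrieval discussed above when it is left enabled, and marks HTTP_HEADER for review. The property names come from the posts; the sample file contents, the header name, and the assumption that the trusted.auth.* settings only apply when sso.enabled=true are constructed for illustration.

```python
# Added example: audit trusted-authentication properties for the issue raised in the thread.
# Property names are those quoted in the posts; both sample configs below are constructed.

SAMPLE_TEST_CONFIG = """\
# constructed sample: settings left in place after a trusted-auth test
sso.enabled=true
trusted.auth.user.param = user
trusted.auth.user.retrieval=QUERY_STRING
"""

SAMPLE_HEADER_CONFIG = """\
sso.enabled=true
trusted.auth.user.param=X-Constructed-User
trusted.auth.user.retrieval=HTTP_HEADER
"""

def parse_properties(text):
    """Parse simple key=value lines; skip blanks and # / ! comment lines."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!" or "=" not in line:
            continue
        key, value = line.split("=", 1)
        props[key.strip()] = value.strip()
    return props

def audit_trusted_auth(text):
    """Return a list of (severity, message) findings for the given properties text."""
    props = parse_properties(text)
    findings = []
    # Assumption: trusted.auth.* settings are only in effect when sso.enabled=true.
    if props.get("sso.enabled", "").lower() != "true":
        return findings
    retrieval = props.get("trusted.auth.user.retrieval", "").upper()
    param = props.get("trusted.auth.user.param", "")
    if retrieval == "QUERY_STRING":
        findings.append(("HIGH", f"username is read from URL parameter '{param}'; "
                         "test-only setting, any client can choose the user"))
    elif retrieval == "HTTP_HEADER":
        findings.append(("REVIEW", f"username is read from header '{param}'; confirm only "
                         "the SSO front end can reach BI (SSL, IP restriction)"))
    if retrieval and not param:
        findings.append(("HIGH", "trusted.auth.user.param is empty"))
    return findings

if __name__ == "__main__":
    for name, cfg in [("test", SAMPLE_TEST_CONFIG), ("header", SAMPLE_HEADER_CONFIG)]:
        for severity, message in audit_trusted_auth(cfg):
            print(f"[{name}] {severity}: {message}")
```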