on 05-03-2017 1:32 PM
Hello Experts,
I am using LDAP authentication for SAP BI4.2 SP3. Now for SSO I do not want to go for Siteminder which is a third party application and would require license.
Do I have any other options that can be used to implement SSO with LDAP.
Regards,
Deepak
We actually recommend not using siteminder plugin, it's been deprecated for a while and no longer being developed.
trusted authentication in KBA 1593628 is the method for al other non AD oir SAP SSO types. That KBA will show you how to setup BI but the tricky part is delivering the username, which SAP doesn't document as it's up to each customer environment and SSO mechanism available.
Regards,
Tim
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.
But if we use this method, any user can login using any other users account, for instance even if I do not have administrator password for SAP BO, i can enter http://serverName:8080/BOE/BI?user=Administrator and I will be able to access Administrator BI Launchpad.
So there would not be any security to SAP BO, in this case how do I achieve security.
I am not sure if what you mean by your comments is that LDAP authentication simply isn't used and 'trusted' authentication should be used in its place. Is this the case?
If not, I imagine the following needs to be adjusted for LDAP:
sso.enabled=true
Are there additional parameters we need to include? Does Query_String need to be adjusted to conform to our environment? We use a Windows server with Tomcat so not sure anything special here.
QUERY_STRING is used to test trusted authentication, the other methods are used to determine where the username is coming from.
Usually if the username is coming from AD we use TrustedPrincipal KBA 1965433, if it's coming from SAML (ADFS, AZURE) we use trustedSession, KBA 2791348, and some that were using siteminder would use HTTP_HEADER KBA 1603002. Siteminder can also be integrated with SAML.
Trusted auth from the BI side is the same, the method to obtain the user name varies depending on what the customer is sending to us. SAP doesn't recommend how your external authentication is setup, but we can troubleshoot BI with the web/app logs using these KBA's 2752905, 3076470,
-Tim
If you use HTTP_HEADER, what will be passing the Header to BI? You can use any method, but the trick for the customer is that the credentials must be supplied.
2 methods where they are are with AD KBA 1965433 and SAML 2791348
trusted auth is compatible with any method as long as the username is supplied, how the customer supplies the username is not documented KBA 1603002 is the HTTP header guidence from the BI side
User | Count |
---|---|
86 | |
10 | |
10 | |
9 | |
6 | |
6 | |
6 | |
5 | |
4 | |
3 |
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.