This is for the BI4 (BOBJ) cracks. I have configured SSO for BO based on AD/Kerberos with Tomcat/Vintela lots of times. Now I have got a customer who is running his BOBJ on Linux and on NetWeaver Java AS.
Currently SAP ID (SAP R3 user) authentication is used, but as the customer introduces SSO (SNC) also for the entitled system (e.g. BW), the BW users will have no password in the near future. The target is to achieve SSO for BI Launchpad and LDAP authentication for client tools such as WebI Rich Client or Analytics Office.
My idea was to utilize trusted authentication. The customer has SAP SSO 3.0 and Secure Login Server, thus all users have X.509 certificates. Also, the customer is operating an ADFS (SAML IdP) and thus has the possibility to use either X.509 or SAML assertions. Both will be supported via LoginModules on the NetWeaver for sure; it is clear how to set this up.
Challenge: User names in the SAP system and AD (e.g. certificate or SAML assertion) differ.
I have found contradictory information, like a table describing the methods of single sign-on support for BI launch pad that says trusted authentication only works with authentication mode "Enterprise" and not LDAP. In other documents I was able to see that it seems to work with LDAP as well.
We would like to avoid creating enterprise users, so I planned to import the users from one AD group and use LDAP authentication, but I am unsure whether LDAP and trusted authentication are working in this specific environment.
In addition, as far as I know, trusted authentication only works for BI Launchpad or ODoc but does not cover Rich Clients such as WebI or AO, thus LDAP would be required in any case to allow users to enter their AD instead of using the SAP R3 credentials.
SSO to BW is already established via STS (MYSAPSSO2) and should work after trusted authentication is performed.
Is there anyone who has good experience with that specific scenario? I would love to get some more information about that.