Skip to Content

SSO using Trusted Authentication on BI4 (Linux and Netweaver Java WebAS)

Hey experts,

this is for the BI4 (BOBJ) cracks. I have configured SSO for BO based on AD/Kerberos with Tomcat/Vintela lots of time. Now I got a customer who is running his BOBJ on Linux and on NetWeaver Java AS.

Currently SAP ID (SAP R3 user) authentication is used, but as the customer introduces SSO (SNC) also for the entitled system (e. g. BW) the BW users will have no password in the near future. Target is to achieve SSO for BI Launchpad and LDAP authentication for Client tools such as WebI Rich Client oder Analytics Office.

My idea was to utilize trusted authentication. The customer has SAP SSO 3.0 and Secure Login Server, thus all users have X.509 certificates. Also the customer is operating an ADFS (SAML IdP) thus have the possibility to use both X.509 or SAML-Assertions. Both will be supported via LoginModules on the NetWeaver for sure, it is clear how to set this up.

Challenge: User names in the SAP system and AD (e.g. certificate or SAML assertion) differs.

I have found contradictory information like a table describing the methods of single sign-on support for BI launch pad that says, trusted authentication only works with authentication mode "Enterprise" and not LDAP. In other documents I was able to see that is seems to work with LDAP as well.

We like to avoid creating enterprise users, so I planned to import the users from one AD group and use LDAP authentication, but I am unsure whether LDAP and trusted authentication is working in this specific environment.

In addition as far as i know, trusted authentication only works for BI Launchpad or ODoc but does not cover Rich Clients such as WebI or AO, thus LDAP would be required in any case to allow users to enter their AD instead using the SAP R3 credentials.

SSO to BW is already established via STS (MYSAPSSO2) and should work after trusted authentication is performed.

Any one who has good experience with that specific scenario? Would love to get some more information about that.

Cheers, Carsten

Add comment
10|10000 characters needed characters exceeded

  • Get RSS Feed

1 Answer

  • Best Answer
    May 09, 2018 at 11:13 AM

    If you are using trusted authentication, it has been enhanced in BI 4.2 SP5 to provide clearer documentation and enhancements to allow deeper integration with SAML, and even ADFS.

    Trusted auth will work with AD, LDAP, and Enterprise aliases, furthermore with the setting (trusted.auth.namespace.enabled) you can create a tie in if the trusted auth username does not = the mapped account name (to do this the user would be prompted on their 1st SSO attempt), after that a secexternal alias would be attached to the account for i.e. SAML username " user1" would now be able to SSO into BI with LDAP username "userone". I'm not sure if that would work for your scenario (users must know their mapped user/pw).

    In regards to client tools the only method of SSO is AD kerberos which requires the AD plugin (CMS on windows) Manually all methods can login (AD, LDAP, Enterprise or SAP


    Add comment
    10|10000 characters needed characters exceeded