
BI 4.1 SSO - Trusted Authentication with X.509 Certificates

Former Member
0 Kudos

Hi all,

I am having the most difficult time finding configuration steps and examples in setting up X.509 Trusted Authentication for Single Sign On (SSO) in BI 4.1.

Most examples are all related to MobileBI...which we are not deploying yet

I have read through the Administrators Guide (Chapter 9 - Authentication) and understand how Trusted Authentication works, but the examples in the guide only reference SAML. Nothing specific to X.509 can be found anywhere in the guide or on the web

Is there anyone here who has deployed X.509 SSO Trusted Auth with BI and is able to point me in the right direction with sample configuration files or a document that outlines the steps required?

I thank you in advance for any assistance!

Former Member
0 Kudos

This is what we have done so far with no success

Our users have certificates issued to them with a SAN / UPN of user@company.com

We created users within BI that match the UPN (user@company.com) and assigned a local password

1) Create "global.properties" file in "custom" folder with the following values

sso.enabled=true
trusted.auth.user.retrieval=WEB_SESSION
trusted.auth.user.param=MyUser
trusted.auth.shared.secret=MySecret

2) Modified the custom.jsp file with the following entries

request.getSession().setAttribute("MySecret","ehdusdsuwj3.......");
request.getSession().setAttribute("MyUser", request.getUserPrincipal().getName());

After both changes to these files, we re-deployed the BOE application via wdeploy

When browsing the /BOE/BI or /BOE/BI/custom.jsp, we are presented with a login screen and SSO is not working with X509 certificates

We perform the initial login using user@company.com and local password...However, every subsequent attempt does NOT leverage SSO and we are still being prompted for logon.

Is there a step we are missing? Is there another config file we should be modifying?

TIA!
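The BI user names in the post above match the UPN in the certificate's SAN, which is not necessarily the string `getUserPrincipal().getName()` returns for a certificate login (containers commonly derive that from the subject DN). As an added example, not part of the original post or of SAP's code, this standalone class extracts the UPN from a DER-encoded SAN otherName entry so it can be used as the trusted-auth user name. The class name `UpnFromSan` and the sample bytes are constructed for illustration.

```java
import java.nio.charset.StandardCharsets;
import java.util.Arrays;

// Input is the byte[] that X509Certificate.getSubjectAlternativeNames() returns for
// entries of type 0 (otherName); the client certificate chain itself is available in a
// servlet or JSP as the request attribute "javax.servlet.request.X509Certificate".
public class UpnFromSan {
    // DER content bytes of the Microsoft UPN OID 1.3.6.1.4.1.311.20.2.3
    static final byte[] UPN_OID = {0x2B, 0x06, 0x01, 0x04, 0x01, (byte) 0x82, 0x37, 0x14, 0x02, 0x03};

    /** Reads one TLV at pos and returns {tag, contentStart, contentEnd}. */
    static int[] tlv(byte[] d, int pos) {
        int tag = d[pos] & 0xFF;
        int len = d[pos + 1] & 0xFF;
        int start = pos + 2;
        if (len > 0x7F) {                      // long form: low 7 bits = count of length bytes
            int n = len & 0x7F;
            if (n == 0 || n > 2) throw new IllegalArgumentException("unsupported DER length");
            len = 0;
            for (int i = 0; i < n; i++) len = (len << 8) | (d[start++] & 0xFF);
        }
        if (start + len > d.length) throw new IllegalArgumentException("truncated DER");
        return new int[] {tag, start, start + len};
    }

    /** Returns the UPN, or null when the entry is not a well-formed UPN otherName. */
    static String upn(byte[] otherName) {
        try {
            int[] outer = tlv(otherName, 0);       // wrapper around type-id and value
            int[] oid = tlv(otherName, outer[1]);  // type-id OBJECT IDENTIFIER
            if (oid[0] != 0x06) return null;
            if (!Arrays.equals(Arrays.copyOfRange(otherName, oid[1], oid[2]), UPN_OID)) return null;
            int[] wrap = tlv(otherName, oid[2]);   // value [0] EXPLICIT
            int[] str = tlv(otherName, wrap[1]);   // UTF8String holding the UPN
            if (wrap[0] != 0xA0 || str[0] != 0x0C) return null;
            return new String(otherName, str[1], str[2] - str[1], StandardCharsets.UTF_8);
        } catch (RuntimeException e) {             // out-of-range index or bad length
            return null;                           // fail closed: no user name, no SSO
        }
    }

    public static void main(String[] args) {
        // Constructed sample: otherName { UPN OID, [0] UTF8String "user@company.com" }
        byte[] head = {0x30, 0x20, 0x06, 0x0A, 0x2B, 0x06, 0x01, 0x04, 0x01, (byte) 0x82,
                       0x37, 0x14, 0x02, 0x03, (byte) 0xA0, 0x12, 0x0C, 0x10};
        byte[] name = "user@company.com".getBytes(StandardCharsets.UTF_8);
        byte[] der = Arrays.copyOf(head, head.length + name.length);
        System.arraycopy(name, 0, der, head.length, name.length);
        System.out.println(upn(der));
    }
}
```

Returning null on any parse failure means a malformed or unexpected SAN never yields a user name, so the request falls back to the normal logon prompt.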

Accepted Solutions (0)

Answers (3)


Colt
Active Contributor

Hi there,

As far as I know, X.509 client authentication isn't supported for SAP Business Objects BI 4.1...despite the information in the manual I never saw such a setup. However, multiple times we successfully managed to configure BI4.1 with Kerberos/SPNego (WinAD), which is well documented and, apart from the many configuration steps, works fine. Check SAP Note 1631734 Configuring Active Directory Authentication and SSO Manual for BI4 and the referenced PDF of Steve Fredell.

The goal is that users can use SSO for both – access to the BI platform at the front-end (BI Launchpad) and single sign-on access to the databases at the back-end. Users need to provide their logon credentials only once, when they log on to the operating system, to have access to the BI platform and to be able to perform actions that require database access, such as viewing reports. In BI platform, end-to-end SSO is supported on Windows AD and Kerberos.

Regards, Carsten

pmelli
Product and Topic Expert
0 Kudos

SAP Business Objects BI Platform as of Release 4.0 Web based applications has Kerberos, SAML and X.509 Certificates available for Single Sign On.

For X.509 Certificates, configure Trusted authentication for SSO.

Former Member
0 Kudos

Hi Patrick, does this work for BOBJ with Tomcat server or NW Java server?

pmelli
Product and Topic Expert
0 Kudos

18.1.3.10.4.2 Creating an OAuth Consumer Key for SAP StreamWork

Before you can create an OAuth Consumer Key, you must have administrator rights for the SAP StreamWork Enterprise organization.

    In the SAP StreamWork administration console, on the Admin tab, select SAML Trusted IDPs, and log on to SAP StreamWork using an account designated as an Enterprise organization administrator.

    Click Register your identity provider.

    Select Click here to create a new administrative OAuth application, and accept the Terms of Use Agreement.

    In the Register a new Application OAuth application window, perform the following actions:

    In the Application Name box, enter the name of the application instance to use in the integration.

    This information identifies which application is needed to take action on behalf of a user—for example, to post SAP StreamWork feeds for a user. Users must be able to recognize this application name.

    In the Integration URL box, enter the URL for the BI launch pad.

    In the Base64 X509 Certificate box, enter the Base64 certificate value that was generated when SAP StreamWork was configured in the Central Management Console (CMC) in the BI platform.

    If you do not have the value, contact your external application administrator.

    Click Register.

    The OAuth Consumer Key is generated. Make a note of the OAuth Consumer Key value for the BI platform administrator to use.

    Click Back to display the SAML trusted identity providers.

    In the Register a new SAML Trusted Identity Provider window, perform the following actions:

    In the Display Name box, enter a name for the BI platform deployment.

    This name will appear to users in SAP StreamWork.

    In the IDP ID box, enter the unique identity provider value that was created when SAP StreamWork was configured in the BI platform.

    If you do not have the value, contact your external application administrator.

    In the Base64 X509 Certificate box, enter the Base64 certificate value that was generated when SAP StreamWork was configured in the BI platform.

    If you do not have the value, contact your external application administrator.

    Click Register.