on 12-18-2018 10:14 AM
Hi Team,
We need help to configure SAML authentication in BI 4.2 SP5. We did speak with the SAML team and they just need the target URL and the ACS URL. The target is the load balancer URL, which we provided, but the ACS URL is something which contains the IDP URL (a unique URL for SAML), and they provided a cert as well as an XML file for the same. We want to know how to configure the ACS URL for BO in order to proceed with SAML.
Platform: Windows Server 2012 R2, Tomcat.
Hi Ashraf,
I was able to configure SAML successfully in all BO environments; however, we are intermittently getting a 404 error where the SAML page is redirecting to BOE/saml/SSO instead of BOE/BI as the target. Please suggest what could be the issue.
After configuring SSL (https), you need to regenerate the SP metadata (the spring_saml_metadata.xml file).
Type the URL https://BOEHOST:8443/BOE/saml/metadata
This will automatically download an XML file, spring_saml_metadata.xml.
To make sure the SP metadata is generated with the https URL, open the spring_saml_metadata.xml file and check that the ID and EntityID URLs have https.
Thanks
Ashraf
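As an added example (not from this thread, and not SAP's code), the check described above done by a script instead of by eye: it parses a downloaded spring_saml_metadata.xml and reports every endpoint the IdP would learn from it that is not https, or that does not point at the public host and port users should be sent back to. The metadata text embedded below is constructed to resemble Spring SAML output; the host BOEHOST and port 8443 come from the thread, while the SingleLogoutService element and the load balancer name used at the end are assumptions.

```python
"""Sanity-check a Spring SAML SP metadata file before handing it to the IdP (added example)."""
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

MD_NS = "{urn:oasis:names:tc:SAML:2.0:metadata}"

# Constructed sample: metadata downloaded BEFORE SSL was enabled on Tomcat (all http, port 8080).
STALE_METADATA = """\
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    ID="http___BOEHOST_8080_BOE_saml_metadata"
    entityID="http://BOEHOST:8080/BOE/saml/metadata">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="http://BOEHOST:8080/BOE/saml/SingleLogout"/>
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="http://BOEHOST:8080/BOE/saml/SSO" index="0" isDefault="true"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>
"""

# Constructed sample: the same file regenerated from https://BOEHOST:8443/BOE/saml/metadata.
FRESH_METADATA = (STALE_METADATA
                  .replace("http___BOEHOST_8080", "https___BOEHOST_8443")
                  .replace("http://BOEHOST:8080", "https://BOEHOST:8443"))


def sp_endpoints(xml_text):
    """Return {label: URL} for every endpoint an IdP would take from this SP metadata."""
    root = ET.fromstring(xml_text)
    endpoints = {"entityID": root.get("entityID", "")}
    for elem in root.iter(MD_NS + "AssertionConsumerService"):
        endpoints["ACS[%s]" % elem.get("index", "?")] = elem.get("Location", "")
    for elem in root.iter(MD_NS + "SingleLogoutService"):
        binding = elem.get("Binding", "?").rsplit(":", 1)[-1]
        endpoints["SLO[%s]" % binding] = elem.get("Location", "")
    return endpoints


def check_sp_metadata(xml_text, expected_host, expected_port=8443):
    """Return a list of problems; an empty list means every endpoint is https on the public host/port."""
    problems = []
    root = ET.fromstring(xml_text)
    # Spring SAML derives the ID attribute from the entityID, so an ID that still starts
    # with "http___" shows the file predates the switch to https.
    if not root.get("ID", "").startswith("https___"):
        problems.append("ID attribute not derived from an https entityID: %r" % root.get("ID"))
    for label, url in sp_endpoints(xml_text).items():
        parsed = urlparse(url)
        if parsed.scheme != "https":
            problems.append("%s is not https: %s" % (label, url))
        if parsed.hostname != expected_host.lower():
            problems.append("%s host %r is not the public host %r" % (label, parsed.hostname, expected_host))
        port = parsed.port or (443 if parsed.scheme == "https" else 80)
        if port != expected_port:
            problems.append("%s port is not %d: %s" % (label, expected_port, url))
    return problems


if __name__ == "__main__":
    for name, text in (("stale", STALE_METADATA), ("fresh", FRESH_METADATA)):
        print(name, check_sp_metadata(text, "BOEHOST") or "OK")
    # Behind a load balancer the public host is the balancer's name, not the Tomcat host (assumed name).
    print("behind LB", check_sp_metadata(FRESH_METADATA, "lb.example.com"))
```

Run against a file downloaded before SSL was enabled, the script flags the ID attribute, the entityID, the ACS and the logout endpoint, which is the state in which the IdP posts the response back to an http URL on port 8080. The expected host is a parameter because, in front of an F5, the metadata has to carry the load balancer name rather than the Tomcat server name.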
Ok, I am not sure if I should follow https://blogs.sap.com/2017/11/17/saml-authentication-for-boe-on-tomcat/ or https://blogs.sap.com/2018/02/22/adfs-with-sap-business-intelligence-platform/, and do I need WEB_SESSION or trusted.auth.shared.secret=MySecret? And I did not understand the changes in custom.jsp.
1. https://blogs.sap.com/2017/11/17/saml-authentication-for-boe-on-tomcat/ focuses on HCP as IDP
2. https://blogs.sap.com/2018/02/22/adfs-with-sap-business-intelligence-platform/ focuses on ADFS as IDP, if you are using ADFS as IDP. (nicely documented steps)
Make the changes in custom.jsp as per second blog.
trusted.auth.shared.secret - used to retrieve the secret for Trusted Authentication. Only applies if using the web session to pass the shared secret.
WEB_SESSION - The user name is retrieved from the contents of a specified session variable
Thanks Mohammed.
I did all the steps for Tomcat: configured SSL, enabled the SAML filters, generated the keystore, imported it to the SP, and the metadata file is configured at the IDP end. Now the BI launchpad URL is redirecting to SAML; however, it throws the error "The VIP Access Manager encountered an internal error and was unable to complete your request. Try again later." I have not done the custom.jsp file edit as I am not sure of the shared secret.
What is the value I need to write into the custom.jsp?
request.getSession().setAttribute("???", ???);
request.getSession().setAttribute("???", request.getUserPrincipal().getName());
You need to configure trusted authentication.
Follow below steps
Configure Trusted Authentication for Tomcat with Web session
sso.enabled=true
trusted.auth.shared.secret=MySecret
trusted.auth.user.param=MyUser
trusted.auth.user.retrieval=WEB_SESSION
<INSTALLDIR>\SAP BusinessObjects Enterprise XI 4.0\win64_x64\
<INSTALLDIR>\SAP BusinessObjects Enterprise XI 4.0\win32_x86\
Copy the content of the TrustedPrincipal.conf file; we require it in the step below.
2. Locate the custom.jsp file inside the web folder at C:\Program Files (x86)\SAP BusinessObjects\tomcat\webapps\BOE\WEB-INF\eclipse\plugins\webpath.InfoView\web\custom.jsp
Make the following changes to the custom.jsp file in the location mentioned above
custom.jsp file -
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<%@ page language="java" contentType="text/html;charset=utf-8" %>
<% // custom Java code goes here
%>
Note: the MySecret placeholder value (randomly generated numbers) has to be replaced with your TrustedPrincipal.conf file content, which we copied in the step above.
Restart Tomcat.
Hope it helps
Thanks
Ashraf
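As an added example (not from this thread, and not SAP's code), a consistency check for the WEB_SESSION trusted authentication setup described in the steps above: it reads the global.properties keys and the setAttribute calls in custom.jsp and reports when the two disagree, when the user name is hard-coded instead of taken from the authenticated principal, or when the shared-secret placeholder was never replaced. The property values (sso.enabled, trusted.auth.shared.secret=MySecret, trusted.auth.user.param=MyUser, trusted.auth.user.retrieval=WEB_SESSION) come from the thread; the custom.jsp body and the secret literals are constructed for the example, and the placeholder patterns it looks for are an assumption.

```python
"""Check that global.properties and custom.jsp agree for WEB_SESSION trusted authentication (added example)."""
import re

# Constructed global.properties content using the keys given in the thread.
GLOBAL_PROPERTIES = """\
sso.enabled=true
trusted.auth.shared.secret=MySecret
trusted.auth.user.param=MyUser
trusted.auth.user.retrieval=WEB_SESSION
"""

# Constructed custom.jsp body. The property VALUES name the session attributes, so custom.jsp
# must set exactly those attribute names. The secret literal here is a placeholder, not a real
# TrustedPrincipal.conf value.
CUSTOM_JSP = """\
<%@ page language="java" contentType="text/html;charset=utf-8" %>
<%
if (request.getUserPrincipal() != null) {
    request.getSession().setAttribute("MySecret", "REPLACE_WITH_TrustedPrincipal.conf_CONTENT");
    request.getSession().setAttribute("MyUser", request.getUserPrincipal().getName());
}
%>
"""

SET_ATTR = re.compile(r'setAttribute\(\s*"([^"]*)"\s*,\s*(.+?)\s*\)\s*;')


def parse_properties(text):
    """Minimal Java .properties parser: key=value lines, '#' and '!' comments ignored."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(("#", "!")):
            continue
        key, sep, value = line.partition("=")
        if sep:
            props[key.strip()] = value.strip()
    return props


def session_attributes(jsp_text):
    """Map session-attribute name -> Java expression that custom.jsp stores under it."""
    return {name: expr for name, expr in SET_ATTR.findall(jsp_text)}


def check_trusted_auth(properties_text, jsp_text):
    """Return problems that would make WEB_SESSION trusted authentication fail or be unsafe."""
    props = parse_properties(properties_text)
    attrs = session_attributes(jsp_text)
    problems = []
    if props.get("sso.enabled", "").lower() != "true":
        problems.append("sso.enabled is not true, so the trusted-authentication filter is inactive")
    if props.get("trusted.auth.user.retrieval") != "WEB_SESSION":
        problems.append("trusted.auth.user.retrieval is not WEB_SESSION; custom.jsp session attributes are ignored")
        return problems
    user_attr = props.get("trusted.auth.user.param", "")
    if not user_attr:
        problems.append("trusted.auth.user.param is missing; no session attribute names the user")
    elif user_attr not in attrs:
        problems.append("custom.jsp never sets session attribute %r named by trusted.auth.user.param" % user_attr)
    elif attrs[user_attr].startswith('"'):
        # A literal user name would log every visitor in as that user, bypassing the IdP entirely.
        problems.append("user attribute %r is a hard-coded literal instead of the authenticated principal" % user_attr)
    secret_attr = props.get("trusted.auth.shared.secret", "")
    if secret_attr:
        if secret_attr not in attrs:
            problems.append("custom.jsp never sets session attribute %r named by trusted.auth.shared.secret" % secret_attr)
        else:
            literal = attrs[secret_attr].strip('"')
            # Assumed placeholder patterns: the attribute name itself, or obvious "replace me" text.
            if literal in (secret_attr, "MySecret") or "REPLACE" in literal.upper() or "TRUSTEDPRINCIPAL" in literal.upper():
                problems.append("shared secret for %r is still a placeholder; it must be the TrustedPrincipal.conf content" % secret_attr)
    return problems


if __name__ == "__main__":
    for problem in check_trusted_auth(GLOBAL_PROPERTIES, CUSTOM_JSP) or ["OK"]:
        print(problem)
```

The check reflects how the thread uses the properties: trusted.auth.user.param=MyUser and trusted.auth.shared.secret=MySecret are the names of the session attributes, so a global.properties that says UserName while custom.jsp sets MyUser will never authenticate, and a custom.jsp that still carries the placeholder secret fails the same way. The null check on getUserPrincipal() in the sample JSP keeps the attributes from being set on requests that did not go through SAML.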
Thanks. I did everything now and am getting the attached error. SAML is not getting a response (attached: error2.jpg).
1. I entered the URL https://BOEHOST:8443/BOE/BI and it's redirecting to the URL https://<SAML link>/ssg-saml/saml/userData?id=0c3ae7fa-64e2-47f9-b6ea-b27da486babc but throws the same error: "The VIP Access Manager encountered an internal error and was unable to complete your request. Try again later."
2. If I go using SAML icon from SAML page, it redirects to https://<servername>:8443/BOE/logon.jsp;jsessionid=B2136381AC0919DFDF11916D0E36E6BC
Will check IDP logs tomorrow.
There are some slight changes to be made in the securityContext.xml file for a SAML configuration behind a load balancer.
Please follow the steps in the below SAP note.
I did it and it's routing to SAML, I believe; however, I'm still getting an HTTP 404 error and not sure why it's redirecting to http://<tomcatservername>:8080/BOE/logon.jsp;jsessionid=9DC6FFBF959625B4531254124CFED2D0
Hi,
Both target and ACS URLs should be https (if IDP is ADFS, it does not accept http URLs).
Regarding the 404 error, you can follow the steps from the link below:
https://blogs.sap.com/2018/02/22/adfs-with-sap-business-intelligence-platform/#comment-425019
More configuration details can be found in the blog below:
https://blogs.sap.com/2018/02/22/adfs-with-sap-business-intelligence-platform/
Thanks
Ashraf
Thanks. So, you mean I have to configure https for Tomcat... will do it in some time and let you know. We have an F5 load balancer in the live environment where we actually need to configure this. Let me know which steps I need to follow in that case and how securityContext.xml will read our keystore file and authentication details.
Hi Mohamed,
I am just concentrating on the Sandbox environment for now, which has a single Tomcat server and a single CMS. I followed the steps as per https://blogs.sap.com/2018/02/22/adfs-with-sap-business-intelligence-platform/#comment-425019 but it's routing to http:// :8080/BOE/logon.jsp;jsessionid=9DC6FFBF959625B4531254124CFED2D0. We disabled encryption and now it's redirecting to http:// :8080/BOE/saml/SSO (see the config doc and SAML trace attached).
I am using trusted authentication with WEB_SESSION. Do I need to make changes in custom.jsp for WEB_SESSION too?
my global.properties file:
sso.enabled=true
trusted.auth.user.retrieval=WEB_SESSION
trusted.auth.user.param=UserName
Hi,
The blog below has detailed implementation steps on how to configure SAML (the ACS URL) for BO.
https://blogs.sap.com/2018/02/22/adfs-with-sap-business-intelligence-platform/
The above blog is targeted for ADFS as IDP.
Thanks
Ashraf
Hi Mohammed,
I followed the steps mentioned in https://blogs.sap.com/2017/11/17/saml-authentication-for-boe-on-tomcat/ and downloaded the Spring metadata file, provided it to the SAML team, and the plugin got configured automatically with the ACS as well as the target URL. Both the target and ACS URLs are http://<tomcatservername>:8080/BOE/saml/sso, but we are getting an HTTP 404 error while navigating through SAML. I am trying to configure it for a single Tomcat in the Sandbox environment; however, we are using an F5 load balancer in the live environment where we have SSL configured already. Not sure what is going wrong. Please advise.