
Help to configure SAML SSO

Hi Team,

We need help to configure SAML authentication in BI 4.2 SP5. We did speak with the SAML team and they just need the target URL and ACS URL. The target is the load balancer URL, which we provided, but the ACS URL is something which contains the IDP URL (unique URL for SAML), and they provided a cert as well as an XML file for the same. We want to know how to configure the ACS URL for BO in order to proceed with SAML.

Platform: Windows Server 2012 R2, Tomcat.


5 Answers

  • Dec 18, 2018 at 10:24 AM

    Hi,

    The blog below has detailed implementation steps on how to configure SAML (ACS URL) for BO.

    https://blogs.sap.com/2018/02/22/adfs-with-sap-business-intelligence-platform/

    The above blog is targeted for ADFS as IDP.

    Thanks
    Ashraf


    • Hi Mohammed,

      I followed the steps mentioned in https://blogs.sap.com/2017/11/17/saml-authentication-for-boe-on-tomcat/ and downloaded the spring metadata file, provided it to SAML, and the plugin got configured automatically with the ACS as well as the target URL. Both target and ACS URLs are http:// :8080/BOE/saml/sso but we are getting an HTTP 404 error while navigating through SAML. I am trying to configure it for a single Tomcat in the Sandbox environment; however, we are using an F5 load balancer in the live environment, where we have SSL configured already. Not sure what is going wrong. Please advise.

  • Jan 02 at 05:22 AM

    Hi,

    Both target and ACS URLs should be https (if IDP is ADFS, it does not accept http URLs).

    Regarding the 404 error, you can follow the steps from the link below:

    https://blogs.sap.com/2018/02/22/adfs-with-sap-business-intelligence-platform/#comment-425019

    More configuration details can be found in the blog below:

    https://blogs.sap.com/2018/02/22/adfs-with-sap-business-intelligence-platform/

    Thanks
    Ashraf


    • Hi Mohamed,

      I am just concentrating on the Sandbox environment for now, which has a single Tomcat server and a single CMS. I followed the steps as per https://blogs.sap.com/2018/02/22/adfs-with-sap-business-intelligence-platform/#comment-425019 but it's routing to http:// :8080/BOE/logon.jsp;jsessionid=9DC6FFBF959625B4531254124CFED2D0. We disabled encryption and now it's redirecting to http:// :8080/BOE/saml/SSO (see the config doc and SAML trace attached).

      I am using trusted authentication using WEB_SESSION. Do I need to make changes in custom.jsp for WEB_SESSION too?

      My global.properties file:

      sso.enabled=true
      trusted.auth.user.retrieval=WEB_SESSION
      trusted.auth.user.param=UserName

  • Jan 02 at 06:51 AM

    There are some slight changes to be made in the securityContext.xml file for SAML configuration behind a load balancer.

    Please follow the steps in the SAP note below.

    https://launchpad.support.sap.com/#/notes/2621904


    • I did it and it's routing to SAML, I believe; however, I am still getting an HTTP 404 error and am not sure why it's redirecting to http://<tomcatservername>:8080/BOE/logon.jsp;jsessionid=9DC6FFBF959625B4531254124CFED2D0

  • Jan 02 at 10:13 AM

    After configuring SSL https, you need to regenerate SP metadata (spring_saml_metadata.xml file).

    Type the URL https://BOEHOST:8443/BOE/saml/metadata

    This will automatically download an XML file, spring_saml_metadata.xml.

    To make sure the SP metadata is generated with https URLs, open the spring_saml_metadata.xml file and check that the ID and EntityId URLs have https.

    Thanks
    Ashraf
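
The metadata check described in this answer can be scripted before the file is handed to the IdP team. The following is an added example, not part of the original answer or of SAP's tooling: it flags an `entityID` that is plain http and any endpoint `Location` (including the ACS URL) that is not https. The host name `boehost.example` and the sample XML are constructed for illustration.

```python
import sys
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"

# Constructed sample of SP metadata generated before SSL was configured.
SAMPLE_HTTP = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="http://boehost.example:8080/BOE/saml/metadata">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:AssertionConsumerService index="0"
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="http://boehost.example:8080/BOE/saml/SSO"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""
# Same constructed document as it would look after regeneration over https.
SAMPLE_HTTPS = SAMPLE_HTTP.replace("http://boehost.example:8080",
                                   "https://boehost.example:8443")


def non_https_urls(metadata_xml):
    """Return (where, url) pairs that would make the IdP post to a non-https URL."""
    root = ET.fromstring(metadata_xml)
    if root.tag != f"{{{MD_NS}}}EntityDescriptor":
        raise ValueError("not a SAML EntityDescriptor document")
    findings = []
    entity_id = root.get("entityID", "")
    # entityID is only an identifier, so flag it just when it is explicitly http.
    if urlsplit(entity_id).scheme.lower() == "http":
        findings.append(("entityID", entity_id))
    # Every endpoint (ACS, logout, ...) must be reachable over https.
    for el in root.iter():
        for attr in ("Location", "ResponseLocation"):
            url = el.get(attr)
            if url is not None and urlsplit(url).scheme.lower() != "https":
                findings.append((f"{el.tag.split('}')[-1]}@{attr}", url))
    return findings


if __name__ == "__main__":
    # Pass the path to the downloaded spring_saml_metadata.xml, or run the sample.
    text = open(sys.argv[1], encoding="utf-8").read() if len(sys.argv) > 1 else SAMPLE_HTTP
    for where, url in non_https_urls(text):
        print(f"NOT https: {where} -> {url}")
```

An empty result means the entity ID and every endpoint in the file use https; any line printed points at a URL that was generated before SSL was in place.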


    • Hi Ashraf,

      I just cleared the Tomcat cache in order to test further and enable SAML log4 logging, but observed that Tomcat is not building the cache (BOE and other folders are empty, 0KB); however, Tomcat builds the cache if I disable the SAML filters. Not sure what's going wrong.

  • Feb 11 at 05:44 AM

    Hi Ashraf,

    I was able to configure SAML successfully in all BO environments; however, we are intermittently getting a 404 error where the SAML page is redirecting to BOE/saml/SSO instead of BOE/BI as a target. Please suggest what could be the issue.
