on 07-05-2012 6:40 PM
We were eagerly awaiting BI4 SP04 to address several SAP integration issues including the requirement to use Windows AD for single sign-on to SAP Enterprise Portal hosting BI4 content (dashboards/webis/Analysis for OLAP) and BEx Web analyzer, i.e. user logs on once for Windows to authenticate to all SAP systems, ECC, BW, BI, EP, etc. We have no plans to use the BI Launch Pad.
We are on AIX 6.1 for BI4 SP04, NW 7.3.1 and EP and BW 7.3.1 and are working through Kerberos client on AIX to Windows AD and SNC and SSO in SAP...
Frankly we have been struggling for some time with issues on BI4 SP02 and NW 7.3 so we were frustrated when we came across the following in SAP doc -
Business Intelligence Platform Administrator Guide.pdf (http://help.sap.com/businessobject/product_guides/boexir4/en/xi4_bip_admin_en.pdf)
Page 211
The Windows AD security plugin cannot authenticate users if the BI platform server components are running on Unix
Page 212
Windows AD with Kerberos is supported if the Java application is on Unix. However, BI platform services must run on a Windows server.
Can someone clarify these statements? We will install Java application (NW? BI Java?) on UNIX. We will not run BI Platform? services on Windows.
If our requirement is to have a user only logon once to Windows and access BI4 content in the SAP Portal, not the BI Launch Pad, MUST we run BI4 on Windows?
Sincere thanks for your time and thoughts,
Lee Lewis
Summit Electric Supply
ASUG EDW and BO SIG Volunteer - Market Leader
There is no Active Directory plugin on Unix. The AD plugin uses native Windows API so cannot be used to import users from the Active Directory. This means that the Central Management Server (CMS) must be installed on a Windows machine.
You can use the LDAP connectivity plugin on Unix to access your AD, however unless your CMS is running on Windows you will not get Kerberos SSO.
However you can configure the SAP portal for SSO to BI using SAP SSO tickets.
Have a look at this blog:
http://wiki.sdn.sap.com/wiki/display/BOBJ/BI4+Integration+into+the+SAP+Entreprise+Portal+7.0.x
Hi Greg,
with SAP NW SSO the customer could use X.509 certificates (they will be generated automatically out of the Kerberos ticket) which would work for SAP Enterprise Portal on Unix and many other systems for client authentication.
Would this work also for BOBJ4? Topic: Enterprise trusted authentication?
This would of course work only for all web applications.
Regards
Matthias
Hi Lee,
How did you end up resolving this issue? Did you come up with a work around?
The client I am working at is in the exact same scenario.
Cheers,
Ainsley
Hi Ainsley,
A work around? Yes and no and sort of ...kind of...
This turns out to be quite complex and temperamental.
In short, you cannot use Windows AD authentication, but instead use LDAP (with the Microsoft Active Directory). We were able to get this to work with much effort. The biggest limitation is that it supports a single AD forest.
I am giving a presentation on silent single sign on for BI4 and Enterprise Portals at the SAP BO User Conference in Orlando and will see about posting the slides after the conference, but can share some of the resources here that we found to be most useful. Please reach out to me if I can help further.
Lee Lewis
• Integrating SAP BusinessObjects BI Platform 4.x with SAP NetWeaver, Ingo Hilgefort, SapPress 2011
• Configuring LDAP Manual Authentication and SSO for BI4 on Unix
• 1631734 - Configuring Active Directory Manual Authentication and SSO for BI4
• Business Intelligence Platform Administrator Guide, SAP BusinessObjects Business Intelligence platform 4.0 Feature Pack 3, June 2012
• 1670073 - How -To: Generate keystore and certificate in the process of configuring STS for SAP
• 1687295 - How to configure Single Sign On (SSO) on the SAP Netweaver 7.x portal to BI4
• IBM - Configure single sign-on authentication on AIX
• 1537480 - Best Practice: How To setup Active Directory Single Sign On when BOE CMS is on Unix or Linux
• Kerberos Explained - Microsoft Technet
• SAP Help - Secure Network Communications (SNC)
• Using Kerberos Authentication for Single Sign-On
• SAP Netweaver 7.3 Configuring Kerberos Authentication
• SAP BusinessObjects BI4 Active Directory SSO Tutorial
• 1631734 - Configuring Active Directory Manual Authentication and SSO for BI4
• 1245218 - How to connect the LDAP plugin to Active Directory
Lee Lewis
Zav,
Lee has provided a very comprehensive list and some good information. Officially you can have SSO with AD using the LDAP connector for Active Directory (not silent - i.e. you have to type in your AD credentials).
It is possible to have silent SSO (i.e. user is signed in automatically) and Lee provides a link: 1537480 - Best Practice: How To setup Active Directory Single Sign On when BOE CMS is on Unix or Linux. This was updated for BI4 in note 1636349.
The silent SSO is unfortunately not supported although support will help:
Thanks,
Bill