Registration

Dear SAP Community Member,
In order to fully benefit from what the SAP Community has to offer, please register at:
http://scn.sap.com
Thank you,
The SAP Community team.
Skip to end of metadata
Go to start of metadata

Product versions: SAP BO BI4.0

 
 
 

1. Introduction

  • Please read first How to setup SSO against SAP BW in SBO BI4.0 for LDAP users to understand when to use this setup
  • The topic of this article is Single Sign-On (SSO) to SAP BW by utilizing SAP Security Token Service (STS).
  • The SSO via STS can be utilized with the Common Semantic Layer (UNX) for relational access to SAP BW and OLAP BICS connection for access to SAP BW (no universe involved - BEx query used).
  • BI4.0 client used in the article as an example is WebIntelligence.
  • The described setup can be used for SSO access to SAP BW for non-SAP users like LDAP or Windows AD users.
  • SAP BO BI4.0 introduces the new service called the Security Token Service (STS). The STS is capable of issuing proprietary SAP tokens called Assertion Tickets. Any BI4.0 SDK client that desires SSO2DB to an SAP BW system would make a simple SDK call. This call would be processed by the STS, which would return an Assertion Ticket valid for logon to the target SAP BW system if the user had an alias which mapped to that system. The BI4.0 client would then connect directly to the SAP BW system via RFC, using the Assertion Ticket as the credential.
  • A high-level picture of the solution is below. Note, this shows only the components directly involved in the workflow. While SAP BW, SAP BusinessObjects Analysis, edition for OLAP , and Common Semantic Layer clients are all highlighted, the solution generally addresses any BI4.0 SDK client which interacts with an SAP BW system over RFC (Remote Function Call - SAP proprietary protocol) .

Note: Legacy C++ clients ( CR 2008, XI3.1 Webi with OLAP universes) that are migrated to run on BI4.0 platform continue to use the SNC server-side trust and Impersonation mechanism.

  • What are Assertion Tickets?
    Assertion tickets are a special kind of SAP Logon Ticket. They use the same proprietary format. While standard SAP Logon Tickets assert only source system and username (and so are accepted on any system trusted by the source system), Assertion Tickets also assert target system (and so are accepted on only one specific system). In addition, Assertion Tickets have a very short lifetime, intended for a single use only.

2. Prerequisites

  • SAP BO BI4.0 (Patch 04 for server and client) environment has to be setup.
  • SAP BW 7.01 SP6
  • Read SAP BO BI4.0 Admin Guide, chapter "Setting up single sign-on to the SAP system"

3. Steps to setup up single sign-on to the SAP system by utilizing Security Token Service

  1. Generate keystore and certificate for SAP BO BI4.0
  2. Import SAP BO BI4.0 certificate into SAP BW
  3. Setup of SAP SSO Service in SAP BO BI4.0 CMC
  4. Setup of SSO againt SAP BW for SAP BO BI4.0 BICS or JCO connections

How to setup XI3.1 WebIntelligence SSO with SAP BW
How to setup SSO against SAP BW in SBO BI4.0 for LDAP users