Page tree
Skip to end of metadata
Go to start of metadata

Editorial Note:

XI3.1 Integration for SAP Solutions Install and Admin guide has been used as reference for this article

Product versions: XI 3.1


1. Understanding of what is XI3.1 (FP1.8 or SP2) Single Sign On (SSO) with SAP Authentication

  • User logs into Windows Desktop machine with his/her LDAP/AD credentials and than launches/logs into XI3.1 InfoView. He/she is not prompted to enter Business Objects Enterprise XI3.1 user ID and password.
  • User is able to create/run webi reports against SAP InfoProvider and he/she is not prompted for SAP user ID/password.
  • The suggested solution is for WebIntelligence workflows.
  • The suggested solution is using server-side trust ( setup with SAP Crypto library for Windows AD/SAP user mapping and SSO to SAP BW) for WebIntelligence server processes and SAP Authentication (user/password) for CMS server process
  • The suggested solution covers following workflow:
    1) Log into InfoView by using Windows AD user account
    2) Create webi report based on the universe. The universe is created on top of the SAP InfoProvider. The connection object for the universe is setup to be SSO.
    3) Run report and get data

2. Prerequisites

  • Reader of this article should be familiar with Integration for SAP Solutions Install and Admin guide. "How to setup XI3.1 WebIntelligence SSO with SAP BW" article covers only WebIntelligence workflow and it is hand-on approach.
  • BOE XI3.1 CMS server process has to run under domain user account if BOE XI3.1 deployment is on Windows platform (in this case "xiad" user account that is defined on domain).
  • BOE XI3.1 + FP1.8 or SP2 are used for this setup.
  • Universe connection is set as SSO connection
  • CRYSTAL_ENTITLEMENT SAP role has to exist in SAP system, refer to this page for instructions : How to create CRYSTAL_ENTITLEMENT SAP role
    (Note: The name CRYSTAL_ENTITLEMENT has been chosen base on Integration for SAP Solutions Install and Admin guide document page 79 which covers all workflows. This article covers only WebIntelligence workflow, so reader can choose different name which fit his/her needs.)
  • SAP authorizations required for this role are described in XI3.1 Integration for SAP Solutions Install and Admin guide
    Chapter 5 / Configuring SAP authentication for BusinessObjects Enterprise / page 80
  • SAP user CRYSTAL has to be created on SAP system and CRYSTAL_ENTITELMENT SAP role has to be assigned to CRYSTAL user.
  • BusinessObjects XI 3.1 Integration (FP1.8 or SP2) for SAP Solutions has to be installed on XI 3.1 (FP1.8 or SP2) BO server machine
  • SAP GUI 710 has to be installed on XI 3.1 BO server machine
  • SAP Java Connector DLLs and jar files from have to be installed on the same XI 3.1 BO server machine (Copy the sapjcorfc.dll and librfc32.dll files into %WINDOWS%\System32, Copy the sapjco.jar file into ...\Business Objects\Tomcat\shared\lib . Create ..\shared\lib folder structure if does not exist. Can be found at
  • If you are planning to integrate with BI7 system, your SAP Java Connector must be version 2.1.6 at a minimum because BI 7 allows passwords that are longer than 8 characters and this requires at a minimum the version 2.1.6 from the SAP JavaConnector
  • The SAP Cryptographic Library and PSE maintenance tool have been downloaded and expanded on the host on which Business Objects Enterprise XI3.1 processing servers run. The "SAP Cryptographic Library" (SAPCRYPTOLIB) is available on SAP Service Marketplace ( - Then choose "Download" - "SAP Cryptographic Software" ) for downloading software (export control, see Note 397175)

3. How to achieve XI3.1 SSO with SAP Authentication

  • Setup ONE of the Business Objects Enterprise XI 3.1 authentications (LDAP, AD, NT - see below image). This article will not focus on this topic. It is assumption that reader already knows how to do this setup. In this example we will use Windows AD.
  • "Configuring SAP Server-Side Trust" (Please refer XI3.1 Integration for SAP Solutions Install and Admin guide for SAP Server-Side Trust overview, Chapter 6 page 94). Server-side trust involves password-less impersonation. Server-side trust is enabled by using the free SAP crypto library. To enable server-side trust for Business Objects Enterprise XI3.1 using the free SAP crypto library, you must run the relevant XI3.1 servers under credentials that are authenticated using a registered Secure Network Communication (SNC - see NOTE 1) provider. These credentials are configured within SAP to be allowed to impersonate without a password. There are different security software (cerified with SAP) that can be used but two most common for deploying SNC (use one of them to deploy SNC):
    a) Microsoft NTLMSSP Crypto library - only Windows platform
    b) SAP Crypto - across the OS platforms, including Windows (Please refer to Configuring SAP server-side trust with SAP crypto library)
  • Configuring Business Objects Enterprise XI3.1 for server-side trust.

    1) Preparing BOE XI3.1 environment for SNC and generating the PSE certificate.
    Please refer to

    How to prepare BOE XI3.1 environment for SNC and generate PSE

    2) Configure SAP Authentication and SNC in BOE XI3.1 CMC to import SAP Roles (they become BOE
     XI3.1 user groups). Please refer to

    How to configure SNC in XI3.1 CMC

    3) Mapping SAP accounts as aliases to BOE XI3.1 authentication accounts (LDAP/AD/NT accounts) in
     BOE XI3.1 CMC. Please refer to

    How to assign SAP aliases to users in XI 3.1 CMC

  • Known issues

    Incomplete logon data when SAP Crypto is used with XI3.1

    NOTE 1

    SNC is a software layer in the SAP system architecture that provides an interface to external security product. SNC provides security at the application level. This means that a secure connection between the components of the SAP system (for example, between the SAP GUI and the SAP application server) is guaranteed, regardless of the communication link or transport medium. You therefore have a secure network connection between two SNC-enabled communication partners.
    There are two types of SNC. Server and client. Specific XI3.1 servers require the different type of SNC for particular areas of responsibility. Please refer XI3.1 Integration for SAP Solutions Install and Admin guide (Chapter 6, pages 95,96) for more info.

please include links to relevant articles here