Pre-Requisites

The BI Platform web applications can use SAML assertions to create an Enterprise session; however, they are not fully SAML compatible. The current implementation uses the Spring SAML libraries to validate an assertion from a trusted Identity Provider (IdP), then uses Trusted Authentication to create an Enterprise session.

This workflow does have pre-requisites for a successful implementation, which include

  • SAP BusinessObjects BI Platform 4.2 SP07 or later (including all 4.3 releases)
  • Supported Web application server (SAML wizard currently supports Tomcat)
  • NameID of the user passed in IdP assertion must match an existing user account in the BI Platform
    • Users cannot be created dynamically

This wiki shows a user whose NameID maps to Administrator, which will work on any default implementation. For an end-user, the account can be created manually or imported from any authentication plugin. The only requirement is that the NameID in the assertion exactly match the Account Name of the BI Platform user.

SAML Wizard – Generating the SAML configuration

  1. Launch the BI Platform support tool and access the Authentication Wizards screen


  2. Expand the SAML bar and select the Launch SAML Wizard button


  3. Review the details on the first page and select Next to start the wizard


  4. Enter the requested details to generate the expected BI Launchpad URL


  5. Verify that the generated BI Launchpad URL matches what will be used by end-users and click Accept to enable the Next button. Click Next to proceed

    NOTE: This is the scheme, host, and port combination that end-users must use to access BI web applications.  Access via other endpoints may cause assertion validation issues, resulting in HTTP 404 errors.

  6. Select the check box next to the Max Authentication Age property and adjust the value to a time slightly longer than the IdP session timeout (contact your Identity Provider administrator for this value)

    See KBA 2672379 for more details on this configuration

  7. [Optional] Select the check box to customize any other listed ServiceProvider properties. Click Next to proceed.
    • Web Server OS: Windows or Linux/Unix
    • EntityID: Identifier for ServiceProvider (certain characters restricted)
    • Keystore: Values used in creation of SAML specific keystore

  8. Review the details of the Trusted Authentication screen, which are also covered below:
    • The SAML workflow for the BI Platform web application utilizes Trusted Authentication for Enterprise session creation
    • This step of the wizard connects to the CMS to see if Trusted Authentication is already enabled
      1. If TA is enabled: the current shared secret is retrieved
      2. If TA is not currently enabled: TA is enabled, new shared secret is generated and committed to the CMS database.

  9. [Optional] Prior to the CMS connection the wizard can be configured to update Trusted Authentication specific properties
    • Shared Secret Validity (days): Number of days newly generated shared secret is valid
    • Trusted logon request timeout:

  10. Click Connect to launch the CMS Login Dialog

    NOTE: The login is restricted to the default Enterprise Administrator account as this is required for Trusted Authentication configurations. See KBA 2244362 for more information.

  11. After the workflow has completed, a results screen will show. Below is an example of a successful configuration on a newly installed environment


  12. Click OK in the dialog and then Next when returned to the wizard to proceed:


  13. To enable SAML in the web applications, the specific <application>.properties files must be customized.
    • If these .properties files have already been customized, they can be imported to the wizard and the values persisted.
      1. Click the Import button
      2. Review the listed information in the dialog, Click OK
      3. Navigate to the custom directory of the BOE application
        • <WEBAPP_DIR>/BOE/WEB-INF/custom
      4. Hold the ctrl key on the keyboard and select all .properties files to be imported
      5. Click Open
    • If no customization exists or to generate new <application>.properties files, do not click the Import button. Instead, manually select the checkboxes next to the applications to be configured


  14. After either importing existing <application>.properties or selecting those to be configured, click Next to proceed

  15. To establish the required trust, the IdentityProvider metadata must be imported to the ServiceProvider configuration. Click the Metadata button and select the XML file containing the IdP metadata
    • This IdP metadata must be retrieved from your Identity Provider team
    • This example will use SAP Identity Authentication Service as an IdP, which has provided the metadata as sap-ias-meta.xml


  16. With the IdP metadata selected, Click Open to start the metadata verification workflow.

  17. Upon completion, a dialog will display. Click OK to proceed


  18. [Optional] Most IdPs will provide all required certificates as part of the metadata. Additional file-based certificates can be imported by clicking the Import button (multi-select required)

  19. Click Next to proceed

  20. At this point, all necessary information has been provided. To generate the package of files to be implemented for the configuration, click the Generate button.
    • Select a path for the .ZIP file to be generated, to later be moved to the web application server


  21. Upon a successful completion, the following screen will be seen



SAML Wizard – Implementing the SAML configuration
NOTE: Additional information and detailed instructions are included in the INSTRUCTIONS.txt of each generated package

  1. Stop the Tomcat service
  2. Backup any existing configuration for the BOE web application
    • <webapps>/BOE/WEB-INF
  3. Copy the ZIP file created from the SAML wizard to the web application server hosting the BOE application
  4. Extract the ZIP file to a generic temporary location


  5. Copy the extracted files to their proper locations:
    • [PRE 4.2 SP07 ONLY]
      1. Copy web.xml from the PRE-CONFIG folder to <WEBAPP_DIR>/BOE/WEB-INF
      2. Migrate the required libraries (see INSTRUCTIONS.txt)
    • Copy the contents of the unzipped WEB-INF folder to the deployed WEB-INF folder of the BOE application
      1. <WEBAPP_DIR>/BOE/WEB-INF
      2. Overwrite files, if prompted
    • Copy the TrustedPrincipal.conf file to the correct directory:
      1. Windows: <BOE_Install_Dir>\SAP BusinessObjects Enterprise XI 4.0\win32_x86
      2. Linux: <BOE_Install_Dir>/SAP BusinessObjects Enterprise XI 4.0/linux_x86
      3. This file holds the Trusted Authentication shared secret: restrict read access to the account that runs the web application server, since anyone who can read it can mint an Enterprise session for any existing user.

  6. BI 4.3 (with support tool version 2.1.11) only
    • Add the following to the <security:http> block of the samlEntryPoint configuration (in Spring Security's XML namespace these elements are only valid as children of <security:http>):
           <security:csrf disabled="true" />
           <security:headers>
                 <security:frame-options disabled="true"></security:frame-options>
           </security:headers>
    • NOTE: The IdP delivers the assertion to the ACS URL with a cross-site POST that carries no Spring Security CSRF token, which is why CSRF protection must be off for the SAML endpoints. Keep both settings scoped to this SAML-specific <security:http> block rather than disabling CSRF or frame-options for the whole application.



  7. Start the Tomcat service
  8. Send the BIP_SAML_METADATA.xml file to your Identity Provider administrator to be imported.

At this point, SAML is enabled for the BOE web application; however, all access to the BOE applications will fail until the Identity Provider has imported the provided metadata file.  This IdP side import allows the IdP to trust this application and provides it the details it needs to process SAML requests (Assertion Consumer Service URL, bindings, etc).


The image below shows the application created in an instance of the SAP Identity Authentication service, which is used as the IdP in this scenario. This will be unique to each IdP.


Testing

  1. Open a supported browser on a client system
  2. Access the now SAML-enabled BI Launchpad using the URL generated earlier (http://server:port/BOE/BI)
    1. User session should now be forwarded to the IdP for authentication
  3. Login with IdP credentials, when prompted
  4. Upon successful IdP authentication, the user session should be forwarded to the AssertionConsumerService (ACS) URL -- http://server:port/BOE/saml/SSO
    • If the assertion fails this validation, the user will see an error (e.g. HTTP 404)
    • If the assertion is validated successfully, the user will be forwarded back to the BI Launchpad application where an Enterprise session will be created
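When the redirect to the ACS URL ends in an error, the quickest way to see why is to decode the SAMLResponse the IdP posted to /BOE/saml/SSO and compare it with what the wizard-generated BIP_SAML_METADATA.xml promised the IdP. The script below is an added example written for this page; it is not code from the SAP wiki, the support tool or the BI Platform. It reads the SP entityID and HTTP-POST ACS URL out of SP metadata, decodes a SAMLResponse and re-runs the plaintext checks that cause the failures described above: Destination not equal to the wizard-generated scheme/host/port, NameID with no matching BI Platform account, expired assertion, and AuthnInstant older than Max Authentication Age. It does not verify the XML signature, SubjectConfirmation or encrypted assertions, which the Spring SAML layer handles. Every hostname, entityID, account name and timestamp (bi.example.com, idp.example.com, bi.example.com_BOE, jdoe, the 2024-01-15 times) is constructed sample data, and the embedded metadata and Response are cut-down stand-ins, not real wizard or IdP output.

```python
# Added example (not code from the SAP page or the support tool); all hosts, IDs and times are constructed.
import base64
from datetime import datetime, timedelta, timezone
from xml.etree import ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol", "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "md": "urn:oasis:names:tc:SAML:2.0:metadata"}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
IDP_ENTITY_ID = "https://idp.example.com"  # assumed IdP entityID (read it from the IdP metadata in practice)

# Constructed stand-in for the wizard-generated BIP_SAML_METADATA.xml (the real file carries much more).
SP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" entityID="bi.example.com_BOE">
 <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
  <md:AssertionConsumerService index="0" isDefault="true" Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
   Location="http://bi.example.com:8080/BOE/saml/SSO"/>
 </md:SPSSODescriptor></md:EntityDescriptor>"""

# Constructed, unsigned SAMLResponse as the IdP would POST it: NameID Administrator, IdP login one hour earlier.
SAMPLE_RESPONSE_B64 = base64.b64encode(b"""<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
 xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0" IssueInstant="2024-01-15T10:00:05Z"
 Destination="http://bi.example.com:8080/BOE/saml/SSO">
 <saml:Issuer>https://idp.example.com</saml:Issuer>
 <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
 <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2024-01-15T10:00:05Z">
  <saml:Issuer>https://idp.example.com</saml:Issuer>
  <saml:Subject><saml:NameID>Administrator</saml:NameID></saml:Subject>
  <saml:Conditions NotBefore="2024-01-15T09:59:35Z" NotOnOrAfter="2024-01-15T10:05:05Z">
   <saml:AudienceRestriction><saml:Audience>bi.example.com_BOE</saml:Audience></saml:AudienceRestriction>
  </saml:Conditions>
  <saml:AuthnStatement AuthnInstant="2024-01-15T09:00:00Z"/>
 </saml:Assertion></samlp:Response>""").decode()


def _ts(value):
    """xsd:dateTime such as 2024-01-15T10:00:05Z -> aware UTC datetime (fractional seconds tolerated)."""
    return datetime.strptime(value.rstrip("Z").split(".")[0], "%Y-%m-%dT%H:%M:%S").replace(tzinfo=timezone.utc)


def sp_expectations(metadata_xml):
    """entityID and HTTP-POST ACS URL from SP metadata: the values the IdP will put in Audience/Destination."""
    root = ET.fromstring(metadata_xml)
    acs = [e.get("Location") for e in root.findall("md:SPSSODescriptor/md:AssertionConsumerService", NS)
           if e.get("Binding", "").endswith(":HTTP-POST")]
    return root.get("entityID"), acs[0]


def parse_saml_response(b64):
    """Fields the SP validates, from the base64 SAMLResponse form value (URL-decode a browser capture first)."""
    root = ET.fromstring(base64.b64decode(b64))
    a = root.find("saml:Assertion", NS)
    if a is None:
        raise ValueError("no plaintext Assertion (encrypted assertions are not handled here)")
    return {"status": root.find("samlp:Status/samlp:StatusCode", NS).get("Value"),
            "issuer": a.findtext("saml:Issuer", default="", namespaces=NS).strip(),
            "destination": root.get("Destination"),
            "name_id": a.findtext("saml:Subject/saml:NameID", default="", namespaces=NS).strip(),
            "audiences": [e.text.strip() for e in a.findall("saml:Conditions/saml:AudienceRestriction/saml:Audience", NS)],
            "not_on_or_after": _ts(a.find("saml:Conditions", NS).get("NotOnOrAfter")),
            "authn_instant": _ts(a.find("saml:AuthnStatement", NS).get("AuthnInstant"))}


def check_response(info, acs_url, sp_entity_id, idp_entity_id, accounts,
                   max_authn_age=timedelta(seconds=7200), clock_skew=timedelta(seconds=60), now=None):
    """Problems the SP would reject the assertion for (empty list = accepted, signature aside).
    max_authn_age mirrors the wizard's Max Authentication Age; 7200 s is Spring SAML's default."""
    now = now or datetime.now(timezone.utc)
    problems = []
    if info["status"] != SUCCESS:
        problems.append("IdP status %s" % info["status"])
    if info["issuer"] != idp_entity_id:
        problems.append("Issuer %r is not the trusted IdP %r" % (info["issuer"], idp_entity_id))
    if info["destination"] != acs_url:  # scheme, host and port must equal the wizard-generated ACS URL
        problems.append("destination %r != ACS URL %r" % (info["destination"], acs_url))
    if sp_entity_id not in info["audiences"]:
        problems.append("Audience %r lacks SP entityID %r" % (info["audiences"], sp_entity_id))
    if info["name_id"] not in accounts:  # must equal an existing BI Platform account name; no dynamic creation
        problems.append("NameID %r matches no BI Platform account" % info["name_id"])
    if now - clock_skew >= info["not_on_or_after"]:
        problems.append("assertion expired at %s" % info["not_on_or_after"])
    age = now - info["authn_instant"]
    if age > max_authn_age:
        problems.append("AuthnInstant %ds old, over Max Authentication Age %ds"
                        % (age.total_seconds(), max_authn_age.total_seconds()))
    return problems


def run_sample(now=datetime(2024, 1, 15, 10, 0, 10, tzinfo=timezone.utc)):
    """Constructed Response checked against the SP metadata, then against a mis-set environment."""
    sp_entity_id, acs_url = sp_expectations(SP_METADATA)
    info = parse_saml_response(SAMPLE_RESPONSE_B64)
    accepted = check_response(info, acs_url, sp_entity_id, IDP_ENTITY_ID, {"Administrator"}, now=now)
    # Same assertion, but users reach BI Launchpad through another scheme/port, the account does not exist,
    # and Max Authentication Age (3600 s) is shorter than the age of the IdP login (3610 s).
    rejected = check_response(info, "https://bi.example.com/BOE/saml/SSO", sp_entity_id, IDP_ENTITY_ID,
                              {"jdoe"}, max_authn_age=timedelta(seconds=3600), now=now)
    return info, accepted, rejected


if __name__ == "__main__":
    print(run_sample()[1:])
```

Running the script prints an empty list for the correctly configured case and three findings for the mis-set one. To use it on a real capture, take the SAMLResponse form field from the browser's network tab, URL-decode it, and pass it to parse_saml_response together with the entityID and ACS URL read from your own BIP_SAML_METADATA.xml and the account names exported from the CMC; a non-empty result from check_response points at which prerequisite or wizard setting (access URL, NameID, Max Authentication Age) is off.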
