
Purpose

In order to enable SAP Netweaver AS Java users to access SAP Business Intelligence platform content through Single Sign On (SSO), a mechanism for authorizing access to those applications must be established. This document describes how to establish trusted authentication between Netweaver AS Java and Business Intelligence.

Scope – This document does not cover setting up SAML authentication itself, as the IDP varies from vendor to vendor. For that, refer to the vendor-specific documentation.

The configuration is divided into the following parts:

  1. Configuring SAML authentication for the SAP Netweaver server.
  2. Setting up trusted authentication for BIP.

Prerequisite

  • The SAP Netweaver server is configured for SAML 2.0 authentication as a Service Provider.
  • The SAML 2.0 certificates of the SP and the IDP have been exchanged to configure the trust between SP and IDP.

     For more details on enabling the SAML service provider, see the link below.

     http://help.sap.com/saphelp_nw73ehp1/helpdata/en/91/d9c2b72e5d4a50a5218cc96b38bdbb/content.htm

  • This document uses the NW user “samltest” as an example. Assume that “samltest” has been created in NW and is configured for SAML.
  • The same user (samltest) must also be created as an Enterprise user in the BOE application.

Setting up trusted authentication for BIP

  1. Generate the BI web application using wdeploy.

     Open a command prompt and navigate to the wdeploy directory. By default the directory is

     C:\Program Files (x86)\SAP BusinessObjects\SAP BusinessObjects Enterprise XI 4.0\wdeploy

  2. Run the following command to generate BOE.sca (in this document we generate only BOE.sca):

     wdeploy.bat sapappsvr73 -DAPP=BOE predeploy

  3. The default output location of the generated BOE.sca is

     C:\Program Files (x86)\SAP BusinessObjects\SAP BusinessObjects Enterprise XI 4.0\wdeploy\workdir\sapappsvr73\application

Enabling trusted authentication

You now have to enable the authentication by editing the BOE.sca file generated above by wdeploy.

Use a third-party tool (e.g. WinRAR) to extract the BOE.sca file, then open the BOE.sca file.

Note – Before making any changes, make a copy of it.

Navigate to the DEPLOYARCHIVES directory and open the BOE.ear archive.

From within the BOE.ear archive, open the BOE.war archive.

Go to WEB-INF.

When trying to get BOE working in a SAML or JAAS environment, one of the necessary steps is turning on the web-based authentication module in the application server so that the application is protected against unauthorized access.

Use the USER_PRINCIPAL method of user retrieval when setting up trusted authentication with this.

To protect the BOE application on NW, you must first add the following lines to the web.xml from the BOE.war file.

To add the security constraint to the web.xml, you also need to create the roles named in the code sample below in NetWeaver, for example:

      j2ee-admin
      j2ee-guest
      j2ee-special

and assign them to the group/user in use (the samltest user in our case). Otherwise a 404 (Page Not Found) error is returned when not logged in, or a 403 (Forbidden) error when logged in.

Web.xml file

<security-constraint>
  <web-resource-collection>
    <web-resource-name>InfoView</web-resource-name>
    <url-pattern>*</url-pattern>
    <http-method>DELETE</http-method>
    <http-method>GET</http-method>
    <http-method>POST</http-method>
    <http-method>PUT</http-method>
  </web-resource-collection>
  <auth-constraint>
    <role-name>j2ee-admin</role-name>
    <role-name>j2ee-guest</role-name>
    <role-name>j2ee-special</role-name>
  </auth-constraint>
  <user-data-constraint>
    <transport-guarantee>NONE</transport-guarantee>
  </user-data-constraint>
</security-constraint>
<login-config>
  <auth-method>BASIC</auth-method>
  <realm-name>InfoView</realm-name>
</login-config>
<security-role>
  <description>Assigned to the SAP J2EE Engine System Administrators</description>
  <role-name>j2ee-admin</role-name>
</security-role>
<security-role>
  <description>Assigned to all users</description>
  <role-name>j2ee-guest</role-name>
</security-role>
<security-role>
  <description>Assigned to a special group of users</description>
  <role-name>j2ee-special</role-name>
</security-role>

Add the above to the bottom of the web.xml file, just before the </web-app> line.

Afterwards you need to add another XML file called web-j2ee-engine.xml in the same location where the web.xml resides in the BOE.war file. The content of the web-j2ee-engine.xml file is as follows:

<?xml version="1.0" encoding="UTF-8"?>
<web-j2ee-engine xsi:noNamespaceSchemaLocation="web-j2ee-engine.xsd" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
  <security-role-map>
    <role-name>j2ee-admin</role-name>
    <server-role-name>administrators</server-role-name>
  </security-role-map>
  <security-role-map>
    <role-name>j2ee-guest</role-name>
    <server-role-name>guests</server-role-name>
  </security-role-map>
  <security-role-map>
    <role-name>j2ee-special</role-name>
    <server-role-name>all</server-role-name>
  </security-role-map>
  <login-module-configuration>
    <security-policy-domain>/irj</security-policy-domain>
  </login-module-configuration>
</web-j2ee-engine>

Save the web-j2ee-engine.xml file.

Drag the file into the WEB-INF folder of the BOE.war archive.

Enabling SSO in BIP - USER PRINCIPAL, shared secret – Trustedprincipal.conf

We will enable SSO using the USER_PRINCIPAL method to pass the NW username, and the TrustedPrincipal.conf file to pass the shared secret.

Enabling Trusted Authentication and Generating the Shared Secret

1. Go to CMC > Authentication > Enterprise

2. Enable Trusted Authentication

3. Click "Create new shared secret"

4. Click "Download shared secret" and save it on your BOE machine

5. Copy the TrustedPrincipal.conf file to your Netweaver host directory (see default locations table below)

Default Locations
  • Windows: <INSTALLDIR>\SAP BusinessObjects Enterprise XI 4.0\win32_x86\ AND \win64_x64\
  • AIX: <INSTALLDIR>/sap_bobj/enterprise_xi40/aix_rs6000_64/
  • Solaris: <INSTALLDIR>/sap_bobj/enterprise_xi40/solaris_sparc/
  • HP_UX: <INSTALLDIR>/sap_bobj/enterprise_xi40/hpux_pa-risc/
  • Linux: <INSTALLDIR>/sap_bobj/enterprise_xi40/linux_x86 AND /linux_x64/

6. Click "Update" (Do not click update until the file has been copied to one of the locations from Step 5)

7. From the BOE.war/WEB-INF/config/default/ folder, extract the following file to the BOE.war/WEB-INF/config/custom/ folder:

 - global.properties

8. Add the following to global.properties:

sso.enabled=true
trusted.auth.user.retrieval=USER_PRINCIPAL

9. Update and close the archive file

10. After completing the above changes to the BOE.sca file, deploy it on Netweaver.
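As an added consistency check (not part of this page or of SAP's tooling), the following Python script parses the edited web.xml, web-j2ee-engine.xml and global.properties and reports roles used in the auth-constraint that are not declared or mapped, a transport-guarantee other than CONFIDENTIAL, and missing trusted-authentication properties. The embedded sample documents are constructed, trimmed versions of the snippets above, with j2ee-guest deliberately left undeclared and unmapped so that a finding is produced.

```python
import xml.etree.ElementTree as ET

# Constructed samples (trimmed from the page's snippets) so the check runs offline.
# They deliberately leave j2ee-guest undeclared and unmapped to show a finding.
SAMPLE_WEB_XML = """<web-app>
<security-constraint>
  <web-resource-collection><web-resource-name>InfoView</web-resource-name>
    <url-pattern>*</url-pattern><http-method>GET</http-method><http-method>POST</http-method>
  </web-resource-collection>
  <auth-constraint><role-name>j2ee-admin</role-name><role-name>j2ee-guest</role-name></auth-constraint>
  <user-data-constraint><transport-guarantee>NONE</transport-guarantee></user-data-constraint>
</security-constraint>
<security-role><role-name>j2ee-admin</role-name></security-role>
</web-app>"""

SAMPLE_ENGINE_XML = """<web-j2ee-engine>
<security-role-map><role-name>j2ee-admin</role-name><server-role-name>administrators</server-role-name></security-role-map>
<login-module-configuration><security-policy-domain>/irj</security-policy-domain></login-module-configuration>
</web-j2ee-engine>"""

SAMPLE_GLOBAL_PROPERTIES = "sso.enabled=true\ntrusted.auth.user.retrieval=USER_PRINCIPAL\n"

def check_boe_config(web_xml, engine_xml, global_props):
    """Return a list of findings; an empty list means the three files agree."""
    findings = []
    web = ET.fromstring(web_xml)
    engine = ET.fromstring(engine_xml)
    # Roles referenced by the constraint must be declared in web.xml and mapped
    # to NetWeaver server roles in web-j2ee-engine.xml, or users get 403/404.
    constrained = {r.text.strip() for r in web.findall("security-constraint/auth-constraint/role-name")}
    declared = {r.text.strip() for r in web.findall("security-role/role-name")}
    mapped = {r.text.strip() for r in engine.findall("security-role-map/role-name")}
    if not constrained:
        findings.append("web.xml: no auth-constraint, BOE is not protected by the container")
    for role in sorted(constrained - declared):
        findings.append(f"web.xml: role {role} is in auth-constraint but not declared as a security-role")
    for role in sorted(constrained - mapped):
        findings.append(f"web-j2ee-engine.xml: role {role} has no security-role-map entry")
    # NONE lets the container serve the protected resources over plain HTTP.
    for tg in web.findall("security-constraint/user-data-constraint/transport-guarantee"):
        if (tg.text or "").strip() != "CONFIDENTIAL":
            findings.append("web.xml: transport-guarantee is not CONFIDENTIAL, HTTPS is not enforced")
    # Trusted authentication needs both keys in the custom global.properties.
    props = dict(line.split("=", 1) for line in global_props.splitlines() if "=" in line)
    if props.get("sso.enabled", "").strip() != "true":
        findings.append("global.properties: sso.enabled is not true")
    if props.get("trusted.auth.user.retrieval", "").strip() != "USER_PRINCIPAL":
        findings.append("global.properties: trusted.auth.user.retrieval is not USER_PRINCIPAL")
    return findings
```

To check a real archive, read the three files extracted from BOE.war and pass their contents to check_boe_config.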

Once you have successfully deployed BOE.sca, verify by launching:

http://nw-machine:<port>/BOE/BI

Because BASIC authentication is declared in web.xml, the browser will show an authentication pop-up.

To get rid of the browser pop-up and use SAML authentication instead, follow the steps below.

1. Log on to NWA at http://<host>:<port>/nwa and navigate to Configuration -> Security -> Authentication and Single Sign-On.

2. Locate the policy configuration of the BI application, e.g. “sap.com/BOEWEBAPPJAVA*BOE” (it is of type “Web” so either change the “Type” in the table to “Web” or just delete it when you do the search).

3. Switch to Edit mode

4. In the “Authentication Stack” tab make sure that “Used Template” is blank

5. Add “SAML2LoginModule” to the stack at position 1 and with flag “SUFFICIENT”

6. Save the changes

What matters is that the login module performing the selected SSO type is present in the stack; this is what provides single sign-on.

Once all the above configuration steps are completed, verify that SAML authentication and SSO to BIP are working.

Verification

Launch BI Launchpad using

http://nwmachine:<port>/BOE/BI

You will be prompted to log in to the IDP, because in this example it is not configured to accept anything other than a basic username and password. Auto-detection can also be configured; this may vary in customer systems.

Enter the NW user credentials (“samltest” in our example) and log on.

If the login is successful, you will be redirected to http://nwmachine:<port>/BOE/BI and automatic login should occur.
