Skip to end of metadata
Go to start of metadata

Product versions: SAP BO BI4.0

1. Steps required for setting SAP SSO Service in SAP BO BI4.0 CMC

  1. Log into SAP BO BI4.0 CMC as Administrator,
  2. Go to Authentication -> SAP
    Setup Entitlement Systems
  3. Import Roles
  4. Check if SAP Authentication is enabled on the Option tab
  5. Import keystore keystore.p12 file
    The message No key store file has been uploaded indicates no previous uploads

    (Please refer to Generate keystore and certificate for SAP BO BI4.0 for more details about how to create keystore)
  6. Setup Key Store/Private Key password, Private Key Alias and System ID
    System ID is PALM in this example. It has been defined when certificate is imported in SAP BW.
    Please refer to Import SAP BO BI4.0 certificate into SAP BW for more details
    (In below example the password is the same for both . It is admin1)
  7. Setup Security Token Service
    The Security Token Service is running as part of Adaptive Processing Server (APS)
    Go to CMC -> Servers and check if APS has Security Token Service

    If not, stop APS and add Security Token Service, then start APS

How to setup SSO against SAP BW with SAP BO BI4.0 Common Semantic Layer (UNX) or BICS
Import SAP BO BI4.0 certificate into SAP BW
Setup of SSO againt SAP BW for SAP BO BI4.0 BICS or JCO connections
Generate keystore and certificate for SAP BO BI4.0

  • No labels


  1. Unknown User (aunv69m)

    Hi Sinisa,

    Thanks for the information. Great post but in first screenshot on post, you are using BI40 as username to logon Application server. What must this users roles? How we should configure it? If you enlight me on that subject I'll be appreciated.

    Thanks and Regards
    David Ocean

  2. Sinisa, these posts have been a great help in trying to learn this new functionality within BOE. Is there a way to remove the keystore from the CMC once a file has been uploaded?



  3. So SNC is not required anymore?

  4. Hi Sinisa,

    I have multiple APS services running in my environment, each with a different sub-services (BEx, MDAS, etc.). Do I have to assign Security Token Service to all of them?



  5. Andreas, the SAP SSO service in BI4.0 is not a replacement for SNC. SNC is still used for pre-existing 3.1 technologies, i.e older universes, crystal++. 

    Erik, only the APS' running the DSL bridge would need the security token service also running.

  6. Unknown User (xsedcel)

    I have the same question as Josh. I've imported the key store, but now want to remove it. If I empty all the fields, I can't update the page.

    How can I do this?

    UPDATE: Note 1651327 specifically says removing the key store is not possible (dated Nov 2011).

    This article describes how to remove the STS service from the APS, which should mean that the key store is no longer used.

  7. That is correct David. I wrote that article after finding it is not possible. There is an idea place submission on this if you'd like to vote for it, however at the current time it is not possible to simply remove the keystore. Removing the STS service is the only way possible to ensure STS is not being called.

  8. Former Member

    Hello, Sinisa,

    I would like to recommend you to update point two about link to the post and for example SAP Note 1680005. I miss it, here.

    Update: I am not able to find, what has to be a type of CRYSTAL user. Could you append here the SAP Note regarding this? Thank you.

  9. Dear all,

    What is the procedure to setup SSO to multiple BW systems, say a DEV and a PRD system ?




  10. From a single BI system you would just add the certificate to any BW systems you wish to connect to, you'll also need to create the ACL entry, no work on the BI side though only the BW sides.



  11. You can use IDT to verify if the SSO is working fine.

    1. Create a BICS connection in the IDT.
    2. Select the “Use Single Sign on” authentication mode.
    3. Enter the BW system details (Client, System ID and application server details). BW system details can be obtained by selecting SystemProperties from SAP Logon.

    4. Click on “Test Connection”.

  12. @Guest from June 20, 2011: this user is used to retrieve the user details and roles from the target system. He is NOT used for authentication or data fetching during query runtime.


  13. Former Member



    I assume that only one BW system can be connected to SAP BO BI as an SSO system

    since we don't have any administration for different storefiles!? etc..

    Customer wants test bw and prod bw on SAP BO BI 4.1 DEV as SSO connectivity.


    Wobi, wondering

  14. Former Member


    Thanx Ladislav - I remembered that we can't manage several keyfiles: but it's not necessary at BO side - BW can handle this!

    "From a single BI system you would just add the certificate to any BW systems you wish to connect to, you'll also need to create the ACL entry, no work on the BI side though only the BW sides." as Josh explains some lines above!

    So its possible!


  15. Former Member

    What I would add is: usually I get  a BW user from a different clientnumber than the 000 - so my bw users coming form Client 100 had Trouble with Desginstudio SSO

    We had to add the ACL also for Client 100 to get Designstudio SSO finally to work -



  16. Former Member

    Well this time it seems we had to keep the ALIAS in CAPITAL Letters - that was the best info from SAP Support -

    • wobi
  17. Dear All,

    we have configure SSO as mentioned we need to test SSO from BW system BO.