sap #bobj #bi 4.1 upgrade webcast series 6: user authentication and sso

SAP BusinessObjects BI 4.1 Upgrade Webinar Series
BI 4.1 User Authentication and Single Sign-On
Presenter: Tim Ziemba, SAP Global Support Group
Brought to you by the Customer Experience Group
© 2012 SAP AG. All rights reserved.

Upload: sap-analytics

Post on 29-Nov-2014


DESCRIPTION

Obtain details about the authentication methods that are supported by the SAP BusinessObjects BI 4.1 platform and how SSO can be achieved for the available BI clients. Also learn about new options to configure SSO for SAP HANA.

• Learn about the major authentication methods that are supported in BI 4.1
• Learn how to achieve SSO using various SSO mechanisms (e.g. Kerberos, CA SiteMinder, SAP SSO tickets, etc.)
• Understand the authentication and SSO options available between BI 4.1 and SAP HANA
• Review authentication options available for BI client tools

TRANSCRIPT


Page 2: SAP BusinessObjects BI Platform 4.1 Upgrade Enablement

We bring to you all that you need to successfully upgrade to the SAP BusinessObjects BI Platform 4.1.

You can find a BI 4.1 Upgrade Overview page on SCN at: http://scn.sap.com/docs/DOC-56525

Webinars also complement these published resources: http://scn.sap.com/docs/DOC-56308

Page 3: BI4 Authentication and SSO

Page 4: Log on to the Web Tier

• The following major logon methods are supported, with various methods of SSO:
• Windows AD
  – SSO achieved through Kerberos, using the Dell Java SSO plug-in
  – Web application server can run on any platform; however, the Central Management Server MUST be on Windows for full AD integration (as of SP05, a CMS on Unix/Linux will support using the plug-in combined with trusted authentication to achieve SSO)
• LDAP
  – SSO is supported via trusted authentication to virtually any third-party product
• SAP
  – SSO achieved by configuring SAP mySAPSSO2 tickets
• Enterprise
  – Native BI authentication. SSO can also be achieved through “Trusted Authentication.”

Page 5: More About Kerberos SSO

• Active Directory (AD) SSO into the BI portal, or manually logging in with an AD username and password, allows for SSO to the database; however, there are a few limitations to keep in mind:
  – Scheduling a report will not carry forward the Kerberos ticket (no SSO), even if you choose to “schedule now”
  – It is not possible to set up Kerberos SSO for offline scheduling
  – The CMS and processing servers must be on Windows
• View time refresh will perform AD SSO to some supported DBs
• http://service.sap.com/sap/support/notes/1631734
• http://service.sap.com/sap/support/notes/1869952

Page 6: LDAP Front-End SSO

• LDAP SSO can be attained using Trusted Authentication
• Incoming trusted auth users cannot be used for any further SSO to database; front door entry only
  – Secondary credentials or mix with SAP SSO methods for data access

Page 7: Web Services

• Setting up Web services SSO for Windows Active Directory is required to enable SSO for the following clients:
  – LiveOffice
  – Query as a Web Service
  – BI Widgets
  – Crystal Reports for Enterprise
  – Dashboard Designer
  – Analysis for Office
  – Design Studio
• Setup is similar to configuring BI Launchpad; see SAP Note 1646920

Page 8: Trusted Authentication

With BI’s native Enterprise authentication, it is possible to enable trusted authentication

With “Trusted” authentication, BI is TRUSTING the underlying application server to perform the authentication

The application server passes a shared secret and a user ID to BI. If the user ID exists in the BI system, a logon session for that user is created

This allows most other external authentication methods to be used to log on to BI, such as X.509, SAML, SecurID, SAP NetWeaver SSO, etc.

Important Note: none of the desktop client tools support Trusted Authentication

Page 9: Configuring Trusted Authentication

• There are a number of ways to pass user information in trusted authentication:
  – Web Session
  – HTTP Header
  – URL Query
  – User Principal (new method using JAAS authentication)
  – Remote User (new method using JAAS authentication)
  – Cookies (not recommended; supported for legacy)
• It is possible to bind a different incoming user ID to an existing user in the BI system using trusted.auth.user.namespace.enabled
  – This requires the user to manually log on first, which binds their incoming assertion user ID to whatever BI account they log on as
• Remember, you are TRUSTING the application server, so you must secure the Web application on your app server
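A model of the trust relationship described on the two Trusted Authentication slides, as an added example that is not from the original deck and is not SAP code: it shows why the application server has to own the identity value when the HTTP Header method is used. The header name `X-Trusted-User`, the function names and all sample values are hypothetical and constructed for illustration.

```python
import hmac

# Hypothetical header name for this example; a real deployment uses whatever
# name it configured for the HTTP Header retrieval method.
IDENTITY_HEADER = "X-Trusted-User"


def sanitize_headers(client_headers, verified_user):
    """Front-end filter on the application server: drop every client-supplied
    copy of the identity header (names are case-insensitive), then set it only
    from the identity the server itself authenticated (X.509, SAML, ...)."""
    forwarded = {k: v for k, v in client_headers.items()
                 if k.lower() != IDENTITY_HEADER.lower()}
    if verified_user is not None:
        forwarded[IDENTITY_HEADER] = verified_user
    return forwarded


def trusted_logon(headers, presented_secret, shared_secret, known_users):
    """Model of the trusting side: create a session only when the shared
    secret matches and the asserted user ID already exists."""
    if not hmac.compare_digest(presented_secret.encode(), shared_secret.encode()):
        return None
    asserted = {k.lower(): v for k, v in headers.items()}.get(IDENTITY_HEADER.lower())
    return asserted if asserted in known_users else None


def demo():
    # Constructed sample data, not taken from any real system.
    secret = "constructed-shared-secret"
    users = {"Administrator", "jdoe"}
    spoofed = {"Host": "bi.example.test", "x-trusted-user": "Administrator"}

    # The app server authenticated this caller as jdoe; the forged header is replaced.
    as_jdoe = trusted_logon(sanitize_headers(spoofed, "jdoe"), secret, secret, users)
    # Caller never authenticated: the header is stripped, so no session is created.
    anonymous = trusted_logon(sanitize_headers(spoofed, None), secret, secret, users)
    # Without the filter, the trusting side cannot tell the header was client-supplied.
    unfiltered = trusted_logon(spoofed, secret, secret, users)
    # A wrong shared secret is rejected regardless of the header.
    bad_secret = trusted_logon(sanitize_headers(spoofed, "jdoe"), "wrong", secret, users)
    return as_jdoe, anonymous, unfiltered, bad_secret


if __name__ == "__main__":
    print(demo())
```

The third result is the case the slide's last bullet is about: the trusting side accepts whatever user ID reaches it, so the filter (or an equivalent control on the app server) is what makes the assertion meaningful.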

Page 10: New Semantic Layer Connectivity (.unx)

• Kerberos SSO
  – MS SQL Server
  – Oracle DB
  – SAP HANA
• Security Token Service (STS, SNC)
  – SAP NetWeaver BW
• Applicable to the following clients:
  – Crystal Reports for Enterprise
  – Web Intelligence
  – Dashboards
  – Explorer
  – OLAP Analysis

Page 11: Legacy Semantic Layer (.unv)

• Kerberos SSO
  – MS SQL Server
  – Oracle DB
• Server STS, SNC
  – SAP NetWeaver BW
• Stored user credentials
  – All other databases
• Applicable to the following clients:
  – Crystal Reports 2011
  – Web Intelligence

Page 13: Mobile

• Mobile currently uses username and password only
• The username and password can be saved locally on the device

Page 14: SAP HANA: What Are My Options?

• If you are running BI on any OS (Windows, Linux, Unix):
  – Log on to BI Launchpad in any way (SSO or manual)
    o SSO at view time or scheduling using SAML SSO to HANA
• If you are running BI on Windows:
  – Set up Windows SSO to BI Portal, or manually log on using AD credentials
    o SSO at view time using Exploration view, Semantic Layer (Web Intelligence, Crystal Reports), OLAP Analysis
    o Still no scheduling SSO using Kerberos
• If you are running BI on SUSE 11 Linux:
  – Configure LDAP connectivity for MS AD
  – Enable Kerberos authentication from your LDAP authentication plug-in
  – Manually log on, then SSO to database possible
• Any platform, all clients:
  – Set up user database credentials for Direct DB authentication, exposed through CMC
  – Can be scripted

Page 15: Reporting on HANA Client and Connectivity Options Using Kerberos SSO

[Diagram: client tools (Web Intelligence, Dashboards, Crystal Reports for Enterprise, Explorer, CR 2011), the Semantic Layer (relational universe UNX), and their JDBC/ODBC connections to the SAP HANA Database]

Page 16: HANA SSO Summarized

Authentication                   Internal (Direct)   External (Kerberos Delegated)   SAML Trust (with BI 4.1)
Explorer                         Y                   Y (1)                           Y
Dashboards                       Y                   Y (1)                           Y
Web Intelligence                 Y                   Y (1)                           Y
Crystal Reports 2011             Y                   Y (1)                           Y
Crystal Reports for Enterprise   Y                   Y (1)                           Y
Analysis, Edition for Office     Y                   Y (1)                           Y
Analysis, Edition for OLAP       Y                   N                               Y

(1) Support on Linux and Windows platforms only

Page 17: New option to configure HANA SSO

• Accessible under Applications, “HANA Authentication”
• Based on trust configured between BI and HANA
• Less work to set up than Kerberos
• User IDs must match between HANA & BI system
• Works with any type of authentication to BOE: Enterprise, AD, LDAP, SAP, and supports all platforms.
• Based on system trust. HANA trusts BI to do the authentication. Once a user is authenticated to BI, BI creates SAML assertions on behalf of users to pass to HANA for SSO
• Supported with all BI Clients except ZEN and A-Office. ETA SP1 (requires Web service SDK support).

Page 18: Configuration in the CMC

Enter HANA server details

Generate a certificate on the BI side to import into the HANA server (copy & paste)

Once both systems are set up, the user can test the connection from the CMC directly to validate the setup.

Page 19: HANA certificate import

Import Certificate into HANA (SPS5)

Page 20: Summary of HANA authentication

[Diagram: Individual end users → BOE Server → SAP HANA Database]

User authenticates against BOE server with one of the mechanisms supported by BOE

1. BOE securely forwards the user identity to SAP HANA with one of the following methods
  – User name/password
    o SAP HANA database user name/password stored in BOE server
    o Manual synchronization
  – Kerberos (As of SP4) SAP Note 1837331 & 1813724 HANA.
    o Users must log on to BOE server using Active Directory authentication
    o BOE server must run on Linux or Microsoft Windows
  – SAML (NEW with 4.1)
    o BOE server acts as identity provider
    o BOE server generates SAML ticket for the user, sends it to the SAP HANA database to validate -> if valid, session will be established for this user
      • Protocol (SAML) is irrelevant here. Just think of trust between systems.
    o Using SSL transport security between BOE and HANA is highly recommended

Page 21: Database Credentials

• It is possible to save database credentials to use for SSO using the database’s native authentication
• These can be automatically captured if the user manually logs on through a configuration option in the authentication plug-in

Page 22: Web Intelligence: Review Your Options

• Reporting from SQL Server, Oracle DB
  – Kerberos SSO (Windows only)
  – Saved credentials (all platforms)
  – Predefined credentials (shared user) – (all platforms)
• Reporting from SAP HANA
  – Kerberos SSO (Windows/Linux only)
  – SAML SSO (all platforms)
  – Saved credentials (all platforms)
  – Predefined credentials (shared user) – (all platforms)
• Reporting from SAP NetWeaver BW
  – STS (all platforms – .unx, CR4E, analysis, dashboards)
  – SNC (all platforms – .unv, CR 2011)
  – Saved credentials
    o If logging on to BI with SAP credentials, these can be used for view time refresh (SSO)

Page 23: OLAP ANALYSIS: Review Your Options

• Reporting from Microsoft Analysis Services
  – Kerberos SSO (Windows only) – Requires user to log on manually using AD or to have SSO set up
  – Saved credentials (all platforms)
  – Predefined credentials (shared user) – (all platforms)
• https://websmp230.sap-ag.de/sap/support/notes/1688079 *
• Reporting from SAP NetWeaver BW
  – STS (all platforms)

* Requires login credentials to the SAP Service Marketplace

Page 24: Java Desktop Client Tools – Kerberos SSO

The new Information design tool is written in Java

This means we need some Java magic to get AD SSO working

• krb5.ini and bscLogin.conf on the client side
  – Referenced in “C:\Program Files (x86)\SAP BusinessObjects\SAP BusinessObjects Enterprise XI 4.0\win32_x86\InformationDesignTool.ini”:
    -Djava.security.auth.login.config=C:\WINNT\bscLogin.conf
    -Djava.security.krb5.conf=C:\WINNT\krb5.ini
• See SAP Note 1621106

Page 25: Q & A

Page 26: Thank you