Skip to Content

In BI 4.0, a new service has been introduced to offer Single Sign On capability to connect to SAP BW data sources, called STS (Security Token Service).

The STS Token Service :

0.1. Replaces what was done with server side trust in XI 3.1

0.2. Allows for token to be generated – for example for a WAD app hosted in BusinessObjects Enterprise

0.3. Allows for scheduling with Single Sign On as the token can be generated

STS is based on a Web service allowing you to use Single Sign-On (SSO) in heterogeneous system landscapes. It acts as a token broker. It exchanges security tokens, which identify the users of consumer systems for security tokens. Then, provider systems can evaluate the security tokens.* </p><p class=”Body”>Note* : the previous mechanism, SNC (Secure Network Communication) is still valid in most of the situations.

As an overview of the situations where the Security Token Service will apply, below are examples of different scenarios, based on the following configuration : Single Sign On implemented by mapping Active Directory Users to SAP aliases – and using STS as the Single Sign On mechanism between BI 4.0 and SAP datasource :

Client Tools|  |

Crystal Reports Designer 2011|  |

Crystal Reports Designer Next Generation|   | Create : X

Refresh : X | Create : Y

Refresh : Y |

Server Tools|  |

* Webi Legacy Universe (unv)</p></td><td style=”background-color: #a6b7fb;” valign=”top”><p>Webi New universe (unx)</p></td><td style=”background-color: #a6b7fb;” valign=”top”><p>Crystal Report 2011 in InfoView </p></td><td style=”background-color: #a6b7fb;” valign=”top”>Crystal Reports for Enterprise in InfoView</td></tr><tr><td> *|  Refresh : X

Schedule : X | Refresh : Y

Schedule : Y |  Refresh : X

Schedule : X |  Refresh : Y

Schedule : Y |

1. Creation/Import of certificates

1.1 On BusinessObjects Enterprise server side (Central Management Server CMS)

*java –jar PKCS12Tool.jar –alias BI4 –keystore BI4_193_IWX.p12 –storepass <password> <br />-dname “CN=BI4_193” –cert BI4_193_IWX.der

—- you can choose a naming convention with no special character</li></ul><ul><li>The 2 following files are generated and stored in the same location :  <ul><li>BI4_193_IWX.p12</li><li>BI4_193_IWX.der*For next steps :


The keystore file .p12 has to be imported in Bi4.0 Central Management Console on SAP Authentication Option tab.0.1.

The certificate file .der has to be imported in SAP Netweaver with STRUSTSSO2 transaction. *Notes *:


The option Alias is optional.0.1.

CN name  MUST BE UNIQUE* *   

1.2 On BW Server side 

0.1. Prerequisite : make sure the .der file generated in 1.1 can be accessible from a local / shared drive during this workflow.

0.2. Login to your SAP ABAP BW system as user with administrative privileges via SAP GUI, by using the same id client that on your BW system where you want to configure STS.


In SAP GUI execute STRUSTSSO2 (and not STRUSTSSO)0.1.

In the Certificate Tab click on the *import certificate (green arrow) *


To report this post you need to login first.


You must be Logged on to comment or reply to a post.

    1. Former Member Post author
      Hello Peter,

      you seem to refer to an ERP system. Since integration is between Business Objects and SAP Netweaver, what is the patching level of your Netweaver system?

  1. Former Member

    Hi David

    We are currently implementing XI 4.0. (SP2 Patch 6). After some trouble, I have manged to get SSO working from Web Intelligence to SAP BW when logged in using SAP authentication. When I login with AD authentication SSO is not possible. SAP and AD usernames are the same and I have enabled simple username format in the registry.

    So Im wondering: Is SSO using STS possible when logged in via AD?



  2. Former Member

    Hi David,

    We are currently trying to implement STS for a BI 4.0 Web Intelligence document connecting to a SAP ERP system (function module). I was able to get STS working and logging in correctly the first time but subsequent connections (from different AD users) seemed to re-use the same (original) SAP user account when running the function module.

    We need the SAP ERP function module to run as the current user in BI Launchpad. I have checked and the AD – SAP user mapping is correct.

    Is there any additional configuration that I can use to achieve this?

    Many thanks,



Leave a Reply