Users increasingly ask for applications to support single sign-on (SSO) on mobile devices. SAP Business Objects Mobile Server supports single sign-on starting from

  • Aurora 4.1 SP02 onwards
  • Aurora 4.0 SP08 onwards

[Update – Dec, 2015] Note that for Win AD customers, Kerberos SSO from the Mobile BI app (iOS devices only, since the 6.3 release of the app) is supported from Aurora 4.1 SP07 onwards. There is no support for the 4.2 platform yet. [Details]

More than a feature, single sign-on is a deployment scenario. The mobile server is just one piece of that landscape, so you need to understand your landscape well in order to set up SSO for the mobile server. SSO support on the mobile server means that it can now be configured in different ways to receive user information from the incoming request.


Single sign-on for Mobile Server typically involves

  • SAP BI Mobile Client (iOS, Android etc.)
  • Deployment Environment (Tomcat, Reverse Proxy, WebLogic, SUP, SMP, Auth Service etc.)
  • SAP BI Mobile Server (Java Web App)
  • SAP Business Objects Enterprise
  • … there could be more, like SAPR3 in the case of the MYSAPSSO2 cookie.


[Image: SSO Support.JPG. Courtesy: Gowda Timma Ramu]


Single sign-on support on the mobile server essentially means

  • If the mobile server receives a valid authentication ticket, then it will use the same ticket to create a session while connecting to BOE
    • SSO via SiteMinder cookie
    • SSO via MYSAPSSO2 cookie
  • Else, if trust is established between the mobile server and BOE, then the mobile server can simply create a session while connecting to BOE, as long as a valid user identity is provided by any of the following means
    • extract user from HTTP header
    • extract user from cookie
    • extract user from X509 certificate

Single Sign on Support on Mobile client means

  • You can provide the user context from mobile client primarily in the following ways
    • X509 Certificate
    • Form Authentication (user is presented with a Pre-Configured form)
    • Basic Authentication (user is presented with Basic Auth Challenge)

Note 1: All of these mechanisms, although supported, are disabled by default. Customers can choose to enable any of them based on their deployment scenarios.
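A sketch of the server-side decision described above (ticket first, otherwise a user identity under trusted authentication, with everything off by default), as an added example that is not SAP's code or configuration. The names `resolve_logon`, `SsoConfig`, `X-Remote-User` and `sso_user` are hypothetical, and the trusted-proxy address check is an assumption about how a deployment restricts who may assert a user; validation of the ticket itself is outside the sketch.

```python
from dataclasses import dataclass, field
from typing import Optional

# Mechanism name -> cookie carrying the ticket (SMSESSION is SiteMinder's session cookie).
TICKET_COOKIES = {"siteminder": "SMSESSION", "mysapsso2": "MYSAPSSO2"}
USER_HEADER = "X-Remote-User"   # hypothetical header set by the reverse proxy
USER_COOKIE = "sso_user"        # hypothetical cookie set by the reverse proxy

@dataclass
class Request:
    remote_addr: str
    headers: dict = field(default_factory=dict)
    cookies: dict = field(default_factory=dict)
    cert_cn: Optional[str] = None   # subject CN of a client cert the TLS layer verified

@dataclass
class SsoConfig:
    enabled: frozenset = frozenset()          # every mechanism is off by default
    trusted_proxies: frozenset = frozenset()  # assumption: only these peers may assert a user

def resolve_logon(req: Request, cfg: SsoConfig):
    """Return (mechanism, value) to use for the BOE logon, or None for a normal login."""
    # 1. A ticket, if present, is reused as-is for the BOE session.
    for mech, cookie in TICKET_COOKIES.items():
        if mech in cfg.enabled and req.cookies.get(cookie):
            return (mech, req.cookies[cookie])
    # 2. Otherwise trusted authentication: the server only needs a user identity.
    if "x509" in cfg.enabled and req.cert_cn:
        return ("x509", req.cert_cn)
    # Header and cookie values are client-controllable unless a trusted proxy set them.
    if req.remote_addr in cfg.trusted_proxies:
        if "header" in cfg.enabled and req.headers.get(USER_HEADER):
            return ("header", req.headers[USER_HEADER])
        if "cookie" in cfg.enabled and req.cookies.get(USER_COOKIE):
            return ("cookie", req.cookies[USER_COOKIE])
    return None

if __name__ == "__main__":
    # Constructed sample requests; addresses are documentation/private ranges.
    cfg = SsoConfig(frozenset({"mysapsso2", "header"}), frozenset({"10.0.0.5"}))
    direct = Request("203.0.113.9", headers={USER_HEADER: "administrator"})
    proxied = Request("10.0.0.5", headers={USER_HEADER: "jdoe"})
    print(resolve_logon(direct, SsoConfig()))  # None: nothing enabled
    print(resolve_logon(direct, cfg))          # None: header not from the proxy
    print(resolve_logon(proxied, cfg))         # ('header', 'jdoe')
```
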


Enabling SSO for Mobile BI


Offline Access for SSO Connections

While working in offline mode, a user who tries to access an SSO connection is denied access. This restriction exists for security reasons, as there is no way to validate user credentials in an SSO scenario.

However, an administrator can override this in the client settings: the “feature.sso.offline.access.enabled” property should be set to “true” in order to allow offline access for SSO connections. The mobile application will then let the user in without any validation.

Known Limitations

  • MYSAPSSO2 cookie scenario – As of today, Mobile Server can be configured for only one SID and Client (SAP System). Hence, when a customer has SAP users imported into BOE from different SAP systems, they cannot set up SSO using multiple SAP systems as the identity provider.
  • X509 Certificate scenario – When the X509 certificate is received on the mobile server as an “SSL_CLIENT_CERT” header, that scenario is not handled. One such case is when you are connecting to the mobile server via SUP/SMP. However, this can be achieved with the “Custom Implementation with Trusted Authentication” approach.

[Update: Both of the limitations mentioned above are now addressed. For more information, refer to the “Enhancement to SSO support” section in What is new in SAP BusinessObjects Mobile 6.1 (iOS)]



Ps: Thanks to Gowda Timma Ramu for all the images in this blog.


Disclaimer and Liability Notice

This document may discuss sample coding or other information that does not include SAP official interfaces and therefore is not supported by SAP. Changes made based on this information are not supported and can be overwritten during an upgrade. SAP will not be held liable for any damages caused by using or misusing the information, code or methods suggested in this document and anyone using these methods does so at his/her own risk. SAP offers no guarantees and assumes no responsibility or liability of any type with respect to the content of this technical article or code sample, including any liability resulting from incompatibility between the content within this document and the materials and services offered by SAP. You agree that you will not hold, or seek to hold, SAP responsible or liable with respect to the content of this document


21 Comments


    1. Steve Otieno

      Thanks a lot for bringing this up and sharing it.

      We would like to use SAP Afaria/SAP mobile Secure instead of the complete SUP/SMP. What’s your take on that as an insider?

      (0) 
  1. Robin Patel

    Hi Ashutosh,


    We are using an SSO connection and have also enabled the property “feature.sso.offline.access.enabled” (refer screenshot 1) to true in the CMC. Still can’t access the BI content in offline mode (refer screenshot 2). Is the behavior described above still true for SAP mobile BI 6.1.18?


    Screenshot 1

    Capture.JPG

    Screenshot 2


    Capture.JPG


    Regards

    Robin

    (0) 
    1. Ashutosh Rastogi Post author

      Hi Robin,

      Where did you read about this property ‘feature.sso.offline.access.enabled’?

      As far as I know there is no such property implemented as on today in the App. Hence, this is possibly not working.

      Regards,

      Ashutosh

      (0) 
        1. Ashutosh Rastogi Post author

          Ah … right. I forgot about that, wrote this long back. Ya, in this case this should be working for you. Please raise support ticket if this does not work for you.

          Regards,

          Ashutosh

          (0) 
  2. Raj k

    Hi Robin,

    Have you implemented SSO on mobile successfully?

    Can you list out the steps you have performed?

    Thanks!

    (0) 
  3. Veeraraghavan Vijayarajan

    Hi Ashutosh,

    We want to implement single sign-on for LDAP authentication and we are on BI 4.2 SP1. Is it possible to integrate a VPN and SAP BI app bundle together and have the user login once ?

    Thanks in advance.

    (0) 
    1. Vikas Kumar Yadav

      Hello,

      This has not been validated internally but this would be possible.

      This would require some more understanding of your setup and what you are trying to do.

      Let me know how we can collaborate more on this.

      Regards

      Vikas

      (0) 
      1. Veeraraghavan Vijayarajan

        Thanks Vikas. We are using LDAP authentication and need user to login only once (VPN) which enables the user to login SAP BI App without any credentials.

        Please update your email address in the profile to reach out with more information.

        (0) 
  4. Tim King

    Hi All,

    We are currently able to access Business Object through Internet Explorer using SSO.  We are looking at implementing a solution with XenMobile (Worx Home).  We have packaged the SAP BusinessObjects Mobile application and are able to install from Worx Home.  We are able to manually enter credentials to log in (Windows AD) and access reports.  We are able to SSO in for Worx Web.  The issue is that SSO is not working for the SAP BusinessObject Mobile application.  We had presented to our SAP administrator the instructions listed above under “enabling SSO for Mobile BI”.  He said that we didn’t need to do that.  Would you be able to confirm if we do or do not need to perform those steps?

    Best Regards,

    Tim

    (0) 
  5. Sheryl Lopez

    Hi everyone,

    I’m trying to find documentation on how to set up SSO for the SAP Business Objects Mobile application on iOS/Android using SAP Authenticator but couldn’t really find anything. Can anyone please point me in the right direction? Appreciate your help.

    Thanks
    Sheryl

    (0) 
