SAP BI Mobile Server Single Sign On Support

Increasingly users have been asking for applications to support Single Sign On on Mobile Devices. SAP Business Objects Mobile Server supports single sign on starting from

• Aurora 4.1 SP02 on-wards
• Aurora 4.0 SP08 on-wards

[Update – Dec, 2015] Note that For Win AD customers, Kerberos SSO from Mobile BI App (IOS devices only, since 6.3 release of App) is Supported from Aurora 4.1 SP07 on-wards. No support for 4.2 platform yet. [Details]

More than a feature, single sign on functionality is a deployment scenario. Mobile server is just one of the pieces of that landscape, hence one needs to understand their landscape well in order to setup SSO for mobile server. SSO support on mobile server implies that it now supports different ways in which it can be configured to receive user information from the Incoming request.

Single Sign On Mobile Server typically involves

• SAP BI Mobile Client (IOS, Android etc.)
• Deployment Environment (Tomcat, Reverse Proxy, Web logic, SUP, SMP, Auth Service etc.)
• SAP BI Mobile Server (Java Web App)
• SAP Business Objects Enterprise
• … there could be more like SAPR3 in case of MYSAPSSO2 cookie.

Courtesy: Gowda Timma Ramu  

Single Sign on Support on Mobile server essentially means

• If mobile server receives a valid authentication ticket, then it will use the same ticket to create a session while connecting to BOE
  • SSO via Siteminder Cookie
  • SSO via MYSAPSSO2 Cookie
• Else if we establish a trust between mobile server and BOE, then mobile server can simply create a session while connecting to BOE as long as a valid user identity is provided by any of the following means
  • extract user from HTTP Header
  • extract user from Cookie
  • extract user from X509 certificate

Single Sign on Support on Mobile client means

• You can provide the user context from mobile client primarily in the following ways
  • X509 Certificate
  • Form Authentication (user is presented with a Pre-Configured form)
  • Basic Authentication (user is presented with Basic Auth Challenge)
    

Note 1: It should be noted all the following mechanisms, although supported, are disabled by default. Customers can choose to enable any of the mechanisms based on their deployment scenarios.

Enabling SSO for Mobile BI

• Win AD Authentication
  • [ Details]
  • SAP Mobile BI WinAD SSO – Kerberos
• Siteminder Authentication using LDAP
  • [Server], [Client]
• Landscape using SAP R3 users in BOE
  • [Server], [Client]
• X509 certificates with Trusted Authentication
  • [Server], [Client]
• HTTP Header with Trusted Authentication
  • [Server], [Client]
• SAML2 Implementation using HTTP Web Session with Trusted Authentication
  • [Server], [Client]
• Custom Implementation with Trusted Authentication
  • [Server], [Client]
• … More combinations are possible, Post below what you are looking for.

Offline Access for SSO Connections

While working in Offline mode, if a user tries to access an SSO connection, he/she will be denied access. This is restricted due to security reasons as there is no way to validate user credentials in SSO scenario.

However, an administrator can bypass this by configuration in client settings, “feature.sso.offline.access.enabled” property should be set to “true” in order to allow offline access for SSO connections. Mobile Application will let the user in without any validation.

Known Limitations

• MYSAPSSO2 cookie scenario –  As on today Mobile Server can only be configured only for one SID and Client (SAP System). Hence, when a customer has SAP users imported in BOE from different SAP systems, he cannot setup SSO using multiple SAP systems as the Identity provider
• X509 Certificate scenario – When the X509 certificate is received on mobile server as “SSL_CLIENT_CERT” header then we do not handle that scenario. One such case  is when you are connecting to mobile server via SUP/SMP. However, this can be achieved by “Custom Implementation with Trusted Authentication” approach.

[Update: Both the limitations mentioned above are addressed now. For more information refer “Enhancement to SSO support” section in What is new in SAP BusinessObjects Mobile 6.1 (iOS)]

Useful Links

• Kerberos Single Sign-On on SAP BusinessObjects Mobile
• SAP Mobile BI WinAD SSO – Kerberos
• Creating SSO connections in SAP Mobile BI
• Managing connections using SAP BI Links in Mobile BI
• Creating connections using Import Option in SAP Mobile BI
• How to trace SAP BI Mobile using Fiddler?
• SAP BusinessObjects Mobile 5.1: Ensure That The Mobile Server is Trusted
• Single Sign On Configuration for SAP BusinessObjects Mobile with SUP/SMP And SAP Logon Tickets

Ps: Thanks to Gowda Timma Ramu for all the images in this blog.

Disclaimer and Liability Notice

This document may discuss sample coding or other information that does not include SAP official interfaces and therefore is not supported by SAP. Changes made based on this information are not supported and can be overwritten during an upgrade. SAP will not be held liable for any damages caused by using or misusing the information, code or methods suggested in this document and anyone using these methods does so at his/her own risk. SAP offers no guarantees and assumes no responsibility or liability of any type with respect to the content of this technical article or code sample, including any liability resulting from incompatibility between the content within this document and the materials and services offered by SAP. You agree that you will not hold, or seek to hold, SAP responsible or liable with respect to the content of this document