SAP BI Mobile Server Single Sign On Support
Increasingly users have been asking for applications to support Single Sign On on Mobile Devices. SAP Business Objects Mobile Server supports single sign on starting from
- Aurora 4.1 SP02 on-wards
- Aurora 4.0 SP08 on-wards
[Update – Dec, 2015] Note that For Win AD customers, Kerberos SSO from Mobile BI App (IOS devices only, since 6.3 release of App) is Supported from Aurora 4.1 SP07 on-wards. No support for 4.2 platform yet. [Details]
More than a feature, single sign on functionality is a deployment scenario. Mobile server is just one of the pieces of that landscape, hence one needs to understand their landscape well in order to setup SSO for mobile server. SSO support on mobile server implies that it now supports different ways in which it can be configured to receive user information from the Incoming request.
Single Sign On Mobile Server typically involves
- SAP BI Mobile Client (IOS, Android etc.)
- Deployment Environment (Tomcat, Reverse Proxy, Web logic, SUP, SMP, Auth Service etc.)
- SAP BI Mobile Server (Java Web App)
- SAP Business Objects Enterprise
- … there could be more like SAPR3 in case of MYSAPSSO2 cookie.
Courtesy: Gowda Timma Ramu
Single Sign on Support on Mobile server essentially means
- If mobile server receives a valid authentication ticket, then it will use the same ticket to create a session while connecting to BOE
- SSO via Siteminder Cookie
- SSO via MYSAPSSO2 Cookie
- Else if we establish a trust between mobile server and BOE, then mobile server can simply create a session while connecting to BOE as long as a valid user identity is provided by any of the following means
- extract user from HTTP Header
- extract user from Cookie
- extract user from X509 certificate
Single Sign on Support on Mobile client means
- You can provide the user context from mobile client primarily in the following ways
- X509 Certificate
- Form Authentication (user is presented with a Pre-Configured form)
- Basic Authentication (user is presented with Basic Auth Challenge)
Note 1: It should be noted all the following mechanisms, although supported, are disabled by default. Customers can choose to enable any of the mechanisms based on their deployment scenarios.
Enabling SSO for Mobile BI
- Win AD Authentication
- Siteminder Authentication using LDAP
- Landscape using SAP R3 users in BOE
- X509 certificates with Trusted Authentication
- HTTP Header with Trusted Authentication
- SAML2 Implementation using HTTP Web Session with Trusted Authentication
- Custom Implementation with Trusted Authentication
- … More combinations are possible, Post below what you are looking for.
Offline Access for SSO Connections
While working in Offline mode, if a user tries to access an SSO connection, he/she will be denied access. This is restricted due to security reasons as there is no way to validate user credentials in SSO scenario.
However, an administrator can bypass this by configuration in client settings, “feature.sso.offline.access.enabled” property should be set to “true” in order to allow offline access for SSO connections. Mobile Application will let the user in without any validation.
- MYSAPSSO2 cookie scenario – As on today Mobile Server can only be configured only for one SID and Client (SAP System). Hence, when a customer has SAP users imported in BOE from different SAP systems, he cannot setup SSO using multiple SAP systems as the Identity provider
- X509 Certificate scenario – When the X509 certificate is received on mobile server as “SSL_CLIENT_CERT” header then we do not handle that scenario. One such case is when you are connecting to mobile server via SUP/SMP. However, this can be achieved by “Custom Implementation with Trusted Authentication” approach.
[Update: Both the limitations mentioned above are addressed now. For more information refer “Enhancement to SSO support” section in What is new in SAP BusinessObjects Mobile 6.1 (iOS)]
- Kerberos Single Sign-On on SAP BusinessObjects Mobile
- SAP Mobile BI WinAD SSO – Kerberos
- Creating SSO connections in SAP Mobile BI
- Managing connections using SAP BI Links in Mobile BI
- Creating connections using Import Option in SAP Mobile BI
- How to trace SAP BI Mobile using Fiddler?
- SAP BusinessObjects Mobile 5.1: Ensure That The Mobile Server is Trusted
- Single Sign On Configuration for SAP BusinessObjects Mobile with SUP/SMP And SAP Logon Tickets
Ps: Thanks to Gowda Timma Ramu for all the images in this blog.
Disclaimer and Liability Notice
This document may discuss sample coding or other information that does not include SAP official interfaces and therefore is not supported by SAP. Changes made based on this information are not supported and can be overwritten during an upgrade. SAP will not be held liable for any damages caused by using or misusing the information, code or methods suggested in this document and anyone using these methods does so at his/her own risk. SAP offers no guarantees and assumes no responsibility or liability of any type with respect to the content of this technical article or code sample, including any liability resulting from incompatibility between the content within this document and the materials and services offered by SAP. You agree that you will not hold, or seek to hold, SAP responsible or liable with respect to the content of this document
Thank you for bringing this in.
Thanks a lot for bringing this up and sharing it.
We would like to use SAP Afaria/SAP mobile Secure instead of the complete SUP/SMP. What's your take on that as an insider?
Have responded on your other thread.
We are using a SSO connection and have also enabled the property "feature.sso.offline.access.enabled" (refer screenshot 1) to true in the CMC. Still can't access the BI content in offline mode (refer screenshot 2). Is the behavior described above still true for SAP mobile BI 6.1.18
Where did you read about this property 'feature.sso.offline.access.enabled'
As far as I know there is no such property implemented as on today in the App. Hence, this is possibly not working.
I was referring to the below :
Have i misunderstood something ?
Ah ... right. I forgot about that, wrote this long back. Ya, in this case this should be working for you. Please raise support ticket if this does not work for you.
We have already raised a support ticket with High Priority, still waiting for it to be resolved 🙁 .
Can you send me the ticket number on my official mail id?
Thanks for your help.
Were you able to solve this issue?
Issue is still pending with SAP Support 🙁
Have you implemented SSO on mobile successfully ?
can you list out the steps you have performed ?
We want to implement single sign-on for LDAP authentication and we are on BI 4.2 SP1. Is it possible to integrate a VPN and SAP BI app bundle together and have the user login once ?
Thanks in advance.
This has not been validated internally but this would be possible.
This would require some more understanding of your setup and what you are trying to do.
Let me know how can we collaborate more on this.
Thanks Vikas. We are using LDAP authentication and need user to login only once (VPN) which enables the user to login SAP BI App without any credentials.
Please update your email address in the profile to reach out with more information.
There are many ways to do a single sign on on mobile. Which one you are trying to setup?
We are currently able to access Business Object through Internet Explorer using SSO. We are looking at implementing a solution with XenMobile (Worx Home). We have packaged the SP BusinessObjects Mobile application and are able to install from Worx Home. We are able to manually enter credentials to log in (Windows AD) and access reports. We are able to SSO in for Worx Web. The issue is that SSO is not working for the SAP BusinessObject Mobile application. We had presented to our SAP administrator the instructions listed above under "enabling SSO for Mobile BI". He said that we didn't need to do that. Would you be able to confirm if we do or do not need to perform those steps?
I'm trying to find documentation on how to setup SSO for SAP Business Objects Mobile application in ios/android using SAP Authenticator but couldnt really find anything. Can anyone please point me to the right direction? Appreciate your help.
Does someone know what is the default authentication protocol used for BI SSO.