Skip to Content

SSO on SAP BI Mobile Server – X509 certificates with Trusted Authentication

Read me

SAP BI Mobile Server Single Sign On Support


  • SAP Business Objects BI platform configured for trusted authentication
  • Customer should already have valid X509 certificate for the end users
  • SSL Setup i.e. Web server should be setup to challenge incoming request for X509 certificate
  • The required server certificates installed on the BI platform key store and Mobile Server key store

First step

is to enable the Authentication Scheme

  • Copy the from default folder in to custom folder (<WebAppsROOT>\webapps\MobileBIService\WEB-INF\config)
  • Then modify the file in custom folder
  • Un-comment line ‘TRUST_X509=com.businessobjects.mobilebi.server.logon.impl.TrustedAuthX509’
  • Save and close the file

Second Step

is to define the default SSO configuration

  • Copy the from default folder in to custom folder (<WebAppsROOT>\webapps\MobileBIService\WEB-INF\config)
  • Then modify the file in custom folder
  • Choose your default CMS identifier
    • default.cms.identifier=abc
  • Now define your authentication scheme (the one that you have enabled in first step)
    • abc.authentication.scheme=TRUST_X509
  • CMS can be provided as an Alias, IP or cluster name
    • Alias
    • IP
      • abc.aliases=
    • Cluster name
      • abc.aliases=@xyz
  • Now configure all the properties using this identifier as below
    • abc.authentication.type=secEnterprise
    • abc.product.locale=en_GB
    • abc.preferred.viewing.locale=en_GB
    • abc.trusted.auth.sharedsecret=<copy the shared secret here>

    • abc.trusted.auth.user.retrieval=X509

    • abc.authentication.type=secEnterprise

  • Save the file.

Note: Mobile server picks up ‘CN’ name as user name from the X509 certificate.

Third Step

is to now deploy the MobileBIService again after changes mentioned above. Once done, you can validate if your SSO has been setup correctly by executing following URL from browser

http://<server>:<port>/MobileBIService/MessageHandlerServlet?message=CredentialsMessage&requestSrc=ipad&data=<logon logonViaSSO=”true”/>

Note: While executing the URL in browser, you should be sending a valid X509 certificate with it. Also, note that the CN name in the X509 certificate should be same as the user Id for the end user in Business Objects Enterprise.

Disclaimer and Liability Notice

This document may discuss sample coding or other information that does not include SAP official interfaces and therefore is not supported by SAP. Changes made based on this information are not supported and can be overwritten during an upgrade. SAP will not be held liable for any damages caused by using or misusing the information, code or methods suggested in this document and anyone using these methods does so at his/her own risk. SAP offers no guarantees and assumes no responsibility or liability of any type with respect to the content of this technical article or code sample, including any liability resulting from incompatibility between the content within this document and the materials and services offered by SAP. You agree that you will not hold, or seek to hold, SAP responsible or liable with respect to the content of this document

You must be Logged on to comment or reply to a post.
    • Hi Doug,

      before answering that I would like to know what is the use case you are trying to achieve, that information will help in answer you better – are you taking about cms host names i.e. alias values of same destination or different ones.



      • Odd question, but ok.  BOE is a product that can cluster, ie: multiple CMS hosts.  Since the mobile product cannot use a cluster name to address the cluster of CMS hosts, we need to specify a specific host or hosts for it to attempt to communicate with on its first communication attempt.  Once it does this, I would hope, it would pull back the clustermembers list and handle balancing from that point forward.  But, on that first attempt, if we can only specify a single hostname and port for the cms connection, that cms needs to be online for this to work.  So that is why I ask, can you specify multiple cms names in a list of some kind?  Alternatively, can you specify the cluster name and its members (as you can in the other web apps) so that the clusters can be identified by clustername.

  • Hi Ashutosh

    I’m new to the subject and have some questions about the prerequisites.

    If we use x509 certificates on the SAP BI Mobile app. The businessobjects system musst running with https?

    What is the meaning for ‘configured for trusted authentication’?

    And have you more Information for the server installed certificate (key store)

    Regards Stefan

    • Hi Stefan,

      I could not interpret your questions clearly, However still would try to answer the way i got them

      – SAP BI Mobile App connects to mobile server (Mobile BI Service), and Yes mobile server is expected to run on HTTPS. Support for HTTP will soon be completely deprecated.

      – BOE should be configured for trusted authentication i.e. BOE should be enabled to accept trusted connections that provide shared secret. Following link should help

      – I think this question is about certificate for server to configure it for HTTPS. If yes, then you need to obtain this certificate from your organization’s CA. This would be machine certificate



      • Hi Ashutosh

        Thanks for your quick reply.

        My questions about the certificates come from this information:

        The required server certificates installed on the BI platform key store and Mobile Server key store -> Which certificate is the meaning here? Do you mean the https zertificate?

        About hte x509 certificate, this one is not clear for me. If made the connection over this x509 certificate, then the BO Mobile server must run with https or it can be run also with http?

        Regards Stefan

        • Hi Stefan,

          First – I mean the machine certificates signed by the Organization’s CA or any other CA that is used within the Org for signing X509 certs.

          Yes, for X509 mobile server need to run on HTTPS. Infact, irrespective of any method you must run mobile server on HTTPS. Support for connecting to non-HTTPS servers will soon be deprecated



          • Hi Ashutosh,

            I think your support is very helpfull.

            In my customer’s organization there is a MDM structure (called “mobile iron”)  and there is already a certificate into all mobile device to connect to company wi-fi. So what I want to introduce is the x509 automatic certificate for BI Mobile App (BOE and BO Mobile infrastructure is in ramp-up now) who allows SSO on mobile device.

            My customer give a question to me:” can I use my certificate both for wi-fi and SAP BI Mobile? if not, what information I’ve to put into a new SAP BI Mobile certificate?” they give to me a SCEP diagram with some parameters and they said to me to put inside parameters for BO, what do you think about this question? certificate content for BI Mobile is transparent or needs a specific generation process?

            Thanks thousand.


          • Hi Andrea,

            IOS does not allows mobile bi app to access certificates from its key chain. Only apple apps are able to access those certificates i.e. safari browser would be able to access them, or even apple store but not Mobile BI App.

            Having said that, if the same certificate is deployed manually in the SAP mobile BI app. Then that can be used for trusted SSO provided the CN name in the certificate is same as the enterprise user in BOE.



          • Dear Ashutosh,

            thank you so much for your reply.

            So Certificate should send manually to device and this is not stored to device key-chan?

            How user can use this certificate if this is not always on the device?

            Could you provide me some tutorial-links-usefull notes about this configuration (maybe a step-by-step guide)?

            This is the format of wi-fi certificate actually installed on the device (actually on android mobile phone, the mobile bi app certificate will be installed on 300 iPads) :


            We are in Windows AD auth-landscape, the CN is the same of the BOE environement.

            Thanks a lot for your time Ashutosh!


          • Hi Andrea,

            The X509 cert need to be installed once within the Mobi App, and then it will always be available for user while connecting from App. It’s just that IOS runs app in a snadbox like environment and does not allow them to access the device key chain. Apps can have their own storage to store certs.

            I don’t have step-by-step tutorial at hand. However, you can definitely look into guides available at SAP BusinessObjects Mobile for iOS – SAP Help Portal Page

            IPads and Android devices both can be used in similar way. BOE need to have enterprise user aliases and trusted authentication should be enabled.

            You can definitely post your questions in the forums here. However if you need more specific help then raise this to SAP support they will be more than happy to help you.



  • Dear Ashutosh,

    Thanks for the document, we have succesfully achived a SSO with SSL with your documentation against the Enterprise user.

    However, we are checking other options to do the SSO because currently we are not working with Enterprise users.My question is:

    is it possible to achieve SSO to BO Mobile with X509 with users of secSAPR3 ?

    changing the parameter to the following:

    • abc.authentication.type=secSAPR3

    and transfering the appropriate value in the certificate (CN) so it will match the secSAPR3 user ?

    Kind regards,


    • Hi Dima,

      Since its a trust based SSO for certificates by Reading the CN value, you will need to have Enterprise Alias for your SAP users with the same alias as CN.

      Trust based SSO is only for enterprise users, so you will require enterprise alias.



      • Hi Vikas,

        Thanks for the answer. So the trusted SSO is based on Enterprise users.

        We currently have only SAPSR3 users in the system.

        If we don’t want to create enterprise users for our SAPSR3 users, How can I achieve SSO certificate to BO SAPSR3 users ? (we don’t want to use the SSOTicket configuration)

        Kind regards,


  • Hi Ashutosh,

    Thanks for valuable information , can you suggest and guide me HowToSetup X.509 for BI sever not BI Mobile  Server ,  “Is works for my context also” ?



    • Hi Sankara,

      A similar approach would work for BI Server as well, however with BI you need to code on how to validate and pick up the user name from the X509 certificate.


  • Hello Ashutosh,

    In other hand we’ re trying to leverage ” Enterprise  Authentication  ” in cmc for trusted

    authentication  with X.509 , please see below our post  as per BI admin guide ”

    my query is for your context,  X.509 cert resolving from /BI mobile  server/ custom / etc folders and

    trying to figure out for my contact ??? For info my BI version is 4.2.



  • Hi;

    Thanks for your helpful blog.

    We are trying to complete sso settings for BO – Ipad connection.

    Firstly we are trying it via browser on a computer.

    We have some questions about the settings for sso.

    At third step there is a note:

    Note: While executing the URL in browser, you should be sending a valid X509 certificate with it. Also, note that the CN name in the X509 certificate should be same as the user Id for the end user in Business Objects Enterprise.

    While executing the URL in browser, how can we  send a valid X509 certificate with it? Installing the user certificate into browser is enough? We have installed the user certificate with p12 extension. Is it ok or not?

    When we try the sso with link

    http://<server>:<port>/MobileBIService/MessageHandlerServlet?message=CredentialsMessage&requestSrc=ipad&data=<logon logonViaSSO=”true”/>


    browser tells us

    <?xml version=”1.0″ encoding=”UTF-8″?>

    <Result status=”failure“>User name or Password is missing from request (MOB00910)</Result>

    Could you please help us to find the missing or fault points at our settings?

    Best regards





    • Hi Noyan,

      I am not involved with Mobile BI for quite sometime now, hence do not remember these in detail. I have forwarded your query to my colleagues.

      In the mean time I would recommend you to raise a SAP support ticket.



      • Oops that error was due to wrong double quote(“) for true – <logon logonViaSSO=”true”/>. We get different error now after corrected it. Thanks.