
Read me

SAP BI Mobile Server Single Sign On Support


Prerequisites

  • Your environment must authenticate the user
  • After authentication, your environment must pass the username to the mobile server in an HTTP header
  • The SAP BusinessObjects BI platform must be configured for trusted authentication


First step

is to enable the Authentication Scheme

  • Copy authscheme.properties from the default folder into the custom folder (<WebAppsROOT>\webapps\MobileBIService\WEB-INF\config)
  • Then modify the authscheme.properties file in the custom folder
  • Un-comment the line 'TRUST_HTTP_HEADER=com.businessobjects.mobilebi.server.logon.impl.TrustedAuthHeader'
  • Save and close the file


Second Step

is to define the default SSO configuration

  • Copy sso.properties from the default folder into the custom folder (<WebAppsROOT>\webapps\MobileBIService\WEB-INF\config)
  • Then modify the sso.properties file in the custom folder
  • Choose your default CMS identifier
    • default.cms.identifier=abc
  • Now define your authentication scheme (the one that you have enabled in first step)
    • abc.authentication.scheme=TRUST_HTTP_HEADER
  • CMS can be provided as an Alias, IP or cluster name
    • Alias
      • abc.aliases=boe.xyz.corp:6400
    • IP
      • abc.aliases=10.10.10.10:6400
    • Cluster name
      • abc.aliases=@xyz
  • Now configure all the properties using this identifier as below
    • abc.authentication.type=secEnterprise
    • abc.product.locale=en_GB
    • abc.preferred.viewing.locale=en_GB
    • abc.trusted.auth.sharedsecret=<copy the shared secret here>
  • Additionally, configure the name of the header that you will use to provide the user ID
    • abc.trusted.auth.user.param=userIdentifier
    • abc.trusted.auth.user.retrieval=HTTP_HEADER
  • Save the sso.properties file.

Third Step

is to deploy the MobileBIService again after making the changes above. Once done, you can validate that SSO has been set up correctly by requesting the following URL from a browser:

http://<server>:<port>/MobileBIService/MessageHandlerServlet?message=CredentialsMessage&requestSrc=ipad&data=<logon logonViaSSO="true"/>

Note: When requesting the URL in the browser, you must send an HTTP header named 'userIdentifier' whose value is the user ID.
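A consistency check for the two files edited in the first and second steps, as an added example that is not SAP code and not part of the original post. The function names and the sample file contents are constructed for illustration, and the parser assumes plain key=value lines with # or ! comments.

```python
import re

# Per-CMS keys taken from the second step; sample file contents are constructed.
REQUIRED = ("authentication.scheme", "aliases", "authentication.type",
            "trusted.auth.sharedsecret", "trusted.auth.user.param",
            "trusted.auth.user.retrieval")
AUTHSCHEME_SAMPLE = ("#TRUST_HTTP_HEADER="
                     "com.businessobjects.mobilebi.server.logon.impl.TrustedAuthHeader\n")
SSO_SAMPLE = """\
default.cms.identifier=abc
abc.authentication.scheme=TRUST_HTTP_HEADER
abc.aliases=boe.xyz.corp:6400
abc.authentication.type=secEnterprise
abc.trusted.auth.sharedsecret=<copy the shared secret here>
abc.authentication.type=secEnterprise
abc.trusted.auth.user.param=userIdentifier
"""

def parse_properties(text):
    """Parse simple key=value lines; return (props, duplicate_keys)."""
    props, dups = {}, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!" or "=" not in line:
            continue  # blank, commented out, or not a key=value line
        key, value = (part.strip() for part in line.split("=", 1))
        if key in props:
            dups.append(key)
        props[key] = value
    return props, dups

def check_sso(sso_text, authscheme_text):
    """Return a list of findings; an empty list means the two files agree."""
    schemes, _ = parse_properties(authscheme_text)
    props, dups = parse_properties(sso_text)
    findings = [f"duplicate key: {k}" for k in dups]
    cms = props.get("default.cms.identifier")
    if not cms:
        return findings + ["default.cms.identifier is not set"]
    findings += [f"missing: {cms}.{s}" for s in REQUIRED if not props.get(f"{cms}.{s}")]
    scheme = props.get(f"{cms}.authentication.scheme")
    if scheme and scheme not in schemes:
        findings.append(f"scheme not enabled in authscheme.properties: {scheme}")
    if re.fullmatch(r"<.*>", props.get(f"{cms}.trusted.auth.sharedsecret", "")):
        findings.append("shared secret is still the placeholder text")
    return findings

if __name__ == "__main__":
    for finding in check_sso(SSO_SAMPLE, AUTHSCHEME_SAMPLE):
        print(finding)
```

Run it against the files in the custom folder before redeploying; an empty result means the scheme named in sso.properties is enabled and every per-CMS key from the second step is present.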



Disclaimer and Liability Notice

This document may discuss sample coding or other information that does not include SAP official interfaces and therefore is not supported by SAP. Changes made based on this information are not supported and can be overwritten during an upgrade. SAP will not be held liable for any damages caused by using or misusing the information, code or methods suggested in this document and anyone using these methods does so at his/her own risk. SAP offers no guarantees and assumes no responsibility or liability of any type with respect to the content of this technical article or code sample, including any liability resulting from incompatibility between the content within this document and the materials and services offered by SAP. You agree that you will not hold, or seek to hold, SAP responsible or liable with respect to the content of this document


25 Comments


  1. Sabrina Lin

    About the third step:

    Can you explain what value for param, value?
    When I post data=<logon logonViaSSO="true"/>

    I got the error: Log-on error: User as Header is missing from request (MOB00920).

    (0) 
    1. Ashutosh Rastogi Post author

      Hi Sabrina,

      You need to add an additional HTTP header (you can do this via plugins available for the Chrome browser) with the configured name, i.e. userIdentifier, as key and the user name, say '123456', as value.

      Then, if all configurations are correct, this would work for you. Also, I would be happy to know for whom you are trying to set up SSO.

      Regards,

      Ashutosh

      (0) 
      1. Sabrina Lin

        Hi Ashutosh,

        Thanks for your response.

        I did try to add the HTTP header, userIdentifier, and the user name.
        But I still got the same error. I could not figure it out.

        (0) 
        1. Ashutosh Rastogi Post author

          Hi Sabrina,

          This has already been configured and tested by some customers, hence I know definitely that it works. Probably you are doing something wrong.

          For whom are you trying to set up this environment? Do you already have an OSS message created for the same?

          Regards,

          Ashutosh

          (0) 
  2. r s

    Hello Ashutosh,

    We are trying to do SSO on mobile via trusted authentication and did all 3 steps as above, and it works like a charm. The test via Chrome is good. When we try to connect via the mobile app it gives the MOB00920 (missing header) error.

    Now the question is how do we pass/set the header information in BI41 so the mobile app can detect it. We want to use the Windows account.

    We are on the BI41 Windows 2008 x64

    Thanks

    (0) 
    1. Ashutosh Rastogi Post author

      That should be the responsibility of your web server administrator. You can look for documentation on web on how to add headers to an existing request.

      Having said that, can you also tell how the user information is coming from the mobile client? And what authentication are you using, and where do your users reside? Note that trusted authentication can only be used for secEnterprise users.

      Regards,

      Ashutosh

      (0) 
      1. r s

        Thanks for the response.

        We use a corp-wifi and authenticate via Windows account. The BI41 is integrated/set up with Windows accounts and trusted authentication. So a user (smithM) will log on to our wifi and BI41 with the same account. That is working great.

        On the mobile, we are using Windows authentication, but because of password expiry it causes confusion for the users as they are not technical. Thus we want SSO with trusted authentication.

        Note: Saving the password on the mobile is not an option.

        Thanks

        (0) 
        1. Ashutosh Rastogi Post author

          So based on the information that you have provided so far, I understand the following

          – You are using WIN-AD authentication for Enterprise

          – BOE is configured for trusted authentication for launchpad via HTTP Header

          Now, can you confirm if the WIN-AD users are the same as the secEnterprise aliases in BOE? This is required for trusted authentication to work on mobile, as currently we do not support alias mapping.

          Regards,

          Ashutosh

          (0) 
          1. r s

            That is exactly correct.  The Id for both Enterprise and Win-AD users are the same name. Now, I am looking at “Waffle  http://dblock.github.com/waffle/” to config tomcat and from there to extract the user’s id somehow. 

            Is this the right path?

            Thanks

            (0) 
              1. r s

                Hi Ashutosh,

                I am brainstorming on the security now; correct me if I am wrong. Basically the Tomcat "MobileBIService" app is accessible to everyone and no authentication is performed. In order to force only authenticated users to access "MobileBIService" from the mobile app, there must be some change to the web.xml to allow only authenticated users. From the authenticated user, I can get the remote_user's ID. I've searched the SAP forum for some setting on that but found none, and thus a 3rd party plugin. The only thing that comes close is your post on SAML and trusted authentication.

                Thanks

                -rs

                (0) 
                1. Ashutosh Rastogi Post author

                  MobileBIService will definitely be behind a proxy, and any communication from external clients to the mobile server should be protected at the web server/reverse proxy level by checking the presence of an authentication ticket (Kerberos ticket) in this case.

                  regards,

                  Ashutosh

                  (0) 
                2. Harald Anton Mueller

                  Did you find a solution for your Win AD SSO scenario? I am looking for a similar approach having SSO with Mobi App and Win AD (possibly via Enterprise Auth/Trusted Auth) just with the App, a VPN, an MDM solution and Standard Tomcat Install of MobileServer.

                  Any ideas on that? Thanks!

                  Harald

                  (0) 
  3. r s

    Hi Ashutosh,

    When you said web server administrator, are you referring to the tomcat server?

    Thanks

    (0) 
    1. Ashutosh Rastogi Post author

      Yes, that’s correct. As you said this is already working for BI41, it should be configured in a similar way on tomcat server where Mobile BI Service is deployed.

      Regards,

      Ashutosh

      (0) 
  4. Sarvjot Singh

    Hi Ashutosh Rastogi ,

    I am trying to configure trusted with HTTP header along with form based authentication with X502. However my approach got stuck on SAP KBA: 2038165 – SSO using form based trusted auth gives with the SAP BI app for iOS gives error MOB00920


    Hence could you help me following queries:


    1. We have Trusted working with HTTP header in BI Launchpad, hence just for SSO via mobile, could we configure form based authentication and provide a X502 certificate in mobile device, rather than configuring the whole BI Launchpad / Web server with X502.


    2. As per your documentation the above approach should work, however as per the KBA, this is being investigated by the developers ? So has this issue been fixed in the latest versions for both IOS and Android apps ?


    Regards,

    Sarvjot Singh



    (0) 
    1. Ashutosh Rastogi Post author

      Mobile BI client cannot be directly configured for sending user as HTTP header. This needs to be achieved by in-between systems i.e. reverse proxy, web server etc.

      Regards,

      Ashutosh

      (0) 
      1. Yi-Shan Tsao

        Hi Ashutosh,


        I use Apache server to rewrite the URL.

        When the client connects to MobileBIService and doesn't have the HTTP header, I will rewrite this URL to my login page.

        But I get the errors below:

        Internal server error occurred while processing the login request; contact your administrator (MOB 07010)

        Internal server error occurred while processing the version request; contact your administrator (MOB 07009)


        Could you explain how to use the web server to set the HTTP header?


        (0) 
  5. Yi-Shan Tsao

    Hi Ashutosh,


    When I push the SAP mobile app logout button, I am not logged out of the SSO.

    How do I connect the app logout and the SSO logout?

    Are there any settings?



    Regards,

    Yi-shan

    (0) 
  6. Yi-Shan Tsao

    Hi Ashutosh,


    I use Fiddler to trace the connection.

    I find that when I log in via SSO (HTTP header), the SAP app sends about 4-5 POST requests to the SAP server and then sends one GET request to the SAP server, and at this point the SAP app redirects to the SSO login page.


    The whole login process is like below:


    SAP app  --> POST request to SAP server --> loading image

             --> POST request to SAP server --> loading image

             --> POST request to SAP server --> loading image

             --> POST request to SAP server --> loading image

             --> GET request to SAP server --> show login page on app --> input login username and password --> login ok --> click "Back" button and login again --> app login --> all reports page


    This process takes too much time and users can't understand why they need to click the "Back" button and log in again.


    Is it possible to change the process like below?


    SAP app  --> GET request to SAP server --> show login page on app --> input login username and password --> login ok --> return to all reports page


    Or are there any settings to let the SAP app show the SSO login page quickly?


    Regards,

    Yi-shan

    (0) 
  7. Rick Kruyf

    Does this feature work with BOE 4.1 SP3? I have completed the setup and when testing using Chrome with the header added, I am getting an fwb 00009 error saying the feature has been disabled.

    Does that mean an X509 cert is required to use this function?

    (0) 
    1. Vikas Kumar Yadav

      Hello Rick,

      Please raise a SAP incident. This should be working as SSO support exists from 4.1 SP02.

      SAP BusinessObjects Mobile supports 2 Factor authentication through BASIC, FORM or X509 certificate. If through these methods you are able to pass the required user name as an HTTP header, the server can do a trust based login to BusinessObjects Platform.

      Regards

      Vikas

      (0) 
