Skip to Content

SSO on SAP BI Mobile Server – HTTP Header with Trusted Authentication

Read me

SAP BI Mobile Server Single Sign On Support


  • Your environment should ensure the authentication of user
  • After authentication you should provide mobile server with username in HTTP Header
  • SAP Business Objects BI platform configured for trusted authentication

First step

is to enable the Authentication Scheme

  • Copy the from default folder in to custom folder (<WebAppsROOT>\webapps\MobileBIService\WEB-INF\config)
  • Then modify the file in custom folder
  • Un-comment line ‘TRUST_HTTP_HEADER=com.businessobjects.mobilebi.server.logon.impl.TrustedAuthHeader’
  • Save and close the file

Second Step

is to define the default SSO configuration

  • Copy the from default folder in to custom folder (<WebAppsROOT>\webapps\MobileBIService\WEB-INF\config)
  • Then modify the file in custom folder
  • Choose your default CMS identifier
    • default.cms.identifier=abc
  • Now define your authentication scheme (the one that you have enabled in first step)
    • abc.authentication.scheme=TRUST_HTTP_HEADER
  • CMS can be provided as an Alias, IP or cluster name
    • Alias
    • IP
      • abc.aliases=
    • Cluster name
      • abc.aliases=@xyz
  • Now configure all the properties using this identifier as below
    • abc.authentication.type=secEnterprise
    • abc.product.locale=en_GB
    • abc.preferred.viewing.locale=en_GB
    • abc.trusted.auth.sharedsecret=<copy the shared secret here>
    • abc.authentication.type=secEnterprise
  • You need to additionally configure the header name that you shall be using to provide the user ID
    • abc.trusted.auth.user.param=userIdentifier
    • abc.trusted.auth.user.retrieval=HTTP_HEADER
  • Save the file.

Third Step

is to now deploy the MobileBIService again after changes mentioned above. Once done, you can validate if your SSO has been setup correctly by executing following URL from browser

http://<server>:<port>/MobileBIService/MessageHandlerServlet?message=CredentialsMessage&requestSrc=ipad&data=<logon logonViaSSO=”true”/>

Note: While executing the URL in browser, you should be sending a HTTP Header with name ‘userIdentifier‘ and value as user id.

Disclaimer and Liability Notice

This document may discuss sample coding or other information that does not include SAP official interfaces and therefore is not supported by SAP. Changes made based on this information are not supported and can be overwritten during an upgrade. SAP will not be held liable for any damages caused by using or misusing the information, code or methods suggested in this document and anyone using these methods does so at his/her own risk. SAP offers no guarantees and assumes no responsibility or liability of any type with respect to the content of this technical article or code sample, including any liability resulting from incompatibility between the content within this document and the materials and services offered by SAP. You agree that you will not hold, or seek to hold, SAP responsible or liable with respect to the content of this document

You must be Logged on to comment or reply to a post.
  • about Third Step.

    can explain what value for param,value.
    when I post data=<logon logonViaSSO=”true”/>

    I got the error,Log-on error: User as Header is missing from request (MOB00920).

    • Hi Sabrina,

      You need to add an additional HTTP header (this you can do via plugins available when using chrome browser) with the configured name i.e. userIdentifier as key and value as the user name i.e. say ‘123456’.

      Then if all configurations are correct. this would work for you. Also, would be happy to know for whom you are trying to setup SSO.



      • Hi Ashutosh,

        Thanks for your response.

        I did try to add the HTTP header,userIdentifier and the user name.
        But I still got the same error.Could not figure it out.

        • Hi Sabrina,

          This has already been configured and tested by some customers, hence i know definitely that it works. Probably you are doing something wrong.

          For whom are you trying to set-up this environment. Do you already have an OSS message created for the same?



  • Hello Ashutosh,

    We are try to do SSO on mobile via trust authentication and did all 3 steps as above and works like a charm.  The test via chrome is good.  When we try to connect via the mobile app it is giving the MOB00920 (missing header). 

    Now the question is how do we pass/set the header information in BI41 so the mobile app can detect it.  We want to use the windows account. 

    We are on the BI41 Windows 2008 x64


    • That should be the responsibility of your web server administrator. You can look for documentation on web on how to add headers to an existing request.

      Having said that, can you also tell how is the user Information coming from the mobile client. And what is the authentication you are using, where does your users reside – Note that trusted authentication can only be used for secEnterprise users.



      • Thanks for the response.

        We use a corp-wifi and authenticate via windows account. The BI41 is integrated/setup with Window Accounts and Trust Authentication.  So a user(smithM) will to logon to our wifi and BI41 with the same account.  That is working great.

        On the mobile, we are using windows authentication but since the password expiry it cause confusion for the user as they are not technical.  Thus we want SSO with trust authentication.

        Note: Saving the password on the mobile is not an option.


        • So based on the information that you have provided so far, I understand the following

          – You are using WIN-AD authentication for Enterprise

          – BOE is configured for trusted authentication for launchpad via HTTP Header

          Now, can you confirm if the WIN-AD users are same as the secEnterprise aliases in BOE. This is required for trusted authentication to work on mobile. As, currently we do not support alias mapping



          • Hi Ashutosh,

            I am brain-storming on the security now, correct me if I am wrong.  Basically the tomcat “MobileBIService” app is accessible for everyone and no-authentication is perform. In order to force authenticated user to access “MobileBIService” from the mobile App, there must be some change to the web.xml to allow only authenticated user. From the authenticated user, I can get the remote_user’s ID. I’ve searched SAP forum to for some setting on that but found none and thus 3rd party plugin.  The only thing that come close is your post on SAML and trust authentication.



          • MobileBIService, will definitely be behind proxy and any communication from external to mobile server should be protected at the web server/reverse proxy level by checking the presence of authentication ticket (kerberos ticket) in this case.



          • Did you find a solution for your Win AD SSO scenario? I am looking for a similar approach having SSO with Mobi App and Win AD (possibly via Enterprise Auth/Trusted Auth) just with the App, a VPN, an MDM solution and Standard Tomcat Install of MobileServer.

            Any ideas on that? Thanks!


    • Yes, that’s correct. As you said this is already working for BI41, it should be configured in a similar way on tomcat server where Mobile BI Service is deployed.



  • Hi Ashutosh Rastogi ,

    I am trying to configure trusted with HTTP header along with form based authentication with X502. However my approach got stuck on SAP KBA: 2038165 – SSO using form based trusted auth gives with the SAP BI app for iOS gives error MOB00920

    Hence could you help me following queries:

    1. We have Trusted working with HTTP header in BI Launchpad, hence just for SSO via mobile, could we configure form based authentication and provide a X502 certificate in mobile device, rather than configuring the whole BI Launchpad / Web server with X502.

    2. As per your documentation the above approach should work, however as per the KBA, this is being investigated by the developers ? So has this issue been fixed in the latest versions for both IOS and Android apps ?


    Sarvjot Singh

    • Mobile BI client cannot be directly configured for sending user as HTTP header. This needs to be achieved by in-between systems i.e. reverse proxy, web server etc.



      • Hi Ashutosh,

        I use Apache server to rewrite url.

        When the client connect to MobileBIService and don’t have http header, I will rewrite this url to my login page.

        But I will get error below

        Internal server error occurred while processing the login request; contact your administrator (MOB 07010)

        Internal server error occurred while processing the version request; contact your administrator (MOB 07009)

        Could you explain how to use web server to set Http header ?

  • Hi Ashutosh,

    When I push the sap mobile app logout button,  I don’t logout the sso.

    How do I connect the app logout and sso logout?

    Are there any setting ?



  • Hi Ashutosh,

    I use Fiddler to trace the connection.

    I find that when I use login via SSO (HTTP Header), the SAP app will send about 4-5 times post requests to the SAP server and then send one Get request to SAP server and at this time SAP app will redirect to SSO login page.

    All login process like below:

    SAP app  —> post request to SAP server –>  loading image

                    —> post request to SAP server –> loading image

                    —> post request to SAP server –> loading image

                     —> post request to SAP server –>  loading image

                     —> get request to SAP server –>  show login page on app  –> input login username and password  –> login ok —>  click “Back” button and login again –> app login –> all reports page

    This process expenses to much time and users can’t understand why they need to click “Back” button and login again.

    Is it possible to change the process like below?

    SAP app  —> get request to SAP server –>  show login page on app  –> input login username and password  –> login ok —> return to all reports page

    Or are there any settings to let sap app show sso login page quickly ?



  • Does this feature work with BOE 4.1 SP3.  I have completed the setup and when testing using Chrome with the header added, I am getting an fwb 00009 error saying the feature has been disabled.

    Does that mean a X509 cert is required to use this function.

    • Hello Rick,

      Please raise a SAP incident. This should be working as SSO support exists from 4.1 SP02.

      SAP BusinessObjects Mobile supports 2 Factor authentication through BASIC, FORM or X509 certificate. If through these methods you are able to pass the required user name as HTTP header server can do a trust based login to BusinessObjects Platform.