SSO on SAP BI Mobile Server – Custom with Trusted Authentication

Read me

SAP BI Mobile Server Single Sign On Support

This is a specific case where mobile server does not support what you want. This option allows you to write your own java class which implements the method “public String getUser(HttpServletRequest request)“. At run-time, when configured for custom scenario, mobile server will call this method of given class and provide it with HTTP Servlet Request. In this method you can write your custom code to parse the request and return the user id back. Mobile server will take this user id and log you on to BOE using trusted connection.

[Sample class attached]

The class can be packaged and deployed as follows

You need to place the class in respective package inside <WebAppsROOT>\webapps\MobileBIService\WEB-INF\classes
If you have any dependent libraries you should copy them to <WebAppsROOT>\webapps\MobileBIService\WEB-INF\lib. Just ensure that your libraries are not already present in this folder.
You must note that, when you upgrade mobile server. You need to backup the class and respective libraries that you had copied and apply the changes again to make SSO work.

Now, lets see how to configure mobile server for this scenario

Prerequisites

Your environment should ensure the authentication of user
After authentication is done, your custom class is responsible for parsing the request and provide user Id
SAP Business Objects BI platform configured for trusted authentication

First step

is to enable the Authentication Scheme

Copy the authscheme.properties from default folder in to custom folder (<WebAppsROOT>\webapps\MobileBIService\WEB-INF\config)
Then modify the authscheme.properties file in custom folder
Un-comment line ‘TRUST_CUSTOM=com.businessobjects.mobilebi.server.logon.impl.TrustedCustom’
Save and close the file

Second Step

is to define the default SSO configuration

Copy the sso.properties from default folder in to custom folder (<WebAppsROOT>\webapps\MobileBIService\WEB-INF\config)
Then modify the sso.properties file in custom folder
Choose your default CMS identifier
- “default.cms.identifier=abc“
Now define your authentication scheme (the one that you have enabled in first step)
- abc.authentication.scheme=TRUST_CUSTOM

CMS can be provided as an Alias, IP or cluster name
- Alias
  - abc.aliases=boe.xyz.corp:6400
- IP
  - abc.aliases=10.10.10.10:6400
- Cluster name
  - abc.aliases=@xyz

Now configure all the properties using this identifier as below
- abc.authentication.type=secEnterprise
- abc.product.locale=en_GB
- abc.preferred.viewing.locale=en_GB
- abc.trusted.auth.sharedsecret=<copy the shared secret here>
- abc.authentication.type=secEnterprise
You need to additionally configure the header name that you shall be using to provide the user ID
- abc.trusted.auth.user.param=<fully qualified name of your custom class>
- abc.trusted.auth.user.retrieval=CUSTOM
Save the sso.properties file.

Third Step

is to now deploy the MobileBIService again after changes mentioned above. Once done, you can validate if your SSO has been setup correctly by executing following URL from browser

http://<server>:<port>/MobileBIService/MessageHandlerServlet?message=CredentialsMessage&requestSrc=ipad&data=<logon logonViaSSO=”true”/>

Note: While executing the URL in browser, you should be sending the request with the authentication data that you expect your custom class to parse.

9 Comments

You must be Logged on to comment or reply to a post.

r s March 31, 2015 at 1:15 pm

Hi Ashutosh

I’ve try your process on SSO via trust authentication via header, as outline in the link

SSO on SAP BI Mobile Server – HTTP Header with Trusted Authentication

Everything seem to be working fine except the header information contain extra information. So I try this approach to remove the extra information but got the error below.

‘getEnterpriseSession’. (MOB 00930)Cause

Due to Invalid parameters, Class unable to invoke method ‘getEnterpriseSession’

I search and found no reference to what is the cause. Env. BI41 SP5 (x64)

Any suggestion?

Thanks

like (0)
1. Ashutosh Rastogi Post authorMarch 31, 2015 at 4:35 pm
  
  Hi,
  
  Can you share the authscheme.properties and sso.properties? You can mask part the sensitive info in the files.
  
  Regards,
  
  Ashutosh
  
  like (0)
  1. r s March 31, 2015 at 5:00 pm
    
    Here are the field that enabled.
    
    On the SSO
    
    # Header with Custom
    
    abc.trusted.auth.user.param=ExtractUser
    
    abc.trusted.auth.user.retrieval=CUSTOM
    
    On Auth Scheme are enable
    
    TRUST_HTTP_HEADER=com.businessobjects.mobilebi.server.logon.impl.TrustedAuthHeader
    
    # allows you to configure Remote User with Trusted connection to BOE
    
    TRUST_REMOTE_USER=com.businessobjects.mobilebi.server.logon.impl.TrustedAuthIIS
    
    TRUST_CUSTOM=com.businessobjects.mobilebi.server.logon.impl.TrustedCustom
    
    If you want the full file I can email that you you?
    
    like (0)
    1. Ashutosh Rastogi Post authorMarch 31, 2015 at 5:07 pm
      
      Yes, that is required. You send me a direct message and I will respond with my mail ID.
      
      Regards,
      
      Ashutosh
      
      like (0)
      1. r s March 31, 2015 at 5:25 pm
        
        Can sent you a direct message, it is block because we are not connected.
        
        Is there another way?
        
        -rs
        
        like (0)
    2. Ashutosh Rastogi Post authorApril 1, 2015 at 3:29 am
      
      I would suggest that you raise an OSS ticket in that case.
      
      Regards.,
      
      Ashutosh
      
      like (0)
Yi-Shan Tsao October 1, 2015 at 3:30 am

Hi Ashutosh

I got the same error message as rs.

“failed to invoke method getEnterpriseSession (MOB00930)”

Auth Scheme are enable

TRUST_CUSTOM=com.businessobjects.mobilebi.server.logon.impl.TrustedCustom

On the OSS

TEST.authentication.type=secEnterprise

TEST.authentication.scheme=TRUST_CUSTOM

TEST.trusted.auth.sharedsecret=xxxxxxxx

TEST.trusted.auth.user.param=ExtractUser

TEST.trusted.auth.user.retrieval=CUSTOM

I’ve try your process on SSO via trust authentication via header and everything seem to be working fine.

I want to use custom login page in mobile, so I change to use sso via custom.

But I have no ideal to redirect to custom login page and return the request to ExtactUser.getUser.

Any suggestion?

Thank you.

like (0)
1. Ashutosh Rastogi Post authorOctober 1, 2015 at 4:09 am
  
  Hi,
  
  Can you provide your use case in detail? I see that you have been able to use trusted authentication via header successfully. Now, you want to attempt custom approach, any specific reasons?
  
  Regards.
  
  Ashutosh
  
  like (0)
  1. Yi-Shan Tsao October 1, 2015 at 5:13 am
    
    Hi Ashutosh
    
    I have a web service to authenticate the user name and password, so I want to use my custom login page to input the user data and call the web service.
    
    But I don’t know how to redirect sap to this custom login page, and then return back to sap mobile server.
    
    I don’t know if I use authentication via header, where the login page url should I set?
    
    Do you have any suggestion?
    
    like (0)