A SAML2 implementation is not shipped by default with SAP Mobile BI Server. The reason is that there is no one-size-fits-all approach: SAML2 authentication responses differ considerably from one customer to another even though all of them conform to the SAML2 specification. SAML2 tickets differ in their issuers, assertions, certificates, signatures, subjects and subject attributes, so the handling of each SAML2 ticket has to be implemented differently.
Before you start exploring further, let's look at some prerequisites:
- You already have your environment/infrastructure set up to authenticate incoming requests and generate SAML2 tickets for them.
- SAP Business Objects Enterprise Server has been enabled for Trusted Authentication (BIP Guide, Section 9.2). Note that your secEnterprise users should be enabled for logon to SAP Business Objects Enterprise Server as well.
- Your SAML2 tickets carry the user account name (user ID) of the secEnterprise users of your SAP Business Objects Enterprise. Trusted authentication uses this user ID along with the trusted secret key to log on to SAP Business Objects Enterprise Server.
Now we have to configure the Mobile BI Server so that when a SAML2 ticket reaches the mobile server, it performs the following:
- Validates the SAML2 ticket for expiry and authenticity
- Extracts the user (BOE enterprise alias) and adds it to the javax.servlet.http.HttpSession
At run time, when configured for the SAML2 scenario, the mobile server takes this user ID and logs you on to BOE using the trusted connection.
Implementing Custom Filter
SAP Mobile BI Server ships by default with a custom filter [reference implementation attached] which can be enabled and modified to achieve this. The steps are as follows.
Uncomment the following sections in web.xml (<WebAppsROOT>\webapps\MobileBIService\WEB-INF).
Enable the authentication scheme:
- Copy authscheme.properties from the default folder into the custom folder (<WebAppsROOT>\webapps\MobileBIService\WEB-INF\config)
- Then modify the authscheme.properties file in the custom folder
- Uncomment the line ‘TRUST_WEB_SESSION=com.businessobjects.mobilebi.server.logon.impl.TrustedAuthSession’
- Save and close the file
Define the default SSO configuration:
- Copy sso.properties from the default folder into the custom folder (<WebAppsROOT>\webapps\MobileBIService\WEB-INF\config)
- Then modify the sso.properties file in the custom folder
- Choose your default CMS identifier
- Now define your authentication scheme (the one you enabled in the authentication scheme step above)
- The CMS can be provided as an alias, IP or cluster name
- Now configure all the properties using this identifier (abc in the lines below)
- abc.trusted.auth.sharedsecret=<copy the shared secret here>
- You additionally need to configure the header name that you will use to provide the user ID
- abc.trusted.auth.user.param=<key against which you will add the user as value in the HTTP session object>
- Save the sso.properties file
Modify the custom filter:
- Set up a web project in the Eclipse development environment
- Create a class named “CustomFilter” implementing “javax.servlet.Filter” in the package “com.businessobjects.mobilebi.server.filters”
- Identify the SAML2 parsing libraries you want to use to parse the SAML2 ticket. I have used the OpenSAML 2.4 library in the reference implementation
- Reference the jars from your web project to resolve build dependencies
- Implement the SAML2 handling code in the CustomFilter [reference implementation attached]
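As an added sketch (not the reference implementation attached to this post) of what such a CustomFilter looks like with OpenSAML 2.4: it rejects unsigned, forged or expired assertions before the NameID is placed in the session under the key that trusted authentication reads. The `idpCertPath` init parameter, the `samlUser` key and the use of the NameID as the secEnterprise account name are assumptions made for this example.

```java
package com.businessobjects.mobilebi.server.filters;
import java.io.*;
import java.security.cert.*;
import javax.servlet.*;
import javax.servlet.http.*;
import org.opensaml.DefaultBootstrap;
import org.opensaml.saml2.core.*;
import org.opensaml.security.SAMLSignatureProfileValidator;
import org.opensaml.xml.Configuration;
import org.opensaml.xml.parse.BasicParserPool;
import org.opensaml.xml.security.x509.BasicX509Credential;
import org.opensaml.xml.signature.SignatureValidator;
import org.opensaml.xml.util.Base64;
import org.w3c.dom.Element;
public class CustomFilter implements Filter {
    private static final String USER_KEY = "samlUser";  // constructed value; must equal abc.trusted.auth.user.param in sso.properties
    private BasicX509Credential idpCredential;          // the IdP signing certificate we accept signatures from
    public void init(FilterConfig cfg) throws ServletException {
        try (InputStream in = new FileInputStream(cfg.getInitParameter("idpCertPath"))) { // assumed init-param
            DefaultBootstrap.bootstrap();  // registers the OpenSAML builders and unmarshallers
            idpCredential = new BasicX509Credential();
            idpCredential.setEntityCertificate((X509Certificate) CertificateFactory.getInstance("X.509").generateCertificate(in));
        } catch (Exception e) { throw new ServletException("CustomFilter init failed", e); }
    }
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain) throws IOException, ServletException {
        String saml = req.getParameter("SAMLResponse");  // the payload key used in the test step
        if (saml != null) {
            try {
                ((HttpServletRequest) req).getSession(true).setAttribute(USER_KEY, validateAndExtractUser(saml));
            } catch (Exception e) {  // an unvalidated user ID must never reach the session
                ((HttpServletResponse) res).sendError(HttpServletResponse.SC_UNAUTHORIZED);
                return;
            }
        }
        chain.doFilter(req, res);
    }
    // Parses the Base64 SAML2 Response, checks the assertion signature and validity window, returns the user ID
    String validateAndExtractUser(String base64Response) throws Exception {
        Element root = new BasicParserPool().parse(new ByteArrayInputStream(Base64.decode(base64Response))).getDocumentElement();
        Response resp = (Response) Configuration.getUnmarshallerFactory().getUnmarshaller(root).unmarshall(root);
        Assertion a = resp.getAssertions().size() == 1 ? resp.getAssertions().get(0) : null;
        if (a == null || !a.isSigned()) throw new Exception("expected exactly one signed assertion");
        new SAMLSignatureProfileValidator().validate(a.getSignature());  // structural checks on the XML signature
        new SignatureValidator(idpCredential).validate(a.getSignature()); // cryptographic check against the IdP cert
        Conditions c = a.getConditions();
        if (c == null || c.getNotOnOrAfter() == null || !c.getNotOnOrAfter().isAfterNow()
                || (c.getNotBefore() != null && c.getNotBefore().isAfterNow())) throw new Exception("assertion outside its validity window");
        return a.getSubject().getNameID().getValue();  // assumed: NameID carries the secEnterprise account name
    }
    public void destroy() {}
}
```

Whatever element of the ticket your IdP actually puts the account name in, this validation should be the only code path that writes that session key, because the mobile server then logs the user on to BOE with the trusted secret without re-checking the ticket.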
Deploy the CustomFilter:
- Place the CustomFilter class in ‘<WebAppsROOT>\webapps\MobileBIService\WEB-INF\classes\com\businessobjects\mobilebi\server\filters’
- Copy all your dependent libraries (the opensaml 2.4 library in my case) to ‘<WebAppsROOT>\webapps\MobileBIService\WEB-INF\lib’. Check first that the libraries are not already present in that folder; if they are, do not replace them.
Now deploy and test the MobileBIService:
- Download and install the Chrome browser plugin ‘Advanced Rest Client’
- Send your request to the following URL
- In the payload section, add “SAMLResponse” as the key and your Base64-encoded SAML2 ticket as the value
- Click Send. If everything is fine, you should get a valid logon response with a success message, logon token, rights info, user info, etc.
Please note that since this is a custom implementation, it will be lost if and when you upgrade the Mobile Server to a later version. Hence, the suggestion is to back up the following and repeat the above steps on the new war file:
- the modified ‘sso.properties’, ‘authscheme.properties’ and web.xml
- the CustomFilter.class file
- the dependent libraries (the opensaml 2.4 library in my case)