
SAP BI Mobile Server Single Sign On Support


A SAML2 implementation is not shipped by default with SAP Mobile BI Server, because there is no one-size-fits-all approach. SAML2 authentication responses differ considerably from one customer to another, even though all of them conform to the SAML2 specification: the tickets have different issuers, different assertions, different certificates, different signatures, and different subjects and subject attributes. Handling each kind of SAML2 ticket therefore has to be implemented separately.


Before you start exploring further, let's look at some prerequisites:

  • It is expected that you already have your environment/infrastructure set up to authenticate incoming requests and to generate SAML2 tickets for them.
  • SAP Business Objects Enterprise Server has been enabled for Trusted Authentication (BIP Guide, Section 9.2). Note that your secEnterprise users must also be enabled for logon to SAP Business Objects Enterprise Server.
  • Your SAML2 tickets carry the user account name (user ID) of a secEnterprise user of your SAP Business Objects Enterprise. Trusted authentication uses this user ID together with the trusted shared secret to log on to SAP Business Objects Enterprise Server.


Now we have to configure Mobile BI Server so that, when a SAML2 ticket reaches the mobile server, it performs the following:

  • Validates the SAML2 ticket for expiry and authenticity
  • Extracts the user (the BOE enterprise alias) and adds it to the javax.servlet.http.HttpSession


At run time, when configured for the SAML2 scenario, the mobile server takes this user ID and logs you on to BOE using the trusted connection.


Implementing Custom Filter

SAP Mobile BI Server ships by default with a custom filter hook [reference implementation attached] which can be enabled and modified to achieve this. The steps are as follows.


First step

is to uncomment the following sections in web.xml (<WebAppsROOT>\webapps\MobileBIService\WEB-INF):

<!-- <filter>
        <filter-name>CustomFilter</filter-name>
        <filter-class>com.businessobjects.mobilebi.server.filters.CustomFilter</filter-class>
</filter> -->

<!-- <filter-mapping>
        <filter-name>CustomFilter</filter-name>
        <servlet-name>MobiServlet</servlet-name>
        <dispatcher>REQUEST</dispatcher>
        <dispatcher>FORWARD</dispatcher>
</filter-mapping> -->


Second step

is to enable the Authentication Scheme

  • Copy authscheme.properties from the default folder into the custom folder (<WebAppsROOT>\webapps\MobileBIService\WEB-INF\config)
  • Then modify the authscheme.properties file in the custom folder
  • Uncomment the line 'TRUST_WEB_SESSION=com.businessobjects.mobilebi.server.logon.impl.TrustedAuthSession'
  • Save and close the file


Third step

is to define the default SSO configuration

  • Copy sso.properties from the default folder into the custom folder (<WebAppsROOT>\webapps\MobileBIService\WEB-INF\config)
  • Then modify the sso.properties file in the custom folder
  • Choose your default CMS identifier
    • default.cms.identifier=abc
  • Now define your authentication scheme (the one that you enabled in the second step)
    • abc.authentication.scheme=TRUST_WEB_SESSION
  • The CMS can be given as a host alias, an IP address or a cluster name
    • Alias
      • abc.aliases=boe.xyz.corp:6400
    • IP
      • abc.aliases=10.10.10.10:6400
    • Cluster name
      • abc.aliases=@xyz
  • Now configure the remaining properties using this identifier, as below
    • abc.authentication.type=secEnterprise
    • abc.product.locale=en_GB
    • abc.preferred.viewing.locale=en_GB
    • abc.trusted.auth.sharedsecret=<copy the shared secret here>
  • You additionally need to configure the name of the HTTP session attribute from which the mobile server reads the user ID, and tell it to read from the web session rather than from a header
    • abc.trusted.auth.user.param=<key under which your filter stores the user ID as the value in the HTTP session object>
    • abc.trusted.auth.user.retrieval=WEB_SESSION
  • Save the sso.properties file


Fourth step

is to modify the Custom Filter

  • You need to set up a web project in the Eclipse development environment
  • Create a class named "CustomFilter" implementing the "javax.servlet.Filter" interface inside the package "com.businessobjects.mobilebi.server.filters"
  • Identify the SAML2 parsing library that you want to use to parse the SAML2 ticket. I have used the opensaml 2.4 library in the reference implementation
  • Reference the jars from your web project to resolve build dependencies
  • Implement the SAML2 handling code in CustomFilter [reference implementation attached]
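The filter that the fourth step asks for, carrying out the two tasks listed before the step-by-step part (validate the ticket for expiry and authenticity, then put the user ID into the HttpSession). This is an added example written for this page, not the reference implementation attached to the post. It is written against the OpenSAML 2.x API used by the post; the certificate path /etc/mobi/idp-signing.crt, the issuer and audience URLs, the session key MOBI_SSO_USER (which must match abc.trusted.auth.user.param in sso.properties) and the decision to act only on message=CredentialsMessage are all assumptions. Because the filter mapping covers every MobiServlet request, other messages such as GetVersion are passed through untouched.

```java
import java.io.*;
import java.security.cert.*;
import java.util.Collections;
import javax.servlet.*;
import javax.servlet.http.*;
import org.joda.time.DateTime;
import org.opensaml.DefaultBootstrap;
import org.opensaml.saml2.core.*;
import org.opensaml.security.SAMLSignatureProfileValidator;
import org.opensaml.xml.Configuration;
import org.opensaml.xml.parse.BasicParserPool;
import org.opensaml.xml.security.x509.BasicX509Credential;
import org.opensaml.xml.signature.Signature;
import org.opensaml.xml.signature.SignatureValidator;
import org.opensaml.xml.util.Base64;
import org.w3c.dom.Element;

/** Added example (not the attached reference implementation); all URLs, paths and keys are assumed. */
public class CustomFilter implements Filter {
    private static final String IDP_CERT_PATH = "/etc/mobi/idp-signing.crt";                // pinned IdP signing cert
    private static final String EXPECTED_ISSUER = "https://idp.xyz.corp/saml2";              // the only Issuer we accept
    private static final String EXPECTED_AUDIENCE = "https://mobi.xyz.corp/MobileBIService";  // this SP's entity ID
    private static final String SESSION_USER_KEY = "MOBI_SSO_USER";   // must equal abc.trusted.auth.user.param
    private static final long CLOCK_SKEW_MS = 60000L;
    private BasicParserPool parserPool;
    private BasicX509Credential idpCredential;

    public void init(FilterConfig config) throws ServletException {
        try {
            DefaultBootstrap.bootstrap();                 // registers the SAML2 unmarshallers
            parserPool = new BasicParserPool();
            parserPool.setNamespaceAware(true);
            // The ticket is attacker-supplied XML: refuse DTDs and entity expansion (XXE).
            parserPool.setExpandEntityReferences(false);
            parserPool.setBuilderFeatures(Collections.singletonMap(
                    "http://apache.org/xml/features/disallow-doctype-decl", Boolean.TRUE));
            InputStream in = new FileInputStream(IDP_CERT_PATH);
            idpCredential = new BasicX509Credential();
            idpCredential.setEntityCertificate((X509Certificate) CertificateFactory.getInstance("X.509").generateCertificate(in));
            in.close();
        } catch (Exception e) {
            throw new ServletException("CustomFilter initialisation failed", e);
        }
    }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;
        // Only the logon message carries the ticket; every other message passes through untouched.
        if (!"CredentialsMessage".equals(request.getParameter("message"))) { chain.doFilter(req, res); return; }
        String encoded = request.getParameter("SAMLResponse");
        if (encoded == null) { response.sendError(HttpServletResponse.SC_BAD_REQUEST, "Expecting SAML2 authentication payload with request"); return; }
        String user;
        try {
            user = validateAndExtractUser(Base64.decode(encoded));
        } catch (Exception e) {   // any parse, signature, status, issuer, audience or expiry failure
            response.sendError(HttpServletResponse.SC_UNAUTHORIZED, "SAML2 ticket rejected");
            return;
        }
        // Fresh session: a pre-existing (possibly attacker-fixed) session id must not be promoted.
        HttpSession old = request.getSession(false);
        if (old != null) old.invalidate();
        request.getSession(true).setAttribute(SESSION_USER_KEY, user);
        chain.doFilter(req, res);
    }

    /** Returns the NameID of the first assertion once every check passes; throws otherwise. */
    String validateAndExtractUser(byte[] samlXml) throws Exception {
        Element root = parserPool.parse(new ByteArrayInputStream(samlXml)).getDocumentElement();
        Object xml = Configuration.getUnmarshallerFactory().getUnmarshaller(root).unmarshall(root);
        if (!(xml instanceof Response)) throw new SecurityException("not a SAML2 Response");
        Response resp = (Response) xml;
        if (!StatusCode.SUCCESS_URI.equals(resp.getStatus().getStatusCode().getValue()))
            throw new SecurityException("IdP reported non-success status");
        if (resp.getAssertions().isEmpty()) throw new SecurityException("no assertion in response");
        Assertion a = resp.getAssertions().get(0);
        // Authenticity: the assertion must be signed, and only the pinned IdP key may verify it
        // (never a certificate carried inside the response's own KeyInfo).
        Signature sig = a.getSignature();
        if (sig == null) throw new SecurityException("assertion is not signed");
        new SAMLSignatureProfileValidator().validate(sig);   // enveloped-signature profile only
        new SignatureValidator(idpCredential).validate(sig);
        // Scope: issued by our IdP and addressed to this service.
        if (!EXPECTED_ISSUER.equals(a.getIssuer().getValue())) throw new SecurityException("unexpected issuer");
        Conditions c = a.getConditions();
        boolean audienceOk = false;
        for (AudienceRestriction ar : c.getAudienceRestrictions()) for (Audience aud : ar.getAudiences())
            audienceOk |= EXPECTED_AUDIENCE.equals(aud.getAudienceURI());
        if (!audienceOk) throw new SecurityException("audience mismatch");
        // Expiry: now must be strictly before NotOnOrAfter, allowing a little clock skew.
        DateTime now = new DateTime();
        if (c.getNotOnOrAfter() == null || !now.minus(CLOCK_SKEW_MS).isBefore(c.getNotOnOrAfter()))
            throw new SecurityException("assertion expired or has no expiry");
        String nameId = a.getSubject().getNameID().getValue();
        if (nameId == null || nameId.trim().isEmpty()) throw new SecurityException("empty NameID");
        return nameId;   // the secEnterprise user ID handed on to trusted authentication
    }
    public void destroy() { }
}
```

Two points worth keeping even if you rewrite the rest: the signature is verified against a certificate pinned on the server, never against a KeyInfo carried inside the response, and every failure path returns before chain.doFilter, so the trusted-authentication logon never sees an unchecked user ID. What the block does not do is replay protection; if a captured ticket could be replayed inside its validity window in your environment, remember assertion IDs until their NotOnOrAfter and reject repeats.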


Fifth step

is to deploy the CustomFilter

  • Place the CustomFilter class in '<WebAppsROOT>\webapps\MobileBIService\WEB-INF\classes\com\businessobjects\mobilebi\server\filters'
  • Copy all your dependent libraries (the opensaml 2.4 library in my case) to '<WebAppsROOT>\webapps\MobileBIService\WEB-INF\lib'. First check whether a library is already present in that folder; if it is, do not replace it.

Final Step

is to deploy and test the MobileBIService.

  • You can download and install the Chrome browser plugin 'Advanced Rest Client'
  • Send your request (a POST, since the ticket travels in the body) to the following URL

        http://<server>:<port>/MobileBIService/MessageHandlerServlet?message=CredentialsMessage&requestSrc=ipad&data=<logon logonViaSSO="true"/>

  • In the Payload section add "SAMLResponse" as the key and your Base64-encoded SAML2 ticket as the value
  • Click Send. If everything is fine you should get a valid logon response with a success message, logon token, rights info, user info etc.

Important Note

Please note that, since this is a custom implementation, it will be lost if and when you upgrade the Mobile Server to a later version. The suggestion is therefore to back up the following and repeat the above steps on the new war file:

  • the modified 'sso.properties', 'authscheme.properties' and web.xml
  • the CustomFilter.class file
  • the dependent libraries (the opensaml 2.4 library in my case)

7 Comments


  1. Stefan Sinzig

    Hi Ashutosh

    May I ask how and where you added your opensaml 2.4 library? Is it really possible to get SAML working with just Tomcat the way it is installed when you do a standard install? Or is there a need to add an Apache server to get this to work? The blog is somewhat vague in that regard. You only mention the opensaml 2.4 library at the very end of your blog but you never mention where it comes into play.

    I’m just struggling to understand the true requirements to get this working with Google SAML which we have available at our company.

    So to sum up my question: Can we get SAML working with the standard install or do we have to add Apache and shibboleth as well?

    Thanks for your blog! Much appreciated as the whole documentation around SAML is rather vague indeed.

    Stefan

    1. Ashutosh Rastogi Post author

      Hi Stefan,

      The opensaml 2.4 library was added along with the jars of the mobile server deployment, as I tried to code within the Mobile BI Service app. These libraries assist you in parsing the SAML assertion ticket and extracting the relevant username that you would use for trusted authentication.

      However, note that this does not eliminate the need to have an application server that acts as the service provider. The following link should be helpful here. Yes, you got it fairly right that you need to have Apache and Shibboleth as well.

       

      Regards,

      Ashutosh

      1. Stefan Sinzig

        Hi Ashutosh

        I appreciate your feedback. It has helped me a great deal and I’ll have another go at configuring it all over the coming weeks.

        Regards

        Stefan

         

  2. Ronald van Amelsvoort

    We configured SAML2 for the BI Launchpad as described in the blog https://blogs.sap.com/2015/07/21/apache-shibboleth-sso-with-tomcat-for-bi-platform-using-trusted-authentication/

    For the parameter trusted.auth.user.retrieval, REMOTE_USER is used.

    Our IdP is Iwelcome, and this works. The user gets redirected to the identity provider (Iwelcome). Here we enter the user and password, then we are redirected to the BO platform and BI Launchpad is started.

    Now we want to implement SAML2 authentication for the Mobile Server of the BO platform, because we want to use the SAP BI app on iOS and Android devices.

    We have done the configuration as shown above in this blog.

    When we try to log in with the SAP BI app we get the error message "Your request is invalid: verify the connection details or contact your administrator (MOB06009) (HTTP 404)".

     

    If we test with the test URL http://<server>:<port>/MobileBIService/MessageHandlerServlet?message=CredentialsMessage&requestSrc=ipad&data=<logon logonViaSSO="true"/> in a browser, we get redirected to the identity provider (Iwelcome). Here we enter the user and password, then we are redirected to the BO platform and get the error message

    "Expecting SAML2 authentication payload with request"

    When we test the Mobile Server: http://servername:port/MobileBIService/MessageHandlerServlet?message=GetVersion

    we get the following result:

    <Result status="success"><info><version productVersion="14.2.2.1975" internalVersion="4.0" lumira.version="1.31"/></info></Result>

    Any ideas what is wrong, and how to configure this?

     

    1. Ashutosh Rastogi Post author

      Hello,

      I would recommend that you reach out to SAP support. It looks like this needs some debugging to understand what's going wrong.

      I have changed roles and am not close to the Mobile BI code anymore, hence I would not be able to answer this right away.

      Regards

      Ashutosh
