By Pavan Kowshik Santebidanur Nagaraja

Kerberos Single Sign-On on SAP BusinessObjects Mobile

Kerberos is an authentication mechanism in which no passwords are transmitted over the network. Instead of a password, the client presents a ticket issued by a trusted Ticket Granting Server in its request, and the server relies on that ticket to authenticate the client.

To enable Kerberos-based authentication for the Mobi iOS application, a few simple steps are needed on both the iOS device and the Mobile server. Below we outline what these steps are and how they are to be done.

 

Supported on SAP BusinessObjects Mobile 6.3 onwards (iOS only)

Supported on SAP BI Platform 4.1 (SP07 onwards) and 4.2 (SP02 onwards)

 

(Note: This entire document assumes that the BI Platform is already configured for Kerberos-based authentication. Kerberos SSO is supported only for normal BOE connections from mobile; connections involving SUP and SMP are not supported.)

 

Configuring the WinAD Machine

Starting with iOS 10, only Constrained Credential Delegation is supported, so the WinAD machine must be configured to support it. If your organization has users on iOS 10 devices, this step is mandatory.

Constrained Credential Delegation also works with iOS 9, so it is best to set it up even if there are no iOS 10 users yet.

* Open Active Directory Users and Computers.
* Choose the SAP BusinessObjects service account. Right-click it and open "Properties".
* Open the "Delegation" tab in the properties window.
* By default the selected option is "Trust this user for delegation to any service (Kerberos only)". Change it to the third option, "Trust this user for delegation to specified services only", and choose "Use Kerberos only" under it. Then click the "Add" button to add the specified service types.
* In the "Add Services" window, click the "Users or Computers" button.
* Enter the service account name in the "Enter object names to select" text area and click "Check Names". This adds the service account name in the format service_account_name (the logon name of the service account). Finish by clicking "OK".
* Click "Select All" and then "OK". This selects all service types for the specified user/computer.
* Finally, click "Apply" and "OK" to apply the changes to the service account.

The above steps change the delegation setting of the service account to constrained delegation.

Configuring the iOS Device

 

On iOS, Kerberos is controlled by a configuration profile that tells the iOS framework how Kerberos tickets should be handled. This profile can be installed from any MDM tool. If you do not have an MDM tool, host the file on any application server and open the link in the Safari browser; iOS will automatically detect it as a Kerberos SSO profile and show the installation screen. The configuration profile must have a .mobileconfig extension. Let us look at a sample configuration profile and check which values we are supposed to update.

 

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>PayloadContent</key>
  <array>
    <dict>
      <key>PayloadDisplayName</key>
      <string>SSO Settings</string>
      <key>PayloadType</key>
      <string>com.apple.sso</string>
      <key>PayloadVersion</key>
      <integer>1</integer>
      <key>PayloadUUID</key>
      <string>d3fe4709-0cc6-4f51-afed-839c6ab1451c</string>
      <key>PayloadIdentifier</key>
      <string>com.sap.example.sso</string>
      <key>Name</key>
      <string>username@EXAMPLE.COM</string>
      <key>Kerberos</key>
      <dict>
        <key>PrincipalName</key>
        <string>username</string>
        <key>Realm</key>
        <string>EXAMPLE.COM</string>
        <key>URLPrefixMatches</key>
        <array>
          <string>https://example.com/</string>
          <string>https://example.com:443/</string>
        </array>
        <key>AppIdentifierMatches</key>
        <array>
          <string>com.apple.mobilesafari</string>
          <string>com.sap.*</string>
        </array>
      </dict>
    </dict>
  </array>
  <key>PayloadOrganization</key>
  <string>SAP</string>
  <key>PayloadDisplayName</key>
  <string>SSO for SAP</string>
  <key>PayloadVersion</key>
  <integer>1</integer>
  <key>PayloadUUID</key>
  <string>f4544183-fc96-495f-a384-435cdb66e5b9</string>
  <key>PayloadIdentifier</key>
  <string>com.sap.example.sso.profile</string>
  <key>PayloadDescription</key>
  <string>SSO Configuration profile</string>
  <key>PayloadType</key>
  <string>Configuration</string>
</dict>
</plist>

 

 

Attribute – Value

Inner SSO payload (inside PayloadContent):

PayloadDisplayName – Do not modify this string. Leave it as it is.
PayloadType – Do not modify this string. Leave it as it is.
PayloadVersion – Do not modify this string. Leave it as it is.
PayloadUUID – This should be a unique ID, which can be generated from https://guidgenerator.com/
PayloadIdentifier – This should be modified so that it reflects your company domain. Example: com.<your company name>.mobi.sso
Name – Any name for the profile which you are creating.
PrincipalName – The WinAD user name with which the Kerberos login happens.
Realm – The Kerberos realm. In the case of Active Directory, this is usually the AD domain.
URLPrefixMatches – The URL(s) to which iOS will append the service ticket. It can have multiple entries; at least one of them should be of the format http://<Host Name FQDN>:<Port> of the Mobile Server, where FQDN is the fully qualified domain name.
AppIdentifierMatches – The list of applications which are eligible to use Kerberos-based authentication. No changes are needed here, since com.sap.* already covers the Mobi iOS application, whose app id is com.sap.mobi.

Outer profile:

PayloadOrganization – Your organization name.
PayloadDisplayName – Name for this SSO payload. Any string can be given here.
PayloadVersion – Do not modify this string. Leave it as it is.
PayloadUUID – This should be a unique ID, which can be generated from https://guidgenerator.com/
PayloadIdentifier – This should be modified so that it reflects your company domain. Example: com.<your company name>.mobi.sso.profile
PayloadDescription – Any description of the payload profile.
PayloadType – Do not modify this string. Leave it as it is.

 

 

This configuration profile must be modified carefully before deploying since this is the single source which tells iOS how and when to append the Kerberos service ticket. Utmost care should be taken while providing values for Name, PrincipalName, Realm and URLPrefixMatches.

 

 

Configuring the Import Connection Server

SSO connections in SAP BusinessObjects Mobile can be set up only through the Import server URL. The following connection configuration needs to be done on the MOBI configuration server (MOBIServer) in the server.properties file.


SSO_Kerberos.DisplayName – This can be any string; it becomes your connection name.

SSO_Kerberos.BOBJ_MOBILE_URL – This is the mobile server URL. The URL given here and the URL given in URLPrefixMatches in the iOS configuration profile from the previous section must be the same. (URLs should use the FQDN.)

SSO_Kerberos.BOBJ_MOBILE_CMS – This should be the CMS cluster name or the FQDN hostname of the machine running the BI Platform CMS.

SSO_Kerberos.BOBJ_MOBILE_SSO_ENABLED – Do not change the value! Leave it as true.

SSO_Kerberos.BOBJ_MOBILE_SSO_TYPE – Do not change the value. Leave it as kerberos.
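As an added example (not part of the original post), the following Python script parses a .mobileconfig profile with the structure shown in the previous section and checks the points the attribute table calls out: well-formed and distinct PayloadUUIDs, identifiers no longer at the sample value, an AppIdentifierMatches entry that covers com.sap.mobi, and a URLPrefixMatches entry that matches SSO_Kerberos.BOBJ_MOBILE_URL from server.properties (with an FQDN host). The profile and server.properties values it embeds are constructed for illustration.

```python
import plistlib
import re
import uuid
from urllib.parse import urlsplit

# Constructed .mobileconfig in the shape of the sample profile (hypothetical values).
SAMPLE_PROFILE = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>PayloadContent</key>
  <array>
    <dict>
      <key>PayloadDisplayName</key><string>SSO Settings</string>
      <key>PayloadType</key><string>com.apple.sso</string>
      <key>PayloadVersion</key><integer>1</integer>
      <key>PayloadUUID</key><string>3b2d3a7e-5f0c-4c3c-9e0e-0d8c3a4f1b21</string>
      <key>PayloadIdentifier</key><string>com.acme.mobi.sso</string>
      <key>Name</key><string>jdoe@ACME.COM</string>
      <key>Kerberos</key>
      <dict>
        <key>PrincipalName</key><string>jdoe</string>
        <key>Realm</key><string>ACME.COM</string>
        <key>URLPrefixMatches</key>
        <array><string>https://mobi.acme.com:8443/</string></array>
        <key>AppIdentifierMatches</key>
        <array><string>com.apple.mobilesafari</string><string>com.sap.*</string></array>
      </dict>
    </dict>
  </array>
  <key>PayloadDisplayName</key><string>SSO for SAP</string>
  <key>PayloadVersion</key><integer>1</integer>
  <key>PayloadUUID</key><string>9f1c6c52-7d4a-4a6b-8b7e-2f5e1d0a9c33</string>
  <key>PayloadIdentifier</key><string>com.acme.mobi.sso.profile</string>
  <key>PayloadType</key><string>Configuration</string>
</dict>
</plist>
"""

# Constructed server.properties fragment from the MOBIServer (hypothetical values).
SAMPLE_SERVER_PROPERTIES = """
SSO_Kerberos.BOBJ_MOBILE_URL=https://mobi.acme.com:8443/MobileBIService
SSO_Kerberos.BOBJ_MOBILE_CMS=cms.acme.com
SSO_Kerberos.BOBJ_MOBILE_SSO_ENABLED=true
SSO_Kerberos.BOBJ_MOBILE_SSO_TYPE=kerberos
"""

MOBI_APP_ID = "com.sap.mobi"  # bundle id of the Mobi iOS app, as stated in the post


def parse_properties(text):
    # Minimal key=value reader; enough for the fragment used here (no escapes or continuations).
    pairs = (l.partition("=") for l in text.splitlines() if l.strip() and not l.lstrip().startswith("#"))
    return {k.strip(): v.strip() for k, _, v in pairs}


def app_pattern_matches(pattern, app_id):
    # AppIdentifierMatches entries may end in a '*' wildcard (e.g. com.sap.*).
    regex = "^" + re.escape(pattern).replace(r"\*", ".*") + "$"
    return re.match(regex, app_id) is not None


def check_profile(profile_bytes, server_properties_text):
    # Returns a list of findings; an empty list means the profile is consistent.
    findings = []
    root = plistlib.loads(profile_bytes)
    props = parse_properties(server_properties_text)
    sso = next((p for p in root.get("PayloadContent", []) if p.get("PayloadType") == "com.apple.sso"), None)
    if sso is None:
        return ["no com.apple.sso payload inside PayloadContent"]
    kerb = sso.get("Kerberos", {})
    # Outer profile and inner SSO payload each need their own well-formed UUID.
    uuids = [root.get("PayloadUUID", ""), sso.get("PayloadUUID", "")]
    for u in uuids:
        try:
            uuid.UUID(u)
        except ValueError:
            findings.append(f"PayloadUUID {u!r} is not a valid UUID")
    if len(set(uuids)) != len(uuids):
        findings.append("outer and inner PayloadUUID must differ")
    # Identifiers must be changed to reflect your own company domain.
    for ident in (root.get("PayloadIdentifier", ""), sso.get("PayloadIdentifier", "")):
        if ident.startswith("com.sap.example"):
            findings.append(f"PayloadIdentifier {ident!r} still carries the sample value")
    # One URLPrefixMatches entry must match the mobile server URL in server.properties,
    # and that URL must use the FQDN of the mobile server host.
    mobile_url = props.get("SSO_Kerberos.BOBJ_MOBILE_URL", "")
    if not any(mobile_url.startswith(p) for p in kerb.get("URLPrefixMatches", [])):
        findings.append("URLPrefixMatches has no entry matching SSO_Kerberos.BOBJ_MOBILE_URL")
    host = urlsplit(mobile_url).hostname or ""
    if "." not in host:
        findings.append(f"mobile server host {host!r} is not a fully qualified domain name")
    # AppIdentifierMatches must cover the Mobi app id (com.sap.* does).
    if not any(app_pattern_matches(p, MOBI_APP_ID) for p in kerb.get("AppIdentifierMatches", [])):
        findings.append(f"AppIdentifierMatches does not cover {MOBI_APP_ID}")
    # Server-side flags the post says must keep their fixed values.
    for key, want in {"SSO_Kerberos.BOBJ_MOBILE_SSO_ENABLED": "true", "SSO_Kerberos.BOBJ_MOBILE_SSO_TYPE": "kerberos"}.items():
        if props.get(key) != want:
            findings.append(f"{key} must be {want}")
    return findings
```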

 

Configuring the Mobile Server

Last but not least, the mobile server must be enabled for Kerberos-based authentication. You will need to carry out the following three steps in order:

* Stop the Tomcat server.

* Modify sso.properties, authscheme.properties and web.xml.

* Clean-start the Tomcat server.

Let us see the changes to be made for the three files mentioned above.

 

Changes for sso.properties

 


  1. Uncomment default.cms.identifier and assign it the value 1
  2. Uncomment aliases and give it the value which you gave for SSO_Kerberos.BOBJ_MOBILE_CMS described in the previous section.
  3. Uncomment authentication.scheme and assign it the value KERBEROS.

 

Changes for authscheme.properties


Uncomment the KERBEROS property in authscheme.properties.

Configuring web.xml

Replace the web.xml that exists in MobileBIService with the attached web.xml file. (Make sure you pick the XML that suits your version; there is one for 4.1 and one for 4.2.) The parameters below must be given values specific to your environment:

    <init-param>
        <param-name>sso.enabled</param-name>
        <param-value>true</param-value>
    </init-param>

    <init-param>
        <param-name>siteminder.enabled</param-name>
        <param-value>false</param-value>
    </init-param>

    <init-param>
        <param-name>vintela.enabled</param-name>
        <param-value>true</param-value>
    </init-param>

    <init-param>
        <param-name>idm.realm</param-name>
        <param-value>{your-realm-name-here}</param-value>
    </init-param>

    <init-param>
        <param-name>idm.princ</param-name>
        <param-value>{your-principal-name-here}</param-value>
    </init-param>

    <init-param>
        <param-name>idm.allowUnsecured</param-name>
        <param-value>true</param-value>
    </init-param>

    <init-param>
        <param-name>idm.allowNTLM</param-name>
        <param-value>false</param-value>
    </init-param>

    <init-param>
        <param-name>idm.logger.name</param-name>
        <param-value>simple</param-value>
    </init-param>

    <init-param>
        <param-name>idm.logger.props</param-name>
        <param-value>error-log.properties</param-value>
    </init-param>

The values for each of these keys can be found in global.properties, which is created when the BI Platform is set up with Kerberos. global.properties is located at installation folder\tomcat\webapps\BOE\WEB-INF\config\custom\global.properties.
Note: If you made the changes described in the first section of this blog to enable Constrained Credential Delegation, you must also add the following configuration to web.xml so that the mobile server can work with your WinAD machine:

<init-param>
      <param-name>idm.allowS4U</param-name>
      <param-value>true</param-value>
</init-param>
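As an added example (not part of the original post or the attached web.xml files), this Python script reads the KerberosFilter init-params from a web.xml, checks the values the post says must stay fixed, flags placeholders left in idm.realm and idm.princ, compares those two with global.properties, confirms idm.allowS4U is set when constrained delegation was configured in AD, and confirms the filter is mapped to VintelaServlet. The web.xml and global.properties fragments are constructed, and the global.properties key names are assumed to match the init-param names.

```python
import re
import xml.etree.ElementTree as ET

# Constructed web.xml fragment in the shape of the attached files (hypothetical values).
SAMPLE_WEB_XML = """<web-app xmlns="http://java.sun.com/xml/ns/j2ee" id="MobileBIService" version="2.4">
  <filter>
    <filter-name>KerberosFilter</filter-name>
    <filter-class>com.businessobjects.mobilebi.server.filters.KerberosFilter</filter-class>
    <init-param><param-name>sso.enabled</param-name><param-value>true</param-value></init-param>
    <init-param><param-name>siteminder.enabled</param-name><param-value>false</param-value></init-param>
    <init-param><param-name>vintela.enabled</param-name><param-value>true</param-value></init-param>
    <init-param><param-name>idm.realm</param-name><param-value>ACME.COM</param-value></init-param>
    <init-param><param-name>idm.princ</param-name><param-value>{your-principal-name-here}</param-value></init-param>
    <init-param><param-name>idm.allowUnsecured</param-name><param-value>true</param-value></init-param>
    <init-param><param-name>idm.allowNTLM</param-name><param-value>false</param-value></init-param>
    <init-param><param-name>idm.logger.name</param-name><param-value>simple</param-value></init-param>
    <init-param><param-name>idm.logger.props</param-name><param-value>error-log.properties</param-value></init-param>
  </filter>
  <filter-mapping>
    <filter-name>KerberosFilter</filter-name>
    <servlet-name>VintelaServlet</servlet-name>
    <dispatcher>REQUEST</dispatcher>
  </filter-mapping>
</web-app>
"""

# Constructed global.properties fragment (hypothetical values); the key names are assumed
# to be the same as the init-param names, which is how the post describes them.
SAMPLE_GLOBAL_PROPERTIES = """
sso.enabled=true
vintela.enabled=true
idm.realm=ACME.COM
idm.princ=bosvc/bo.service.acme.com
idm.allowUnsecured=true
idm.allowNTLM=false
"""

# Values the post says must not be changed.
FIXED_VALUES = {"sso.enabled": "true", "siteminder.enabled": "false",
                "vintela.enabled": "true", "idm.allowNTLM": "false"}


def parse_properties(text):
    # Minimal key=value reader; enough for the fragment used here (no escapes or continuations).
    pairs = (l.partition("=") for l in text.splitlines() if l.strip() and not l.lstrip().startswith("#"))
    return {k.strip(): v.strip() for k, _, v in pairs}


def kerberos_filter_params(root):
    # '{*}' matches any namespace, so this also works with the j2ee-namespaced web.xml.
    for flt in root.findall("{*}filter"):
        if flt.findtext("{*}filter-name", "").strip() == "KerberosFilter":
            return {p.findtext("{*}param-name", "").strip(): p.findtext("{*}param-value", "").strip()
                    for p in flt.findall("{*}init-param")}
    return None


def check_web_xml(web_xml_text, global_properties_text, constrained_delegation):
    # Returns a list of findings for the KerberosFilter configuration; empty means OK.
    findings = []
    root = ET.fromstring(web_xml_text)
    params = kerberos_filter_params(root)
    if params is None:
        return ["web.xml defines no KerberosFilter"]
    gp = parse_properties(global_properties_text)
    for key, want in FIXED_VALUES.items():
        if params.get(key) != want:
            findings.append(f"{key} must be {want}, found {params.get(key)!r}")
    # Realm and principal are environment specific: no placeholder, and equal to global.properties.
    for key in ("idm.realm", "idm.princ"):
        value = params.get(key, "")
        if not value or re.fullmatch(r"\{.*\}", value):
            findings.append(f"{key} still holds the placeholder {value!r}")
        elif key in gp and gp[key] != value:
            findings.append(f"{key}={value!r} differs from global.properties ({gp[key]!r})")
    # Constrained delegation on the service account needs idm.allowS4U=true on the mobile server.
    if constrained_delegation and params.get("idm.allowS4U") != "true":
        findings.append("constrained delegation configured in AD, but idm.allowS4U is not true")
    # The filter only guards the Kerberos logon if it is mapped to VintelaServlet.
    mapped = any(m.findtext("{*}filter-name", "").strip() == "KerberosFilter"
                 and m.findtext("{*}servlet-name", "").strip() == "VintelaServlet"
                 for m in root.findall("{*}filter-mapping"))
    if not mapped:
        findings.append("KerberosFilter is not mapped to VintelaServlet")
    return findings
```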

 

Changes to Web.xml for Lumira 2.0 add on

If you have installed the Lumira 2.0 add-on, a few more modifications to the attached web.xml are needed (irrespective of whether the XML is for 4.1 or 4.2):

  1. Find the line "<servlet-class>com.businessobjects.mobilebi.server.addon.ProxyZenServlet</servlet-class>" and replace it with "<servlet-class>com.businessobjects.lumirastudio.mobi.ZenMobiServlet</servlet-class>".
  2. Find the line "<servlet-class>com.businessobjects.mobilebi.server.addon.ProxyUI5ResourceServlet</servlet-class>" and replace it with "<servlet-class>com.businessobjects.lumirastudio.mobi.ZenUI5ResourceProxyServlet</servlet-class>".
  3. Add the following at the end of the XML file, just before the </web-app> tag:

    <servlet-mapping>
        <servlet-name>LumxNativeServlet</servlet-name>
        <url-pattern>/lumx</url-pattern>
    </servlet-mapping>

    <servlet>
        <servlet-name>LumxNativeServlet</servlet-name>
        <servlet-class>com.sap.teamserver.mobile.addon.LimoRequestHandler</servlet-class>
    </servlet>

    <servlet-mapping>
        <servlet-name>LumiraHTMLServlet</servlet-name>
        <url-pattern>/zen/view.do</url-pattern>
    </servlet-mapping>

    <servlet>
        <servlet-name>LumiraHTMLServlet</servlet-name>
        <servlet-class>com.businessobjects.lumirastudio.mobi.LumiraHTMLMobiServlet</servlet-class>
    </servlet>

    <servlet-mapping>
        <servlet-name>PJSServlet</servlet-name>
        <url-pattern>/sap/lumira/prompt</url-pattern>
    </servlet-mapping>

    <servlet-mapping>
        <servlet-name>PJSServlet</servlet-name>
        <url-pattern>/sap/service/*</url-pattern>
    </servlet-mapping>

    <servlet>
        <servlet-name>PJSServlet</servlet-name>
        <servlet-class>com.businessobjects.teamserver.servlet.DispatcherServlet</servlet-class>
    </servlet>

    <servlet-mapping>
        <servlet-name>VizExtBundleServlet</servlet-name>
        <url-pattern>/sap/vizext/*</url-pattern>
    </servlet-mapping>

    <servlet>
        <servlet-name>VizExtBundleServlet</servlet-name>
        <servlet-class>com.businessobjects.teamserver.servlet.VizExtBundleServlet</servlet-class>
    </servlet>

Troubleshooting and Help

       https://developer.apple.com/library/ios/featuredarticles/iPhoneConfigurationProfileRef/Introduction/Introduction.html

 

  • Kerberos SSO does not seem to work on iPad – This might be due to a variety of reasons, but it is good to check the following few things on the device before investigating further:

    – The user's DNS server settings must include the DNS server through which the ticket-granting server provides the ticket to the iPad. This means adding the entries under DNS and Search Domains in the IP address settings of the connected Wi-Fi network.

    – If you get a Username/Password authentication popup while trying to connect to a Kerberos connection, try restarting the iPad, since the profile installed on the iPad sometimes requires a restart.

 

 

Attachments

4.1 Web.xml

<?xml version="1.0" encoding="utf-8"?>
<web-app  id="MobileBIService" version="2.4" xmlns="http://java.sun.com/xml/ns/j2ee"
	xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
	xsi:schemaLocation="http://java.sun.com/xml/ns/j2ee http://java.sun.com/xml/ns/j2ee/web-app_2_4.xsd">

    <display-name>MobileBIService</display-name>
    <context-param>
        <description>This is The Version of Mobile Server</description>
        <param-name>internal.version</param-name>
        <param-value>4.0</param-value>
    </context-param>
     <context-param>
        <param-name>enable.pnr</param-name>
        <param-value>true</param-value>
    </context-param>
    <context-param>
        <param-name>mobile.server.configuration.location</param-name>
        <param-value>boe</param-value>
    </context-param>
    
    <filter>
        <filter-name>RequestResponseFilter</filter-name>
        <filter-class>com.businessobjects.mobilebi.server.filters.RequestResponseFilter</filter-class>
    </filter>
    <!-- 
    <filter>
        <filter-name>CustomFilter</filter-name>
        <filter-class>com.businessobjects.mobilebi.server.filters.CustomFilter</filter-class>
    </filter> 
    -->
    <filter>
        <filter-name>AuthFilter</filter-name>
        <filter-class>com.businessobjects.mobilebi.server.filters.AuthFilter</filter-class>
    </filter>
	<filter>
		<filter-name>CompressionFilter</filter-name>
		<filter-class>com.businessobjects.datadiscovery.web.servletfilters.CompressionFilter</filter-class>
		<init-param>
			<param-name>ignoredContentType</param-name>
			<param-value>flash</param-value>
		</init-param>
	</filter>
	<filter>
    <filter-name>KerberosFilter</filter-name>
    <filter-class>com.businessobjects.mobilebi.server.filters.KerberosFilter</filter-class>
    <init-param>
    	<param-name>sso.enabled</param-name>
    	<param-value>true</param-value>
    </init-param>
      <init-param>
    	<param-name>siteminder.enabled</param-name>
    	<param-value>false</param-value>
    </init-param>
      <init-param>
    	<param-name>vintela.enabled</param-name>
    	<param-value>true</param-value>
    </init-param>
      <init-param>
    	<param-name>idm.realm</param-name>
    	<param-value>CIETEAM.COM</param-value>
    </init-param>
      <init-param>
    	<param-name>idm.princ</param-name>
    	<param-value>biservice02224</param-value>
    </init-param>
      <init-param>
    	<param-name>idm.allowUnsecured</param-name>
    	<param-value>true</param-value>
    </init-param>
      <init-param>
    	<param-name>idm.allowNTLM</param-name>
    	<param-value>false</param-value>
    </init-param>
     <init-param>
    	<param-name>idm.logger.name</param-name>
    	<param-value>simple</param-value>
    </init-param>
     <init-param>
    	<param-name>idm.logger.props</param-name>
    	<param-value>error-log.properties</param-value>
    </init-param>
  </filter>
    <filter-mapping>
   <filter-name>KerberosFilter</filter-name>
    <servlet-name>VintelaServlet</servlet-name>
    <dispatcher>REQUEST</dispatcher>
    <dispatcher>FORWARD</dispatcher>
    <dispatcher>INCLUDE</dispatcher>
   </filter-mapping>
    <filter-mapping>
        <filter-name>RequestResponseFilter</filter-name>
        <servlet-name>MobiServlet</servlet-name>
        <dispatcher>REQUEST</dispatcher>
        <dispatcher>FORWARD</dispatcher>
    </filter-mapping>
    <!-- 
    <filter-mapping>
        <filter-name>CustomFilter</filter-name>
        <servlet-name>MobiServlet</servlet-name>
        <dispatcher>REQUEST</dispatcher>
        <dispatcher>FORWARD</dispatcher>
    </filter-mapping>
    -->
    <filter-mapping>
        <filter-name>AuthFilter</filter-name>
        <servlet-name>MobiServlet</servlet-name>
        <dispatcher>REQUEST</dispatcher>
        <dispatcher>FORWARD</dispatcher>
    </filter-mapping>
	<filter-mapping>
		<filter-name>CompressionFilter</filter-name>
		<servlet-name>ExplorerServlet</servlet-name>
		<dispatcher>REQUEST</dispatcher>
		<dispatcher>FORWARD</dispatcher>
	</filter-mapping>

    <listener>
        <listener-class>com.businessobjects.mobilebi.server.listeners.MobiListener</listener-class>
	</listener>
	<listener>
		<listener-class>com.businessobjects.datadiscovery.web.listeners.LoggingConfigurationListener</listener-class>
	</listener>
	<listener>
		<listener-class>com.businessobjects.datadiscovery.web.listeners.DataDiscoveryHttpSessionListener</listener-class>
    </listener>
   	<listener>
        <listener-class>com.sap.xcelsius.mobi.server.listener.XcelsiusListener</listener-class>
    </listener>

    <servlet>
        <servlet-name>MessageServlet</servlet-name>
        <servlet-class>com.businessobjects.mobilebi.server.controller.MessageServlet</servlet-class>
        <load-on-startup>1</load-on-startup>
    </servlet>
    <servlet>
        <servlet-name>MobiServlet</servlet-name>
        <servlet-class>com.businessobjects.mobilebi.server.http.MobiServlet</servlet-class>
        <load-on-startup>1</load-on-startup>
    </servlet>
    <servlet>
        <servlet-name>SupServlet</servlet-name>
        <servlet-class>com.businessobjects.mobilebi.server.http.SUPHandlerServlet</servlet-class>
        <load-on-startup>1</load-on-startup>
    </servlet>
    <servlet>
        <servlet-name>AgnosticServlet</servlet-name>
        <servlet-class>com.businessobjects.mobilebi.server.addon.AgnosticServlet</servlet-class>
        <load-on-startup>1</load-on-startup>
    </servlet>
	<servlet>
        <servlet-name>ZenServlet</servlet-name>
        <servlet-class>com.businessobjects.mobilebi.server.addon.ProxyZenServlet</servlet-class>
        <load-on-startup>1</load-on-startup>
    </servlet>
    <servlet>
        <servlet-name>LIMAServlet</servlet-name>
        <servlet-class>com.businessobjects.mobilebi.server.addon.ProxyLimaServlet</servlet-class>
        <load-on-startup>1</load-on-startup>
    </servlet>
    <servlet>
        <servlet-name>ResourceServlet</servlet-name>
        <servlet-class>com.businessobjects.mobilebi.server.addon.ProxyUI5ResourceServlet</servlet-class>
    </servlet>
    <servlet>
        <servlet-name>XcelsiusServlet</servlet-name>
        <servlet-class>com.sap.xcelsius.mobi.server.http.XcelsiusServlet</servlet-class>
        <load-on-startup>1</load-on-startup>
    </servlet>
    <servlet>
        <servlet-name>XcelsiusFileServlet</servlet-name>
        <servlet-class>com.sap.xcelsius.mobi.server.http.XcelsiusFileServlet</servlet-class>
        <load-on-startup>1</load-on-startup>
    </servlet>
    <servlet>
        <servlet-name>ExplorerServlet</servlet-name>
		<servlet-class>com.businessobjects.datadiscovery.web.servlets.CommandDispatcherServlet</servlet-class>
        <load-on-startup>1</load-on-startup>
    </servlet>
    <servlet>
        <servlet-name>ICrystalServlet</servlet-name>
        <servlet-class>com.sap.crystalreports.web.CrystalReportWebServlet</servlet-class>
        <load-on-startup>1</load-on-startup>
    </servlet>
 	<servlet>
    <servlet-name>LumiraServlet</servlet-name>
    <servlet-class>com.businessobjects.mobilebi.server.addon.LumiraProxyServlet</servlet-class>
  	</servlet>
  	 <servlet>
    <description>HandleKerberosLogon</description>
    <servlet-name>VintelaServlet</servlet-name>
    <servlet-class>com.businessobjects.mobilebi.server.http.VintelaServlet</servlet-class>
    </servlet>
    <servlet-mapping>
        <servlet-name>MessageServlet</servlet-name>
        <url-pattern>/MessageHandlerServlet</url-pattern>
    </servlet-mapping>
    <servlet-mapping>
        <servlet-name>SupServlet</servlet-name>
        <url-pattern>/SUP/*</url-pattern>
    </servlet-mapping>
    <servlet-mapping>
        <servlet-name>MobiServlet</servlet-name>
        <url-pattern>/mobi</url-pattern>
	</servlet-mapping>
	<servlet-mapping>
        <servlet-name>AgnosticServlet</servlet-name>
        <url-pattern>/agnostic</url-pattern>
    </servlet-mapping>
    <servlet-mapping>
        <servlet-name>ZenServlet</servlet-name>
        <url-pattern>/zen</url-pattern>
    </servlet-mapping>
    <servlet-mapping>
	    <servlet-name>ZenServlet</servlet-name>
        <url-pattern>/zen/*</url-pattern>
	</servlet-mapping>    
    <servlet-mapping>
        <servlet-name>ZenServlet</servlet-name>
        <url-pattern>/int.do</url-pattern>
    </servlet-mapping>
    <servlet-mapping>
        <servlet-name>ZenServlet</servlet-name>
        <url-pattern>/ZenServlet</url-pattern>
    </servlet-mapping>
    <servlet-mapping>
        <servlet-name>ZenServlet</servlet-name>
        <url-pattern>/ZenMobiServlet</url-pattern>
    </servlet-mapping>
    <servlet-mapping>
        <servlet-name>LIMAServlet</servlet-name>
        <url-pattern>/lima</url-pattern>
    </servlet-mapping>
    <servlet-mapping>
	    <servlet-name>LIMAServlet</servlet-name>
        <url-pattern>/lima/*</url-pattern>
	</servlet-mapping>    
	 <servlet-mapping>
        <servlet-name>ResourceServlet</servlet-name>
        <url-pattern>/resources/*</url-pattern>
    </servlet-mapping>
	<servlet-mapping>
        <servlet-name>XcelsiusServlet</servlet-name>
        <url-pattern>/xcelsius</url-pattern>
    </servlet-mapping>
    <servlet-mapping>
        <servlet-name>XcelsiusFileServlet</servlet-name>
        <url-pattern>/xcelsius/mxp/*</url-pattern>
    </servlet-mapping>
    <servlet-mapping>
        <servlet-name>ExplorerServlet</servlet-name>
        <url-pattern>/explorer</url-pattern>
    </servlet-mapping>
    <servlet-mapping>
        <servlet-name>ICrystalServlet</servlet-name>
        <url-pattern>/icrystal</url-pattern>
    </servlet-mapping>
	<servlet-mapping>
    <servlet-name>LumiraServlet</servlet-name>
    <url-pattern>/lumira</url-pattern>
  	</servlet-mapping>
  	  <servlet-mapping>
    <servlet-name>VintelaServlet</servlet-name>
    <url-pattern>/VintelaServlet</url-pattern>
  </servlet-mapping>
    <session-config>
        <session-timeout>60</session-timeout>
    </session-config>
</web-app>


4.2 Web.xml

<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns="http://java.sun.com/xml/ns/j2ee" xmlns:javaee="http://java.sun.com/xml/ns/javaee" xmlns:web="http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd" xsi:schemaLocation="http://java.sun.com/xml/ns/j2ee http://java.sun.com/xml/ns/j2ee/web-app_2_4.xsd" id="MobileBIService" version="2.4">
  <display-name>MobileBIService</display-name>
  <context-param>
    <description>This is The Version of Mobile Server</description>
    <param-name>internal.version</param-name>
    <param-value>4.0</param-value>
  </context-param>
  <context-param>
    <param-name>mobile.server.configuration.location</param-name>
    <param-value>boe</param-value>
  </context-param>
  <context-param>
    <param-name>enable.pnr</param-name>
    <param-value>false</param-value>
  </context-param>
  <filter>
    <filter-name>RequestResponseFilter</filter-name>
    <filter-class>com.businessobjects.mobilebi.server.filters.RequestResponseFilter</filter-class>
  </filter>
  <filter>
    <filter-name>AuthFilter</filter-name>
    <filter-class>com.businessobjects.mobilebi.server.filters.AuthFilter</filter-class>
  </filter>
  <filter>
    <filter-name>CompressionFilter</filter-name>
    <filter-class>com.businessobjects.datadiscovery.web.servletfilters.CompressionFilter</filter-class>
    <init-param>
      <param-name>ignoredContentType</param-name>
      <param-value>flash</param-value>
    </init-param>
  </filter>
  <filter>
    <filter-name>KerberosFilter</filter-name>
    <filter-class>com.businessobjects.mobilebi.server.filters.KerberosFilter</filter-class>
    
      
    <init-param>
    	<param-name>sso.enabled</param-name>
    	<param-value>true</param-value>
    </init-param>
    <init-param>
    	<param-name>siteminder.enabled</param-name>
    	<param-value>false</param-value>
    </init-param>
      <init-param>
    	<param-name>vintela.enabled</param-name>
    	<param-value>true</param-value>
    </init-param>
      <init-param>
    	<param-name>idm.realm</param-name>
    	<param-value>CIETEAM.COM</param-value>
    </init-param>
      <init-param>
    	<param-name>idm.princ</param-name>
    	<param-value>BOEXI40SIADEWDFWADEPT1514/bo.service.CIETEAM.COM</param-value>
    </init-param>
      <init-param>
    	<param-name>idm.allowUnsecured</param-name>
    	<param-value>true</param-value>
    </init-param>
      <init-param>
    	<param-name>idm.allowNTLM</param-name>
    	<param-value>false</param-value>
    </init-param>
     <init-param>
    	<param-name>idm.logger.name</param-name>
    	<param-value>simple</param-value>
    </init-param>
	<init-param>
    	<param-name>idm.logger.props</param-name>
    	<param-value>error-log.properties</param-value>
    </init-param> 
    
  </filter>
  <filter-mapping>
   <filter-name>KerberosFilter</filter-name>
    <servlet-name>VintelaServlet</servlet-name>
    <dispatcher>REQUEST</dispatcher>
    <dispatcher>FORWARD</dispatcher>
	<dispatcher>INCLUDE</dispatcher>
   </filter-mapping>
   <filter-mapping>
    <filter-name>RequestResponseFilter</filter-name>
    <servlet-name>MobiServlet</servlet-name>
    <dispatcher>REQUEST</dispatcher>
    <dispatcher>FORWARD</dispatcher>
  </filter-mapping>
  <filter-mapping>
    <filter-name>AuthFilter</filter-name>
    <servlet-name>MobiServlet</servlet-name>
    <dispatcher>REQUEST</dispatcher>
    <dispatcher>FORWARD</dispatcher>
  </filter-mapping>
  <filter-mapping>
    <filter-name>CompressionFilter</filter-name>
    <servlet-name>ExplorerServlet</servlet-name>
    <dispatcher>REQUEST</dispatcher>
    <dispatcher>FORWARD</dispatcher>
  </filter-mapping>
  <listener>
    <listener-class>com.businessobjects.mobilebi.server.listeners.MobiListener</listener-class>
  </listener>
  <listener>
    <listener-class>com.businessobjects.datadiscovery.web.listeners.LoggingConfigurationListener</listener-class>
  </listener>
  <listener>
    <listener-class>com.businessobjects.datadiscovery.web.listeners.DataDiscoveryHttpSessionListener</listener-class>
  </listener>
  <listener>
    <listener-class>com.sap.xcelsius.mobi.server.listener.XcelsiusListener</listener-class>
  </listener>
  <servlet>
    <servlet-name>MessageServlet</servlet-name>
    <servlet-class>com.businessobjects.mobilebi.server.controller.MessageServlet</servlet-class>
    <load-on-startup>1</load-on-startup>
  </servlet>
  <servlet>
    <servlet-name>MobiServlet</servlet-name>
    <servlet-class>com.businessobjects.mobilebi.server.http.MobiServlet</servlet-class>
    <load-on-startup>1</load-on-startup>
  </servlet>
  <servlet>
    <servlet-name>SupServlet</servlet-name>
    <servlet-class>com.businessobjects.mobilebi.server.http.SUPHandlerServlet</servlet-class>
    <load-on-startup>1</load-on-startup>
  </servlet>
  <servlet>
    <servlet-name>AgnosticServlet</servlet-name>
    <servlet-class>com.businessobjects.mobilebi.server.addon.AgnosticServlet</servlet-class>
    <load-on-startup>1</load-on-startup>
  </servlet>
  <servlet>
    <servlet-name>ZenServlet</servlet-name>
    <servlet-class>com.businessobjects.mobilebi.server.addon.ProxyZenServlet</servlet-class>
    <load-on-startup>1</load-on-startup>
  </servlet>
  <servlet>
    <servlet-name>LIMAServlet</servlet-name>
    <servlet-class>com.businessobjects.mobilebi.server.addon.ProxyLimaServlet</servlet-class>
    <load-on-startup>1</load-on-startup>
  </servlet>
  <servlet>
    <servlet-name>ResourceServlet</servlet-name>
    <servlet-class>com.businessobjects.mobilebi.server.addon.ProxyUI5ResourceServlet</servlet-class>
  </servlet>
  <servlet>
    <servlet-name>XcelsiusServlet</servlet-name>
    <servlet-class>com.sap.xcelsius.mobi.server.http.XcelsiusServlet</servlet-class>
    <load-on-startup>1</load-on-startup>
  </servlet>
  <servlet>
    <servlet-name>XcelsiusFileServlet</servlet-name>
    <servlet-class>com.sap.xcelsius.mobi.server.http.XcelsiusFileServlet</servlet-class>
    <load-on-startup>1</load-on-startup>
  </servlet>
  <servlet>
    <servlet-name>ExplorerServlet</servlet-name>
    <servlet-class>com.businessobjects.datadiscovery.web.servlets.CommandDispatcherServlet</servlet-class>
    <load-on-startup>1</load-on-startup>
  </servlet>
  <servlet>
    <servlet-name>ICrystalServlet</servlet-name>
    <servlet-class>com.sap.crystalreports.web.CrystalReportWebServlet</servlet-class>
    <load-on-startup>1</load-on-startup>
  </servlet>
  <servlet>
    <servlet-name>LumiraServlet</servlet-name>
    <servlet-class>com.businessobjects.mobilebi.server.addon.LumiraProxyServlet</servlet-class>
  </servlet>
  <servlet>
    <servlet-name>PushNotificationServlet</servlet-name>
    <servlet-class>com.businessobjects.mobilebi.server.pushnotification.controller.PushNotificationServlet</servlet-class>
  </servlet>
   <servlet>
    <servlet-name>VintelaServlet</servlet-name>
    <servlet-class>com.businessobjects.mobilebi.server.http.VintelaServlet</servlet-class>
   </servlet>
  <servlet-mapping>
    <servlet-name>PushNotificationServlet</servlet-name>
    <url-pattern>/push</url-pattern>
  </servlet-mapping>
  <servlet-mapping>
    <servlet-name>MessageServlet</servlet-name>
    <url-pattern>/MessageHandlerServlet</url-pattern>
  </servlet-mapping>
  <servlet-mapping>
    <servlet-name>SupServlet</servlet-name>
    <url-pattern>/SUP/*</url-pattern>
  </servlet-mapping>
  <servlet-mapping>
    <servlet-name>MobiServlet</servlet-name>
    <url-pattern>/mobi</url-pattern>
  </servlet-mapping>
  <servlet-mapping>
    <servlet-name>AgnosticServlet</servlet-name>
    <url-pattern>/agnostic</url-pattern>
  </servlet-mapping>
  <servlet-mapping>
    <servlet-name>ZenServlet</servlet-name>
    <url-pattern>/zen</url-pattern>
  </servlet-mapping>
  <servlet-mapping>
    <servlet-name>ZenServlet</servlet-name>
    <url-pattern>/zen/*</url-pattern>
  </servlet-mapping>
  <servlet-mapping>
    <servlet-name>ZenServlet</servlet-name>
    <url-pattern>/int.do</url-pattern>
  </servlet-mapping>
  <servlet-mapping>
    <servlet-name>ZenServlet</servlet-name>
    <url-pattern>/ZenServlet</url-pattern>
  </servlet-mapping>
  <servlet-mapping>
    <servlet-name>ZenServlet</servlet-name>
    <url-pattern>/ZenMobiServlet</url-pattern>
  </servlet-mapping>
  <servlet-mapping>
    <servlet-name>LIMAServlet</servlet-name>
    <url-pattern>/lima</url-pattern>
  </servlet-mapping>
  <servlet-mapping>
    <servlet-name>LIMAServlet</servlet-name>
    <url-pattern>/lima/*</url-pattern>
  </servlet-mapping>
  <servlet-mapping>
    <servlet-name>ResourceServlet</servlet-name>
    <url-pattern>/resources/*</url-pattern>
  </servlet-mapping>
  <servlet-mapping>
    <servlet-name>XcelsiusServlet</servlet-name>
    <url-pattern>/xcelsius</url-pattern>
  </servlet-mapping>
  <servlet-mapping>
    <servlet-name>XcelsiusFileServlet</servlet-name>
    <url-pattern>/xcelsius/mxp/*</url-pattern>
  </servlet-mapping>
  <servlet-mapping>
    <servlet-name>ExplorerServlet</servlet-name>
    <url-pattern>/explorer</url-pattern>
  </servlet-mapping>
  <servlet-mapping>
    <servlet-name>ICrystalServlet</servlet-name>
    <url-pattern>/icrystal</url-pattern>
  </servlet-mapping>
  <servlet-mapping>
    <servlet-name>LumiraServlet</servlet-name>
    <url-pattern>/lumira</url-pattern>
  </servlet-mapping>
  <servlet-mapping>
    <servlet-name>VintelaServlet</servlet-name>
    <url-pattern>/VintelaServlet</url-pattern>
  </servlet-mapping>
  <session-config>
    <session-timeout>60</session-timeout>
  </session-config>
</web-app>
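A quick consistency check for the edited web.xml, added here as an example and not part of the SAP product or this post: it parses the descriptor, flags servlet-mappings that reference no declared servlet (a typo in the hand-added VintelaServlet block surfaces here), lists servlets that have no mapping, and confirms the SSO servlet is wired to its URL. The embedded excerpt is constructed from the listing above plus one deliberately misspelled mapping; the javaee default namespace is assumed.

```python
"""Sanity-check a BI Mobile server web.xml after adding the Kerberos
(VintelaServlet) entries. Added example, not SAP product code."""
import xml.etree.ElementTree as ET

# Constructed excerpt of the descriptor above (two real entries from the
# listing); the 'VintelaSevlet' mapping is a deliberate typo to be detected.
SAMPLE_WEB_XML = """<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="2.5">
  <servlet>
    <servlet-name>PushNotificationServlet</servlet-name>
    <servlet-class>com.businessobjects.mobilebi.server.pushnotification.controller.PushNotificationServlet</servlet-class>
  </servlet>
  <servlet>
    <servlet-name>VintelaServlet</servlet-name>
    <servlet-class>com.businessobjects.mobilebi.server.http.VintelaServlet</servlet-class>
  </servlet>
  <servlet-mapping>
    <servlet-name>PushNotificationServlet</servlet-name>
    <url-pattern>/push</url-pattern>
  </servlet-mapping>
  <servlet-mapping>
    <servlet-name>VintelaServlet</servlet-name>
    <url-pattern>/VintelaServlet</url-pattern>
  </servlet-mapping>
  <servlet-mapping>
    <servlet-name>VintelaSevlet</servlet-name>
    <url-pattern>/sso</url-pattern>
  </servlet-mapping>
  <session-config><session-timeout>60</session-timeout></session-config>
</web-app>"""


def check_web_xml(xml_text, sso_servlet="VintelaServlet", sso_path="/VintelaServlet"):
    """Return findings: mappings with no declared servlet, declared servlets
    with no mapping, whether the SSO servlet is bound to sso_path, and the
    session timeout in minutes (None if absent)."""
    root = ET.fromstring(xml_text)
    # '{*}' (Python 3.8+) matches any namespace, so the check works whether or
    # not the descriptor declares the Java EE default namespace.
    declared = {s.findtext("{*}servlet-name") for s in root.findall("{*}servlet")}
    mapped = {}
    for m in root.findall("{*}servlet-mapping"):
        mapped.setdefault(m.findtext("{*}servlet-name"), []).append(m.findtext("{*}url-pattern"))
    timeout = root.findtext("{*}session-config/{*}session-timeout")
    return {
        "undeclared_mappings": sorted(set(mapped) - declared),
        "unmapped_servlets": sorted(declared - set(mapped)),
        "sso_wired": sso_path in mapped.get(sso_servlet, []),
        "session_timeout_min": int(timeout) if timeout else None,
    }
```

Run it against the real web.xml with `check_web_xml(open(path).read())`; an empty `undeclared_mappings` list and `sso_wired == True` are what you want before restarting Tomcat.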

13 Comments
      Vikas Kumar Yadav

      Very Good Write Up.

      Former Member

      Thank you for the very good write up.

      Do you know if Kerberos SSO for SAP BO Mobile will be supported on BI 4.2 SP2 as well?

      Pavan Kowshik Santebidanur Nagaraja
      Blog Post Author

      Hello Tobias

      Kerberos SSO is supported on BI 4.2 SP2 for SAP BO Mobile 🙂

      Former Member

      Hello Pavan,

      thank you. Very good news 🙂

      Joe Peters

      How does this look from the client device? Does iOS pop up an id/password dialog each time?

      Pavan Kowshik Santebidanur Nagaraja
      Blog Post Author

      You get a popup initially where you will have to enter the Win AD password to get the service token. After this the subsequent logins will happen without any pop up until the obtained service token expires.

      Joe Peters

      Great - thank you!

      Karthik Kanniyappan

      Adding to Pavan's reply, Kerberos tokens on iOS devices are interoperable between apps, which means: say for App-1 having Kerberos auth enabled, you have already signed in, and if the Kerberos token is still valid (whatever has been set by the admin on WinAD), the same token can be used in App-2, but this time it's a direct SSO without an auth challenge. That's the beauty of Kerberos, and well implemented in iOS and apps consumption.

      Former Member

      Hi,

      I am trying to setup this feature but I have a question (the guide document is not clear).

      In the mobileconfig file I put the Windows AD username for the user, so should I create a mobileconfig for each user? Or do I put the princ mentioned in global.properties?

      Regards

      Karthik Kanniyappan

      If you leave the username empty in the mobile.config file, then on your iOS device it will prompt for the username as well, along with the password, when Kerberos first expects a username/password.

      Lluis Aspachs

      Thanks Pavan,

      This article is very useful and your configuration works!

      However it is very disappointing to see that users get a pop up 10 hours after the initial log in (due to the expiration of the obtained service token) and they need to enter their Win AD password again in their iPads. This expiration time for service tokens normally is a corporate global policy setting and cannot be changed easily due to security reasons.

      This solution would work if SAP BI Mobile stored the initial password and re-used for token renewal. This way users should enter their passwords once and maximum every 3 months when they changed, but not every day.

      Would there be a setting for this or is there any solution for not having to re-type passwords every day?

      Many thanks in advance for your thoughts.

      Best Regards,

      Karthik Kanniyappan

      Kerberos in BI platform is supported not just in 4.1 SP07 onwards but also from 4.2 SP02 onwards (this is the first version under GA in 4.2).

      Vikas Kumar Yadav

      You could also refer to the blog below, which was written after setting up Kerberos for iOS devices. This is based on the setup experience.

      http://scn.sap.com/community/mobile/businessobjects/blog/2016/05/09/sap-mobile-bi-winad-sso--kerberos

      Also normally profiles are pushed by MDM tools and could vary from user to user.

      Regards

      Vikas