OneLogin SSO to BusinessObjects
I have a customer request recently who needs to configure OneLogin’s SAML SSO into BusinessObjects for BILaunchPad access. Below I try to document the configurations steps for this integrations.
Background on OneLogin according to Wiki:
OneLogin’s Open Source SAML Toolkits now used by over 70 SaaS vendors to make their apps more secure and over 300 app vendors.
This is not the first time that I have use OneLogin’s. I have use it as IDP for my other SAML integration tests. I have used OneLogin SSO successfully integrated into Hana. I like the product because its fairly easy to use and an IDP that I can leverage free (limited to 3 app).
As disclaimer BusinessObjects supports SSO for SAML only as Trusted Authentication via HTTPHeader. For this integration we are doing a bit more as I have written the code to create trusted principal behind the scene thus eliminates the Header requirement = more secure.
Step 1: Download the OneLogin Java Toolkit: https://github.com/onelogin/java-saml
For reference as how the SAML- Toolkits is built
Once the toolkit has been downloaded, I recommend using MAVEN to built the installation package which will pull all dependent library that the ToolKit requires. I pull down v1.1.2 package as during validation discover a bug #48; which got resolve quickly by OneLogin support.
Step 2: Configure BusinessObjects to use Trusted Authentications
Modify the global.properties file to have as we don’t need update the parameter for trusted.auth.user.param nor trusted.auth.user.retrieval because we will be creating logonToken via API call.
The steps below are not new. There are tons of material on SCN or notes including service.sap.com/sap/support/notes/1833968
|1)||Login as Administrator account to CMC|
|4)||New Shared Secret|
|5)||Download Shared Secret|
|6)||Copy the TrustedPrinicpal.conf file to the|
AIX: <BOBJ INSTALLDIR>/sap_bobj/enterprise_xi40/aix_rs6000_64/
Win: <BOBJ INSTALLDIR>\SAP BusinessObjects Enterprise XI 4.0\win64_x64
Step 3: Configure OneLogin SSO using the SAML Test Connector:
Modify the above target URL by the app id (571972:
Update the OneLogin consumer.jsp:
Step 4: Develop the BOBJ Trusted Authentication Token generate that is base off OneLogin SAML UID
Why use the classic Enterprise SDK? Its more secure for doing Trusted Authentication vs. Restful WebServices; If Restful WS was used to create logonToken using WinAD then this is as acceptable alternative. Below is sample code and I do not support this.
<%@ page language=“java” contentType=“text/html; charset=ISO-8859-1”
<%@ page import = “com.crystaldecisions.sdk.framework.CrystalEnterprise”%>
<%@ page import = “com.crystaldecisions.sdk.framework.ISessionMgr”%>
<%@ page import = “com.crystaldecisions.sdk.framework.IEnterpriseSession”%>
<%@ page import = “com.crystaldecisions.sdk.occa.security.ILogonTokenMgr”%>
<%@ page import = “com.crystaldecisions.sdk.framework.ITrustedPrincipal” %>
<%@ page import = “com.crystaldecisions.sdk.exception.SDKException” %>
String cmsName = “xxxxx.phl.sap.corp”;
String auth = “secEnterprise”;
String sharedSecret = “efbfbd2649efbfbd32efbfbd13efbfbdefbfbd0cefbfbd07d686efbfbd555a0108efbfbd660fefbfbdefbfbd44efbfbd44781464efbfbd4befbfbdefbfbdd99a69efbfbdd6b1e7a798efbfbd3429e5a988efbfbdca886b55472aefbfbdefbfbd67efbfbd1cefbfbdefbfbd”;
String UID = (String) session.getAttribute(“UID”);
//test output System.out.println(“UID=” + UID);
out.println(“SSO Fail in UID”);
String token = “”;
// Java launchPad URL
String port = “8080”;
String launchPad = “/BOE/BI/logon/start.do?”;
// Logon to Enterprise, create Token, and redirect to OpenDocument
IEnterpriseSession enterpriseSession = null;
if (enterpriseSession == null)
// Attempt logon. Create an Enterprise session
// manager object.
ISessionMgr sm = CrystalEnterprise.getSessionMgr();
// Log on to BusinessObjects Enterprise
ITrustedPrincipal trusted = sm.createTrustedPrincipal(UID, cmsName, sharedSecret);
enterpriseSession = CrystalEnterprise
// hardcode test enterpriseSession = sm.logon(UID, “Welcome2”,cmsName, auth);
String logonToken = enterpriseSession.getLogonTokenMgr()
.createLogonToken(“”, 10, 5);
//test output out.println(launchPad + “ivsLogonToken=” + logonToken);
response.sendRedirect(launchPad + “ivsLogonToken=” + logonToken);
catch (SDKException e)
out.println(“ERROR” + e.getDetailMessage());
Step 5: Update your Java Library from BusinessObjects Install
You can retrieve these files under \<BOEInstallPath>\SAP BusinessObjects Enterprise XI 4.0\java\lib and \<BOEInstallPath>\SAP BusinessObjects Enterprise XI 4.0\java\lib\ext.
Deployment in en, de, es, fr, it, ja, nl, ru, tr, zh_CN
Resources for Additional Languages
Core JAR Files
Dependent JAR Files
SAP BusinessObjects Business Intelligence platform Java SDK
Note: Starred items indicate JAR files required when using SSL between the web tier and the backend servers, as well as between backend servers.
Note: Include these files in addition to the JAR files listed in the previous columns. Replace xxwith the appropriate language code.
Thats all… whew.. I hope this helps in your OneLogin SAML SSO integration with BOBJ