I recently had a request from a customer who needs to configure OneLogin's SAML SSO into BusinessObjects for BI LaunchPad access. Below I try to document the configuration steps for this integration.

Background on OneLogin according to Wiki:

OneLogin's Open Source SAML Toolkits are now used by over 70 SaaS vendors to make their apps more secure and over 300 app vendors.

This is not the first time that I have used OneLogin. I have used it as the IDP for my other SAML integration tests, and I have successfully integrated OneLogin SSO into Hana. I like the product because it's fairly easy to use and it's an IDP that I can leverage for free (limited to 3 apps).

As a disclaimer, BusinessObjects supports SSO for SAML only as Trusted Authentication via HTTP header. For this integration we are doing a bit more: I have written code that creates the trusted principal behind the scenes, which eliminates the header requirement and is therefore more secure.

Step 1: Download the OneLogin Java Toolkit: https://github.com/onelogin/java-saml

https://www.onelogin.com/resources/saml-toolkits

For reference on how the SAML toolkit is built:

https://developers.onelogin.com/saml/java

Once the toolkit has been downloaded, I recommend using Maven to build the installation package, which will pull in all the dependent libraries that the toolkit requires. I pulled down the v1.1.2 package because during validation I discovered bug #48, which was resolved quickly by OneLogin support.

Step 2: Configure BusinessObjects to use Trusted Authentications

Modify the global.properties file to contain the line below. We don't need to update the trusted.auth.user.param or trusted.auth.user.retrieval parameters because we will be creating the logonToken via an API call.


sso.enabled=true

The steps below are not new. There is tons of material on SCN and in notes, including service.sap.com/sap/support/notes/1833968

[Screenshot: scn_CMC_Authentications.png]

1) Log in to the CMC with the Administrator account
2) Authentication Tab
3) Enterprise
4) New Shared Secret
5) Download Shared Secret
6) Copy the TrustedPrincipal.conf file to the following directory:

AIX: <BOBJ INSTALLDIR>/sap_bobj/enterprise_xi40/aix_rs6000_64/

Win: <BOBJ INSTALLDIR>\SAP BusinessObjects Enterprise XI 4.0\win64_x64

Step 3: Configure OneLogin SSO using the SAML Test Connector:

[Screenshot: SCN_OneLogin.jpg]

[Screenshot: SCN_OneLogin Consumer Updates.png]

Modify the above target URL to use the app id (571972):

[Screenshot: OneLoginSAMLSSOConfig.png]

Update the OneLogin consumer.jsp:

[Screenshot: x509Cert Update.png]

Step 4: Develop the BOBJ Trusted Authentication token generator that is based on the OneLogin SAML UID

Why use the classic Enterprise SDK? It's more secure for doing Trusted Authentication than RESTful Web Services. If RESTful WS was used to create the logonToken using WinAD, then this is an acceptable alternative. Below is sample code, and I do not support it.

<%@ page language="java" contentType="text/html; charset=ISO-8859-1"
    pageEncoding="ISO-8859-1"%>
<%@ page import="java.net.URLEncoder" %>
<%@ page import="com.crystaldecisions.sdk.framework.CrystalEnterprise" %>
<%@ page import="com.crystaldecisions.sdk.framework.ISessionMgr" %>
<%@ page import="com.crystaldecisions.sdk.framework.IEnterpriseSession" %>
<%@ page import="com.crystaldecisions.sdk.occa.security.ILogonTokenMgr" %>
<%@ page import="com.crystaldecisions.sdk.framework.ITrustedPrincipal" %>
<%@ page import="com.crystaldecisions.sdk.exception.SDKException" %>
<%
// CMS host and authentication type
String cmsName = "xxxxx.phl.sap.corp";
String auth = "secEnterprise";
// Shared secret downloaded from the CMC in Step 2 (hard-coded in this sample)
String sharedSecret = "efbfbd2649efbfbd32efbfbd13efbfbdefbfbd0cefbfbd07d686efbfbd555a0108efbfbd660fefbfbdefbfbd44efbfbd44781464efbfbd4befbfbdefbfbdd99a69efbfbdd6b1e7a798efbfbd3429e5a988efbfbdca886b55472aefbfbdefbfbd67efbfbd1cefbfbdefbfbd";

// UID stored in the HTTP session (the OneLogin SAML UID)
String UID = (String) session.getAttribute("UID");
//test output System.out.println("UID=" + UID);
if (UID == null)
{
    // No SAML UID in the session: stop here, do not attempt a logon
    out.println("SSO Fail in UID");
    return;
}
String token = "";

//=======================================================================
// Java launchPad URL
//=======================================================================
String port = "8080";
String launchPad = "/BOE/BI/logon/start.do?";

//=======================================================================
// Logon to Enterprise, create Token, and redirect to OpenDocument
//=======================================================================
IEnterpriseSession enterpriseSession = null;
if (enterpriseSession == null)
{
    try
    {
        // Attempt logon. Create an Enterprise session
        // manager object.
        ISessionMgr sm = CrystalEnterprise.getSessionMgr();

        // Log on to BusinessObjects Enterprise as the SAML user,
        // authenticated by the shared secret instead of a password
        ITrustedPrincipal trusted = sm.createTrustedPrincipal(UID, cmsName, sharedSecret);
        enterpriseSession = sm.logon(trusted);

        // hardcode test enterpriseSession = sm.logon(UID, "Welcome2", cmsName, auth);

        // Token valid for 10 minutes and 5 logons
        String logonToken = enterpriseSession.getLogonTokenMgr()
                .createLogonToken("", 10, 5);
        //test output out.println(launchPad + "ivsLogonToken=" + logonToken);

        // URL-encode the token: it can contain characters that are
        // reserved in a query string
        response.sendRedirect(launchPad + "ivsLogonToken="
                + URLEncoder.encode(logonToken, "UTF-8"));
    }
    catch (SDKException e)
    {
        out.println("ERROR" + e.getDetailMessage());
    }
}
%>
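
The UID check and redirect construction from Step 4, as an added example that is not part of the original post: a stand-alone Java class (JDK only) that vets the session UID before it would be handed to createTrustedPrincipal and URL-encodes the logon token. The class name, the deny list, the 128-character limit and the sample values are assumptions.

```java
import java.io.UnsupportedEncodingException;
import java.net.URLEncoder;
import java.util.Arrays;
import java.util.HashSet;
import java.util.Locale;
import java.util.Set;

// Added example, not part of the original post. All names are hypothetical.
public class TrustedLogonGuard {

    // Assumption: accounts that must never be reachable through SSO trusted logon.
    private static final Set<String> DENIED =
            new HashSet<String>(Arrays.asList("administrator", "guest"));

    // Returns the UID to pass to createTrustedPrincipal, or null to refuse the logon.
    static String vetUid(Object sessionValue) {
        if (!(sessionValue instanceof String)) return null;    // missing or wrong type
        String uid = ((String) sessionValue).trim();
        if (uid.isEmpty() || uid.length() > 128) return null;  // assumed length limit
        for (int i = 0; i < uid.length(); i++) {
            if (Character.isISOControl(uid.charAt(i))) return null; // CR/LF, NUL, ...
        }
        if (DENIED.contains(uid.toLowerCase(Locale.ROOT))) return null;
        return uid;
    }

    // Builds the launch pad redirect; encoding keeps '&', '=' and '@' inside the token value.
    static String redirectUrl(String launchPad, String logonToken)
            throws UnsupportedEncodingException {
        return launchPad + "ivsLogonToken=" + URLEncoder.encode(logonToken, "UTF-8");
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample inputs, not real users or tokens.
        Object[] samples = { "jdoe@example.com", " Administrator ", "bad\r\nuser", "", null, 42 };
        for (int i = 0; i < samples.length; i++) {
            System.out.println("sample " + i + " -> " + vetUid(samples[i]));
        }
        String fakeToken = "cms.example:6400@{3&2=1234,U3&p=40}"; // constructed value
        System.out.println(redirectUrl("/BOE/BI/logon/start.do?", fakeToken));
    }
}
```

Only the first sample is accepted; the others return null, which the JSP would treat the same way as a missing UID.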

Step 5: Update your Java Library from BusinessObjects Install

You can retrieve these files under \<BOEInstallPath>\SAP BusinessObjects Enterprise XI 4.0\java\lib and \<BOEInstallPath>\SAP BusinessObjects Enterprise XI 4.0\java\lib\ext.

SDK: SAP BusinessObjects Business Intelligence platform Java SDK

Deployment in en, de, es, fr, it, ja, nl, ru, tr, zh_CN

Core JAR Files

  • bcm.jar
  • biarengine.jar
  • ceaspect.jar
  • cecore.jar
  • celib.jar
  • ceplugins_core.jar
  • cesession.jar
  • corbaidl.jar
  • ebus405.jar
  • logging.jar
  • TraceLog.jar

Dependent JAR Files

  • activation-1.1.jar
  • aspectjrt.jar
  • axiom-api-1.2.5.jar
  • axiom-impl-1.2.5.jar
  • axis2-adb-1.3.jar
  • axis2-kernel-1.3.jar
  • axis2.saaj-1.3.jar
  • backport-util-concurrent-2.2.jar
  • certFIPS.jar
  • com.sap.js.passport.api.jar
  • commons-logging-1.1.jar
  • cryptojFIPS.jar
  • derby.jar
  • freessl201.jar
  • log4j.jar
  • ssljFIPS.jar
  • stax-api-1.0.1.jar
  • wsdl4j-1.6.2.jar
  • wxts-asl-3.2.1.jar
  • XmlSchema-1.3.2.jar

Note: Starred items indicate JAR files required when using SSL between the web tier and the backend servers, as well as between backend servers.

Resources for Additional Languages

  • ceresprops_xx.jar
  • cecore_xx.jar
  • celib_xx.jar

Note: Include these files in addition to the JAR files listed above. Replace xx with the appropriate language code.

That's all… whew. I hope this helps in your OneLogin SAML SSO integration with BOBJ.
