SAML Authentication REST Endpoint for BOE on Tomcat
This document summarizes the planned enhancements in the next SAP BI 4.2 Support Package 5 for the new Fiori BI Launchpad. As the SAP BI 4.2 SP5 content is still subject to change, please consider the legal disclaimer statement below:
The information in this presentation is confidential and proprietary to SAP and may not be disclosed without the permission of SAP. This presentation is not subject to your license agreement or any other service or subscription agreement with SAP. SAP has no obligation to pursue any course of business outlined in this document or any related presentation, or to develop or release any functionality mentioned therein. This document, or any related presentation and SAP's strategy and possible future developments, products and/or platforms directions and functionality are all subject to change and may be changed by SAP at any time for any reason without notice. The information in this document is not a commitment, promise or legal obligation to deliver any material, code or functionality. This document is provided without a warranty of any kind, either express or implied, including but not limited to, the implied warranties of merchantability, fitness for a particular purpose, or non-infringement. This document is for informational purposes and may not be incorporated into a contract. SAP assumes no responsibility for errors or omissions in this document, except if such damages were caused by SAP's willful misconduct or gross negligence.
All forward-looking statements are subject to various risks and uncertainties that could cause actual results to differ materially from expectations. Readers are cautioned not to place undue reliance on these forward-looking statements, which speak only as of their dates, and they should not be relied upon in making purchasing decisions.
The SAML REST API can be invoked by any client that mimics the behavior of a web browser for SAML authentication.
The REST endpoint for SAML authentication is http://host:<port>/biprws/v1/logon/saml. It takes no query parameters: it reads the user principal from the HTTP request object, performs a trusted authentication for that user principal, and returns the serialized token.
To configure SAML for the REST endpoint, follow the procedure below:
1) Configure Trusted Authentication for REST Web Services on Tomcat with WebSession as the option.
a. Configure the shared secret in the CMC:
   - In the CMC application, go to Authentication, Enterprise (refer to the screen below).
   - Enable Trusted Authentication.
   - Set the validity.
   - Choose New Shared Secret.
   - To download the generated shared secret, choose Download Shared Secret. The TrustedPrincipal.conf file is downloaded.
   - Paste the TrustedPrincipal.conf file into <INSTALLDIR>\SAP BusinessObjects Enterprise XI 4.0\win64_x64 and <INSTALLDIR>\SAP BusinessObjects Enterprise XI 4.0\win64_x32.
   - Go to CMC, Authentication, Enterprise and choose Update.
b. Modify the file at <BOE Install Dir>\tomcat\webapps\biprws\WEB-INF\config\custom\biprws.properties as shown in the screenshot below.
2) User creation on BOE.
The IDP user has to be created in BOE: manually, imported through an SDK script, or through the CSV option in the CMC. SAML-based authentication relies on Trusted Authentication from the web server to the CMS, so the IDP users must exist in BOE as Enterprise users.
If you are using the SAP Cloud Platform Identity Provider, export all the users and then import them into the BI platform. Refer to "How to import users in bulk from Central Management Console".
To export SAP Cloud Platform users to CSV, refer to "Export Existing Users of a Tenant of SAP Cloud Platform Identity Authentication Service".
3) Configurations in the deployment descriptor, web.xml.
A new filter has been introduced for SAML. The relevant section of web.xml is commented out by default. Enable the filters in the web.xml of RestWebServices by uncommenting the SAML section(s).
web.xml file path: <BOE Install Dir>\tomcat\webapps\biprws\WEB-INF\web.xml
a. Uncomment the listener, context param, filter and filter mapping for SAML.
   - web.xml before the changes looks as shown in the screenshot below.
   - web.xml after uncommenting the SAML section(s) looks as shown in the screenshot below.
b. Delete the biprws work folder under <BOE Install Dir>\tomcat\work.
4) Update the IDP metadata.
To update the IDP metadata in the SP, download the IDP metadata from the respective IDP. Copy the metadata file to <BOE Install Dir>\tomcat\webapps\biprws\WEB-INF and rename it to idp-meta-downloaded.xml. For more details on downloading the IDP metadata, refer to "Tenant SAML 2.0 Configuration".
If BOE is deployed on a non-Windows machine, the path separators in the file path to the IDP metadata under the FilesystemMetadataProvider bean must be changed in securityContext.xml under <BOE Install Dir>\tomcat\webapps\BOE\WEB-INF, i.e.
    <value type="java.io.File">/WEB-INF/idp-meta-downloaded.xml</value>
has to be changed to
    <value type="java.io.File">\WEB-INF\idp-meta-downloaded.xml</value>
5) Generate a keystore (optional). This step applies only if you want to use your own keystore file.
SAML exchanges use cryptography for signing and encrypting data. A sample self-signed keystore, sampletestKeystore.jks, is packaged with the product and is valid until October 18, 2019. sampletestKeystore.jks has the alias name Testkey and the password Password1. You can generate your own self-signed keystore file using the Java utility keytool. Follow the steps below:
a. Navigate to <INSTALLDIR>\SAP BusinessObjects Enterprise XI 4.0\win64_x64\sapjvm\bin.
b. Run the command: keytool -genkeypair -alias aliasname -keypass password -keystore samplekeystore.jks -validity numberofdays
   For example: keytool -genkeypair -alias TestAlias -keypass AliasPassword -keystore sampleKeystore.jks -validity 735
|Argument|Description|
|---|---|
|-alias|Alias name of the certificate|
|-keypass|Password of the certificate's key|
|-keystore|Name of the keystore file|
|-validity|Validity of the certificate|
|numberofdays|Number of days for which the self-signed certificate is valid|
c. The command prompts for the following (sample answers shown):
   - Enter keystore password: ***** (Password1)
   - Re-enter new password: ***** (Password1)
   - What is your first and last name? Rohit Prasad
   - What is the name of your organizational unit? BusinessObjects
   - What is the name of your organization? SAP
   - What is the name of your City or Locality? BLR
   - What is the name of your State or Province? KA
   - What is the two-letter country code for this unit? IN
d. Stop the Tomcat application server.
   The keystore file is generated in <INSTALLDIR>\SAP BusinessObjects Enterprise XI 4.0\win64_x64\sapjvm\bin.
e. Move the keystore file to <INSTALLDIR>\tomcat\webapps\biprws\WEB-INF.
f. Edit the XML file located in <INSTALLDIR>\tomcat\webapps\biprws\WEB-INF with the new alias name, password and keystore file name. Refer to the XML below:
    <bean id="keyManager" class="org.springframework.security.saml.key.JKSKeyManager">
      <constructor-arg value="/WEB-INF/sampleKeystore.jks"/>
      <constructor-arg type="java.lang.String" value="Password1"/>
      <constructor-arg>
        <map>
          <entry key="TestAlias" value="AliasPassword"/>
        </map>
      </constructor-arg>
      <constructor-arg type="java.lang.String" value="TestAlias"/>
    </bean>
Refer to the table below for the meaning of the arguments (note that the alias values must not contain surrounding spaces, since they become part of the alias):
|Argument|Meaning|
|---|---|
|<constructor-arg value="/WEB-INF/sampleKeystore.jks"/>|Locates the keystore file.|
|<constructor-arg type="java.lang.String" value="Password1"/>|Password for the keystore file.|
|<entry key="TestAlias" value="AliasPassword"/>|Alias and its key password.|
|<constructor-arg type="java.lang.String" value="TestAlias"/>|Alias of the default certificate.|
Note: The SP metadata has to be generated every time this keystore file is changed. The sample SP metadata works only with the sample keystore certificate.
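The following is an added example, not SAP's or the product's code: it rewrites the keyManager bean from step 5 to point at a newly generated keystore and validates it for the whitespace-in-alias mistake described above. The keystore file name, alias and passwords are assumptions taken from the sample values on this page.

```python
# Added example (not SAP's code): update and validate the JKSKeyManager bean.
# Keystore file, alias and password values below are assumptions from the page.
import xml.etree.ElementTree as ET

# Constructed sample modelled on the bean above, still using the shipped sample
# keystore (alias Testkey / password Password1 are printed on this page, so a real
# deployment needs its own keystore). The stray spaces around the alias are the
# mistake being detected: in Java they become part of the alias and the key lookup fails.
SAMPLE_BEAN_XML = """<beans>
<bean id="keyManager" class="org.springframework.security.saml.key.JKSKeyManager">
  <constructor-arg value="/WEB-INF/sampletestKeystore.jks"/>
  <constructor-arg type="java.lang.String" value="Password1"/>
  <constructor-arg><map><entry key=" Testkey " value="Password1"/></map></constructor-arg>
  <constructor-arg type="java.lang.String" value=" Testkey "/>
</bean>
</beans>"""


def key_manager_settings(xml_text):
    """Return (keystore path, {alias: key password}, default alias) or raise on a bad bean."""
    bean = ET.fromstring(xml_text).find(".//bean[@id='keyManager']")
    if bean is None:
        raise ValueError("no bean with id='keyManager' found")
    args = bean.findall("constructor-arg")
    if len(args) != 4:
        raise ValueError("expected 4 constructor-arg elements, found %d" % len(args))
    aliases = {e.get("key"): e.get("value") for e in args[2].findall("map/entry")}
    default = args[3].get("value")
    for name in list(aliases) + [default]:
        if name != name.strip():
            raise ValueError("alias %r has surrounding whitespace" % name)
    if default not in aliases:
        raise ValueError("default alias %r is missing from the alias map" % default)
    return args[0].get("value"), aliases, default


def update_key_manager(xml_text, keystore_file, keystore_pw, alias, alias_pw):
    """Point the keyManager bean at keystore_file (placed in WEB-INF) with the new alias."""
    root = ET.fromstring(xml_text)
    args = root.find(".//bean[@id='keyManager']").findall("constructor-arg")
    alias = alias.strip()
    args[0].set("value", "/WEB-INF/" + keystore_file)   # 1st arg: keystore location
    args[1].set("value", keystore_pw)                    # 2nd arg: keystore password
    entry = args[2].find("map/entry")
    entry.set("key", alias)                              # 3rd arg: alias -> key password
    entry.set("value", alias_pw)
    args[3].set("value", alias)                          # 4th arg: default alias
    updated = ET.tostring(root, encoding="unicode")
    key_manager_settings(updated)                        # re-validate before writing it out
    return updated
```

Write the returned string back over the bean in the XML file, then regenerate and re-upload the SP metadata as the note above requires.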
6) Restart the Tomcat application server.
7) Generate and upload the service provider metadata.
Go to http://host:tomcatport/biprws/v1/logon/saml/saml/metadata. The XML file is downloaded automatically when you navigate to this URL. Upload the XML file to the identity provider using the relevant IDP's feature for importing SP metadata.
A pre-generated service provider (SP) metadata file is shipped by default. You can edit and upload this file instead: in <BOE Install Dir>\tomcat\webapps\biprws\WEB-INF\spring_saml_metadata.xml, replace the tags <replace_withip> with the IP address or hostname of the machine (depending on your network) and <replace_withport> with the Tomcat port number.
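The following is an added example, not SAP's or the product's code: it fills the <replace_withip> and <replace_withport> placeholders of the shipped SP metadata and checks that every endpoint in the result points at the intended host and port before it is uploaded to the IDP. The sample metadata, the SSO endpoint path and the host/port values are assumptions; only the metadata URL comes from the page.

```python
# Added example (not SAP's code): fill the placeholders in spring_saml_metadata.xml
# and sanity-check the result. Host, port and endpoint paths are assumptions.
import re
import xml.etree.ElementTree as ET

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"

# Constructed stand-in for the shipped file. Only the metadata URL is taken from
# the page; the SSO endpoint path and the signing flags are assumptions. Because
# the placeholders contain '<', the template is not well-formed XML until filled.
SAMPLE_SP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="http://<replace_withip>:<replace_withport>/biprws/v1/logon/saml/saml/metadata">
  <md:SPSSODescriptor AuthnRequestsSigned="true" WantAssertionsSigned="true"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="http://<replace_withip>:<replace_withport>/biprws/v1/logon/saml/saml/SSO"
        index="0" isDefault="true"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""


def fill_sp_metadata(template, host, port):
    """Substitute the placeholders; return (filled XML, endpoint URLs) or raise."""
    if not re.fullmatch(r"[A-Za-z0-9.-]+", host) or not 1 <= int(port) <= 65535:
        raise ValueError("bad host or port: %r %r" % (host, port))
    filled = template.replace("<replace_withip>", host).replace("<replace_withport>", str(port))
    if "<replace_with" in filled:
        raise ValueError("an unknown placeholder is still present")
    root = ET.fromstring(filled)          # parses only after substitution
    base = "http://%s:%s/biprws/" % (host, port)
    urls = [root.get("entityID")] + [e.get("Location") for e in root.iter() if e.get("Location")]
    wrong = [u for u in urls if not u.startswith(base)]
    if wrong:
        raise ValueError("endpoints not under %s: %s" % (base, wrong))
    if not root.findall(".//{%s}AssertionConsumerService" % MD_NS):
        raise ValueError("SP metadata has no AssertionConsumerService")
    return filled, urls


if __name__ == "__main__":
    xml_out, endpoints = fill_sp_metadata(SAMPLE_SP_METADATA, "bi.example.internal", 8080)
    print("\n".join(endpoints))
```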
For example, with HCP as the IDP, follow these steps. The SP metadata is uploaded when creating a SAML application in HCP:
a. Create a new app under Applications.
b. Upload the SP metadata as shown in the screenshot.
- If you are using SAP Cloud Identity, to create a SAML application in the IDP and upload the SP XML for configuring SAML SSO to the BI platform, refer to "Configure a Trusted Service Provider".
- Restart the Tomcat application server.