
This document summarizes the planned enhancements in the next SAP BI 4.2 Support Package 5 for the new Fiori BI Launchpad. As the SAP BI 4.2 SP5 content is still subject to change, please note the legal disclaimer below:

The information in this presentation is confidential and proprietary to SAP and may not be disclosed without the permission of SAP. This presentation is not subject to your license agreement or any other service or subscription agreement with SAP. SAP has no obligation to pursue any course of business outlined in this document or any related presentation, or to develop or release any functionality mentioned therein. This document, or any related presentation and SAP's strategy and possible future developments, products and or platforms directions and functionality are all subject to change and may be changed by SAP at any time for any reason without notice. The information in this document is not a commitment, promise or legal obligation to deliver any material, code or functionality. This document is provided without a warranty of any kind, either express or implied, including but not limited to, the implied warranties of merchantability, fitness for a particular purpose, or non-infringement. This document is for informational purposes and may not be incorporated into a contract. SAP assumes no responsibility for errors or omissions in this document, except if such damages were caused by SAP's willful misconduct or gross negligence.

All forward-looking statements are subject to various risks and uncertainties that could cause actual results to differ materially from expectations. Readers are cautioned not to place undue reliance on these forward-looking statements, which speak only as of their dates, and they should not be relied upon in making purchasing decisions.

 

Cloud applications are HTTP friendly: almost everything happens over that protocol. Accordingly, SAP cloud applications such as SAP Cloud for Customer (C4C), SAP BusinessObjects Cloud (BOC) and the Fiori Launchpad (FLP) all support SAML as their authentication mechanism.

The SAP BusinessObjects BI platform (BOBJ) has long supported SAML when deployed on SAP NetWeaver. On Tomcat, however, SAML used to require a great deal of custom implementation. Tomcat ships with no SAML service provider, so the customer had to turn the Tomcat web tier into a SAML service provider by integrating a third-party SAML library such as Shibboleth. That library handled the SAML requests and issued the authentication challenge when no authenticated session existed. Once an authenticated SAML response reached the BI web applications, code written by the customer had to parse the SAML response, extract the user name and log the user on through trusted authentication.

 

The new implementation supports SAML on Tomcat for the BI platform with minimal configuration. Customers no longer need to configure a service provider themselves: the BOE web application now ships with built-in Spring Security SAML libraries through which Tomcat acts as the service provider and handles the SAML requests and authentication. After a successful SAML authentication, a trusted-authentication logon is performed on the BI application for the user principal carried in the SAML response, and the user is logged on seamlessly.

 

 

To use the Tomcat application server as SAML service provider for the BOE web applications, follow the steps below:

 

1) Add the SAML Tomcat service provider jars (this step is needed only for SAML authentication for the BOE web applications)

a) The Spring SAML service provider jars are located in <BOE Install Dir>\SAP BusinessObjects Enterprise XI 4.0\SAMLJARS. Stop Tomcat, then copy these jars to <BOE Install Dir>\tomcat\webapps\BOE\WEB-INF\lib.

b) Delete the work directory under <BOE Install Dir>\tomcat.

c) Restart Tomcat and wait until the work directory has been repopulated.

 

2) Configure trusted authentication with WEB_SESSION

a) Add a global.properties file under the custom folder <INSTALLDIR>\SAP BusinessObjects\tomcat\webapps\BOE\WEB-INF\config\custom. If global.properties already exists in the custom folder, append the trusted authentication settings to the existing file.

The content of global.properties is:

sso.enabled=true
trusted.auth.user.retrieval=WEB_SESSION
trusted.auth.user.param=UserName

With WEB_SESSION retrieval the BOE web application takes the user name from the HTTP session attribute named by trusted.auth.user.param, which the SAML filter populates after a successful assertion, rather than from an HTTP header, cookie or query-string parameter as the other retrieval modes allow. Keep in mind that the CMS accepts any trusted-authentication logon that presents the shared secret, so restrict file-system access to the TrustedPrincipal.conf file created in the next step to the accounts that run Tomcat and the CMS.

b) Configure trusted authentication in the CMC

In the CMC, go to Authentication > Enterprise (see the screenshot in the original post) and:

  1. Enable Trusted Authentication.
  2. Set the validity period.
  3. Choose New Shared Secret.
  4. Choose Download Shared Secret to download the generated shared secret.

The TrustedPrincipal.conf file is downloaded.

  5. Copy TrustedPrincipal.conf to <INSTALLDIR>\SAP BusinessObjects Enterprise XI 4.0\win64_x64 and <INSTALLDIR>\SAP BusinessObjects Enterprise XI 4.0\win32_x86.
  6. Go to CMC > Authentication > Enterprise and choose Update.
  7. Restart Tomcat.

3) User creation on BOE

The IdP users have to exist in BOE: create them manually, import them through an SDK script, or import them from CSV in the CMC. SAML-based authentication relies on trusted authentication from the web server to the CMS, so the IdP users must be created in BOE as Enterprise users whose names match the user principal sent in the SAML response.

If you are using the SAP Cloud Platform Identity Provider, export all the users and then import them into the BI platform; refer to How to import users in bulk from Central Management Console.

To export SAP Cloud Platform users to CSV, refer to Export Existing Users of a Tenant of SAP Cloud Platform Identity Authentication Service.

4) Edit securityContext.xml to enable the SAML endpoints

securityContext.xml is located at <INSTALLDIR>\tomcat\webapps\BOE\WEB-INF.

In securityContext.xml, locate the SAML entry point. As shipped, it looks like this:

<security:http entry-point-ref="samlEntryPoint" use-expressions="false">
<!-- Comment/Uncomment for Launchpad-->
<security:intercept-url pattern="/BI" access="IS_AUTHENTICATED_FULLY"/>
<!-- Uncomment for Opendocument-->
<!--<security:intercept-url pattern="/OpenDocument/**" access="IS_AUTHENTICATED_FULLY"/>-->
<!-- Uncomment for Fiori Launchpad-->
<!--<security:intercept-url pattern="/BILaunchpad" access="IS_AUTHENTICATED_FULLY"/>-->
<security:custom-filter before="FIRST" ref="metadataGeneratorFilter"/>
<security:custom-filter after="BASIC_AUTH_FILTER" ref="samlFilter"/>
</security:http>

In general, SAML authentication is enabled:

a) for the BI launch pad, by keeping the line <security:intercept-url pattern="/BI" access="IS_AUTHENTICATED_FULLY"/> uncommented under the SAML entry point;

b) for OpenDocument, by keeping the line <security:intercept-url pattern="/OpenDocument/**" access="IS_AUTHENTICATED_FULLY"/> uncommented under the SAML entry point;

c) for the Fiorified BI launch pad, by keeping the line <security:intercept-url pattern="/BILaunchpad" access="IS_AUTHENTICATED_FULLY"/> uncommented under the SAML entry point.

Any application whose intercept-url remains commented out is not intercepted by the SAML filter chain and continues to use the normal BOE logon.

Examples

1) If SAML authentication is to be enabled for OpenDocument only, and not for the BI launch pad or the Fiorified BI launch pad, uncomment the line <security:intercept-url pattern="/OpenDocument/**" access="IS_AUTHENTICATED_FULLY"/> and comment out the entries for the BI launch pad and the Fiorified BI launch pad. The SAML entry point then looks like this:

<security:http entry-point-ref="samlEntryPoint" use-expressions="false">
<!-- Comment/Uncomment for Launchpad-->
<!--<security:intercept-url pattern="/BI" access="IS_AUTHENTICATED_FULLY"/>-->
<!-- Uncomment for Opendocument-->
<security:intercept-url pattern="/OpenDocument/**" access="IS_AUTHENTICATED_FULLY"/>
<!-- Uncomment for Fiori Launchpad-->
<!--<security:intercept-url pattern="/BILaunchpad" access="IS_AUTHENTICATED_FULLY"/>-->
<security:custom-filter before="FIRST" ref="metadataGeneratorFilter"/>
<security:custom-filter after="BASIC_AUTH_FILTER" ref="samlFilter"/>
</security:http>

2) If SAML authentication is to be enabled for the Fiorified BI launch pad and OpenDocument, uncomment the lines <security:intercept-url pattern="/BILaunchpad" access="IS_AUTHENTICATED_FULLY"/> and <security:intercept-url pattern="/OpenDocument/**" access="IS_AUTHENTICATED_FULLY"/> and comment out the entry for the BI launch pad. The SAML entry point then looks like this:

<security:http entry-point-ref="samlEntryPoint" use-expressions="false">
<!-- Comment/Uncomment for Launchpad-->
<!--<security:intercept-url pattern="/BI" access="IS_AUTHENTICATED_FULLY"/>-->
<!-- Uncomment for Opendocument-->
<security:intercept-url pattern="/OpenDocument/**" access="IS_AUTHENTICATED_FULLY"/>
<!-- Uncomment for Fiori Launchpad-->
<security:intercept-url pattern="/BILaunchpad" access="IS_AUTHENTICATED_FULLY"/>
<security:custom-filter before="FIRST" ref="metadataGeneratorFilter"/>
<security:custom-filter after="BASIC_AUTH_FILTER" ref="samlFilter"/>
</security:http>

NOTE: The intercept-url entry for the classic BI launch pad is enabled by default.

5) Changes in the web application properties

The property is saml.enabled=true.

As with any other property setting, it is recommended to put this property in the /config/custom/<application>.properties file.

If you do not already have a custom properties file there, create an empty <application>.properties; check the /config/default directory for the exact file name.

For example (assuming the custom properties file does not exist; if it already does, only append saml.enabled=true):

For the classic BI launch pad, create BIlaunchpad.properties under <BOE Install Dir>\tomcat\webapps\BOE\WEB-INF\config\custom.

For the Fiorified BI launch pad, create fioriBI.properties under <BOE Install Dir>\tomcat\webapps\BOE\WEB-INF\config\custom.

For OpenDocument, create OpenDocument.properties under <BOE Install Dir>\tomcat\webapps\BOE\WEB-INF\config\custom.

In each file, add saml.enabled=true.

NOTE: To enable SAML authentication for a web application it is mandatory both to uncomment its endpoint in securityContext.xml and to add saml.enabled=true to the custom properties file of that web application.
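Added example (not code from the SAP post): a small Python checker that reads a BOE WEB-INF directory and reports, for each of the three web applications, whether the intercept-url in securityContext.xml and the saml.enabled property agree, so that the "endpoint only" and "property only" half-configurations the note above warns about are caught before Tomcat is restarted. It also verifies the global.properties trusted-authentication keys from step 2 and whether idp-meta-downloaded.xml has been copied in. The WEB-INF tree it inspects is constructed in a temporary directory for the demonstration; the file names and URL patterns are the ones given in this procedure, and the function names are the author's own.

```python
"""Check that the BOE web-tier SAML settings (steps 2, 4 and 5) agree.

Added example, not SAP code. check_webinf() inspects a BOE WEB-INF directory
and reports per web application whether the securityContext.xml endpoint and
the saml.enabled property are both set, plus the global.properties trusted-auth
keys and the presence of idp-meta-downloaded.xml. The sample WEB-INF tree is
constructed in a temporary directory so the script runs offline.
"""
import os
import re
import tempfile

# URL pattern in securityContext.xml -> custom properties file, as in the procedure.
APPS = {
    "/BI": "BIlaunchpad.properties",
    "/OpenDocument/**": "OpenDocument.properties",
    "/BILaunchpad": "fioriBI.properties",
}
COMMENT_RE = re.compile(r"<!--.*?-->", re.S)
INTERCEPT_RE = re.compile(r'<security:intercept-url\s+pattern="([^"]+)"')


def active_patterns(security_context_xml):
    """Return the intercept-url patterns that are not inside an XML comment."""
    live_xml = COMMENT_RE.sub("", security_context_xml)
    return set(INTERCEPT_RE.findall(live_xml))


def read_properties(path):
    """Minimal .properties reader: key=value lines, '#'/'!' comments, trimmed."""
    props = {}
    if not os.path.exists(path):
        return props
    with open(path, encoding="utf-8") as fh:
        for line in fh:
            line = line.strip()
            if not line or line[0] in "#!" or "=" not in line:
                continue
            key, value = line.split("=", 1)
            props[key.strip()] = value.strip()
    return props


def check_webinf(webinf):
    """Return one status string per app pattern, plus 'global' problems and 'idp_metadata'."""
    with open(os.path.join(webinf, "securityContext.xml"), encoding="utf-8") as fh:
        active = active_patterns(fh.read())
    custom = os.path.join(webinf, "config", "custom")
    report = {}
    for pattern, props_file in APPS.items():
        endpoint_on = pattern in active
        prop_on = read_properties(os.path.join(custom, props_file)).get("saml.enabled", "").lower() == "true"
        if endpoint_on and prop_on:
            report[pattern] = "enabled"
        elif endpoint_on:
            report[pattern] = "endpoint only: add saml.enabled=true to " + props_file
        elif prop_on:
            report[pattern] = "property only: uncomment the intercept-url in securityContext.xml"
        else:
            report[pattern] = "disabled"
    glob = read_properties(os.path.join(custom, "global.properties"))
    problems = []
    if glob.get("sso.enabled", "").lower() != "true":
        problems.append("sso.enabled is not true")
    if glob.get("trusted.auth.user.retrieval") != "WEB_SESSION":
        problems.append("trusted.auth.user.retrieval is not WEB_SESSION")
    if not glob.get("trusted.auth.user.param"):
        problems.append("trusted.auth.user.param is missing")
    report["global"] = problems
    report["idp_metadata"] = os.path.exists(os.path.join(webinf, "idp-meta-downloaded.xml"))
    return report


# Constructed sample: OpenDocument fully enabled, Fiori launch pad endpoint uncommented
# without the property, classic launch pad property set but endpoint commented out,
# and no IdP metadata copied in yet.
SAMPLE_SECURITY_CONTEXT = """<security:http entry-point-ref="samlEntryPoint" use-expressions="false">
<!-- Comment/Uncomment for Launchpad-->
<!--<security:intercept-url pattern="/BI" access="IS_AUTHENTICATED_FULLY"/>-->
<!-- Uncomment for Opendocument-->
<security:intercept-url pattern="/OpenDocument/**" access="IS_AUTHENTICATED_FULLY"/>
<!-- Uncomment for Fiori Launchpad-->
<security:intercept-url pattern="/BILaunchpad" access="IS_AUTHENTICATED_FULLY"/>
<security:custom-filter before="FIRST" ref="metadataGeneratorFilter"/>
<security:custom-filter after="BASIC_AUTH_FILTER" ref="samlFilter"/>
</security:http>
"""
SAMPLE_FILES = {
    "global.properties": "sso.enabled=true\ntrusted.auth.user.retrieval=WEB_SESSION\ntrusted.auth.user.param=UserName\n",
    "OpenDocument.properties": "saml.enabled=true\n",
    "BIlaunchpad.properties": "saml.enabled =true\n",
}


def build_sample_webinf():
    """Write the constructed WEB-INF tree to a temp directory and return its path."""
    root = tempfile.mkdtemp(prefix="boe-webinf-")
    custom = os.path.join(root, "config", "custom")
    os.makedirs(custom)
    with open(os.path.join(root, "securityContext.xml"), "w", encoding="utf-8") as fh:
        fh.write(SAMPLE_SECURITY_CONTEXT)
    for name, body in SAMPLE_FILES.items():
        with open(os.path.join(custom, name), "w", encoding="utf-8") as fh:
            fh.write(body)
    return root


if __name__ == "__main__":
    for key, value in check_webinf(build_sample_webinf()).items():
        print(f"{key}: {value}")
```

To use it on a real installation, call check_webinf() with <BOE Install Dir>\tomcat\webapps\BOE\WEB-INF (or, as the first comment below suggests, the warfiles location you actually edit). The comment stripping is done before the pattern search on purpose: a commented-out intercept-url is exactly the case that must be reported as not active.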

6) Configuration in the deployment descriptor (web.xml)

A new filter has been introduced for SAML. The relevant sections of web.xml are commented out by default.

Enable the filters in the web.xml of the BOE web application by uncommenting the SAML section(s).

Path of web.xml: <BOE Install Dir>\tomcat\webapps\BOE\WEB-INF\web.xml.

Uncomment the sections marked with a SAML comment, as shown in the screenshots of the original post (not reproduced here).

1. Uncomment the listener and context param.

[Screenshot: commented listener and context param]

[Screenshot: web.xml after uncommenting the listener and context param]

2. Uncomment the SAML filters and filter mapping.

[Screenshot: commented SAML filters and mapping]

[Screenshot: web.xml after uncommenting the SAML filters and mapping]

3. Save web.xml with these changes.

 

7) Update the IdP metadata

To update the IdP metadata in the SP, download the metadata from your identity provider. Copy the metadata file to <BOE Install Dir>\tomcat\webapps\BOE\WEB-INF and rename it to idp-meta-downloaded.xml. For details on downloading the IdP metadata, refer to Tenant SAML 2.0 Configuration.

If BOE is deployed on a non-Windows machine, check the path to the IdP metadata under the FilesystemMetadataProvider bean in securityContext.xml (under <BOE Install Dir>\tomcat\webapps\BOE\WEB-INF): it must use forward slashes, which java.io.File accepts on every platform, whereas on Linux and Unix a backslash is an ordinary file-name character and the file would not be found.

i.e. <value type="java.io.File">\WEB-INF\idp-meta-downloaded.xml</value> has to read <value type="java.io.File">/WEB-INF/idp-meta-downloaded.xml</value>.
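Added example (not SAP's code): a standard-library-only Python inspection of the downloaded IdP metadata, to run before copying it into WEB-INF as idp-meta-downloaded.xml. It extracts the entityID, the SingleSignOnService endpoints by binding and whether the IdP publishes a signing certificate, and it flags endpoints that are not HTTPS, since the SP will redirect users' browsers to those URLs. The metadata document in the block is constructed for the demonstration: its certificate value is a placeholder and its HTTP-POST endpoint is deliberately plain HTTP so that the check fires. Function and constant names are the author's own.

```python
"""Inspect SAML 2.0 IdP metadata before installing it as idp-meta-downloaded.xml.

Added example, not SAP code; standard library only.
"""
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"


def inspect_idp_metadata(xml_text):
    """Return entityID, SSO endpoints by binding, signing-cert count and problems found."""
    root = ET.fromstring(xml_text)
    # The EntityDescriptor is either the document root or wrapped in an EntitiesDescriptor.
    entity = root if root.tag == "{%s}EntityDescriptor" % NS["md"] else root.find("md:EntityDescriptor", NS)
    if entity is None:
        raise ValueError("no EntityDescriptor in metadata")
    idp = entity.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("no IDPSSODescriptor: this is not identity-provider metadata")

    sso = {e.get("Binding"): e.get("Location") for e in idp.findall("md:SingleSignOnService", NS)}

    # A KeyDescriptor without a 'use' attribute is valid for both signing and encryption.
    signing_certs = []
    for kd in idp.findall("md:KeyDescriptor", NS):
        if kd.get("use", "signing") != "signing":
            continue
        cert = kd.find("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS)
        if cert is not None and cert.text and cert.text.strip():
            signing_certs.append(cert.text.strip())

    problems = []
    if not signing_certs:
        problems.append("no signing certificate: the SP cannot verify responses from this IdP")
    if REDIRECT not in sso and POST not in sso:
        problems.append("no HTTP-Redirect or HTTP-POST SingleSignOnService endpoint")
    for binding, location in sso.items():
        if not (location or "").lower().startswith("https://"):
            problems.append("non-HTTPS endpoint for %s: %s" % (binding.rsplit(":", 1)[-1], location))

    return {
        "entity_id": entity.get("entityID"),
        "valid_until": entity.get("validUntil"),
        "sso": sso,
        "signing_certs": len(signing_certs),
        "wants_signed_requests": idp.get("WantAuthnRequestsSigned", "false").lower() == "true",
        "problems": problems,
    }


# Constructed sample metadata (not from a real IdP). The certificate is a placeholder
# and the HTTP-POST endpoint is deliberately plain HTTP so that the check fires.
SAMPLE_IDP_METADATA = """<?xml version="1.0" encoding="UTF-8"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    entityID="https://idp.example.test/saml2/metadata" validUntil="2030-01-01T00:00:00Z">
  <md:IDPSSODescriptor WantAuthnRequestsSigned="true"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data>
        <ds:X509Certificate>MIIC...placeholder-base64-certificate...</ds:X509Certificate>
      </ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</md:NameIDFormat>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://idp.example.test/saml2/sso"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="http://idp.example.test/saml2/sso"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>
"""

if __name__ == "__main__":
    for key, value in inspect_idp_metadata(SAMPLE_IDP_METADATA).items():
        print(f"{key}: {value}")
```

The script does not check the signing certificate's expiry date; to do that, paste the base64 value between BEGIN CERTIFICATE and END CERTIFICATE lines in a file and run keytool -printcert -file on it, and note the validUntil value it reports, after which the SP will treat the metadata as stale and the IdP's metadata must be downloaded again.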

 

8) Keystore generation

This step is optional and applies only if you want to use your own keystore file.

SAML exchanges use cryptography to sign and encrypt data. A sample self-signed keystore, sampletestKeystore.jks, is packaged with the product and is valid until October 18, 2019; it has the alias Testkey and the password Password1. Because that keystore and its password ship with every installation, its private key is effectively public: use it only for a first test and generate your own keystore for any real deployment. You can generate a self-signed keystore with the Java keytool utility as follows:

  1. Navigate to <INSTALLDIR>\SAP BusinessObjects Enterprise XI 4.0\win64_x64\sapjvm\bin.
  2. Run the command: keytool -genkeypair -keyalg RSA -keysize 2048 -alias aliasname -keypass password -keystore samplekeystore.jks -validity numberofdays

Example:

keytool -genkeypair -keyalg RSA -keysize 2048 -alias TestAlias -keypass AliasPassword -keystore sampleKeystore.jks -validity 735

Command Description
-keyalg, -keysize Key algorithm and size. Set them explicitly: older keytool versions default to a 1024-bit DSA key, which is weak and not what SAML peers expect.
-alias Alias name of the certificate
-keypass Password of the certificate's private key
-keystore Name of the keystore file
-validity Validity of the certificate
numberofdays Number of days for which the self-signed certificate is valid

  3. The following prompts appear after executing the command (sample answers shown):
    • Enter keystore password: ***** (Password1)
    • Re-enter new password: ***** (Password1)
    • What is your first and last name?: Rohit Prasad
    • What is the name of your organizational unit?: BusinessObjects
    • What is the name of your organization?: SAP
    • What is the name of your city and locality?: BLR
    • What is the name of your State and Province?: KA
    • What is the two-letter country code for this unit?: IN
  4. Stop the Tomcat application server.

The keystore file is generated in <INSTALLDIR>\SAP BusinessObjects Enterprise XI 4.0\win64_x64\sapjvm\bin.

  5. Move the keystore file to <INSTALLDIR>\tomcat\webapps\BOE\WEB-INF.
  6. Edit the keyManager bean in securityContext.xml (located at <INSTALLDIR>\tomcat\webapps\BOE\WEB-INF) with the new alias name, passwords and keystore file name, as in the XML below. Write the alias without surrounding spaces, otherwise the key lookup fails:

<bean id="keyManager" class="org.springframework.security.saml.key.JKSKeyManager">
  <constructor-arg value="/WEB-INF/sampleKeystore.jks"/>
  <constructor-arg type="java.lang.String" value="Password1"/>
  <constructor-arg>
    <map>
      <entry key="TestAlias" value="AliasPassword"/>
    </map>
  </constructor-arg>
  <constructor-arg type="java.lang.String" value="TestAlias"/>
</bean>

Refer to the table below for the arguments:

XML Tag Description
<constructor-arg value="/WEB-INF/sampleKeystore.jks"/> Locates the keystore file.
<constructor-arg type="java.lang.String" value="Password1"/> Password of the keystore file.
<entry key="TestAlias" value="AliasPassword"/> Alias and the password of its private key.
<constructor-arg type="java.lang.String" value="TestAlias"/> Alias of the default certificate.

Note: The SP metadata has to be generated again every time this keystore file is changed, because the SP certificate is embedded in the metadata. The sample SP metadata works only with the sample keystore certificate.

9) Restart the Tomcat application server.

10) Generate and upload the service provider metadata

Go to http://host:port/BOE/BI/saml/metadata. The XML file is downloaded automatically when you navigate to this URL (it is produced by the metadataGeneratorFilter enabled in step 4). Upload the XML file to the identity provider using the IdP's own feature for registering a service provider.

Note

You can use the default service provider metadata file spring_saml_metadata.xml, located at <INSTALLDIR>\tomcat\webapps\BOE\WEB-INF, instead of generating it. You must replace the placeholder <replace_withip> with the IP address of the machine (or, preferably, the host name that users actually browse to) and <replace_withport> with the port number of the Tomcat application server, and replace HTTP with HTTPS if you have enabled HTTPS in Tomcat. The entityID and AssertionConsumerService URLs in the metadata must match the scheme, host and port the browser uses, otherwise the IdP will reject the request or post the response to a destination the SP does not recognize.

 

For example, for SAP Cloud Platform (HCP) as IdP, follow these steps. The SP metadata is uploaded when you create a SAML application in HCP:

1. Create a new application under Applications.

[Screenshot: application creation]

2. Upload the SP metadata (see the screenshot in the original post).

  3. If you are using SAP Cloud Identity, refer to Configure a Trusted Service Provider to create a SAML application in the IdP and upload the SP XML there; this configures SAML SSO to the BI platform.
  4. Restart the Tomcat application server.

Tip: To check that the SAML integration works, launch the SAML-configured application (BI launch pad, Fiorified BI launch pad or OpenDocument): you should be redirected to the IdP and, after authenticating there, land in the application without seeing the BOE logon page. If you are redirected to the IdP but still end up on the BOE logon page, check that the user exists in BOE as an Enterprise user (step 3) and that trusted authentication is configured correctly (step 2).

Comments

  1. Tim Nightingale

    Nice post...

    Of course in the real world you would make the changes to the warfiles location and not directly in the Tomcat\webapps folders, just so any patching/re-deploying keeps the changes.

    Tim
  2. Ivan Yin

    Hi Shruthi,

    Does it support BI Mobile now? Can I do similar changes in the MobileBIService warfiles to achieve SAML for BI Mobile?

    Regards,
    Ivan