Skip to Content

This blog is focused on the SAML 2.0 support improvements with BI 4.2 SP05.

The support for SAML 2.0 is available today as well. Basically, application server needs to be configured as SAML service provider and BO application needs to be configured for trusted authentication. And there has to be glue code/config that picks up user information from SAML assertion response and provide that to BO in the defined format. Once that happens BO logs you in as a user.

This support is documented for SAP NetWeaver (BOE SAML with Netweaver). However, customers have struggled to set this up for other application servers as this required third-party SAML libraries and some custom code/configuration.

Key Summary of the changes

  • Support is available from BI 4.2 SP05
  • Support is available for Apache Tomcat application server
  • Tomcat application server now is bundled with spring SAML libraries, which makes the required configuration minimal for customers
  • This addresses the front-end logon via SAML Usecase. However, the same SAML ticket is not used for authentication to databases (DB SSO to HANA via SAML, to SAP BW via STS and to DBs via stored credentials would still work).


To use Tomcat Application Server as SAML Service Provider for BOE Web Applications

Follow the steps below:

1)Adding SAML Tomcat service provider jars.( This step is only for SAML Authentication for BOE Web Applications )

a).The spring saml service provider jars exists inside <BOE  Install  Dir> \SAP BusinessObjects Enterprise XI 4.0\SAMLJARS. Stop Tomcat.

Copy these jars  to  <BOE  Install  Dir>\tomcat\webapps\BOE\WEB-INF\lib.

b).Delete  work from   <BOE  Install  Dir>\tomcat.

c).Restart tomcat.Wait for tomcat work to be populated.


2)Configure Trusted Authentication with WebSession

a)Add the file under the custom folder <INSTALLDIR>\SAPBusinessObjects\tomcat\webapps\BOE\WEB-INF\config\custom. In case file exists under custom folder, the trusted authentication configuration has to be appended to the existing file.

Following is the content for




b)Configures Trusted Auth in CMC

Go to CMC Application,  Authentication , Enterprise . Refer Screen below

  1. Enable Trusted Authentication.
  2. Set the Validity.
  3. Choose New Shared Secret.
  4. To download the generated shared secret, choose Download Shared Secret.

The TrustedPrincipal.conf file is downloaded.

  1. Paste the TrustedPrincipal.conf file in <INSTALLDIR>\SAP BusinessObjects Enterprise XI 4.0\win64_x64and <INSTALLDIR>\SAP BusinessObjects Enterprise XI 4.0\win64_x32
  2. Go to CMC  Authentication  Enterprise  and choose Update.
  3. Restart Tomcat.

3)User Creation on BOE .

The IDP user has to created in BOE or imported through some SDK script or export using CSV option in CMC.The SAML based authentication relies on TrustedAuth from the web-server to the CMS. For this, the IDP users will have to be created in BOE as Enterprise users.


If you are using SAP Cloud Platform Identity Provider, export all the users and then import them to the BI platform. Refer How to import users in bulk from Central Management Console

To export SAP Cloud Platform users to CSV, refer Export Existing Users of a Tenant of SAP Cloud Platform Identity Authentication Service

4)Edit the securityContext.xml file to enable SAML Endpoints

The securityContext.xml  is located at <INSTALLDIR>\tomcat\webapps\BOE\WEB-INF.

In the securityContext.xml file, locate the SAML entry point in the XML code as below. The SAML

Please see the section below


<security:http entry-point-ref=”samlEntryPoint” use-expressions=”false”>
<!– Comment/Uncomment for Launchpad–>
<security:intercept-url pattern=”/BI” access=”IS_AUTHENTICATED_FULLY”/>
<!– Uncomment for Opendocument–>
<!–<security:intercept-url pattern=”/OpenDocument/**” access=”IS_AUTHENTICATED_FULLY”/>–>
<!– Uncomment for Fiori Launchpad–>
<!–<security:intercept-url pattern=”/BILaunchpad” access=”IS_AUTHENTICATED_FULLY”/>–>
<security:custom-filter before=”FIRST” ref=”metadataGeneratorFilter”/>
<security:custom-filter after=”BASIC_AUTH_FILTER” ref=”samlFilter”/>

In general, the SAML authentication can be enabled

a) For BI Launchpad, by keeping this line uncommented <security:intercept-url pattern=”/BI”           access=”IS_AUTHENTICATED_FULLY”/>  under SAML entry point.

b) For OpenDocument,by keeping this line uncommented <security:intercept-url pattern=”/OpenDocument/**” access=”IS_AUTHENTICATED_FULLY”/> under saml entry point.

c)For Fiorified BI Launchpad, by keeping this line uncommented <security:intercept-url pattern=”/BILaunchpad” access=”IS_AUTHENTICATED_FULLY”/> under saml entry point.


1) Incase SAML authentication has to be enabled  only for Opendocument alone and not BI LaunchPad and Firoufied BILaunchpad the line <security:intercept-url pattern=”/OpenDocument/**” access=”IS_AUTHENTICATED_FULLY”/> has to be uncommented , comment the entry points for  BI Launchpad and FioriBI Launchpad.  In that case SAML entry point looks like below

<security:http entry-point-ref=”samlEntryPoint” use-expressions=”false”>
<!– Comment/Uncomment for Launchpad–>
<!–<security:intercept-url pattern=”/BI” access=”IS_AUTHENTICATED_FULLY”/>–>
<!– Uncomment for Opendocument–>
<security:intercept-url pattern=”/OpenDocument/**” access=”IS_AUTHENTICATED_FULLY”/>
<!– Uncomment for Fiori Launchpad–>
<!–<security:intercept-url pattern=”/BILaunchpad” access=”IS_AUTHENTICATED_FULLY”/>–>
<security:custom-filter before=”FIRST” ref=”metadataGeneratorFilter”/>
<security:custom-filter after=”BASIC_AUTH_FILTER” ref=”samlFilter”/>

2)Incase SAML authentication has to be enabled   for FioriLaunchPad and Opendocument the line <security:intercept-url pattern=”/BILaunchpad” access=”IS_AUTHENTICATED_FULLY”/>,<security:intercept-url pattern=”/OpenDocument/**” access=”IS_AUTHENTICATED_FULLY”/> has to be uncommented , comment the entry points for  BI Launchpad .  In that case SAML entry point looks like below

<security:http entry-point-ref=”samlEntryPoint” use-expressions=”false”>
<!– Comment/Uncomment for Launchpad–>
<!–<security:intercept-url pattern=”/BI” access=”IS_AUTHENTICATED_FULLY”/>–>
<!– Uncomment for Opendocument–>
<security:intercept-url pattern=”/OpenDocument/**” access=”IS_AUTHENTICATED_FULLY”/>
<!– Uncomment for Fiori Launchpad–>
<security:intercept-url pattern=”/BILaunchpad” access=”IS_AUTHENTICATED_FULLY”/>
<security:custom-filter before=”FIRST” ref=”metadataGeneratorFilter”/>
<security:custom-filter after=”BASIC_AUTH_FILTER” ref=”samlFilter”/>

NOTE :The XML tag for Classical BI Launch Pad is enabled by default..

5)Changes in properties for WebApplications

The property is saml.enabled =true

As in any other properties’ setting, it is recommended to put this property in the /config/custom/<application>.properties file.

If you do not already have any custom property file here, please create an empty <application>.property. To be sure, refer to the exact name in the /config/default directory

For example:

(Assuming custom properties file does not exist. If it already does, only need to append the property saml.enabled=true)

For Classic  BI LaunchPad, create under  <BOE  Install  Dir>\tomcat\webapps\BOE\WEB-INF\config\custom


For Fiorified  BI LaunchPad create under under  <BOE  Install Dir>\tomcat\webapps\BOE\WEB-INF\config\custom

For Opendocument create under under  <BOE  Install Dir>\tomcat\webapps\BOE\WEB-INF\config\custom


Add saml.enabled =true.

NOTE: It is mandatory to uncomment  the specific endpoint and also add saml.enabled =true properties in custom properties file for the respective webapp  to enable SAML Authentication

6)Configurations in the deployment descriptor – web.xml

 A new filter has been introduced for SAML. The relevant section in the web.xml will be kept commented by default.

Enable filters in web.xml of BOE webapp by uncommenting the SAML section(s).

Web.xml file path:   <BOE  Install  Dir>\tomcat\webapps\BOE\WEB-INF web.xml .

Uncomment the sections which have  SAML Comment as Shown in the Images below.

1.    Uncomment the listener and context param

Commented listener and context param

After uncommenting the listener and context param web.xml looks as below

2.Uncomment the SAML filters and mapping

Commented SAML filters and mapping


After Uncommenting the SAML filters and mapping


3.Save the web.xml with these changes.


5.Update IDP Metadata

To update the IDP metadata in SP, download the IDP metadata from the respective IDP service providers. Copy the metadata file to <BOE Install Dir>\tomcat\webapps\BOE\WEB-INF and rename it to idp-meta-downloaded.xml . For more details on downloading the IDP metadata, refer Tenant SAML 2.0 Configuration



If BOE is deployed on any Non -Windows machine, the path seperators in filepath to the IDP metadata under the bean FilesystemMetadataProvider should be changed in securityContext.xml under <BOE Install Dir>\tomcat\webapps\BOE\WEB-INF.

i.e <value type=””>/WEB-INF/idp-meta-downloaded.xml</value> has to be changed to <value type=””>\WEB-INF\idp-meta-downloaded.xml</value> .


6).KeyStore Generation

This step is optional applicable only if you want to use your own keystore file.

SAML exchanges involve usage of cryptography for signing and encryption of data. A sample self-signed keystore sampletestKeystore.jks is packaged with the product and is valid till October 18, 2019.sampletestKeystore.jks has an alias name Testkey and password Password1. You can now generate a self-signed keystore file using the JAVA utility keytool. Follow the steps below to generate a keystore file:

  1. Navigate to <INSTALLDIR>\SAP BusinessObjects Enterprise XI 4.0\win64_x64\sapjvm\bin.


keytool -genkeypair -alias TestAlias -keypass AliasPassword -keystore sampleKeystore.jks -validity 735 .

b.Run the command: keytool -genkeypair -alias aliasname -keypass password -keystore samplekeystore.jks -validity numberofdays

Command Description
-alias Enter the alias name of the certificate
-keypass Enter the certificate’s password
-keystore Name of the keystore file
-validity Validity of the certificate
numberofdays Number of days for which the self-signed certificate is valid.
  1. The following questions are prompted after executing the command:
    • Enter keystore password: *****(Password1)
    • Re-enter new password: *****(Password1)
    • What is your first and last name? : Rohit Prasad
    • What is the name of your organizational unit? : BusinessObjects
    • What is the name of your organization? : SAP
    • What is the name of your city and locality? : BLR
    • What is the name of your State and Province? : KA
    • What is the two-letter country code for this unit? : IN
  2. Stop the Tomcat application server.

The keystore file is generated at <INSTALLDIR>\SAP BusinessObjects Enterprise XI 4.0\win64_x64\sapjvm\bin.

  1. Move the keystore file to <INSTALLDIR>\tomcat\webapps\BOE\WEB-INF
  2. Edit the xmlfile located at <INSTALLDIR>\tomcat\webapps\BOE\WEB-INF with the new alias name, password, and keystore file name. Refer the XML code below:

<bean id=”keyManager” class=””>  <constructor-arg value=”/WEB-INF/sampleKeystore.jks”/><constructor-arg type=”java.lang.String” value=”Password1″/><constructor-arg><map><entry key=” TestAlias ” value=”AliasPassword”/></map></constructor-arg><constructor-arg type=”java.lang.String” value=” TestAlias “/></bean>

 Refer the table below for understanding the arguments:
XML Tag Description
<constructor-arg value=”/WEB-INF/sampleKeystore.jks”/> Locates the keystore file.
<constructor-arg type=”java.lang.String” value=”Password1″/> Password for the keystore file.
<entry key=” TestAlias ” value=” AliasPassword”/> Alias password
<constructor-arg type=”java.lang.String” value=” TestAlias “/> Alias of the default certificate


Note: SP metadata has to be generated everytime this keystore file is changed.Our sample sp metadata will be working only with our sample keystore certificate.

7)Restart the Tomcat application server.

8)Generate and upload the service provider metadata.

Go to http://host:port/BOE/BI/saml/metadata. The XML file gets downloaded automatically after navigating to the above URL.Upload the XML file to the identity provider.  Upload this in IDP using the relevant IDP’s feature support.




You can use the default service provider metadata file spring_saml_metadata.xml located at<INSTALLDIR>\tomcat\webapps\BOE\WEB-INF instead of generating it manually. You must replace the XML tag <replace_withip> with the IP address of the machine and <replace_withport> with port number of the Tomcat application server. Replace HTTP with HTTPS if you have enabled HTTPS in Tomcat.


For example for HCP as IDP , Please follow following steps

SP  metadata should be uploaded on creation of a SAML application in HCP.

1.Create a new app underapplications

App Creation


2. Upload SP metadata as shown in screenshot.


  1. If you are using SAP Cloud Identity, to create a SAML application in IDP and upload the SP xmlin the IDP for configuring the SAML SSO to BIPlatform, refer Configure a Trusted Service Provider.
  2. Restart the Tomcat application server.

Tip:To check if SAML integration is successful, once you launch the SAML configured application (BI launch pad, Fiorified BI launch pad or OpenDocument), you are redirected to the IDP.

To report this post you need to login first.


You must be Logged on to comment or reply to a post.

    1. Analytics Consultores


      I have a question, in the case where I am using MS ADFS, how should I do in step “3) User Creation on BOE”? I have all the process clear but that step does not.

      Could you help me please.
      Thanks in advance.


    2. Shruthi Annappa
      Post author

      Hi ,

      Since every idp requires certain set of specific  configuration.We observed that support for ADFS needs some more configuration changes, which will be supported for 4.2 SP06 onwards officially.




  1. Former Member

    Nice post…

    Of course in the real word you would make teh changes to the warfiles location and not directly in the Tomcat\webapps folders – Just so any patching/re-deploying keeps the changes




  2. Ivan Yin

    Hi Shruthi,

    Does it support for BI Mobile now? Can I do similar changes in MobileBIService warfiles to achieve SAML for BI Mobile?


      1. Harald Anton Mueller


        Hi Shruthi,


        can you tell, when this is planned to be available for the Mobile use-case? Thanks!

        From my technical point of view, this should be straight forward to be setup for the MobileBIService too, isn’t it?



  3. Jaume Moreno

    Hi Shruthi Annappa

    Using this guide, we have configured SAML between BO SP05 and IDP Novell (Access Manager), but when we are trying to test the SAML Authentication, this message appears in the browser:

    “Unable to complete request at this time. (Request was from an untrusted provider-521979AE010AD7A7)”

    Navigating into the logs in IDP Novell (Access Manager) we can see the error below:

    <b>System Event Time:</b> 2018-02-08 18:13:19 <b>Age:</b> 1M 38S 776Ms <b>Level:</b> Functional Loss
    Unable to validate SAML2 Trusted Service Provider. The trusted relationship with this entity will not be functional!
    Error Validating X509 Certificate of Trusted Provider
    Trusted Provider Type: SAML2 Trusted Service Provider
    Trusted Provider Id: http://XxxxxxXxxXX:8080/BOE/saml/metadata
    Error Validating X509 Signing Certificate
    X509 Certificate Version: 3
    X509 Certificate Subject: CN=Shruthi Annappa OU=SAP O=SAP L=BAN ST=KA C=IN
    X509 Certificate Issuer: CN=Shruthi Annappa OU=SAP O=SAP L=BAN ST=KA C=IN
    X509 Certificate Serial Number: XxXxXxXxX
    X509 Certificate Start Date: 2017-10-13 07:03:56
    X509 Certificate Expiration Date: 2019-10-18 07:03:56
    X509 Certificate Validation Root Exception: com.novell.nidp.NIDPException: Unable to find certificate chain. Root Cause: Unable to find certificate chain.

    We dont understand it, why appears your name as Subject and Issuer ?

    Where is the chain certificate ?

    Thanks a lot !!



  4. Former Member

    Hi Shruthi,


    Is SAML SSO authentication in BI4.2 SP4 P3 using Microsoft Azure AD Premium possible ?

    as per the above link it says SAML SSO works only with BI4.2 SP5 only.




  5. Chenghao Huang


    2)Configure Trusted Authentication with WebSession

    1. Paste the TrustedPrincipal.conf file in <INSTALLDIR>\SAP BusinessObjects Enterprise XI 4.0\win64_x64and <INSTALLDIR>\SAP BusinessObjects Enterprise XI 4.0\win64_x32  => this should be win32_x86?




  6. Former Member

    Hi Shruthi,

    we have a working SAML2 setup with BI 4.2 SP05 against a NetIQ Network Access Manager.

    Now we want to additionally use DNS aliases for accessing the BI server.

    In the SAP AS JAVA SAML2 wizard this is done via Trusted Provider->Authentication Requirements->Authentication Response-> Assertion Consumer Service-> “Application URL”.

    Any idea where to find this in BI 4.2 SP5 ?



  7. Former Member


    Hi, can we get LDAP users authentication through SSO once above steps are configured? Or is the above process only for Enterprise users?

  8. Former Member

    Thanks Shruti for the blog, grat information. We are trying to implement SSO between SalesForce and BOBJ to access embedded BOBJ reports in Salesforce. 1) Can it be done?  2) Our BOBJ userid id are SAP aliases & NOT enterprise, your blog describes process for enterprise id, how can we implement SAML with SAP aliases?

  9. Former Member

    Hi Shruti ,

    After implementing WEBSSO in BI 4.2 SP5 I am getting error in tomcat logs


    17-Apr-2018 15:38:06.320 INFO [localhost-startStop-1] org.apache.jasper.servlet.TldScanner.scanJars At least one JAR was scanned for TLDs yet contained no TLDs. Enable debug logging for this logger for a complete list of JARs that were scanned but no TLDs were found in them. Skipping unneeded JARs during scanning can improve startup time and JSP compilation time.
    Context initialization failed
    org.springframework.beans.factory.BeanDefinitionStoreException: IOException parsing XML document from ServletContext resource [/WEB-INF/applicationContext.xml]; nested exception is Could not open ServletContext resource [/WEB-INF/applicationContext.xml]
                    at org.springframework.beans.factory.xml.XmlBeanDefinitionReader.loadBeanDefinitions(
                    at org.springframework.beans.factory.xml.XmlBeanDefinitionReader.loadBeanDefinitions(
    please help
  10. Sagar Ghamandi

    Hello Shruti & Fellow Coders,

    We are trying to accomplish the same for SAP BO MOBILE  landscape by using.

    Usecase in a nuttshell: The Mobile iOS client hits the Mobile BO TOMCAT app server, TOMCAT then should redirect the request to an ID provider ( we are using PING authenticator for 2 factor authentication). User would then enter their Win AD credentials for PING to authenticate the user against the AD groups, Then the user is authenticated and logged in with SSO to BOBJ cms to obtain the content access.

    With the above being said, we are trying to accomplish the first step by exchanging of the Metadata between Mobile Tomcat Server ( as SP) and PING Server( as ID provider). spring_saml_metadata.XML ( from SP to IDP) and idp-metadownloaded.xml ( from IDP to SP). As a result of this I am expecting to get redirected to the ID provider login URL when a Client request for access is sent to the SP. I get the below error after having completed all the steps mentioned on this blog:

    HTTP Status 500 – Internal Server Error

    Type Exception Report

    Message org.opensaml.saml2.metadata.provider.MetadataProviderException: No IDP was configured, please update included metadata with at least one IDP

    Description The server encountered an unexpected condition that prevented it from fulfilling the request.


    javax.servlet.ServletException: org.opensaml.saml2.metadata.provider.MetadataProviderException: No IDP was configured, please update included metadata with at least one IDP$VirtualFilterChain.doFilter($VirtualFilterChain.doFilter($VirtualFilterChain.doFilter($VirtualFilterChain.doFilter($VirtualFilterChain.doFilter($VirtualFilterChain.doFilter($VirtualFilterChain.doFilter($VirtualFilterChain.doFilter(
    Any words of advice is appreciated.
  11. Tobias Spägele


    Hi all


    We’ve implemented using SAML for the BO-Server 4.2 SP5, with using a SAP webdispatcher. (Like SAP-Note: It’s working so fine.

    Now we connect the SAP webdispatcher with an other Server address (external Access). When accessing with this external Address we’re getting a 404 Error Page and in the log I can find the following message: “InResponseToField of the Response doesn’t correspond to sent message“.

    Is there any possibility to fill the Attribut AssertionConsumerURL dynamic ?
    Or any other Idea how to get this running without any the 404 Error Page


    Tobias Spaegele


Leave a Reply