Shruthi Annappa

SAML Authentication for BOE on Tomcat

This blog is focused on the SAML 2.0 support improvements with BI 4.2 SP05.

SAML 2.0 logon has been possible before SP05, but it had to be assembled: the application server is configured as a SAML service provider, the BO web application is configured for trusted authentication, and some glue code or configuration picks the user identity out of the SAML assertion and hands it to BO in the format trusted authentication expects. Once that chain is in place, BO logs the user on.

This setup is documented for SAP NetWeaver (BOE SAML with NetWeaver). Customers have struggled to reproduce it on other application servers, because it required third-party SAML libraries plus custom code and configuration.

Key Summary of the changes

  • Support is available from BI 4.2 SP05
  • Support is available for Apache Tomcat application server
  • Tomcat is now bundled with the Spring SAML libraries, which keeps the configuration customers have to do to a minimum
  • This covers the front-end logon via SAML only. The SAML ticket is not passed through for authentication to databases; DB SSO to HANA via SAML, to SAP BW via STS and to databases via stored credentials continue to work as before.

 

To use Tomcat Application Server as SAML Service Provider for BOE Web Applications

Follow the steps below:

1) Add the SAML Tomcat service provider jars (this step is only needed for SAML authentication of the BOE web applications)

a) The Spring SAML service provider jars are located in <BOE Install Dir>\SAP BusinessObjects Enterprise XI 4.0\SAMLJARS. Stop Tomcat.

Copy these jars to <BOE Install Dir>\tomcat\webapps\BOE\WEB-INF\lib.

b) Delete the work directory under <BOE Install Dir>\tomcat.

c) Restart Tomcat and wait for the work directory to be repopulated.

 

2) Configure trusted authentication with WebSession

a) Add a global.properties file under the custom folder <INSTALLDIR>\SAPBusinessObjects\tomcat\webapps\BOE\WEB-INF\config\custom. If global.properties already exists in the custom folder, append the trusted authentication settings to the existing file.

The content of global.properties is:

sso.enabled=true
trusted.auth.user.retrieval=WEB_SESSION
trusted.auth.user.param=UserName

With these settings the web tier takes the logon name from the web session attribute named UserName, which is where the SAML filter places the identity from the assertion, and presents it to the CMS via trusted authentication.

b) Configure trusted authentication in the CMC

Go to CMC > Applications > Authentication > Enterprise (the original post shows a screenshot of this screen).

  1. Enable Trusted Authentication.
  2. Set the validity period.
  3. Choose New Shared Secret.
  4. To download the generated shared secret, choose Download Shared Secret.

The TrustedPrincipal.conf file is downloaded.

  1. Paste the TrustedPrincipal.conf file into <INSTALLDIR>\SAP BusinessObjects Enterprise XI 4.0\win64_x64 and <INSTALLDIR>\SAP BusinessObjects Enterprise XI 4.0\win32_x86 (the author confirms the 32-bit folder name in the comments below).
  2. Go to CMC > Authentication > Enterprise and choose Update.
  3. Restart Tomcat.

Keep in mind what this file is: whoever can read the shared secret can log on to the CMS as any Enterprise user without a password, so restrict read access on TrustedPrincipal.conf to the service accounts that run Tomcat and the BI platform servers.

3) User creation on BOE

The IdP users have to exist in BOE: create them manually, import them with an SDK script, or import them from a CSV file in the CMC. SAML-based authentication relies on trusted authentication from the web server to the CMS, so the IdP users must be created in BOE as Enterprise users, and the user name carried in the SAML assertion must match the Enterprise account name.

 

If you are using SAP Cloud Platform Identity Provider, export all users and then import them into the BI platform; refer to How to import users in bulk from Central Management Console.

To export SAP Cloud Platform users to CSV, refer to Export Existing Users of a Tenant of SAP Cloud Platform Identity Authentication Service.

4) Edit securityContext.xml to enable the SAML endpoints

securityContext.xml is located at <INSTALLDIR>\tomcat\webapps\BOE\WEB-INF.

In securityContext.xml, locate the SAML entry point, which looks like this:

 

<security:http entry-point-ref="samlEntryPoint" use-expressions="false">
<!-- Comment/Uncomment for Launchpad -->
<security:intercept-url pattern="/BI" access="IS_AUTHENTICATED_FULLY"/>
<!-- Uncomment for Opendocument -->
<!--<security:intercept-url pattern="/OpenDocument/**" access="IS_AUTHENTICATED_FULLY"/>-->
<!-- Uncomment for Fiori Launchpad -->
<!--<security:intercept-url pattern="/BILaunchpad" access="IS_AUTHENTICATED_FULLY"/>-->
<security:custom-filter before="FIRST" ref="metadataGeneratorFilter"/>
<security:custom-filter after="BASIC_AUTH_FILTER" ref="samlFilter"/>
</security:http>

SAML authentication is enabled per application by leaving the matching intercept-url line uncommented under the SAML entry point:

a) For BI Launchpad: <security:intercept-url pattern="/BI" access="IS_AUTHENTICATED_FULLY"/>

b) For OpenDocument: <security:intercept-url pattern="/OpenDocument/**" access="IS_AUTHENTICATED_FULLY"/>

c) For the Fiorified BI Launchpad: <security:intercept-url pattern="/BILaunchpad" access="IS_AUTHENTICATED_FULLY"/>

Only URLs matched by an uncommented pattern are intercepted and redirected to the IdP; everything else keeps the existing logon behaviour.

Examples

1) To enable SAML authentication only for OpenDocument, and not for BI Launchpad or the Fiorified BI Launchpad, uncomment the line <security:intercept-url pattern="/OpenDocument/**" access="IS_AUTHENTICATED_FULLY"/> and comment out the entries for BI Launchpad and Fiori BI Launchpad. The SAML entry point then looks like this:

<security:http entry-point-ref="samlEntryPoint" use-expressions="false">
<!-- Comment/Uncomment for Launchpad -->
<!--<security:intercept-url pattern="/BI" access="IS_AUTHENTICATED_FULLY"/>-->
<!-- Uncomment for Opendocument -->
<security:intercept-url pattern="/OpenDocument/**" access="IS_AUTHENTICATED_FULLY"/>
<!-- Uncomment for Fiori Launchpad -->
<!--<security:intercept-url pattern="/BILaunchpad" access="IS_AUTHENTICATED_FULLY"/>-->
<security:custom-filter before="FIRST" ref="metadataGeneratorFilter"/>
<security:custom-filter after="BASIC_AUTH_FILTER" ref="samlFilter"/>
</security:http>

2) To enable SAML authentication for the Fiori Launchpad and OpenDocument, uncomment the lines <security:intercept-url pattern="/BILaunchpad" access="IS_AUTHENTICATED_FULLY"/> and <security:intercept-url pattern="/OpenDocument/**" access="IS_AUTHENTICATED_FULLY"/> and comment out the entry for BI Launchpad. The SAML entry point then looks like this:

<security:http entry-point-ref="samlEntryPoint" use-expressions="false">
<!-- Comment/Uncomment for Launchpad -->
<!--<security:intercept-url pattern="/BI" access="IS_AUTHENTICATED_FULLY"/>-->
<!-- Uncomment for Opendocument -->
<security:intercept-url pattern="/OpenDocument/**" access="IS_AUTHENTICATED_FULLY"/>
<!-- Uncomment for Fiori Launchpad -->
<security:intercept-url pattern="/BILaunchpad" access="IS_AUTHENTICATED_FULLY"/>
<security:custom-filter before="FIRST" ref="metadataGeneratorFilter"/>
<security:custom-filter after="BASIC_AUTH_FILTER" ref="samlFilter"/>
</security:http>

NOTE: The entry for the classic BI Launchpad is uncommented (enabled) by default.

5) Property changes for the web applications

The property is saml.enabled=true.

As with any other property, it is recommended to put it in /config/custom/<application>.properties.

If you do not yet have a custom properties file for the application, create an empty <application>.properties there; to be sure of the exact file name, look it up in the /config/default directory.

For example (assuming the custom properties file does not exist yet; if it does, just append saml.enabled=true to it):

For the classic BI Launchpad, create BIlaunchpad.properties under <BOE Install Dir>\tomcat\webapps\BOE\WEB-INF\config\custom

For the Fiorified BI Launchpad, create fioriBI.properties under <BOE Install Dir>\tomcat\webapps\BOE\WEB-INF\config\custom

For OpenDocument, create OpenDocument.properties under <BOE Install Dir>\tomcat\webapps\BOE\WEB-INF\config\custom

Add saml.enabled=true to the file.

NOTE: Both parts are mandatory. To enable SAML authentication for a web application you must uncomment its endpoint in securityContext.xml AND set saml.enabled=true in that application's custom properties file.

6) Configuration in the deployment descriptor web.xml

A new filter has been introduced for SAML. The relevant sections of web.xml are commented out by default.

Enable the filters by uncommenting the SAML section(s) in the web.xml of the BOE web application.

web.xml path: <BOE Install Dir>\tomcat\webapps\BOE\WEB-INF\web.xml

Uncomment the sections marked with a SAML comment (the original post shows before/after screenshots of each):

1. Uncomment the SAML listener and context-param entries.

2. Uncomment the SAML filter and filter-mapping entries.

3. Save web.xml with these changes.

 

7) Update the IdP metadata

To register the IdP with the service provider, download the IdP metadata from your identity provider, copy the file to <BOE Install Dir>\tomcat\webapps\BOE\WEB-INF and rename it to idp-meta-downloaded.xml. For details on downloading the IdP metadata from SAP Cloud Platform Identity Authentication, refer to Tenant SAML 2.0 Configuration. The file must describe at least one IdP (an IDPSSODescriptor); if it is missing or empty, the first SAML request fails with "No IDP was configured, please update included metadata with at least one IDP", which is the error Spring SAML raises when it finds no IdP in the loaded metadata.

If BOE is deployed on a non-Windows machine, check the path to the IdP metadata in the FilesystemMetadataProvider bean in securityContext.xml (under <BOE Install Dir>\tomcat\webapps\BOE\WEB-INF): it must use forward slashes. A value such as <value type="java.io.File">\WEB-INF\idp-meta-downloaded.xml</value> has to become <value type="java.io.File">/WEB-INF/idp-meta-downloaded.xml</value>, because on Linux and UNIX a backslash is an ordinary file-name character and the metadata file would simply not be found.

 

8) Keystore generation

This step is only required if you want to use your own keystore file, but you should: the sample keystore described here ships unchanged with every installation, so its private key and password are known to anyone who has the product. Use it for a throwaway test at most and generate your own keystore for anything else.

SAML exchanges use cryptography for signing and encrypting data. A sample self-signed keystore, sampletestKeystore.jks, is packaged with the product and is valid until October 18, 2019; its alias is Testkey and its password is Password1. To generate your own self-signed keystore with the Java keytool utility:

  1. Navigate to <INSTALLDIR>\SAP BusinessObjects Enterprise XI 4.0\win64_x64\sapjvm\bin.
  2. Run the command: keytool -genkeypair -alias aliasname -keypass password -keystore samplekeystore.jks -validity numberofdays

Example:

keytool -genkeypair -alias TestAlias -keypass AliasPassword -keystore sampleKeystore.jks -validity 735

Option  Description
-alias  Alias name of the certificate
-keypass  Password protecting the private key stored under that alias
-keystore  Name of the keystore file
-validity  Number of days for which the self-signed certificate is valid

  3. keytool then prompts for the keystore password and the certificate subject (the values below are the post's example):
    • Enter keystore password: *****(Password1)
    • Re-enter new password: *****(Password1)
    • What is your first and last name? : Rohit Prasad
    • What is the name of your organizational unit? : BusinessObjects
    • What is the name of your organization? : SAP
    • What is the name of your city and locality? : BLR
    • What is the name of your State and Province? : KA
    • What is the two-letter country code for this unit? : IN
  4. Stop the Tomcat application server.

The keystore file is generated in <INSTALLDIR>\SAP BusinessObjects Enterprise XI 4.0\win64_x64\sapjvm\bin.

  5. Move the keystore file to <INSTALLDIR>\tomcat\webapps\BOE\WEB-INF.
  6. Edit the keyManager bean in securityContext.xml under <INSTALLDIR>\tomcat\webapps\BOE\WEB-INF with the new keystore file name, keystore password, alias and alias password:

<bean id="keyManager" class="org.springframework.security.saml.key.JKSKeyManager">
  <constructor-arg value="/WEB-INF/sampleKeystore.jks"/>
  <constructor-arg type="java.lang.String" value="Password1"/>
  <constructor-arg><map><entry key="TestAlias" value="AliasPassword"/></map></constructor-arg>
  <constructor-arg type="java.lang.String" value="TestAlias"/>
</bean>

The alias must appear exactly as it was given to keytool, without surrounding spaces. The arguments are:

Argument  Description
<constructor-arg value="/WEB-INF/sampleKeystore.jks"/>  Location of the keystore file, relative to the web application root
<constructor-arg type="java.lang.String" value="Password1"/>  Password of the keystore
<entry key="TestAlias" value="AliasPassword"/>  Password of the private key under the alias TestAlias
<constructor-arg type="java.lang.String" value="TestAlias"/>  Alias of the default certificate

Note: The SP metadata embeds the certificate, so it has to be regenerated every time the keystore changes. The sample SP metadata works only with the sample keystore certificate.
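Steps 4 to 8 leave three settings that have to agree with each other and nothing in the product cross-checks them. The script below is an added example, not code from this post or from SAP: it writes a constructed miniature of <BOE Install Dir>\tomcat\webapps\BOE\WEB-INF into a temporary directory and checks that every uncommented intercept-url has saml.enabled=true in its custom properties file, that the keyManager bean no longer references sampletestKeystore.jks, and that idp-meta-downloaded.xml describes at least one IdP. The bean id, file names and pattern-to-properties mapping are the ones this post gives; the XML namespaces are the standard Spring and SAML ones, and the IdP hostname is made up.

```python
# Consistency check for the SAML settings from steps 4 to 8 (added example, not
# code from the post or from SAP). It writes a constructed miniature of
# <BOE Install Dir>\tomcat\webapps\BOE\WEB-INF to a temporary directory; bean
# ids, file names and the pattern-to-properties mapping come from the post.
import os
import tempfile
import xml.etree.ElementTree as ET

BEANS = "{http://www.springframework.org/schema/beans}"
SEC = "{http://www.springframework.org/schema/security}"
MD = "{urn:oasis:names:tc:SAML:2.0:metadata}"
SAMPLE_KEYSTORE = "sampletestKeystore.jks"   # keystore shipped with the product
PATTERN_TO_PROPERTIES = {                     # step 5 of the post
    "/BI": "BIlaunchpad.properties",
    "/OpenDocument/**": "OpenDocument.properties",
    "/BILaunchpad": "fioriBI.properties",
}
# Constructed securityContext.xml: only OpenDocument is SAML-protected.
SECURITY_CONTEXT = """<beans xmlns="http://www.springframework.org/schema/beans"
       xmlns:security="http://www.springframework.org/schema/security">
  <security:http entry-point-ref="samlEntryPoint" use-expressions="false">
    <!--<security:intercept-url pattern="/BI" access="IS_AUTHENTICATED_FULLY"/>-->
    <security:intercept-url pattern="/OpenDocument/**" access="IS_AUTHENTICATED_FULLY"/>
  </security:http>
  <bean id="keyManager" class="org.springframework.security.saml.key.JKSKeyManager">
    <constructor-arg value="/WEB-INF/%(keystore)s"/>
    <constructor-arg type="java.lang.String" value="Password1"/>
    <constructor-arg><map><entry key="TestAlias" value="AliasPassword"/></map></constructor-arg>
    <constructor-arg type="java.lang.String" value="TestAlias"/>
  </bean>
</beans>"""
# Constructed IdP metadata describing one IdP (hostname made up).
IDP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://idp.example.test/saml2">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
                            Location="https://idp.example.test/saml2/sso"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""

def load_properties(path):
    """Minimal java.util.Properties reader: key=value, '#' comments, trimmed."""
    if not os.path.exists(path):
        return None
    props = {}
    with open(path, encoding="utf-8") as fh:
        for line in fh:
            line = line.strip()
            if line and line[0] not in "#!":
                key, _, value = line.partition("=")
                props[key.strip()] = value.strip()
    return props

def check_saml_config(web_inf):
    """Return a list of findings; an empty list means the settings agree."""
    findings = []
    ctx = ET.parse(os.path.join(web_inf, "securityContext.xml")).getroot()
    # 1. Every active intercept-url needs saml.enabled=true in its properties
    #    file. ElementTree drops XML comments, so commented-out endpoints are
    #    invisible here, just as they are to Spring. (Unknown patterns raise.)
    for url in ctx.iter(SEC + "intercept-url"):
        name = PATTERN_TO_PROPERTIES[url.get("pattern")]
        props = load_properties(os.path.join(web_inf, "config", "custom", name))
        if props is None or props.get("saml.enabled", "").lower() != "true":
            findings.append("%s is SAML-protected but %s lacks saml.enabled=true"
                            % (url.get("pattern"), name))
    # 2. The keyManager bean must not still point at the shipped sample keystore.
    for bean in ctx.iter(BEANS + "bean"):
        if bean.get("id") == "keyManager":
            keystore = bean.find(BEANS + "constructor-arg").get("value", "")
            if keystore.endswith(SAMPLE_KEYSTORE):
                findings.append("keyManager still uses the sample keystore %s" % keystore)
    # 3. idp-meta-downloaded.xml must exist and describe at least one IdP.
    idp_path = os.path.join(web_inf, "idp-meta-downloaded.xml")
    if not os.path.exists(idp_path):
        findings.append("idp-meta-downloaded.xml not found in WEB-INF")
    elif not [s for d in ET.parse(idp_path).getroot().iter(MD + "IDPSSODescriptor")
              for s in d.iter(MD + "SingleSignOnService")]:
        findings.append("idp-meta-downloaded.xml has no IdP SingleSignOnService")
    return findings

def build_sample(base, keystore="ownKeystore.jks", saml_enabled=True, with_idp=True):
    """Write the constructed WEB-INF tree under base and return its path."""
    web_inf = os.path.join(base, "BOE", "WEB-INF")
    os.makedirs(os.path.join(web_inf, "config", "custom"))
    files = {"securityContext.xml": SECURITY_CONTEXT % {"keystore": keystore}}
    if saml_enabled:   # spacing as written in the post
        files[os.path.join("config", "custom", "OpenDocument.properties")] = "saml.enabled =true\n"
    if with_idp:
        files["idp-meta-downloaded.xml"] = IDP_METADATA
    for name, text in files.items():
        with open(os.path.join(web_inf, name), "w", encoding="utf-8") as fh:
            fh.write(text)
    return web_inf

def demo():
    """Run the check on a correct tree and on three broken variants."""
    cases = {"ok": {}, "sample_keystore": {"keystore": SAMPLE_KEYSTORE},
             "no_properties": {"saml_enabled": False}, "no_idp": {"with_idp": False}}
    results = {}
    for name, kwargs in cases.items():
        with tempfile.TemporaryDirectory() as tmp:
            results[name] = check_saml_config(build_sample(tmp, **kwargs))
    return results
```

To run it against a real installation, call check_saml_config() with the path of the deployed WEB-INF instead of the constructed tree; the missing-IdP finding corresponds to the "No IDP was configured" error that several comments below report.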

9) Restart the Tomcat application server.

10) Generate and upload the service provider metadata

Go to http://host:port/BOE/BI/saml/metadata. The XML file is downloaded automatically when you open this URL. Upload it to the identity provider using whatever mechanism the IdP offers for registering a service provider.

 

 

Note

Instead of generating it, you can use the default service provider metadata file spring_saml_metadata.xml located at <INSTALLDIR>\tomcat\webapps\BOE\WEB-INF. You must replace the placeholder <replace_withip> with the IP address of the machine and <replace_withport> with the port number of the Tomcat application server, and replace HTTP with HTTPS if you have enabled HTTPS in Tomcat. The IdP will post SAML responses to the AssertionConsumerService URL in this file, so the value you substitute must be the address that browsers actually use to reach the BI platform, not an internal address hidden behind a reverse proxy or web dispatcher.
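The placeholder substitution and the check that the resulting endpoints are the public ones, as an added example that is not code from this post or from SAP. The template is a constructed minimal SAML 2.0 SP descriptor carrying the two placeholders the post names, <replace_withip> and <replace_withport>; it is not a copy of the shipped spring_saml_metadata.xml, and the hostnames and ports are made up. Using a public hostname rather than an IP address is this editor's recommendation, since that is the URL the IdP redirects the browser back to.

```python
# Fill in and sanity-check the SP metadata before uploading it to the IdP
# (added example, not code from the post or from SAP). The template is a
# constructed minimal SAML 2.0 SP descriptor with the post's placeholders; it
# is not a copy of spring_saml_metadata.xml, and the hostnames are made up.
from urllib.parse import urlsplit
import xml.etree.ElementTree as ET

MD = "{urn:oasis:names:tc:SAML:2.0:metadata}"
SP_TEMPLATE = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="http://<replace_withip>:<replace_withport>/BOE/saml/metadata">
  <md:SPSSODescriptor AuthnRequestsSigned="true" WantAssertionsSigned="true"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="http://<replace_withip>:<replace_withport>/BOE/saml/SingleLogout"/>
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="http://<replace_withip>:<replace_withport>/BOE/saml/SSO"
        index="0" isDefault="true"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""

def render_sp_metadata(template, host, port, https=True):
    """Substitute the placeholders; with https=True also switch http:// to
    https:// for that origin, as the post says to do when Tomcat uses HTTPS."""
    text = template.replace("<replace_withip>", host).replace("<replace_withport>", str(port))
    if https:
        text = text.replace("http://%s:%s/" % (host, port), "https://%s:%s/" % (host, port))
    return text

def validate_sp_metadata(xml_text, public_origin):
    """Return findings: leftover placeholders, non-HTTPS endpoints, or endpoints
    whose origin is not the one browsers reach (e.g. an internal IP behind a
    web dispatcher). The IdP posts its response to the AssertionConsumerService
    Location it finds here, and identifies the SP by entityID, so both have to
    be final and public before the file is uploaded."""
    if "<replace_with" in xml_text:
        return ["placeholders still present"]   # not even well-formed XML yet
    root = ET.fromstring(xml_text)
    urls = [("entityID", root.get("entityID"))]
    for tag in ("AssertionConsumerService", "SingleLogoutService"):
        urls += [(tag, el.get("Location")) for el in root.iter(MD + tag)]
    findings = []
    for name, url in urls:
        parts = urlsplit(url)
        if parts.scheme != "https":
            findings.append("%s is not HTTPS: %s" % (name, url))
        if "%s://%s" % (parts.scheme, parts.netloc) != public_origin:
            findings.append("%s is not on %s: %s" % (name, public_origin, url))
    return findings

def demo():
    """Public hostname over HTTPS versus an internal IP over plain HTTP."""
    origin = "https://bi.example.test:8443"
    good = render_sp_metadata(SP_TEMPLATE, "bi.example.test", 8443)
    bad = render_sp_metadata(SP_TEMPLATE, "10.0.0.5", 8080, https=False)
    return {"good": validate_sp_metadata(good, origin),
            "bad": validate_sp_metadata(bad, origin),
            "raw": validate_sp_metadata(SP_TEMPLATE, origin)}
```

The origin check is the one that catches the situation described in the comments below, where the platform is reached through a web dispatcher under a different external address than the one written into the metadata.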

 

For example, with HCP (SAP Cloud Platform) as the IdP, follow these steps:

The SP metadata is uploaded when you create a SAML application in HCP.

1. Create a new application under Applications (the original post shows a screenshot).

2. Upload the SP metadata (the original post shows a screenshot).

  1. If you are using SAP Cloud Identity, refer to Configure a Trusted Service Provider for creating a SAML application in the IdP and uploading the SP XML to configure SAML SSO to the BI platform.
  2. Restart the Tomcat application server.

Tip: To check whether the SAML integration is working, launch the SAML-configured application (BI launch pad, Fiorified BI launch pad or OpenDocument); you should be redirected to the IdP.

      41 Comments
      Nelis Lamprecht

      Great, about time.

      Can you confirm this is working with Microsoft ADFS 2.0/3.0 ? Thanks for the information.

       

      Shruthi Annappa (Blog Post Author)

      Hi ,

      This works on any IDP which supports SAML 2.0

      Analytics Consultores

      Hi,

      I have a question: in the case where I am using MS ADFS, what should I do in step "3) User Creation on BOE"? I have the whole process clear except that step.

      Could you help me please.
      Thanks in advance.

       

      Shruthi Annappa (Blog Post Author)

      Hi ,

      Since every IdP requires a certain set of specific configuration, we observed that support for ADFS needs some more configuration changes, which will be officially supported from 4.2 SP06 onwards.

       

      Regards,

      Shruthi

      Maik Haslinger

      Can you describe the changes in more detail before 4.2 SP06 is released? We would like to use it with ADFS.

      Maik Haslinger

      Analytics Consultores may you check https://blogs.sap.com/2018/02/22/adfs-with-sap-business-intelligence-platform/ for ADFS support?

      Former Member

      Nice post...

      Of course in the real world you would make the changes in the warfiles location and not directly in the Tomcat\webapps folders, just so any patching/re-deploying keeps the changes.

       

      Tim

       

      Ivan Yin

      Hi Shruthi,

      Does it support for BI Mobile now? Can I do similar changes in MobileBIService warfiles to achieve SAML for BI Mobile?

      Regards,
      Ivan

      Shruthi Annappa (Blog Post Author)

      Hi Yin,

      This feature is on the future roadmap for MobileBIService.

       

      Regards,

      Shruthi

      Harald Anton Mueller

       

      Hi Shruthi,

       

      can you tell, when this is planned to be available for the Mobile use-case? Thanks!

      From my technical point of view, this should be straight forward to be setup for the MobileBIService too, isn't it?

      Regards,

      Harald

      Imran Mullani

       

      Nice post and really Useful !!

       

      Is SAML 2.0 supported for BI 4.2 SP3 patch 3 as well, or does it only work for SP5? Any clue?

      Shruthi Annappa (Blog Post Author)

      Thanks. It works only on SP05

      Imran Mullani

      Thank you Shruthi for your swift response.

      I will look into other SSO methods 

       

       

      Jaime Moreno

      Hi Shruthi Annappa

      Using this guide, we have configured SAML between BO SP05 and IDP Novell (Access Manager), but when we are trying to test the SAML Authentication, this message appears in the browser:

      "Unable to complete request at this time. (Request was from an untrusted provider-521979AE010AD7A7)"

      Navigating into the logs in IDP Novell (Access Manager) we can see the error below:

      <b>System Event Time:</b> 2018-02-08 18:13:19 <b>Age:</b> 1M 38S 776Ms <b>Level:</b> Functional Loss
      <b>Comments:</b>
      Unable to validate SAML2 Trusted Service Provider. The trusted relationship with this entity will not be functional!
      Error Validating X509 Certificate of Trusted Provider
      Trusted Provider Type: SAML2 Trusted Service Provider
      Trusted Provider Id: http://XxxxxxXxxXX:8080/BOE/saml/metadata
      Error Validating X509 Signing Certificate
      X509 Certificate Version: 3
      X509 Certificate Subject: CN=Shruthi Annappa OU=SAP O=SAP L=BAN ST=KA C=IN
      X509 Certificate Issuer: CN=Shruthi Annappa OU=SAP O=SAP L=BAN ST=KA C=IN
      X509 Certificate Serial Number: XxXxXxXxX
      X509 Certificate Start Date: 2017-10-13 07:03:56
      X509 Certificate Expiration Date: 2019-10-18 07:03:56
      X509 Certificate Validation Root Exception: com.novell.nidp.NIDPException: Unable to find certificate chain. Root Cause: java.security.cert.CertPathBuilderException: Unable to find certificate chain.

      We don't understand it; why does your name appear as Subject and Issuer?

      Where is the certificate chain?

      Thanks a lot !!

      Jaume.

       

      Shruthi Annappa (Blog Post Author)

      Hi ,

       

      It is only a sample certificate. Can you please try to generate your own certificate and try again?

       

      Regards,

      Shruthi

      Jaime Moreno

      Thanks Shruthi

      Now it is working with our certificate.

      Regards,

       

      Former Member

      Hi Shruthi,

       

      Is SAML SSO authentication in BI 4.2 SP4 P3 using Microsoft Azure AD Premium possible?

      As per the above link, it says SAML SSO works only with BI 4.2 SP5.

       

      Regards,

      Tim

      Chenghao Huang

      Hi,

      2)Configure Trusted Authentication with WebSession

      1. Paste the TrustedPrincipal.conf file in <INSTALLDIR>\SAP BusinessObjects Enterprise XI 4.0\win64_x64and <INSTALLDIR>\SAP BusinessObjects Enterprise XI 4.0\win64_x32  => this should be win32_x86?

      Regards,

      Chenghao

       

      Shruthi Annappa (Blog Post Author)

      Yeah Huang. It has to be put in win32_x86 and win64_x64.

      Former Member

      Hi Shruthi,

      we have a working SAML2 setup with BI 4.2 SP05 against a NetIQ Network Access Manager.

      Now we want to additionally use DNS aliases for accessing the BI server.

      In the SAP AS JAVA SAML2 wizard this is done via Trusted Provider->Authentication Requirements->Authentication Response-> Assertion Consumer Service-> "Application URL".

      Any idea where to find this in BI 4.2 SP5 ?

      Thanks

      Michael

      Satya Vara Kalla

       

      Hi, can we get LDAP users authenticated through SSO once the above steps are configured? Or is the above process only for Enterprise users?

      Shruthi Annappa (Blog Post Author)

      Hi Satya,

      As of 4.2 SP05 the LDAP users have to be manually created as Enterprise users.

       

      Regards,

      Shruthi

      Vishal Bagherwal

      Thanks Shruti for the blog, great information. We are trying to implement SSO between Salesforce and BOBJ to access embedded BOBJ reports in Salesforce. 1) Can it be done? 2) Our BOBJ user ids are SAP aliases and NOT Enterprise; your blog describes the process for Enterprise ids, so how can we implement SAML with SAP aliases?

      Former Member

      Hi Shruti ,

      After implementing WEBSSO in BI 4.2 SP5 I am getting an error in the Tomcat logs:

       

      17-Apr-2018 15:38:06.320 INFO [localhost-startStop-1] org.apache.jasper.servlet.TldScanner.scanJars At least one JAR was scanned for TLDs yet contained no TLDs. Enable debug logging for this logger for a complete list of JARs that were scanned but no TLDs were found in them. Skipping unneeded JARs during scanning can improve startup time and JSP compilation time.
      Context initialization failed
      org.springframework.beans.factory.BeanDefinitionStoreException: IOException parsing XML document from ServletContext resource [/WEB-INF/applicationContext.xml]; nested exception is java.io.FileNotFoundException: Could not open ServletContext resource [/WEB-INF/applicationContext.xml]
                      at org.springframework.beans.factory.xml.XmlBeanDefinitionReader.loadBeanDefinitions(XmlBeanDefinitionReader.java:341)
                      at org.springframework.beans.factory.xml.XmlBeanDefinitionReader.loadBeanDefinitions(XmlBeanDefinitionReader.java:302)
                      at org.springframework.beans.factory.support.AbstractBeanDefinitionReader.loadBeanDefinitions(AbstractBeanDefinitionReader.java:174)
                      at org.springframework.beans.factory.support.AbstractBeanDefinitionReader.loadBeanDefinitions(AbstractBeanDefinitionReader.java:209)
                      at org.springframework.beans.factory.support.AbstractBeanDefinitionReader.loadBeanDefinitions(AbstractBeanDefinitionReader.java:180)
                      at org.springframework.web.context.support.XmlWebApplicationContext.loadBeanDefinitions(XmlWebApplicationContext.java:125)
                      at org.springframework.web.context.support.XmlWebApplicationContext.loadBeanDefinitions(XmlWebApplicationContext.java:94)
                      at org.springframework.context.support.AbstractRefreshableApplicationContext.refreshBeanFactory(AbstractRefreshableApplicationContext.java:131)
      please help
      Sagar Ghamandi

      Hello Shruti & Fellow Coders,

      We are trying to accomplish the same for the SAP BO Mobile landscape.

      Use case in a nutshell: the mobile iOS client hits the Mobile BO Tomcat app server; Tomcat should then redirect the request to an identity provider (we are using the PING authenticator for 2-factor authentication). The user would then enter their Windows AD credentials for PING to authenticate the user against the AD groups, after which the user is authenticated and logged in with SSO to the BOBJ CMS to obtain content access.

      With the above being said, we are trying to accomplish the first step by exchanging the metadata between the Mobile Tomcat server (as SP) and the PING server (as identity provider): spring_saml_metadata.xml (from SP to IdP) and idp-meta-downloaded.xml (from IdP to SP). As a result of this I am expecting to get redirected to the identity provider login URL when a client request for access is sent to the SP. I get the below error after having completed all the steps mentioned in this blog:

      HTTP Status 500 – Internal Server Error


      Type Exception Report

      Message org.opensaml.saml2.metadata.provider.MetadataProviderException: No IDP was configured, please update included metadata with at least one IDP

      Description The server encountered an unexpected condition that prevented it from fulfilling the request.

      Exception

      javax.servlet.ServletException: org.opensaml.saml2.metadata.provider.MetadataProviderException: No IDP was configured, please update included metadata with at least one IDP
      	org.springframework.security.saml.SAMLEntryPoint.commence(SAMLEntryPoint.java:161)
      	org.springframework.security.web.access.ExceptionTranslationFilter.sendStartAuthentication(ExceptionTranslationFilter.java:186)
      	org.springframework.security.web.access.ExceptionTranslationFilter.handleSpringSecurityException(ExceptionTranslationFilter.java:168)
      	org.springframework.security.web.access.ExceptionTranslationFilter.doFilter(ExceptionTranslationFilter.java:131)
      	org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
      	org.springframework.security.web.session.SessionManagementFilter.doFilter(SessionManagementFilter.java:103)
      	org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
      	org.springframework.security.web.authentication.AnonymousAuthenticationFilter.doFilter(AnonymousAuthenticationFilter.java:113)
      	org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
      	org.springframework.security.web.servletapi.SecurityContextHolderAwareRequestFilter.doFilter(SecurityContextHolderAwareRequestFilter.java:54)
      	org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
      	org.springframework.security.web.savedrequest.RequestCacheAwareFilter.doFilter(RequestCacheAwareFilter.java:45)
      	org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
      	org.springframework.security.web.FilterChainProxy.doFilterInternal(FilterChainProxy.java:186)
      	org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:166)
      	org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
      	org.springframework.security.web.context.SecurityContextPersistenceFilter.doFilter(SecurityContextPersistenceFilter.java:87)
      	org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
      	org.springframework.security.saml.metadata.MetadataGeneratorFilter.doFilter(MetadataGeneratorFilter.java:87)
      	org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
      	org.springframework.security.web.FilterChainProxy.doFilterInternal(FilterChainProxy.java:192)
      
      
      Any words of advice is appreciated.
      
      Thanks,
      Sagar.
      Sumanth Thunga

      Hi Sagar,

      Were you able to resolve this issue? If so, any hints on the resolution. I am having the same issue.

       

      Thanks

      Sumanth

      Chaitanya Kumar

      Hi Sagar,

      I am trying exactly the same scenario. Can you please help with how you downloaded the metadata file from PingID (IdP), and were you able to succeed?

       

      There are no blogs about PingID SAML configuration with BI 4.2. Your answer will be really helpful.

       

      Thanks

      Chaitanya

       

      Former Member

      HI Team ,

       

      I followed the above process exactly, but the IdP is redirecting to http://localhost8080/BOE/logon.jsp instead of http://localhost8080/BOE/BI/logon.jsp

      Can you please help me on this

      Tobias Spägele

       

      Hi all

       

      We've implemented SAML for the BO server 4.2 SP5 using a SAP web dispatcher (as in SAP Note https://launchpad.support.sap.com/#/notes/2621904). It's working fine.

      Now we connect the SAP web dispatcher with another server address (external access). When accessing via this external address we get a 404 error page, and in the log I can find the following message: "InResponseToField of the Response doesn't correspond to sent message".

      Is there any possibility to fill the attribute AssertionConsumerURL dynamically?
      Or any other idea how to get this running without the 404 error page?

      regards

      Tobias Spaegele

      Ram M

      Hi All,

      Recently we upgraded BO from 4.1 SP6 to 4.2 SP7 and we are facing an issue when navigating from one report to another; the error is shown below.

      HTTP Status 500 – Internal Server Error


      Type Exception Report

      Message org.opensaml.saml2.metadata.provider.MetadataProviderException: No IDP was configured, please update included metadata with at least one IDP

      Description The server encountered an unexpected condition that prevented it from fulfilling the request.

      Exception

      javax.servlet.ServletException: org.opensaml.saml2.metadata.provider.MetadataProviderException: No IDP was configured, please update included metadata with at least one IDP
      	org.springframework.security.saml.SAMLEntryPoint.commence(SAMLEntryPoint.java:161)
      	org.springframework.security.web.access.ExceptionTranslationFilter.sendStartAuthentication(ExceptionTranslationFilter.java:186)
      	org.springframework.security.web.access.ExceptionTranslationFilter.handleSpringSecurityException(ExceptionTranslationFilter.java:168)
      	org.springframework.security.web.access.ExceptionTranslationFilter.doFilter(ExceptionTranslationFilter.java:131)
      	org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
      	org.springframework.security.web.session.SessionManagementFilter.doFilter(SessionManagementFilter.java:103)
      	org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
      	org.springframework.security.web.authentication.AnonymousAuthenticationFilter.doFilter(AnonymousAuthenticationFilter.java:113)
      	org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
      	org.springframework.security.web.servletapi.SecurityContextHolderAwareRequestFilter.doFilter(SecurityContextHolderAwareRequestFilter.java:54)
      	org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
      	org.springframework.security.web.savedrequest.RequestCacheAwareFilter.doFilter(RequestCacheAwareFilter.java:45)
      	org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
      	org.springframework.security.web.FilterChainProxy.doFilterInternal(FilterChainProxy.java:186)
      	org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:166)
      	org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
      	org.springframework.security.web.context.SecurityContextPersistenceFilter.doFilter(SecurityContextPersistenceFilter.java:87)
      	org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
      	org.springframework.security.saml.metadata.MetadataGeneratorFilter.doFilter(MetadataGeneratorFilter.java:87)
      	org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
      	org.springframework.security.web.FilterChainProxy.doFilterInternal(FilterChainProxy.java:192)
      	org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:160)
      	org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:346)
      	org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:259)
      	com.businessobjects.saml.CustomSAMLDelegatingFilterProxy.doFilter(CustomSAMLDelegatingFilterProxy.java:60)
      

      Root Cause

      org.opensaml.saml2.metadata.provider.MetadataProviderException: No IDP was configured, please update included metadata with at least one IDP
      	org.springframework.security.saml.metadata.MetadataManager.getDefaultIDP(MetadataManager.java:781)
      	org.springframework.security.saml.context.SAMLContextProviderImpl.populatePeerEntityId(SAMLContextProviderImpl.java:157)
      	org.springframework.security.saml.context.SAMLContextProviderImpl.getLocalAndPeerEntity(SAMLContextProviderImpl.java:127)
      	org.springframework.security.saml.SAMLEntryPoint.commence(SAMLEntryPoint.java:146)
      	org.springframework.security.web.access.ExceptionTranslationFilter.sendStartAuthentication(ExceptionTranslationFilter.java:186)
      	org.springframework.security.web.access.ExceptionTranslationFilter.handleSpringSecurityException(ExceptionTranslationFilter.java:168)
      	org.springframework.security.web.access.ExceptionTranslationFilter.doFilter(ExceptionTranslationFilter.java:131)
      	org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
      	org.springframework.security.web.session.SessionManagementFilter.doFilter(SessionManagementFilter.java:103)
      	org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
      	org.springframework.security.web.authentication.AnonymousAuthenticationFilter.doFilter(AnonymousAuthenticationFilter.java:113)
      	org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
      	org.springframework.security.web.servletapi.SecurityContextHolderAwareRequestFilter.doFilter(SecurityContextHolderAwareRequestFilter.java:54)
      	org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
      	org.springframework.security.web.savedrequest.RequestCacheAwareFilter.doFilter(RequestCacheAwareFilter.java:45)
      	org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
      	org.springframework.security.web.FilterChainProxy.doFilterInternal(FilterChainProxy.java:186)
      	org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:166)
      	org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
      	org.springframework.security.web.context.SecurityContextPersistenceFilter.doFilter(SecurityContextPersistenceFilter.java:87)
      	org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
      	org.springframework.security.saml.metadata.MetadataGeneratorFilter.doFilter(MetadataGeneratorFilter.java:87)
      	org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
      	org.springframework.security.web.FilterChainProxy.doFilterInternal(FilterChainProxy.java:192)
      	org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:160)
      	org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:346)
      	org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:259)
      	com.businessobjects.saml.CustomSAMLDelegatingFilterProxy.doFilter(CustomSAMLDelegatingFilterProxy.java:60)

Any solution for this problem?

Ram M
      
      
      Jean Marie Baudet

      Hi

4.2 SP7 with Tomcat is installed on Linux. I resolved the error "Message org.opensaml.saml2.metadata.provider.MetadataProviderException: No IDP was configured, please update included metadata with at least one IDP"

In the default securityContext.xml provided by 4.2 SP7 I have replaced

<value type="java.io.File">/WEB-INF/idp-meta-downloaded.xml</value>

by

<value type="java.io.File">WEB-INF/idp-meta-downloaded.xml</value>

      Jean-Marie

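Two things go wrong in the situation Jean-Marie describes, and both can be checked before restarting Tomcat. First, the `<value type="java.io.File">` entry is handed to `java.io.File`, so on Linux a leading `/` makes it an absolute path from the filesystem root rather than a path inside the webapp; a relative value is resolved against the JVM's working directory. Second, the "No IDP was configured" exception is thrown by Spring SAML's `MetadataManager` when none of the loaded metadata documents contains an `IDPSSODescriptor`. The script below is an added example written for this page, not code from SAP or from the Spring SAML project: it mimics the path rule and parses a metadata file to confirm it describes at least one IdP with an SSO endpoint and a signing certificate. The entity IDs, URLs, certificate text and the `/opt/tomcat` working directory are constructed sample values.

```python
"""Sanity-check a SAML 2.0 IdP metadata file and the java.io.File path that
points at it, before Spring SAML's MetadataManager loads it.

Added example, not SAP's or Spring SAML's code. Assumed: the metadata is a
plain EntityDescriptor (or EntitiesDescriptor) document, and the work
directory used below is just an illustrative location.
"""
import posixpath
import xml.etree.ElementTree as ET

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
DS = "http://www.w3.org/2000/09/xmldsig#"
NS = {"md": MD, "ds": DS}


def resolve_file_value(value, work_dir="/opt/tomcat"):
    """Mimic how java.io.File on Linux interprets the <value> text.

    A leading '/' makes the path absolute, so '/WEB-INF/x.xml' is looked up
    under the filesystem root, not inside the webapp. A relative value is
    resolved against the JVM's working directory (work_dir is an assumed
    example; the real one depends on how Tomcat was started).
    """
    if value.startswith("/"):
        return value
    return posixpath.join(work_dir, value)


def check_idp_metadata(xml_text):
    """Return (idps, problems).

    idps lists every EntityDescriptor that carries an IDPSSODescriptor;
    problems lists defects that would leave the SP without a usable IdP,
    which is exactly the state behind 'No IDP was configured'.
    """
    root = ET.fromstring(xml_text)
    idps, problems = [], []
    # iter() includes the root, so a single EntityDescriptor and a wrapping
    # EntitiesDescriptor are both handled.
    for ed in root.iter(f"{{{MD}}}EntityDescriptor"):
        entity_id = ed.get("entityID")
        idp = ed.find("md:IDPSSODescriptor", NS)
        if idp is None:
            continue  # SP-only descriptors do not count as IdPs
        sso = [(s.get("Binding"), s.get("Location"))
               for s in idp.findall("md:SingleSignOnService", NS)]
        # A KeyDescriptor without a 'use' attribute is valid for signing too.
        signing = [kd for kd in idp.findall("md:KeyDescriptor", NS)
                   if kd.get("use") in (None, "signing")
                   and kd.find(".//ds:X509Certificate", NS) is not None]
        if not sso:
            problems.append(f"{entity_id}: IDPSSODescriptor has no SingleSignOnService")
        if not signing:
            problems.append(f"{entity_id}: no signing certificate, so assertion "
                            "signatures from this IdP cannot be verified")
        idps.append({"entityID": entity_id, "sso": sso, "signing_certs": len(signing)})
    if not idps:
        problems.append("no IDPSSODescriptor found: MetadataManager would raise "
                        "'No IDP was configured'")
    return idps, problems


# Constructed sample metadata (not from any real IdP); the certificate text
# is a placeholder, the checker only tests for its presence.
GOOD_IDP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    entityID="https://idp.example.test/saml">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data>
        <ds:X509Certificate>MIIB-CONSTRUCTED-PLACEHOLDER</ds:X509Certificate>
      </ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://idp.example.test/saml/sso"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>
"""

# Constructed SP metadata: parses fine but contains no IdP at all.
SP_ONLY_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://bo.example.test/BOE">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://bo.example.test/BOE/saml/SSO" index="0"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>
"""

if __name__ == "__main__":
    for value in ("/WEB-INF/idp-meta-downloaded.xml", "WEB-INF/idp-meta-downloaded.xml"):
        print(f"{value!r} -> {resolve_file_value(value)}")
    for label, doc in (("idp", GOOD_IDP_METADATA), ("sp-only", SP_ONLY_METADATA)):
        idps, problems = check_idp_metadata(doc)
        print(label, "IdPs:", [i["entityID"] for i in idps], "problems:", problems)
```

Point the script at the file Tomcat will actually read (the resolved path, not the one you think you configured) and fix anything it reports before the restart; an IdP entry whose signing certificate is missing should be treated as a blocker, not a warning, because an SP that cannot verify assertion signatures has no basis for trusting the login.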
      Vishal Bagherwal

Hello guys, is it possible to use the SAML method for group mapping? Is there a way BOBJ groups can get synced with Ping SAML like LDAP?

      Ashly Titus

      Hello

We are having BO 4.2 SP7 and we would like to configure SAML2 for SSO for BI Launchpad and also use it to access reports via mobility.

Does anyone have a reference configuration guide for an end-to-end implementation of SSO using SAML2?

      Regards

      Ashly


Hello

Can you help me? It's not working for me.

SAP BI 4.2 SP05

I have this error message:

État HTTP 404 – Not Found

Type Rapport d'état

message /BOE/saml/login

description La ressource demandée n'est pas disponible.

      thanks

Nabil BENJEBARA

Sorry, this message:

Type Rapport d'état

message /BOE/BI

description La ressource demandée n'est pas disponible.

      Stephen Camilleri

      Hi,

We've been reading and rereading this document as it is one of the only, if not the only one, explaining SAML with Tomcat and ADFS.

We need to set up ADFS with BO4.3 using Tomcat as the application server and web server on a Windows 2016 server platform.

The first hurdle is this statement "... spring saml service provider jars exists inside <BOE  Install  Dir> \SAP BusinessObjects Enterprise XI 4.0\SAMLJARS ...". There are NO such files available.

      Tomcat is the 9.0 latest bundled with the BO4.3 installation. Where can we source these files from please?

      Thank You

      Stephen

      Arju Sharma

Hey Stephen,

Were you able to find the path to the SAML jar files?

I am trying to implement SAML for OpenDocument for BO 4.2 SP8 but couldn't find the jar files as originally mentioned in the blog.

Any help is highly appreciated.

      Thank you

      Arju Sharma

      Sravan Kumar Gostu

      Hi,

Thanks for the detailed steps to implement SAML for BO.

We have followed the steps and are able to configure SAML and also MFA using Ping ID,

but still, while opening BO CMC, user credentials are being asked for. Can you please guide what could be the error?

      Arju Sharma

Hey Sravan,

Where did you find the SAML jar files?

What BO version have you implemented SAML on?

      Thank you

      Arju Sharma

      KASHIF ANSARI

Hi Shruthi Annappa,

Regarding the URL for generating SP metadata: will it make a difference between the 2 below?

http://host:port/BOE/saml/metadata

http://host:port/BOE/BI/saml/metadata

      Turgay Samdanli

Hi, is Oracle Access Manager supported?