SAML Authentication for BOE on Tomcat
This blog is focused on the SAML 2.0 support improvements with BI 4.2 SP05.
The support for SAML 2.0 is available today as well. Basically, application server needs to be configured as SAML service provider and BO application needs to be configured for trusted authentication. And there has to be glue code/config that picks up user information from SAML assertion response and provide that to BO in the defined format. Once that happens BO logs you in as a user.
This support is documented for SAP NetWeaver (BOE SAML with Netweaver). However, customers have struggled to set this up for other application servers as this required third-party SAML libraries and some custom code/configuration.
Key Summary of the changes
- Support is available from BI 4.2 SP05
- Support is available for Apache Tomcat application server
- Tomcat application server now is bundled with spring SAML libraries, which makes the required configuration minimal for customers
- This addresses the front-end logon via SAML Usecase. However, the same SAML ticket is not used for authentication to databases (DB SSO to HANA via SAML, to SAP BW via STS and to DBs via stored credentials would still work).
To use Tomcat Application Server as SAML Service Provider for BOE Web Applications
Follow the steps below:
1)Adding SAML Tomcat service provider jars.( This step is only for SAML Authentication for BOE Web Applications )
a).The spring saml service provider jars exists inside <BOE Install Dir> \SAP BusinessObjects Enterprise XI 4.0\SAMLJARS. Stop Tomcat.
Copy these jars to <BOE Install Dir>\tomcat\webapps\BOE\WEB-INF\lib.
b).Delete work from <BOE Install Dir>\tomcat.
c).Restart tomcat.Wait for tomcat work to be populated.
2)Configure Trusted Authentication with WebSession
a)Add the global.properties file under the custom folder <INSTALLDIR>\SAPBusinessObjects\tomcat\webapps\BOE\WEB-INF\config\custom. In case global.properties file exists under custom folder, the trusted authentication configuration has to be appended to the existing file.
Following is the content for global.properties:
sso.enabled=true
trusted.auth.user.retrieval=WEB_SESSION
trusted.auth.user.param=UserName
b)Configures Trusted Auth in CMC
Go to CMC Application, Authentication , Enterprise . Refer Screen below
- Enable Trusted Authentication.
- Set the Validity.
- Choose New Shared Secret.
- To download the generated shared secret, choose Download Shared Secret.
The TrustedPrincipal.conf file is downloaded.
- Paste the TrustedPrincipal.conf file in <INSTALLDIR>\SAP BusinessObjects Enterprise XI 4.0\win64_x64and <INSTALLDIR>\SAP BusinessObjects Enterprise XI 4.0\win64_x32
- Go to CMC Authentication Enterprise and choose Update.
- Restart Tomcat.
3)User Creation on BOE .
The IDP user has to created in BOE or imported through some SDK script or export using CSV option in CMC.The SAML based authentication relies on TrustedAuth from the web-server to the CMS. For this, the IDP users will have to be created in BOE as Enterprise users.
If you are using SAP Cloud Platform Identity Provider, export all the users and then import them to the BI platform. Refer How to import users in bulk from Central Management Console
To export SAP Cloud Platform users to CSV, refer Export Existing Users of a Tenant of SAP Cloud Platform Identity Authentication Service
4)Edit the securityContext.xml file to enable SAML Endpoints
The securityContext.xml is located at <INSTALLDIR>\tomcat\webapps\BOE\WEB-INF.
In the securityContext.xml file, locate the SAML entry point in the XML code as below. The SAML
Please see the section below
<security:http entry-point-ref=”samlEntryPoint” use-expressions=”false”>
<!– Comment/Uncomment for Launchpad–>
<security:intercept-url pattern=”/BI” access=”IS_AUTHENTICATED_FULLY”/>
<!– Uncomment for Opendocument–>
<!–<security:intercept-url pattern=”/OpenDocument/**” access=”IS_AUTHENTICATED_FULLY”/>–>
<!– Uncomment for Fiori Launchpad–>
<!–<security:intercept-url pattern=”/BILaunchpad” access=”IS_AUTHENTICATED_FULLY”/>–>
<security:custom-filter before=”FIRST” ref=”metadataGeneratorFilter”/>
<security:custom-filter after=”BASIC_AUTH_FILTER” ref=”samlFilter”/>
</security:http>
In general, the SAML authentication can be enabled
a) For BI Launchpad, by keeping this line uncommented <security:intercept-url pattern=”/BI” access=”IS_AUTHENTICATED_FULLY”/> under SAML entry point.
b) For OpenDocument,by keeping this line uncommented <security:intercept-url pattern=”/OpenDocument/**” access=”IS_AUTHENTICATED_FULLY”/> under saml entry point.
c)For Fiorified BI Launchpad, by keeping this line uncommented <security:intercept-url pattern=”/BILaunchpad” access=”IS_AUTHENTICATED_FULLY”/> under saml entry point.
Examples
1) Incase SAML authentication has to be enabled only for Opendocument alone and not BI LaunchPad and Firoufied BILaunchpad the line <security:intercept-url pattern=”/OpenDocument/**” access=”IS_AUTHENTICATED_FULLY”/> has to be uncommented , comment the entry points for BI Launchpad and FioriBI Launchpad. In that case SAML entry point looks like below
<security:http entry-point-ref=”samlEntryPoint” use-expressions=”false”>
<!– Comment/Uncomment for Launchpad–>
<!–<security:intercept-url pattern=”/BI” access=”IS_AUTHENTICATED_FULLY”/>–>
<!– Uncomment for Opendocument–>
<security:intercept-url pattern=”/OpenDocument/**” access=”IS_AUTHENTICATED_FULLY”/>
<!– Uncomment for Fiori Launchpad–>
<!–<security:intercept-url pattern=”/BILaunchpad” access=”IS_AUTHENTICATED_FULLY”/>–>
<security:custom-filter before=”FIRST” ref=”metadataGeneratorFilter”/>
<security:custom-filter after=”BASIC_AUTH_FILTER” ref=”samlFilter”/>
</security:http>
2)Incase SAML authentication has to be enabled for FioriLaunchPad and Opendocument the line <security:intercept-url pattern=”/BILaunchpad” access=”IS_AUTHENTICATED_FULLY”/>,<security:intercept-url pattern=”/OpenDocument/**” access=”IS_AUTHENTICATED_FULLY”/> has to be uncommented , comment the entry points for BI Launchpad . In that case SAML entry point looks like below
<security:http entry-point-ref=”samlEntryPoint” use-expressions=”false”>
<!– Comment/Uncomment for Launchpad–>
<!–<security:intercept-url pattern=”/BI” access=”IS_AUTHENTICATED_FULLY”/>–>
<!– Uncomment for Opendocument–>
<security:intercept-url pattern=”/OpenDocument/**” access=”IS_AUTHENTICATED_FULLY”/>
<!– Uncomment for Fiori Launchpad–>
<security:intercept-url pattern=”/BILaunchpad” access=”IS_AUTHENTICATED_FULLY”/>
<security:custom-filter before=”FIRST” ref=”metadataGeneratorFilter”/>
<security:custom-filter after=”BASIC_AUTH_FILTER” ref=”samlFilter”/>
</security:http>
NOTE :The XML tag for Classical BI Launch Pad is enabled by default..
5)Changes in properties for WebApplications
The property is saml.enabled =true
As in any other properties’ setting, it is recommended to put this property in the /config/custom/<application>.properties file.
If you do not already have any custom property file here, please create an empty <application>.property. To be sure, refer to the exact name in the /config/default directory
For example:
(Assuming custom properties file does not exist. If it already does, only need to append the property saml.enabled=true)
For Classic BI LaunchPad, create BIlaunchpad.properties under <BOE Install Dir>\tomcat\webapps\BOE\WEB-INF\config\custom
For Fiorified BI LaunchPad create fioriBI.properties under under <BOE Install Dir>\tomcat\webapps\BOE\WEB-INF\config\custom
For Opendocument create OpenDocument.properties under under <BOE Install Dir>\tomcat\webapps\BOE\WEB-INF\config\custom
Add saml.enabled =true.
NOTE: It is mandatory to uncomment the specific endpoint and also add saml.enabled =true properties in custom properties file for the respective webapp to enable SAML Authentication
6)Configurations in the deployment descriptor – web.xml
A new filter has been introduced for SAML. The relevant section in the web.xml will be kept commented by default.
Enable filters in web.xml of BOE webapp by uncommenting the SAML section(s).
Web.xml file path: <BOE Install Dir>\tomcat\webapps\BOE\WEB-INF web.xml .
Uncomment the sections which have SAML Comment as Shown in the Images below.
1. Uncomment the listener and context param
Commented listener and context param
After uncommenting the listener and context param web.xml looks as below
2.Uncomment the SAML filters and mapping
Commented SAML filters and mapping
After Uncommenting the SAML filters and mapping
3.Save the web.xml with these changes.
5.Update IDP Metadata
To update the IDP metadata in SP, download the IDP metadata from the respective IDP service providers. Copy the metadata file to <BOE Install Dir>\tomcat\webapps\BOE\WEB-INF and rename it to idp-meta-downloaded.xml . For more details on downloading the IDP metadata, refer Tenant SAML 2.0 Configuration
If BOE is deployed on any Non -Windows machine, the path seperators in filepath to the IDP metadata under the bean FilesystemMetadataProvider should be changed in securityContext.xml under <BOE Install Dir>\tomcat\webapps\BOE\WEB-INF.
i.e <value type=”java.io.File”>/WEB-INF/idp-meta-downloaded.xml</value> has to be changed to <value type=”java.io.File”>\WEB-INF\idp-meta-downloaded.xml</value> .
6).KeyStore Generation
This step is optional applicable only if you want to use your own keystore file.
SAML exchanges involve usage of cryptography for signing and encryption of data. A sample self-signed keystore sampletestKeystore.jks is packaged with the product and is valid till October 18, 2019.sampletestKeystore.jks has an alias name Testkey and password Password1. You can now generate a self-signed keystore file using the JAVA utility keytool. Follow the steps below to generate a keystore file:
- Navigate to <INSTALLDIR>\SAP BusinessObjects Enterprise XI 4.0\win64_x64\sapjvm\bin.
Example
keytool -genkeypair -alias TestAlias -keypass AliasPassword -keystore sampleKeystore.jks -validity 735 .
b.Run the command: keytool -genkeypair -alias aliasname -keypass password -keystore samplekeystore.jks -validity numberofdays
| Command | Description |
| -alias | Enter the alias name of the certificate |
| -keypass | Enter the certificate’s password |
| -keystore | Name of the keystore file |
| -validity | Validity of the certificate |
| numberofdays | Number of days for which the self-signed certificate is valid. |
- The following questions are prompted after executing the command:
- Enter keystore password: *****(Password1)
- Re-enter new password: *****(Password1)
- What is your first and last name? : Rohit Prasad
- What is the name of your organizational unit? : BusinessObjects
- What is the name of your organization? : SAP
- What is the name of your city and locality? : BLR
- What is the name of your State and Province? : KA
- What is the two-letter country code for this unit? : IN
- Stop the Tomcat application server.
The keystore file is generated at <INSTALLDIR>\SAP BusinessObjects Enterprise XI 4.0\win64_x64\sapjvm\bin.
- Move the keystore file to <INSTALLDIR>\tomcat\webapps\BOE\WEB-INF
- Edit the xmlfile located at <INSTALLDIR>\tomcat\webapps\BOE\WEB-INF with the new alias name, password, and keystore file name. Refer the XML code below:
<bean id=”keyManager” class=”org.springframework.security.saml.key.JKSKeyManager”> <constructor-arg value=”/WEB-INF/sampleKeystore.jks”/><constructor-arg type=”java.lang.String” value=”Password1″/><constructor-arg><map><entry key=” TestAlias ” value=”AliasPassword”/></map></constructor-arg><constructor-arg type=”java.lang.String” value=” TestAlias “/></bean>
| Refer the table below for understanding the arguments: | |
| XML Tag | Description |
| <constructor-arg value=”/WEB-INF/sampleKeystore.jks”/> | Locates the keystore file. |
| <constructor-arg type=”java.lang.String” value=”Password1″/> | Password for the keystore file. |
| <entry key=” TestAlias ” value=” AliasPassword”/> | Alias password |
| <constructor-arg type=”java.lang.String” value=” TestAlias “/> | Alias of the default certificate |
Note: SP metadata has to be generated everytime this keystore file is changed.Our sample sp metadata will be working only with our sample keystore certificate.
7)Restart the Tomcat application server.
8)Generate and upload the service provider metadata.
Go to http://host:port/BOE/BI/saml/metadata. The XML file gets downloaded automatically after navigating to the above URL.Upload the XML file to the identity provider. Upload this in IDP using the relevant IDP’s feature support.
Note
You can use the default service provider metadata file spring_saml_metadata.xml located at<INSTALLDIR>\tomcat\webapps\BOE\WEB-INF instead of generating it manually. You must replace the XML tag <replace_withip> with the IP address of the machine and <replace_withport> with port number of the Tomcat application server. Replace HTTP with HTTPS if you have enabled HTTPS in Tomcat.
For example for HCP as IDP , Please follow following steps
SP metadata should be uploaded on creation of a SAML application in HCP.
1.Create a new app underapplications
App Creation
2. Upload SP metadata as shown in screenshot.
- If you are using SAP Cloud Identity, to create a SAML application in IDP and upload the SP xmlin the IDP for configuring the SAML SSO to BIPlatform, refer Configure a Trusted Service Provider.
- Restart the Tomcat application server.
Tip:To check if SAML integration is successful, once you launch the SAML configured application (BI launch pad, Fiorified BI launch pad or OpenDocument), you are redirected to the IDP.
Great, about time.
Can you confirm this is working with Microsoft ADFS 2.0/3.0 ? Thanks for the information.
Hi ,
This works on any IDP which supports SAML 2.0
Hi,
I have a question, in the case where I am using MS ADFS, how should I do in step "3) User Creation on BOE"? I have all the process clear but that step does not.
Could you help me please.
Thanks in advance.
Hi ,
Since every idp requires certain set of specific configuration.We observed that support for ADFS needs some more configuration changes, which will be supported for 4.2 SP06 onwards officially.
Regards,
Shruthi
can you describe the changes more detail before 4.2 SP06 is released? We would like to use it with ADFS..
Analytics Consultores may you check https://blogs.sap.com/2018/02/22/adfs-with-sap-business-intelligence-platform/ for ADFS support?
Nice post...
Of course in the real word you would make teh changes to the warfiles location and not directly in the Tomcat\webapps folders - Just so any patching/re-deploying keeps the changes
Tim
Hi Shruthi,
Does it support for BI Mobile now? Can I do similar changes in MobileBIService warfiles to achieve SAML for BI Mobile?
Regards,
Ivan
Hi Yin,
This feature is there on future roadmap for MobileBIService
Regards,
Shruthi
Hi Shruthi,
can you tell, when this is planned to be available for the Mobile use-case? Thanks!
From my technical point of view, this should be straight forward to be setup for the MobileBIService too, isn't it?
Regards,
Harald
Nice post and really Useful !!
Does SAML2.0 support for BI 4.2 SP3 patch 3 as well ?? or it only works for SP5 ? any clue ?
Thanks. It works only on SP05
Thank you Shruthi for your swift response.
I will look into other SSO methods
Hi Shruthi Annappa
Using this guide, we have configured SAML between BO SP05 and IDP Novell (Access Manager), but when we are trying to test the SAML Authentication, this message appears in the browser:
"Unable to complete request at this time. (Request was from an untrusted provider-521979AE010AD7A7)"
Navigating into the logs in IDP Novell (Access Manager) we can see the error below:
<b>System Event Time:</b> 2018-02-08 18:13:19 <b>Age:</b> 1M 38S 776Ms <b>Level:</b> Functional Loss
<b>Comments:</b>
Unable to validate SAML2 Trusted Service Provider. The trusted relationship with this entity will not be functional!
Error Validating X509 Certificate of Trusted Provider
Trusted Provider Type: SAML2 Trusted Service Provider
Trusted Provider Id: http://XxxxxxXxxXX:8080/BOE/saml/metadata
Error Validating X509 Signing Certificate
X509 Certificate Version: 3
X509 Certificate Subject: CN=Shruthi Annappa OU=SAP O=SAP L=BAN ST=KA C=IN
X509 Certificate Issuer: CN=Shruthi Annappa OU=SAP O=SAP L=BAN ST=KA C=IN
X509 Certificate Serial Number: XxXxXxXxX
X509 Certificate Start Date: 2017-10-13 07:03:56
X509 Certificate Expiration Date: 2019-10-18 07:03:56
X509 Certificate Validation Root Exception: com.novell.nidp.NIDPException: Unable to find certificate chain. Root Cause: java.security.cert.CertPathBuilderException: Unable to find certificate chain.
We dont understand it, why appears your name as Subject and Issuer ?
Where is the chain certificate ?
Thanks a lot !!
Jaume.
Hi ,
It is only a sample certificate.Can you please try to generate your own certificate and tryagain?
Regards,
Shruthi
Thanks Shruthi
Now is working with our certificate.
Regards,
Hi Shruthi,
Is SAML SSO authentication in BI4.2 SP4 P3 using Microsoft Azure AD Premium possible ?
as per the above link it says SAML SSO works only with BI4.2 SP5 only.
Regards,
Tim
Hi,
2)Configure Trusted Authentication with WebSession
Regards,
Chenghao
YEah Huang . It has to be part of win32_x86 and win64_x64
Hi Shruthi,
we have a working SAML2 setup with BI 4.2 SP05 against a NetIQ Network Access Manager.
Now we want to additionally use DNS aliases for accessing the BI server.
In the SAP AS JAVA SAML2 wizard this is done via Trusted Provider->Authentication Requirements->Authentication Response-> Assertion Consumer Service-> "Application URL".
Any idea where to find this in BI 4.2 SP5 ?
Thanks
Michael
Hi, can we get LDAP users authentication through SSO once above steps are configured? Or is the above process only for Enterprise users?
Hi Satya,
As part for 4.2 sp05 the ldap users has to manually created as enterprise users
Regards,
Shruthi
Thanks Shruti for the blog, grat information. We are trying to implement SSO between SalesForce and BOBJ to access embedded BOBJ reports in Salesforce. 1) Can it be done? 2) Our BOBJ userid id are SAP aliases & NOT enterprise, your blog describes process for enterprise id, how can we implement SAML with SAP aliases?
Hi Shruti ,
After implementing WEBSSO in BI 4.2 SP5 I am getting error in tomcat logs
Hello Shruti & Fellow Coders,
We are trying to accomplish the same for SAP BO MOBILE landscape by using.
Usecase in a nuttshell: The Mobile iOS client hits the Mobile BO TOMCAT app server, TOMCAT then should redirect the request to an ID provider ( we are using PING authenticator for 2 factor authentication). User would then enter their Win AD credentials for PING to authenticate the user against the AD groups, Then the user is authenticated and logged in with SSO to BOBJ cms to obtain the content access.
With the above being said, we are trying to accomplish the first step by exchanging of the Metadata between Mobile Tomcat Server ( as SP) and PING Server( as ID provider). spring_saml_metadata.XML ( from SP to IDP) and idp-metadownloaded.xml ( from IDP to SP). As a result of this I am expecting to get redirected to the ID provider login URL when a Client request for access is sent to the SP. I get the below error after having completed all the steps mentioned on this blog:
HTTP Status 500 – Internal Server Error
Type Exception Report
Message org.opensaml.saml2.metadata.provider.MetadataProviderException: No IDP was configured, please update included metadata with at least one IDP
Description The server encountered an unexpected condition that prevented it from fulfilling the request.
Exception
Hi Sagar,
Were you able to resolve this issue? If so, any hints on the resolution. I am having the same issue.
Thanks
Sumanth
Hi Sagar,
I am trying exactly same scenario. Can you please help how did you download metadata file from Ping ID(IDP) and are you able to succeed?.
There are no blogs related with PING ID SAML configuration with BI 4.2. Your answer will really helpful.
Thanks
Chaitanya
HI Team ,
I followed above process exactly , but IDP is redirecting to http://localhost8080/BOE/logon.jsp instaed of http://localhost8080/BOE/BI/logon.jsp
Can you please help me on this
Hi all
We've implemented using SAML for the BO-Server 4.2 SP5, with using a SAP webdispatcher. (Like SAP-Note: https://launchpad.support.sap.com/#/notes/2621904). It's working so fine.
Now we connect the SAP webdispatcher with an other Server address (external Access). When accessing with this external Address we're getting a 404 Error Page and in the log I can find the following message: "InResponseToField of the Response doesn't correspond to sent message".
Is there any possibility to fill the Attribut AssertionConsumerURL dynamic ?
Or any other Idea how to get this running without any the 404 Error Page
regards
Tobias Spaegele
Hi All,
Recently we upgraded BO FROM 4.1 SP 6 TO 4.2 SP7 and we are facing the issue while connecting from one report to another and the error is shown below.
HTTP Status 500 – Internal Server Error
Type Exception Report
Message org.opensaml.saml2.metadata.provider.MetadataProviderException: No IDP was configured, please update included metadata with at least one IDP
Description The server encountered an unexpected condition that prevented it from fulfilling the request.
Exception
Root Cause
Hi
4.2 SP7 whith Tomcat is installed on Linux, I had resolved the error "Message org.opensaml.saml2.metadata.provider.MetadataProviderException: No IDP was configured, please update included metadata with at least one IDP"
In the default securityContext.xml provied by 4.2 SP7 i have replaced
by
Jean-Marie
Hello Guys, is it possible to use SAML method for group mapping, is there is a way BOBJ groups can get synced with PING SAML like LDAP?
Hello
We are having BO 4.2 SP7 and we would like to configure SAML2 for SSO for BI Launchpad and also use it to access reports via mobility.
Does anyone have a reference of configuration guide for end to end implementation of SSO using SAML2.
Regards
Ashly
hello
can you help me it's not work for me
SAP BI 4.2 SP05
i have this error message :
État HTTP 404 – Not Found
Type Rapport d''état
message /BOE/saml/login
description La ressource demandée n''est pas disponible.
thanks
sorry this message:
Type Rapport d''état
message /BOE/BI
description La ressource demandée n''est pas disponible.
Hi,
We've been reading and rereading this document as it is one of the only and if not the only one explaining SAML with Tomcat and ADFS.
We need to set up ADFS with BO4.3 using Tomcat as the application server and web server on a Windows 2016 server platform
The first hurdle is this statement "... spring saml service provider jars exists inside <BOE Install Dir> \SAP BusinessObjects Enterprise XI 4.0\SAMLJARS ...". There are NO such file available.
Tomcat is the 9.0 latest bundled with the BO4.3 installation. Where can we source these files from please?
Thank You
Stephen
Hey Stephen,
Were you able to find the path to the SAML jar files ?
I am trying to implement the SAML for OpenDocument for BO 4.2 SP8 but couldn't found the jars file as originally mentioned in the blog.
Any help is highly appreciated.
Thank you
Arju Sharma
Hi,
Thanks for the details steps to implement the SAML for BO
We have followed the steps and are able to configure SAML and also MFA using Ping ID
but still while opening BO CMC user credentials are being asked, can you please guide what could be the error
Hey Sravan,
Where did you found the SAML jars file ?
What BO version your have implemented the SAML ?
Thank you
Arju Sharma
Hi Shruthi Annappa
The URL for generating SP Metadata. Will it make a difference between the below 2?
http://host:port/BOE/saml/metadata
http://host:port/BOE/BI/saml/metadata