Dhrubajyoti Paul

ADFS with SAP Business Intelligence Platform

The purpose of this blog is to show how to integrate an existing BO deployment with ADFS as an identity provider, so that customers can use a service-provider-initiated request from Business Objects to an identity provider like ADFS, with single sign-on through trusted authentication.

Prerequisites: the Business Objects deployment needs to be 4.2 SP05 or above, and ADFS needs to be version 2.0 or above.

What is an IdP (Claims Provider, CP)?

An Identity Provider (IdP) is sometimes called an Identity Service Provider. An identity provider is a trusted provider that lets you use single sign-on (SSO) to access other websites; it authenticates users on the internet by means of security tokens, one of which is SAML.
The Microsoft terminology for Identity Provider is Claims Provider.

What is a Service Provider (Relying Party, RP)?

A Service Provider (SP) is an entity that provides web services.
A Service Provider relies on a trusted Identity Provider (IdP or Claims Provider) or Security Token Service (STS) for authentication and authorization. The Microsoft terminology for Service Provider is Relying Party.

What is ADFS ?

Active Directory Federation Services (AD FS) is a feature of Windows Server 2003 R2 and higher operating systems that supports web single sign-on (SSO) technologies to authenticate a user to multiple web applications. ADFS integrates with Active Directory Domain Services, using it as an identity provider.

Features in ADFS
-Web single sign on (SSO)
-Web Services interoperability
-Extensible architecture

SAP BI Configuration

Unlike other web application servers such as WebSphere and NetWeaver, Tomcat does not come with a built-in Service Provider, so we have to implement our own Service Provider for Tomcat.

We will be using Spring SAML Security Assertion Service Provider for Tomcat.

 

Adding Tomcat Service Provider Jars

  1. The Spring SAML Service Provider JARs are available inside <BOE Install  Dir> \SAP BusinessObjects Enterprise XI 4.0\SAMLJARS.
  2. Copy these JARs to <BOE  Install  Dir>\tomcat\webapps\BOE\WEB-INF\lib
  3. Stop Tomcat and delete the Tomcat work directory from <BOE Install  Dir>\tomcat
  4. Start Tomcat

 

Configure Tomcat for HTTPS SSL

  1. Create a certificate keystore by executing the following command
    keytool -genkey -alias <create_AliasName> -keyalg RSA -keystore <path_and_create_KeystoreFilename> -keysize 2048
  2. This command prompts for the certificate attributes; enter all of them.
  3. Configuring your SSL Connector

Before Tomcat can accept secure connections, you need to configure an SSL Connector.

a.  In a text editor, open the Tomcat server.xml file.

The server.xml file is usually located in the conf folder of your Tomcat’s home directory.

b.  Locate the connector that you want to use the new keystore to secure.

Usually, a connector with port 443 or 8443 is used, as shown in step 4.

c.  If necessary, uncomment the connector.

To uncomment a connector, remove the comment tags (<!-- and -->).

d.  Specify the correct keystore filename and password in your connector configuration.

4. When you are done, your connector should look something like this:

<Connector port="8443" maxHttpHeaderSize="8192" maxThreads="150" minSpareThreads="25"
           maxSpareThreads="75" enableLookups="false" disableUploadTimeout="true"
           acceptCount="100" scheme="https" secure="true" SSLEnabled="true"
           clientAuth="false" sslProtocol="TLS" keyAlias="server"
           keystoreFile="/home/user_name/your_site_name.jks"
           keystorePass="your_keystore_password" />

Enabling SAML for required Web Applications Properties

SAML authentication has to be enabled for each web application separately. This is done by uncommenting the respective endpoint in securityContext.xml and by setting saml.enabled in the custom properties file of the respective application.

In this blog we enable SAML for the old BI Launchpad, BOE/BI.

  1. Changes in securityContext.xml file

In the securityContext.xml under <BOE  Install  Dir>\tomcat\webapps\BOE\WEB-INF, there is a section for the SAML entry endpoints.

By default, only the SAML entry endpoint for Classic BI Launchpad is enabled.

 

 

 

2. SAML authentication can also be enabled for other applications (OpenDocument, Fiori Launchpad) by uncommenting the <security:intercept-url line of that particular application.

3. If SAML authentication has to be enabled for only one application, for example BI Launchpad alone, the <security:intercept-url pattern="/BI" access="IS_AUTHENTICATED_FULLY"/> line has to be uncommented and the entry points for OpenDocument and Fiori Launchpad have to be commented out.

 

Changes in BILaunchpad.properties

Create the BILaunchpad.properties file in <BOE  Install  Dir> \SAP BusinessObjects\tomcat\webapps\BOE\WEB-INF\config\custom, assuming the custom properties file does not exist. If it already exists, you only need to add the property saml.enabled=true

 

Configurations in the deployment descriptor – web.xml

Enabling SAML in the SP configuration

Activate the SAML context configuration

  1. Open the <BOE Install  Dir>\tomcat\webapps\BOE\WEB-INF\web.xml file in a text editor.
  2. Remove the comment tags (<!-- and -->) that comment out the contents between the START SAML / END SAML comments, wherever you find them in the web.xml file. The snapshots below show the uncommented part.

 

 

 

A new filter has been introduced for SAML; the relevant section in web.xml is commented out by default.

Enable the filters in the web.xml of the BOE webapps by uncommenting the SAML sections.

Web.xml file path –  <BOE  Install  Dir>\tomcat\webapps\BOE\WEB-INF\web.xml

Note: SAML authentication is enabled at the web application level, that is, in BOE itself and not in the individual webpath bundles.

Update IDP metadata in SP

The IDP metadata has to be downloaded from the respective IDP. Run the below URL in browser and download the IDP metadata file.

Rename the file to idp-meta-downloaded.xml

Copy the ADFS IDP idp-meta-downloaded.xml file to
<BOE  Install  Dir>\tomcat\webapps\BOE\WEB-INF

If BOE is deployed on a Linux (non-Windows) machine, the path separators in the file path to the IdP metadata under the bean FilesystemMetadataProvider should be changed in securityContext.xml under <BOE  Install  Dir>\tomcat\webapps\BOE\WEB-INF.

i.e.  <value type="java.io.File">/WEB-INF/idp-meta-downloaded.xml</value> has to be changed to <value type="java.io.File">\WEB-INF\idp-meta-downloaded.xml</value> for Linux

For Windows, it looks like

 

 

SAML keystore generation
SAML exchanges involve usage of cryptography for signing and encryption of data.

You can generate your own self-signed key using the Java utility keytool with the following steps.

Navigate to <BOE  Install  Dir>\SAP BusinessObjects Enterprise XI 4.0\win64_x64\sapjvm\bin and run the following command to generate certificate.

keytool -genkeypair -alias <aliasname> -keypass <Password> -keystore <sampleKeystore.jks> -keyalg RSA -validity <numberofdays>

aliasname – certificate alias name, Password – password of your choice, numberofdays – number of days during which the self-signed certificate is valid, sampletestKeystore.jks – name of the keystore file.

Example – keytool -genkeypair -alias Testkey -keypass Password1 -keystore sampletestKeystore.jks -keyalg RSA -validity 735

The generated keystore file has to be copied from the bin folder to <BOE  Install  Dir>\tomcat\webapps\BOE\WEB-INF, and the references to the new alias name, password and keystore file name have to be changed in the securityContext.xml file.

The first argument (sampleKeystore.jks) points to the keystore file in use.
The second line contains the password (Password1) for the keystore, which you enter at the command prompt after running the keystore generation command.
The third line maps the passwords for private keys as alias-password value pairs (Password1). The fourth line, the last parameter, is the alias of the default certificate (Testkey).

Note: SP metadata has to be generated every time this keystore file is changed.

After making all the above changes, Restart tomcat.

Generate and upload SP metadata

NOTE: A pre-generated Service Provider (SP) metadata file is shipped by default. You may edit this file and upload it. The IP/hostname is one property that has to be changed. The file is available under

<BOE Install Dir>\tomcat\webapps\biprws\WEB-INF  spring_saml_metadata.xml

Type the URL https://BOEHOST:8443/BOE/saml/metadata.

This will automatically download an XML file, spring_saml_metadata.xml
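
A pre-upload sanity check for the SP metadata file described above, as an added example that is not part of the original blog or SAP's code: it flags endpoints that are not HTTPS or still carry the wrong host or port, and returns the SHA-256 fingerprint of the published signing certificate so it can be compared with the keytool -list -v output for the SAML keystore. The host boehost.example.com, the sample metadata and the function names are constructed for illustration.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# Constructed stand-in for certificate bytes; a real file carries base64 DER here.
_FAKE_CERT = base64.b64encode(b"constructed bytes, not a real certificate").decode()

# Constructed sample shaped like an SP metadata file whose host was never edited.
SAMPLE_METADATA = f"""<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://localhost:8443/BOE/saml/metadata">
  <md:SPSSODescriptor
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:X509Data><ds:X509Certificate>{_FAKE_CERT}</ds:X509Certificate></ds:X509Data>
      </ds:KeyInfo>
    </md:KeyDescriptor>
    <md:AssertionConsumerService index="0"
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="http://localhost:8080/BOE/saml/SSO"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>
"""


def _check_url(label, url, host, port):
    """Return findings for one endpoint URL taken from the metadata."""
    findings = []
    u = urlparse(url)
    if u.scheme != "https":
        findings.append(f"{label}: scheme is {u.scheme!r}, must be https")
    if (u.hostname or "").lower() != host.lower():
        findings.append(f"{label}: host is {u.hostname!r}, expected {host!r}")
    actual_port = u.port or (443 if u.scheme == "https" else 80)
    if actual_port != port:
        findings.append(f"{label}: port is {actual_port}, expected {port}")
    return findings


def check_sp_metadata(xml_text, host, port=8443):
    """Return (findings, signing_cert_fingerprints) for SP metadata."""
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{NS['md']}}}EntityDescriptor":
        return [f"root element is {root.tag}, not md:EntityDescriptor"], []
    findings = []
    entity_id = root.get("entityID", "")
    if "://" in entity_id:  # only URL-style entity IDs carry a host to check
        findings += _check_url("entityID", entity_id, host, port)
    sp = root.find("md:SPSSODescriptor", NS)
    if sp is None:
        return findings + ["no md:SPSSODescriptor: this is not SP metadata"], []
    endpoints = sp.findall("md:AssertionConsumerService", NS)
    if not endpoints:
        findings.append("no AssertionConsumerService endpoint")
    for acs in endpoints:
        label = f"ACS[{acs.get('index')}]"
        location = acs.get("Location", "")
        findings += _check_url(label, location, host, port)
        path = urlparse(location).path
        if not path.endswith("/BOE/saml/SSO"):
            findings.append(f"{label}: path {path!r} is not /BOE/saml/SSO")
    # Fingerprint every signing certificate so it can be compared with the
    # keystore entry; a mismatch means the metadata predates a keystore change.
    fingerprints = []
    for kd in sp.findall("md:KeyDescriptor", NS):
        if kd.get("use", "signing") != "signing":
            continue
        cert = kd.find(".//ds:X509Certificate", NS)
        if cert is None or not (cert.text or "").strip():
            findings.append("signing KeyDescriptor has no X509Certificate")
            continue
        der = base64.b64decode("".join(cert.text.split()))
        digest = hashlib.sha256(der).hexdigest().upper()
        fingerprints.append(":".join(digest[i:i + 2] for i in range(0, 64, 2)))
    if not fingerprints:
        findings.append("no signing certificate published")
    return findings, fingerprints


if __name__ == "__main__":
    problems, prints = check_sp_metadata(SAMPLE_METADATA, "boehost.example.com")
    for p in problems:
        print("FINDING:", p)
    for fp in prints:
        print("signing cert SHA256:", fp)
```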

ADFS Configuration

Export the ADFS Certificates

Download the certificates from ADFS server and transfer them to the Service Provider server.

  1. Login to the ADFS server.
  2. Find the certificates on the “ADFS Management”

 

 

There should be three certificates – one for service communications, one for token-decrypting, and one for token signing.

  3. Right-click the first certificate, select View Certificate, go to the Details tab, and then click the Copy to File button.
  4. Specify the export file name, and then click Next.
  5. Click Finish to finish the export.
  6. Repeat the previous steps for the other two certificates.

 

 

Import the ADFS certificates into the SP SAML keystore

 

Import the three certificates to the SP SAML key store located in <BOE  Install  Dir>\tomcat\webapps\BOE\WEB-INF\samltestKeystore.jks.

 

Run the following command for each of the three certificates.

keytool -v -importcert -file <certificate filename> -keystore samlKeystore.jks -alias <certificate alias>

Example

keytool -v -importcert -file ADFS1.cer -keystore samlKeystore.jks -alias ADFS1

keytool -v -importcert -file ADFS2.cer -keystore samlKeystore.jks -alias ADFS2

keytool -v -importcert -file ADFS3.cer -keystore samlKeystore.jks -alias ADFS3

 

Import the service provider metadata file in ADFS

Add Relying Party Trust – import the Service Provider metadata file in ADFS

 

 

  1. After importing the file, click Next.
  2. Specify a display name and click Next.
  3. Select I do not want to configure multi-factor authentication settings for this relying party trust at this time.
  4. Under Issuance Authorization Rules, select Permit all users to access this relying party.
  5. Click Next and then Finish.
  6. Add Claim Rule for SAP Analytics Cloud.
    Select Send LDAP Attribute as Claims and click Next.
  7. Enter the claim rule name:

SAP Business Intelligence from AD login to Name ID

  8. Select the attribute store (Active Directory) and the mapping of LDAP attributes.

 

 

 

This is a transformation example, from the login name in Active Directory to a Name ID that can be used in SAP Business Intelligence.

Configure Trusted Authentication for Tomcat with Web session

  1. Add the global.properties file under <BOE Install  Dir>\tomcat\webapps\BOE\WEB-INF\config\custom and make the changes below:

sso.enabled=true
trusted.auth.shared.secret=MySecret
trusted.auth.user.param=MyUser
trusted.auth.user.retrieval=WEB_SESSION

  2. Go to CMC -> Authentication -> Enterprise
  3. Enable Trusted Authentication
  4. Set the validity and download the shared secret key file TrustedPrincipal.conf
  5. Click Save, and save the TrustedPrincipal.conf file to the following directories:

<INSTALLDIR>\SAP BusinessObjects Enterprise XI 4.0\win64_x64\

<INSTALLDIR>\SAP BusinessObjects Enterprise XI 4.0\win32_x86\

Create the IDP user in BOE

The IdP user has to be created in BOE, or imported through an SDK script or the CSV option in CMC.

SAML-based authentication relies on Trusted Authentication from the web server to the CMS. For this, the IdP users have to be created in BOE as Enterprise users.

Import the bulk users into BIPlatform:

https://blogs.sap.com/2013/05/16/bi-40-sp6-how-to-import-users-in-bulk-from-central-management-console/

Locate the custom.jsp file inside the web folder at C:\Program Files (x86)\SAP BusinessObjects\tomcat\webapps\BOE\WEB-INF\eclipse\plugins\webpath.InfoView\web\custom.jsp

Make the following changes to the custom.jsp file in the location mentioned above

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">

<%@ page language="java" contentType="text/html;charset=utf-8" %>

<% //custom Java code

%>

Restart Tomcat.
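
A consistency check across the three files edited in this procedure, as an added example that is not part of the original blog or SAP's tooling. It assumes, as the WEB_SESSION retrieval mode implies, that the session attribute set in custom.jsp must carry the name given in trusted.auth.user.param and should be filled from the container-authenticated principal; the setAttribute call is the one quoted in the comments on this page, and the file contents and function names are constructed.

```python
import re

# Values from the page's global.properties sample.
GLOBAL_PROPS = """\
sso.enabled=true
trusted.auth.shared.secret=MySecret
trusted.auth.user.param=MyUser
trusted.auth.user.retrieval=WEB_SESSION
"""
LAUNCHPAD_PROPS = "saml.enabled=true\n"

# Constructed custom.jsp body (assumption: attribute name equals user.param).
CUSTOM_JSP = """\
<%@ page language="java" contentType="text/html;charset=utf-8" %>
<% //custom Java code
request.getSession().setAttribute("MyUser", request.getUserPrincipal().getName());
%>
"""

# Captures the attribute name and the value expression of each setAttribute call.
SET_ATTR = re.compile(
    r'getSession\(\)\s*\.\s*setAttribute\(\s*"([^"]*)"\s*,\s*(.+?)\)\s*;', re.S)


def parse_properties(text):
    """Parse the simple key=value subset of Java .properties used here."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue  # blank line or comment
        key, sep, value = line.partition("=")
        if sep:
            props[key.strip()] = value.strip()
    return props


def check_trusted_auth(global_text, launchpad_text, jsp_text):
    """Return a list of findings; an empty list means the files agree."""
    findings = []
    g = parse_properties(global_text)
    bl = parse_properties(launchpad_text)

    if bl.get("saml.enabled", "").lower() != "true":
        findings.append("BILaunchpad.properties: saml.enabled is not true")
    if g.get("sso.enabled", "").lower() != "true":
        findings.append("global.properties: sso.enabled is not true")
    if g.get("trusted.auth.user.retrieval") != "WEB_SESSION":
        findings.append("global.properties: trusted.auth.user.retrieval "
                        "is not WEB_SESSION")
    if g.get("trusted.auth.shared.secret", "") in ("", "MySecret"):
        findings.append("global.properties: trusted.auth.shared.secret is "
                        "empty or still the sample value")

    param = g.get("trusted.auth.user.param", "")
    # Drop // line comments so a commented-out call is not counted.
    active_jsp = re.sub(r"//[^\n]*", "", jsp_text)
    calls = SET_ATTR.findall(active_jsp)
    if not param:
        findings.append("global.properties: trusted.auth.user.param is not set")
    elif param not in [name for name, _ in calls]:
        findings.append(f"custom.jsp: never sets session attribute {param!r}")
    for name, expr in calls:
        if name == param and "getUserPrincipal()" not in expr:
            findings.append(f"custom.jsp: {name!r} is set from {expr.strip()}, "
                            "not from the authenticated principal")
    return findings


if __name__ == "__main__":
    for finding in check_trusted_auth(GLOBAL_PROPS, LAUNCHPAD_PROPS, CUSTOM_JSP):
        print("FINDING:", finding)
```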

Verification

SAML is configured for BILaunchpad endpoint

Hit the URL https://BOEHOST:8443/BOE/BI

It redirects to the IdP authentication page; enter your domain user's details.

 

 

 

If the configuration is correct, the mapping is successful and trusted authentication is configured correctly, you will be logged in to BOE/BI.

 

 

 

 

 

This completes the configuration.

Users will be able to use SAML to log in to SAP Business Intelligence.

 

 

Blog by:

Dhrubajyoti Paul
Ashraf Mohammed

 

 

 

      35 Comments
      Maik Haslinger

      Very nice documentation!

      Is your BO-Server running on a Windows or a Linux Platform?

      Do you know about any platform restriction about ADFS?

      Mohammed Ashraf

      Thanks.

      Is your BO-Server running on a Windows or a Linux Platform?
      BO-Server is running on a Windows Platform.

      Do you know about any platform restriction about ADFS?
      Are you talking about BO on Windows or BO on Linux? We have tested this with BO on Windows.

      Maik Haslinger

      Hi,

      our BO Server is running on Linux..

      We tried to implement as you described but it does not work right now..

      We created a SAP OSS ticket now..

       

      Denis Konovalov

      Nice write up, but one important thing to note - all changes done to \tomcat\webapps\ location will be overwritten by next patch/SP you install.

      David Cartwright

      What is the URL that's supposed to be here?

      The IDP metadata has to be downloaded from the respective IDP. Run the below URL in browser and download the IDP metadata file.

      Rename the file to idp-meta-downloaded.xml

       

      Mohammed Ashraf

      Thanks for your comment.

      The URL to download metadata file for ADFS as IDP is

      https://adfsservername/federationmetadata/2007-06/federationmetadata.xml

      Former Member

      In the URL you provided there is an error.  ".....federationmetedata.xml"  "e" = "a"

       

      Former Member

      Thank you for the nice documentation!

      We have tried to configure our Business Objects environment with SAML 2.0 as well, following your steps, but every time we try to log on to https://BOEHOST:8443/BOE/BI we are redirected to https://BOEHOST:8443/BOE/saml/SSO with a Missing page (see image).

      We are using ADFS 3.0 and Business Objects is running on Windows.

      Do you have any idea how to solve this? We checked the steps several times, but no solution yet.

       

      Mohammed Ashraf

      It could be because the ADFS certificates are not imported properly into the SP keystore.

      Try repeating the step Import the ADFS certificates into the SP SAML keystore and check.

      Former Member

      Thank you for your reaction. We have repeated the steps you suggested, but unfortunately it still doesn't work.

      Do you have any other suggestions?

      Former Member

      We've got the same problem. Has the issue been resolved meanwhile, so that SAML is working with ADFS 3.0?

       

       

      David Cartwright

      The BI Launchpad directs us to a site where we can be prompted for entering credentials. Once we enter the credentials, we get this message:

      There was a problem accessing the site. Try to browse to the site again.

      If the problem persists, contact the administrator of this site and provide the reference number to identify the problem.

      ADFS logs have this in it:
      Microsoft.IdentityServer.Web.RequestFailedException: MSIS7012: An error occurred while processing the request. Contact your administrator for details. ---> System.ServiceModel.FaultException: The creator of this fault did not specify a Reason

      ADFS admins are asking after hitting adfs and getting a token, where should the call be redirected to?

       

      David Cartwright

      The spring_saml_metadata.xml file ends with a redirect to a URL that doesn't seem to exist in Tomcat

      https://<webserver>:8443/BOE/saml/SSO

      It provides a page does not exist error message when you go to that URL.

      Former Member

      We have our tomcat using SSL on port 8443.

      The BOBJ Servers and ADFS server are in two separate domains.

      Do we only need to have port 8443 open between the ADFS server and the BOBJ Servers, or do both 443 and 8443 need to be opened?

      I read somewhere that ADFS only works on 443.  But after going through the instructions I am not sure since I don't ever see a reference to the 443 port other than in the server.xml which we use the 8443 connector.

      Mohammed Ashraf

      ADFS does not support HTTP federation metadata, so ADFS only works with HTTPS.

      Generate the SP metadata using an HTTPS URL, else ADFS will throw an error while configuring the trust.

      8443 is Tomcat's default SSL connector port; Tomcat SSL can be configured to work with any available port, and so can ADFS.

       

      Former Member

      From the Instructions,

      SAML keystore generation
      SAML exchanges involve usage of cryptography for signing and encryption of data.

      You can generate your own self-signed key using the Java utility keytool by following steps

      Navigate to <BOE  Install  Dir>\SAP BusinessObjects Enterprise XI 4.0\win64_x64\sapjvm\bin and run the following command to generate certificate.

      keytool -genkeypair -alias <aliasname> -keypass <Password> -keystore <sampleKeystore.jks> -keyalg RSA -validity <numberofdays>

       

      We attempted to use the sample keystore file provided, but without success. After much searching we believe it was because the sample keystore was set with SHA256.

      Our remedy was to add an additional argument when creating the new keystore: "-sigalg SHA1withRSA"

      There is another KBA which states SAML in BOBJ doesn't work with SHA256.

      Command Example

      keytool -genkeypair -alias NewKeyStore -keypass XXXXXYYYYY -keystore "E:\Program Files (x86)\SAP BusinessObjects\tomcat\webapps\BOE\WEB-INF\KeyStoreFile_v2.jks" -keyalg RSA -sigalg SHA1withRSA -validity 735

      Former Member

      We are still having issues getting our environment to work. Any assistance is appreciated helping us to get it working.

      We have validated that the ADFS side is working and sending back a response.   However, we still continue to get the 404 message.

      The trusted authentication piece has been validated between Tomcat and BOBJ.  It was validated using the "QUERY_STRING" method described in a separate KBA

      I can provide any additional information you need to see on request.

       

      KEY POINTS, Observations and SCREENS SHOTS.

      Although the Tomcat configuration guide states that you can use the default keystore included, it contains a SHA1 certificate encrypted with the DSA algorithm that is not compatible with ADFS, so we had to create a new keystore with a SHA1-RSA certificate

       

      If you open the SAP BO website using a slash “/” at the end, you get a 500 error, if you open the URL without the ending slash, the error we get is 400

      Screen shots of two errors above

       

      The trust was created using only the LDAP Attribute SAM-Account-Name mapped to the outgoing claim Name ID

      When checking the ADFS logs, we can see that the SAP BO is contacting the ADFS server, and we also see the ADFS server sending back the token with the claim requested (Name ID, as a NameIdentifier claim type)

       

       

      We read on a spring SAML configuration document that in ADFS 3.0 you might need to create a Claim transformation rule for Name ID, but there is no mention of how should the transformation rule look like or how to create it.

       

      ADFS authentication flow appears to be working as expected: You open the SAP BO application URL, get redirected to the ADFS Forms Based authentication screen, enter your credentials, your credentials are validated against AD, ADFS returns a token with the requested claims, SAP BO website fails with either error 400 or 500.  These resulting screen shots are provided above.

      Screen clip of our Fiddler output

       

      Since we are using ADFS 3.0  we tried creating the pass through claim as recommended on the Spring Security SAML extension document (Document HERE, page 47)

      It did not make any difference, the problem remains the same with or without the transform rule.

      The ADFS claim rule is set to use a persistent name id  format.  below is the excerpt from the Spring SAML Metadata.xml

       

      bilaunchpad.properties  has been updated

       

      global.properties file below.

       

      the custom.jsp

       

      Note that in the screen shot above.   The “request.getUserPrinicipal().getName());

      We noticed the alternate spelling “Prinicipal” vs. “Principal” in the function call but are unclear as to any impact on the process.

       

      Thanks in advance for any responses to this comment.

      Mohammed Ashraf

       

      Hi,

      Please find my comments below.

      1. We have tested SAML between ADFS and SAP BI using ADFS 2.0; ADFS 3.0 is still under certification process.
      2. Trusted Authentication is validated using WEB_SESSION.
      3. Regarding keystore generation, yes, you are correct: the DSA algorithm is not supported by ADFS, and we need to generate the certificate using the RSA SHA-1 algorithm, as we mentioned above in the blog.
      4. Regarding 404 missing page – As I mentioned in my earlier reply, it could be because the ADFS certificates are not imported properly into the SP keystore. Try repeating the step Import the ADFS certificates into the SP SAML keystore and check.

        If you follow the above steps and you still face the issue, the possible cause could be encryption.

        To be sure whether all the configuration is correct and it could be because of encryption, you can try disabling it.

        Go to ADFS – Relying Party (your created relying party) – properties – encryption
        Note – Take a backup of the certificate (save the certificate)
        Remove / Delete the certificate – OK

        Try and test now – SAML should work fine now.

      5. custom.jsp file – It should be request.getUserPrincipal().getName()

      Thanks
      Ashraf

      Former Member

      Ashraf

      This is follow up to the previous comment.

      Our issue was encryption related.

      1st Recommend anyone reading this to also set up SAML Logging.

      See "2634421 - How to enable trace logging for BI SAML extension (log4j)"

      Once the log was available we identified an Encryption issue in the log.  Below is an excerpt from the log.

      ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

      2018-04-25 15:39:44 DEBUG JCEMapper:246 - Request for URI http://www.w3.org/2001/04/xmlenc#aes256-cbc

      2018-04-25 15:39:44 DEBUG XMLCipher:1818 - JCE Algorithm = AES/CBC/ISO10126Padding

      2018-04-25 15:39:44 DEBUG XMLCipher:1267 - Saw non-AES-GCM mode block cipher, returning IvParameterSpec: null

      2018-04-25 15:39:44 ERROR Decrypter:587 - Error decrypting the encrypted data element org.apache.xml.security.encryption.XMLEncryptionException: Illegal key size

      Original Exception was java.security.InvalidKeyException: Illegal key size

      2018-04-25 15:39:44 DEBUG Decrypter:787 - Attempt to decrypt EncryptedData using key extracted from EncryptedKey failed:

      org.opensaml.xml.encryption.DecryptionException: Error decrypting the encrypted data element

      +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

      The research from our AD Engineer determined that the cause was a limitation of cryptography strength in the SAP JVM distribution.

      The solution was to download the "Java Cryptography Extension (JCE) Unlimited Strength Jurisdiction Policy Files 8 Download"

      http://www.oracle.com/technetwork/java/javase/downloads/jce8-download-2133166.html

      Extract zip archive and find there local_policy.jar and US_export_policy.jar

      we replaced the existing files found in the "..\SAP BusinessObjects\SAP BusinessObjects Enterprise XI 4.0\win64_x64\sapjvm\jre\lib\security"  directory with the updated downloaded ones.
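
The failure signature in the log excerpt above, turned into a triage check (an added example, not part of the original comment or SAP's tooling): it pairs each "Illegal key size" decryption error with the AES algorithm URI requested just before it, so a JVM key-size restriction is recognised without reading the whole trace. The function and field names are illustrative; the sample lines are the ones quoted in the comment.

```python
import re

# Lines copied from the trace excerpt quoted in the comment above.
SAMPLE_LOG = """\
2018-04-25 15:39:44 DEBUG JCEMapper:246 - Request for URI http://www.w3.org/2001/04/xmlenc#aes256-cbc
2018-04-25 15:39:44 DEBUG XMLCipher:1818 - JCE Algorithm = AES/CBC/ISO10126Padding
2018-04-25 15:39:44 DEBUG XMLCipher:1267 - Saw non-AES-GCM mode block cipher, returning IvParameterSpec: null
2018-04-25 15:39:44 ERROR Decrypter:587 - Error decrypting the encrypted data element org.apache.xml.security.encryption.XMLEncryptionException: Illegal key size
Original Exception was java.security.InvalidKeyException: Illegal key size
2018-04-25 15:39:44 DEBUG Decrypter:787 - Attempt to decrypt EncryptedData using key extracted from EncryptedKey failed:
org.opensaml.xml.encryption.DecryptionException: Error decrypting the encrypted data element
"""

# timestamp, level, logger:line, message (the layout used in the excerpt)
LINE = re.compile(
    r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) (\w+)\s+(\w+):(\d+) - (.*)$")

# XML Encryption AES algorithm URIs; group 1 is the key size in bits.
AES_URI = re.compile(
    r"http://www\.w3\.org/[\d/]+/xmlenc(?:11)?#aes(128|192|256)-(?:cbc|gcm)")


def _records(lines):
    """Group continuation lines (no timestamp) with the record before them."""
    current = None
    for line in lines:
        m = LINE.match(line)
        if m:
            if current:
                yield current
            current = {"time": m[1], "level": m[2], "logger": m[3], "msg": m[5]}
        elif current and line.strip():
            current["msg"] += "\n" + line.strip()
    if current:
        yield current


def find_key_size_failures(log_text):
    """Return one finding per 'Illegal key size' error in the trace."""
    findings = []
    last_cipher = None  # (uri, bits) of the most recent AES request
    for rec in _records(log_text.splitlines()):
        m = AES_URI.search(rec["msg"])
        if rec["logger"] == "JCEMapper" and m:
            last_cipher = (m.group(0), int(m.group(1)))
        if rec["level"] == "ERROR" and "Illegal key size" in rec["msg"]:
            uri, bits = last_cipher or (None, None)
            if bits and bits > 128:
                diagnosis = (f"JVM refused a {bits}-bit AES key: check the JCE "
                             "policy files of the JVM that runs Tomcat")
            else:
                diagnosis = ("no AES request above 128 bits seen before the "
                             "error: inspect the preceding lines")
            findings.append({"time": rec["time"], "uri": uri,
                             "bits": bits, "diagnosis": diagnosis})
    return findings


if __name__ == "__main__":
    for f in find_key_size_failures(SAMPLE_LOG):
        print(f["time"], f["uri"], "->", f["diagnosis"])
```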

       

       

      Lokesh Borse

      Hi,

       

      I did all the steps mentioned in the above blog to configure SAML and updated the jar files as well; however, after clicking on the SAML icon, it redirects to the SAML URL https://<SAML URL>/go/0c3ae7fa-64e2-47f9-b6ea-b27da486babc and finally leads to https://<boewebserver>:8443/BOE/logon.jsp and gives a 404 error.

      We cannot reimport the certificate as it says the certificate already exists, and we also tried disabling encryption but get the same error. Please guide.

      Former Member

      I followed above process and configured SAML successfully on tomcat server.  When I tried to connect BI launch pad from APACHE server it is pointing to https://tomcathost;:8443/BOE/saml/SSO instead of BI launch pad.

      Can you please help.

       

      Mohammed Ashraf

      Hi,

      There are some slight changes to be done in securityContext.xml file when accessing BI Launchpad using Apache for SAML.

      Please follow the steps in the below note.

      https://launchpad.support.sap.com/#/notes/2621904

      Thanks
      Ashraf

      Former Member

      Hi Ashraf,

      Thanks, I followed the above instructions. It's working fine.

      But I have 1 Tomcat server, 2 Apache servers and one load balancer link.

      Using this link, https://launchpad.support.sap.com/#/notes/2621904, I am able to add only one Apache server in the securityContext.xml file. Is it possible to add one more Apache server in securityContext.xml? Can you please guide me on this?

       

      Thank you so much for helping me on this.

       

       

      Former Member

      I have one Tomcat server on which SAML has been configured successfully. On top of it I am using two Apache servers as load balancers.

      At present I followed https://launchpad.support.sap.com/#/notes/2621904 and added one Apache server in securityContext.xml, and it's working fine.

      I am able to connect to BI Launchpad successfully.

      Is it possible to add a second Apache server to securityContext.xml? Can you please guide me on this?

       

      Former Member

       

      Hi Ashraf/Reginald

      Was this 404-Missing page issue resolved?

      We have set up SSO to use Tomcat as SAML service provider. When we are browsing BI launchpad url(/BOE/BI) it is redirecting us to organization sign in page, after providing the login information, it is throwing 404- Missing page by landing to BOE/saml/SSO URL.

      We are unable to proceed further. Any help would be appreciated.

       

      Regards

      RK

      Mohammed Ashraf

      Hi,

      Yes it is resolved, you need to have JCE policy files 8.

      Following the steps below will resolve the 404 - Missing page issue.

      Import Java policy files

      Download

      http://www.oracle.com/technetwork/java/javase/downloads/jce8-download-2133166.html

      Extract zip archive and find there local_policy.jar and US_export_policy.jar

      Replace the existing files found in the “..\SAP BusinessObjects\SAP BusinessObjects Enterprise XI 4.0\win64_x64\sapjvm\jre\lib\security”  directory with the updated downloaded ones and restart SIA and Tomcat.

      Thanks
      Ashraf

       

      Former Member

      Hi Ashraf,

       

      Thanks for your inputs here. I have downloaded JCE policy files 8 files and performed the steps mentioned above. Unfortunately we are still getting  404 – Missing page issue.

      Could you please advise?

       

      Regards

      RK

      Mohammed Ashraf

      Hi,

      Follow step 4 from the comment below and check whether it works after disabling encryption.

      https://blogs.sap.com/2018/02/22/adfs-with-sap-business-intelligence-platform/comment-page-1/#comment-421383

      Thanks
      Ashraf

      Former Member

      Hi Ashraf,

      We have enabled BI extension trace. We could see the below errors in the logs:

       

      Can you please advise if it's related to encryption?

      Regards

      RK

      Lokesh Borse

      I disabled encryption and now it's going to https://tus3bojwebdin04:8443/BOE/saml/SSO and getting a 404 error.

      Lokesh Borse

      We have single tomcat and multiple CMS/processing tier. Do I need to replace these jar files on all CMS/processing tier along with tomcat node? Also, do we also need to replace jars in win32_x86 folder? Same folder structure is there.

      Benjamin Gonzalez

      Hi Mohammed

       

      I'm facing the same issue as a Former Member (post from 23/05/2018) with an "Access Denied" in the log from the springsaml file

       

      I'm using BI 4.2 SP6 with Tomcat 8 and I would like to know if there is a solution ?

       

      And another question because I didn't understand this point

      What is the value I need to write into the custom.jsp

      request.getSession().setAttribute("???",???);
      request.getSession().setAttribute("???",request.getUserPrincipal().getName());

       

      Thank you for your help

       

      Regards,

      Ben

      Jean-Didier Friteau

      A bit late, but this can help other readers.

      You can read in the official documentation how to replace ??? according to your needs.

      [link for 14.2.7]

      https://help.sap.com/viewer/2e167338c1b24da9b2a94e68efd79c42/4.2.7/en-US/46822c1f6e041014910aba7db0e91070.html?q=custom.jsp

       

      Alex Cruickshank

      For anyone struggling with this, I found this part caused me an issue

      Create BILaunchpad.properties file in the <BOE  Install  Dir> \SAP

      If you create a file called BILaunchpad.properties it doesn't work; you need to use a lowercase l, so BIlaunchpad.properties.

      Also, once you complete your config, back it all up and copy it to the warfiles directory, otherwise upgrades will overwrite your config.

      Bryan Ng

      Hi Mohammed,

      Could I apply this ADFS solution in Crystal Server 2020 SP1? Or does it only work on Business Objects Deployment 4.2 SP05?

      Thanks