SAML Integration between Microsoft Azure portal and SAP Business Intelligence Platform
What is Azure Portal?
Microsoft Azure is a cloud computing platform and infrastructure created by Microsoft for building, deploying, and managing applications and services through a global network of Microsoft-managed data centers. Users can manage Azure services using the Web-based Azure portal (sometimes referred to as the Azure Resource Manager (ARM) portal). The portal allows users to browse active resources, modify settings, launch new resources, and view basic monitoring data from active virtual machines and services.
Prerequisites
- A valid email address and Microsoft Azure password, needed before you can access the portal.
- SAP BusinessObjects Business Intelligence platform 4.2 SP05 or above.
What is Azure AD connect
The Azure Active Directory Connect synchronization service (Azure AD Connect sync) is the main component of Azure AD Connect. It handles all operations related to synchronizing identity data between your on-premises environment and Azure AD. Azure AD Connect sync is the successor of DirSync, Azure AD Sync, and Forefront Identity Manager with the Azure Active Directory Connector configured.
Microsoft Azure Portal Configuration
- Log in to the Azure portal.
- Go to Azure Active Directory -> Enterprise Applications -> All Applications.
- In the All Applications window, click New Application.
- Because the SAP Business Intelligence platform is not available in the Microsoft application gallery, add it as a Non-gallery application. Provide an application name and click Add.
- After adding the application, it is listed under All Applications.
- Click the newly added application (for example, SAP Business Objects) to open its properties.
- Click Single sign-on to enable SAML for this application, and select SAML-based Sign-on as the Single Sign-on Mode.
- Provide the required parameters, the Identifier (the entity ID of the service provider) and the Reply URL (the assertion consumer service endpoint of the service provider on the BOE host, an HTTPS URL), and save. These two values must match what the service provider on the SAP BI side expects; a mismatch is the usual cause of a SAML response being rejected at the SP later on.
- Click Show advanced URL settings and, in Sign on URL, provide the URL where users log in to and access the application.
- Download the IDP metadata: under SAML Signing Certificate, download the metadata XML of the Azure IDP. Save this file; it is needed when configuring SAP BI.
- Save the configuration.
These are the steps required on the Azure portal side for the SAML configuration with SAP BI.
SAP BI Configuration
Unlike other web application servers such as WebSphere and NetWeaver, Tomcat does not ship with a built-in SAML service provider, so we have to deploy our own service provider for Tomcat. We will be using the Spring Security SAML extension as the service provider for Tomcat.
Adding Tomcat Service Provider Jars
- The Spring SAML service provider jars are available under <BOE Install Dir>\SAP BusinessObjects Enterprise XI 4.0\SAMLJARS. Copy these jars to <BOE Install Dir>\tomcat\webapps\BOE\WEB-INF\lib.
- Stop Tomcat and delete the Tomcat work directory under <BOE Install Dir>\tomcat.
- Start Tomcat.
Configure Tomcat for HTTPS SSL
- Create a certificate keystore by executing the following command:
keytool -genkeypair -alias <create_AliasName> -keyalg RSA -keysize 2048 -keystore <path_and_create_KeystoreFilename>
- This command prompts for the certificate attributes; enter all of them. The CN should be the host name users see in the browser address bar. A self-signed certificate will still produce browser warnings; for production, use a certificate issued by a CA your users' browsers trust.
- Configure your SSL connector.
Before Tomcat can accept secure connections, you need to configure an SSL connector.
a. In a text editor, open the Tomcat server.xml file. It is usually located in the conf folder of your Tomcat home directory.
b. Locate the connector that you want to secure with the new keystore. Usually a connector on port 443 or 8443 is used, as shown in step d.
c. If necessary, uncomment the connector by removing the comment tags (<!-- and -->).
d. Specify the correct keystore filename and password in your connector configuration. When you are done, the connector should look something like this:
<Connector port="8443" maxHttpHeaderSize="8192" maxThreads="150" minSpareThreads="25" maxSpareThreads="75" enableLookups="false" disableUploadTimeout="true" acceptCount="100" scheme="https" secure="true" SSLEnabled="true" clientAuth="false" sslProtocol="TLS" keyAlias="server" keystoreFile="/home/user_name/your_site_name.jks" keystorePass="your_keystore_password" />
Two points worth checking here: keystorePass is stored in clear text in server.xml, so restrict read access to that file to the account Tomcat runs as; and sslProtocol="TLS" on its own leaves the JVM's default protocol list enabled, so pin the negotiable versions explicitly with sslEnabledProtocols="TLSv1.2,TLSv1.3" (TLSv1.3 where the JVM supports it).
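The following script is an added example for this post and is not part of the original article, of SAP BI, or of Tomcat. It lints the TLS connector(s) in a server.xml against the points above: SSLEnabled without scheme/secure, a missing or legacy sslEnabledProtocols list, and a literal keystore password in the file. The weak sample is a constructed copy of the connector shown above; the hardened copy next to it pins the protocol list and references the password as a ${keystore.password} system property (an assumption about how the operator supplies it) instead of writing it into the file.

```python
"""Lint the HTTPS Connector(s) in a Tomcat server.xml.

Added example; not from the original post, SAP BI or Tomcat. Returns a list of
findings per TLS-enabled connector (an empty list means nothing was flagged).
Attribute names are Tomcat's own: SSLEnabled, scheme, secure,
sslEnabledProtocols, keystorePass.
"""
import re
import xml.etree.ElementTree as ET

# Constructed copy of the connector from the post, wrapped in the minimal
# server.xml structure around it (not a real server's configuration).
WEAK_SERVER_XML = """<Server><Service name="Catalina">
<Connector port="8443" maxHttpHeaderSize="8192" maxThreads="150" enableLookups="false"
    disableUploadTimeout="true" acceptCount="100" scheme="https" secure="true"
    SSLEnabled="true" clientAuth="false" sslProtocol="TLS" keyAlias="server"
    keystoreFile="/home/user_name/your_site_name.jks" keystorePass="your_keystore_password" />
</Service></Server>"""

# The same connector with the protocol list pinned and the password supplied
# as a system property (assumed to be set on the JVM) rather than inline.
HARDENED_SERVER_XML = """<Server><Service name="Catalina">
<Connector port="8443" maxHttpHeaderSize="8192" maxThreads="150" enableLookups="false"
    disableUploadTimeout="true" acceptCount="100" scheme="https" secure="true"
    SSLEnabled="true" clientAuth="false" sslProtocol="TLS"
    sslEnabledProtocols="TLSv1.2,TLSv1.3" keyAlias="server"
    keystoreFile="/home/user_name/your_site_name.jks" keystorePass="${keystore.password}" />
</Service></Server>"""

LEGACY_PROTOCOLS = {"SSLv2", "SSLv2Hello", "SSLv3", "TLSv1", "TLSv1.1"}
PROPERTY_REF = re.compile(r"\$\{[^}]+\}")


def lint_tls_connectors(server_xml: str) -> list:
    """Return human-readable findings for every TLS-capable Connector."""
    findings = []
    root = ET.fromstring(server_xml)
    for conn in root.iter("Connector"):
        attrs = conn.attrib
        port = attrs.get("port", "?")
        if attrs.get("SSLEnabled", "false").lower() != "true":
            continue  # plain HTTP connectors are out of scope for this check
        if attrs.get("scheme") != "https" or attrs.get("secure", "").lower() != "true":
            findings.append(f"port {port}: SSLEnabled but scheme/secure are not https/true, "
                            "so the web application treats requests as plain http")
        enabled = attrs.get("sslEnabledProtocols")
        if enabled is None:
            findings.append(f"port {port}: no sslEnabledProtocols, the JVM default list is used; "
                            'add sslEnabledProtocols="TLSv1.2,TLSv1.3"')
        else:
            legacy = sorted(LEGACY_PROTOCOLS & {p.strip() for p in enabled.split(",")})
            if legacy:
                findings.append(f"port {port}: legacy protocol(s) enabled: {', '.join(legacy)}")
        pw = attrs.get("keystorePass", "")
        if pw and not PROPERTY_REF.fullmatch(pw):
            findings.append(f"port {port}: keystorePass is a literal in server.xml; "
                            "use a ${property} reference or restrict the file's permissions")
        if pw.lower() in {"changeit", "password"}:
            findings.append(f"port {port}: keystorePass is a well-known default value")
    return findings


if __name__ == "__main__":
    import sys
    text = open(sys.argv[1], encoding="utf-8").read() if len(sys.argv) > 1 else WEAK_SERVER_XML
    for finding in lint_tls_connectors(text) or ["no findings"]:
        print(finding)
```

Run it as `python lint_connector.py /path/to/conf/server.xml`; with no argument it lints the weak sample. The property-reference check only confirms the secret is not in the file; how the property reaches the JVM (catalina.properties, a -D flag in the service wrapper) still has to be protected the same way.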
Enabling SAML for required Web Applications Properties
SAML authentication has to be enabled per web application. This is done by uncommenting the respective entry endpoint in securityContext.xml and by setting saml.enabled in the custom properties file of the respective application.
In this post we will be enabling SAML for the old BI Launchpad (BOE/BI).
- Changes in securityContext.xml
In securityContext.xml under <BOE Install Dir>\tomcat\webapps\BOE\WEB-INF there is a section for the SAML entry endpoints. By default, only the SAML entry endpoint for the classic BI Launchpad is enabled.
- SAML authentication can also be enabled for other applications (OpenDocument, Fiori Launchpad) by uncommenting the <security:intercept-url line of that particular application.
- If SAML authentication has to be enabled for one application only, for example BI Launchpad alone, make sure the line <security:intercept-url pattern="/BI" access="IS_AUTHENTICATED_FULLY"/> is uncommented and leave the entry points for OpenDocument and Fiori Launchpad commented out.
Changes in BILaunchpad.properties
Create the file BILaunchpad.properties under <BOE Install Dir>\SAP BusinessObjects\tomcat\webapps\BOE\WEB-INF\config\custom if no custom properties file exists there yet. If it already exists, only the property saml.enabled=true needs to be added.
Configurations in the deployment descriptor (web.xml)
Enabling SAML in the SP configuration: activate the SAML context configuration.
a. Open <BOE Install Dir>\tomcat\webapps\BOE\WEB-INF\web.xml in a text editor.
b. Remove the comment markers (<!-- and -->) around the block between the START SAML and END SAML comments.
A new servlet filter has been introduced for SAML; the relevant section in web.xml is commented out by default, so the filters are enabled by uncommenting the SAML sections in the web.xml of the BOE web application.
web.xml file path: <BOE Install Dir>\tomcat\webapps\BOE\WEB-INF\web.xml
Note: SAML authentication is enabled at the web application level, i.e., on BOE itself, not in the individual webpath bundles.
Update IDP metadata in SP
The IDP metadata has to be downloaded from the respective IDP (in our case the Azure portal). Rename the file to idp-meta-downloaded.xml and copy it to <BOE Install Dir>\tomcat\webapps\BOE\WEB-INF.
If BOE is deployed on a Linux (non-Windows) machine, the path separators in the file path to the IDP metadata under the FilesystemMetadataProvider bean in securityContext.xml (under <BOE Install Dir>\tomcat\webapps\BOE\WEB-INF) have to be changed to forward slashes, i.e. the Windows form
<value type="java.io.File">\WEB-INF\idp-meta-downloaded.xml</value>
becomes
<value type="java.io.File">/WEB-INF/idp-meta-downloaded.xml</value>
on Linux. On Windows the backslash form is kept.
SAML keystore generation
SAML exchanges use cryptography for signing and encrypting data, so the service provider needs its own key pair. You can generate a self-signed key with the Java keytool utility as follows.
Navigate to <BOE Install Dir>\SAP BusinessObjects Enterprise XI 4.0\win64_x64\sapjvm\bin and run the following command to generate the certificate:
keytool -genkeypair -alias <aliasname> -keyalg RSA -keysize 2048 -keypass <Password> -keystore <sampleKeystore.jks> -validity <numberofdays>
aliasname is the certificate alias, Password a password of your choice, numberofdays the number of days the self-signed certificate is valid, and sampleKeystore.jks the name of the keystore file.
Example: keytool -genkeypair -alias Testkey -keyalg RSA -keysize 2048 -keypass Password1 -keystore sampletestKeystore.jks -validity 735
Use a strong password instead of the placeholder shown; note also that passing -keypass on the command line leaves the password in the shell history, so omitting the option and answering the prompt is preferable.
The generated keystore file has to be copied from the bin folder to <BOE Install Dir>\tomcat\webapps\BOE\WEB-INF, and the references to the new alias name, password and keystore file name have to be changed in securityContext.xml, in the constructor arguments of the key manager bean:
- the first argument (sampletestKeystore.jks) points to the keystore file,
- the second contains the keystore password (the one entered at the prompt after the generation command),
- the third maps private key aliases to their passwords as alias-password value pairs (here Testkey and Password1),
- the last is the alias of the default certificate (Testkey).
Note: the SP metadata has to be regenerated every time this keystore file is changed.
After making all the above changes, restart Tomcat.
Configure Trusted Authentication for Tomcat with web session
- Add the global.properties file under <BOE Install Dir>\tomcat\webapps\BOE\WEB-INF\config\custom with the following entries:
sso.enabled=true
trusted.auth.shared.secret=MySecret
trusted.auth.user.param=MyUser
trusted.auth.user.retrieval=WEB_SESSION
- Go to CMC -> Authentication -> Enterprise.
- Enable Trusted Authentication.
- Set the validity and download the shared secret key file TrustedPrincipal.conf.
- Click Save, and save the TrustedPrincipal.conf file to the following directories:
<INSTALLDIR>\SAP BusinessObjects Enterprise XI 4.0\win64_x64\
<INSTALLDIR>\SAP BusinessObjects Enterprise XI 4.0\win32_x86\
TrustedPrincipal.conf holds the shared secret that lets the web tier log any Enterprise user in without a password, so restrict read access to it (and to global.properties) to the account the BI services run as.
Create the IDP user in BOE
SAML-based authentication relies on trusted authentication from the web server to the CMS. The IDP users therefore have to exist in BOE as Enterprise users: create them in the CMC, import them through an SDK script, or use the CSV import option in the CMC. The user name the IDP asserts has to match the Enterprise user name, otherwise the trusted-authentication logon fails.
Import the bulk users into BI Platform:
Locate the custom.jsp file in the web folder of the com.businessobjects.webpath.InfoView.jar file, at C:\Program Files (x86)\SAP BusinessObjects\SAP BusinessObjects Enterprise XI 4.0\warfiles\webapps\BOE\WEB-INF\eclipse\plugins\webpath.InfoView\web\custom.jsp
Make the following changes to the custom.jsp file:
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<%@ page language="java" contentType="text/html;charset=utf-8" %>
<% //custom Java code
%>
Restart Tomcat.
Validation
There are two ways to access the application through SAML SSO:
- SP-initiated SSO
- IDP-initiated SSO
SP-initiated SSO
SP-initiated SSO means starting the application from its own URL (in our case SAP BI). The user is redirected to the IDP login page for authentication; enter the credentials of your Azure login (email address and password). Once the credentials are validated, the user is logged in automatically.
IDP-initiated SSO
For IDP-initiated SSO, one more attribute has to be set in the Azure portal: tick the Show advanced URL settings checkbox, add https://boehost:port/BOE/BI as the Sign on URL of the SAP Business Intelligence application, and save the configuration.
To access the application through IDP-initiated SSO, go to the Apps page of the Azure portal using the URL below and click SAP Business Intelligence:
https://account.activedirectory.windowsazure.com/r#/applications
If the SAML configuration is correct, the user is automatically logged in to SAP BI.
Blog by: Dhrubajyoti Paul
Mohammed Ashraf
I have a short question here:
1. In BI4.2 PAM, there is no MS Azure in supported Portal Server list, does that mean SAP doesn't support SAML SSO between Azure and BI officially?
2. For BI, the authentication from Azure portal is Windows AD or others? I mean if I check the CMC > Sessions, will it display secWinAD or others?
Regards,
Chenghao
That is because Trusted Authentication is used for SSO.
With Trusted Authentication you will always get SecEnterprise session in Sessions not SecwinAD.
You can refer to Admin guide for the same
IDP SAML is supported from BI 4.2 SP05 onwards. Initially it was certified with HCP. Now Azure has also been certified. The SSO happens through trusted authentication. In sessions it will reflect as SecEnterprise.
Hi Paul,
It would be great to add the information about what kinds of IdP are supported by BI4.2 SP5 in PAM so that the customers can get a clear idea about it.
Regards,
Ivan
The Official line is SAML is supported with BO.
An IDP supporting SAML should work with Business Objects.
There will not be a separate list for that in PAM as of now
Hey Paul, this is really a great post and helpful information! Thanks much for sharing step by step process and guide for configuring Microsoft azure and the detailed guidance about SAP BI configuration. Also, the links for reference that you've provided in between are very much useful.
Best Regards
Ranjit
Hi,
Need help here, we configured BI SSO with Azure as our IDP. Followed the exact steps on this blog and final result is kind of partially working.
BI launch pad link works fine authenticating with AZURE in Chrome browsers, but failing on the IE and Edge browsers. Basically on the Microsoft browsers, this is not working. Getting the /BOE/saml/SSO error on the Microsoft browsers.
Not sure if there is any issue on either BI config or AZURE config. But there is no way to find and fix the hole here.
Also checked with SAP and Microsoft on the error, they checked everything and replied no issues at either sides.
Any help on my issue is really appreciated.
Is there any way to avoid the /BOE/saml/SSO error and redirect always to /BOE/BI ...
THANKS,
PRASANNA
Hello Prasanna,
Did you ever find a solution for this?
Facing the exact same issue.
Thanks
Marcel
Hello,
Very Good Job!
I have just only one question for you :
You say we have to create the users as Enterprise users... Does it mean we have to maintain them through the CMC? In classic SSO, the users are created in the Active Directory. I'm a bit confused...
If I understand well:
Thank you for your answers!
Best regards,
Great blog, but where is the keystore stored on the Linux server?
In 4.3 SP2 the SAML jars are installed, but I need to know the location of the keystore command; is it a .sh?
Or do you run this on the app server?