SAP Analytics Cloud: Configure SAML SSO Live Data Connection to SAP Universe using SAP Cloud Platform Identity Authentication (SCI) Identity Provider
SAP Analytics Cloud allows us to directly connect to on-premise SAP BusinessObjects BI Platform Universe (UNV and UNX) via Live Data Connection (aka LUC). The queried data stays behind the corporate firewall and does not move into the cloud. Any changes made to the data on the source system are reflected immediately. Live Data Connection enables us to leverage the existing investment of universe modeling and security setup in SAP BI Platform system.
SAP Analytics Cloud now supports a Live Data Connection to SAP Universe using both Password Authentication and SAML Single Sign-On (SSO) Authentication. SAML authentication is recommended for production environments.
This blog post will cover how to configure SAML SSO Live Data Connection in SAP Analytics Cloud to SAP Universe. We will use SAP Cloud Platform Identity Authentication (also known as SAP Cloud Identity) as SAML Identity Provider (IdP). The same workflow is applicable to any of your chosen Identity Provider compatible with SAML 2.0 protocol.
UPDATE: SAP BOE Live Data Connect version 2.x has been released. You can find out more information in Note 2771921. Please note version 1.x release is no longer supported.
The configuration consists of the following main parts:
Part 1. Configure Custom SAML SSO between SAP Analytics Cloud and IdP (SAP Cloud Platform Identity Authentication service)
Part 2. Configure SAML SSO between SAP BOE Live Data Connect and IdP (SAP Cloud Platform Identity Authentication service)
Part 3. Create a Live Direct Connection in SAP Analytics Cloud
If the SAP Analytics Cloud system has already been configured to use Custom SAML authentication, jump to Part 2, which is the main focus of the blog.
Part 1. Configure Custom SAML SSO between SAP Analytics Cloud and IdP (SAP Cloud Platform Identity Authentication service)
SAP KBA 2518900 provides detailed steps on how to set it up.
Part 2. Configure SAML SSO between SAP Live Data Connect and IdP (SAP Cloud Platform Identity Authentication service)
2.1. Deploy and setup SAP BOE Live Data Connect (LUC) component
a. Download and deploy the SAP BOE Live Data Connect component. Go to the SAP Software Downloads site and log in with your SAP credentials; search for "Live Data Connect" and download the latest version of SAP BOE Live Data Connect.
b. Rename cs_ina_agent.war file to sap#boc#ina.war, copy the renamed sap#boc#ina.war file to tomcat > webapps directory; Restart Tomcat to deploy it.
c. Create boe.properties file in the conf folder of your Tomcat installation directory
d. Edit the boe.properties file with the following lines (for example)
# BOE Server info
# Restful Web Service is deployed on Web Application Container Server
# Its default port number is 6405
# replace <BI_Platform_Host_Name> by your BI Platform's Host Name
boe.restUrl=http://<BI_Platform_Host_Name>:6405/biprws
boe.authenticationMode=saml
boe.clientType=AZFkpRO4waBGvZNBt4R85YY
boe.trustedauth.method=HTTP_HEADER
boe.trustedauth.user.name.parameter=X-SAP-TRUSTED-USER
lde.port=58080
lde.boe.sharedKey=<value of the shared key in TrustedPrincipal.conf file>
- Make sure the values of boe.trustedauth.method and boe.trustedauth.user.name.parameter correspond to the CMC > WebApplicationContainerServer (WACS) > Trusted Authentication Configuration
e. Activate logs. Create a bo_trace.ini file in the conf folder of your Tomcat installation directory and edit it with the following lines (for example)
size = 494967290;
keep_num = -1;
sap_trace_level = trace_debug;
sap_log_level = log_info;
log_dir = "C:\\PROGRA~2\\SAPBUS~1\\SAPBUS~1.0\\LOGGING\\LUC";
f. Point Tomcat to boe.properties and bo_trace.ini files that were just created. This procedure varies depending on the type of Tomcat used.
For Tomcat BI 4 (Windows), which comes with the default BI Platform installation, open Central Configuration Manager, stop Tomcat, then edit its properties by appending the following lines to the command line. Note: the paths need to include the filename, not just the directory.
For standalone Tomcat starting in batch or service mode, or Tomcat on Linux, please refer to the Product Guide for more details.
2.2. Configure Cross-Origin Resource Sharing (CORS)
When deploying the component, you can configure CORS so that the browser only accepts requests coming from the SAP Analytics Cloud server. It's a way to secure the component by making sure that you control which servers access your BI system through it.
a. Go to tomcat > webapps > sap#boc#ina > WEB-INF directory and open the web.xml file using Notepad
b. Locate <param-name>cors.allowed.origins</param-name> line
c. Edit the <param-value>*</param-value> line underneath it as follows
2.3. Configuration related to SAML Authentication
*** If you use Chrome 80 or a later version, you need to set SameSite=None for the backend LUC. Open context.xml in the <Tomcat_root>/webapps/sap#boc#ina/META-INF directory.
Insert the CookieProcessor segment to set the SameSite attribute to None.
<Context docBase="" path="/sap/boc/ina" reloadable="false" useHttpOnly="true">
  <CookieProcessor className="org.apache.tomcat.util.http.LegacyCookieProcessor" sameSiteCookies="none" />
</Context>
Details can be found in KBA 2889975 – SAP BusinessObjects Live Data Connect and Google Chrome 80: connection failure.
a. Make sure that the SAML-related properties (boe.authenticationMode, boe.trustedauth.method, boe.trustedauth.user.name.parameter, etc.) have already been configured in the boe.properties file as detailed in step 2.1 d of Part 2 above.
b. Go to the tomcat > webapps > sap#boc#ina > WEB-INF directory and open the web.xml file using Notepad, and uncomment the section related to SAML.
Prior to the change:
<!--SAML -->
<!--Uncomment the following section to activate SAML authentication -->
<!--
<context-param>
  <param-name>contextConfigLocation</param-name>
  <param-value>
    /WEB-INF/securityContext.xml
  </param-value>
</context-param>
<filter>
  <filter-name>springSecurityFilterChain</filter-name>
  <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
</filter>
<filter-mapping>
  <filter-name>springSecurityFilterChain</filter-name>
  <url-pattern>/*</url-pattern>
</filter-mapping>
<listener>
  <listener-class>org.springframework.web.context.ContextLoaderListener</listener-class>
</listener>
-->
<!--SAML -->
After the change:
<!--SAML -->
<!--Uncomment the following section to activate SAML authentication -->
<context-param>
  <param-name>contextConfigLocation</param-name>
  <param-value>
    /WEB-INF/securityContext.xml
  </param-value>
</context-param>
<filter>
  <filter-name>springSecurityFilterChain</filter-name>
  <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
</filter>
<filter-mapping>
  <filter-name>springSecurityFilterChain</filter-name>
  <url-pattern>/*</url-pattern>
</filter-mapping>
<listener>
  <listener-class>org.springframework.web.context.ContextLoaderListener</listener-class>
</listener>
<!--SAML -->
c. Specify the keystore location in securityContext.xml file of LUC webapp
Go to the tomcat > webapps > sap#boc#ina > WEB-INF directory and edit the securityContext.xml file. First of all, comment out the following line, otherwise you would get an HTTP Status 404 – Not Found error (KBA 2838745); then use one of the two options below to add the keystore information.
<bean id="keyManager" class="org.springframework.security.saml.key.EmptyKeyManager"/>
Option 1: Add the following lines to provide the location of the keystore file holding the Live Data Connect SAML certificate.
<bean id="keyManager" class="org.springframework.security.saml.key.JKSKeyManager">
  <constructor-arg value="/WEB-INF/samlKeystore.jks" />
  <constructor-arg type="java.lang.String" value="Password1"/>
  <constructor-arg>
    <map>
      <entry key="boe" value="Password1"/>
    </map>
  </constructor-arg>
  <constructor-arg type="java.lang.String" value="boe"/>
</bean>
In the above sample, a keystore file named samlKeystore.jks is created for Live Data Connect, and it is located within the sap#boc#ina > WEB-INF directory. The alias of the private key entry used for the SAML certificate is boe, and the password of both the keystore file and the private key is Password1.
At a high level, you use the Java keytool.exe to generate a keystore file and a certificate request, then you contact a Certificate Authority (CA), which provides you with a signed certificate or certificate chain; after that, you use keytool.exe to import the signed certificate into the keystore file. You can consult your organization's security administrator for assistance on this topic. For your reference, here are the commands, executed from the JVM bin directory.
Generate keystore file:
keytool.exe -genkey -alias boe -keyalg RSA -keystore "C:\Program Files (x86)/SAP BusinessObjects/tomcat/webapps/sap#boc#ina/WEB-INF/samlKeystore.jks" -keysize 2048
Generate certificate request:
keytool.exe -keystore "C:\Program Files (x86)/SAP BusinessObjects/tomcat/webapps/sap#boc#ina/WEB-INF/samlKeystore.jks" -certreq -alias boe -file c:\sso\boecertreq
Import certificate:
keytool.exe -keystore "C:\Program Files (x86)/SAP BusinessObjects/tomcat/webapps/sap#boc#ina/WEB-INF/samlKeystore.jks" -import -alias boe -file c:\sso\boe.crt
Option 2: Alternatively (this is my preferred method), instead of creating a new keystore file for Live Data Connect (LUC) as shown above, you can reuse the keystore file that was created for Tomcat when it was configured for HTTPS, for LUC as well. As a prerequisite, the Tomcat hosting LUC must already have been configured for HTTPS, so you can always reuse the same keystore on the same machine.
The Tomcat keystore file is generally located in a directory outside of the LUC webapp directory, so how do you reference it in the securityContext.xml file within the sap#boc#ina > WEB-INF directory?
First, use the mklink /H command to create a hard link to the Tomcat Java keystore file in the LUC webapp directory:
cd C:\Program Files (x86)\SAP BusinessObjects\tomcat\webapps\sap#boc#ina\WEB-INF
mklink /H TomcatJKS.hl "C:\Program Files (x86)\SAP BusinessObjects\tomcat\conf\.keystore"
Then, update the securityContext.xml file.
<bean id="keyManager" class="org.springframework.security.saml.key.JKSKeyManager">
  <constructor-arg value="/WEB-INF/TomcatJKS.hl" />
  <constructor-arg type="java.lang.String" value="Password1"/>
  <constructor-arg>
    <map>
      <entry key="tomcat" value="Password1"/>
    </map>
  </constructor-arg>
  <constructor-arg type="java.lang.String" value="tomcat"/>
</bean>
In the above sample, a hard link file TomcatJKS.hl is created to point to the existing Tomcat Java keystore file located at "C:\Program Files (x86)\SAP BusinessObjects\tomcat\conf\.keystore". The alias of the private key entry used for Tomcat is tomcat, and the password of both the keystore file and the private key is Password1. This way, you do not need to create and maintain a second keystore file and its associated certificate.
d. Log in to the Central Management Console (CMC) of the BI Platform system and click Authentication > Enterprise. Select the checkbox Trusted Authentication is enabled, click the New Shared Secret button, then click the Download Shared Secret button. Click the Update button.
e. Open the TrustedPrincipal.conf file from the temporary downloads directory and copy the SharedSecret value from it. Configure the lde.boe.sharedKey parameter with the shared secret in the boe.properties file as detailed in step 2.1 d of Part 2 above. (Please note this step has changed since LUC version 2.3: the value is now defined in the boe.properties file. In earlier versions, this property was configured via the Java option -Dbobj.trustedauth.home.)
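The settings from steps 2.2 and 2.3 are spread over three files, and a mistake in any of them (CORS left at *, the SAML section still commented out, EmptyKeyManager still active, a placeholder shared key) only shows up later as a 404 or an authentication error. The script below is an added example, not code from this post or from SAP's Live Data Connect component: it parses constructed fragments shaped like web.xml, securityContext.xml and boe.properties (hostnames made up, function names this example's own) and reports those conditions so they can be caught before the connection is tested.

```python
"""Audit the three LUC configuration files edited in steps 2.2 and 2.3.

Added example, not code from the original post or from SAP. The fragments are
constructed to resemble the post's samples; hostnames are made up.
"""
import configparser
import xml.etree.ElementTree as ET


def web_xml(origins, saml_active):
    """Constructed web.xml: CORS origins plus the SAML filter, commented or not."""
    saml = """<filter>
    <filter-name>springSecurityFilterChain</filter-name>
    <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
  </filter>"""
    if not saml_active:
        saml = "<!--\n  " + saml + "\n  -->"  # the "prior to the change" state
    return f"""<web-app>
  <filter>
    <filter-name>CorsFilter</filter-name>
    <filter-class>org.apache.catalina.filters.CorsFilter</filter-class>
    <init-param>
      <param-name>cors.allowed.origins</param-name>
      <param-value>{origins}</param-value>
    </init-param>
  </filter>
  <!--SAML -->
  {saml}
</web-app>
"""


def security_context(key_manager_class):
    """Constructed securityContext.xml with a single keyManager bean."""
    return f"""<beans xmlns="http://www.springframework.org/schema/beans">
  <bean id="keyManager" class="{key_manager_class}"/>
</beans>
"""


# Constructed boe.properties: http REST URL and the shared key placeholder left in.
BOE_PROPERTIES_SAMPLE = """# constructed sample, not a real deployment
boe.restUrl=http://bi-host.example.com:6405/biprws
boe.authenticationMode=saml
boe.trustedauth.method=HTTP_HEADER
boe.trustedauth.user.name.parameter=X-SAP-TRUSTED-USER
lde.port=58080
lde.boe.sharedKey=<value of the shared key in TrustedPrincipal.conf file>
"""


def _local(tag):
    """Strip an XML namespace: '{ns}bean' -> 'bean'."""
    return tag.rsplit("}", 1)[-1]


def _child_text(el, name):
    for child in el:
        if _local(child.tag) == name:
            return (child.text or "").strip()
    return None


def audit_web_xml(text):
    """CORS origin check (2.2) and SAML filter chain check (2.3 b)."""
    findings, origins, saml_active = [], None, False
    # ElementTree drops comments, so a still-commented <filter> is not seen.
    for el in ET.fromstring(text).iter():
        name = _local(el.tag)
        if name == "init-param" and _child_text(el, "param-name") == "cors.allowed.origins":
            origins = _child_text(el, "param-value")
        elif name == "filter-name" and (el.text or "").strip() == "springSecurityFilterChain":
            saml_active = True
    if origins is None:
        findings.append("web.xml: cors.allowed.origins not found")
    elif origins == "*":
        findings.append("web.xml: cors.allowed.origins is '*' - any web origin may call the component")
    else:
        for o in origins.split(","):
            if not o.strip().startswith("https://"):
                findings.append(f"web.xml: CORS origin {o.strip()!r} is not an https origin")
    if not saml_active:
        findings.append("web.xml: springSecurityFilterChain not active - SAML section still commented out")
    return findings


def audit_security_context(text):
    """keyManager must reference a keystore, not EmptyKeyManager (2.3 c)."""
    classes = [el.get("class", "") for el in ET.fromstring(text).iter()
               if _local(el.tag) == "bean" and el.get("id") == "keyManager"]
    if not classes:
        return ["securityContext.xml: no active keyManager bean"]
    if any(c.endswith("EmptyKeyManager") for c in classes):
        return ["securityContext.xml: EmptyKeyManager still active - SP metadata carries no signing certificate"]
    return []


def audit_boe_properties(text):
    """SAML mode, REST URL scheme and shared key in boe.properties (2.1 d, 2.3 e)."""
    findings = []
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    cp.optionxform = str                 # keep key case such as boe.restUrl
    cp.read_string("[luc]\n" + text)     # .properties has no section header
    props = cp["luc"]
    if props.get("boe.authenticationMode", "").lower() != "saml":
        findings.append("boe.properties: boe.authenticationMode is not 'saml'")
    if props.get("boe.restUrl", "").startswith("http://"):
        findings.append("boe.properties: boe.restUrl is plain http - the trusted user header travels in clear text")
    key = props.get("lde.boe.sharedKey", "")
    if not key or key.startswith("<"):
        findings.append("boe.properties: lde.boe.sharedKey is missing or still a placeholder")
    return findings


if __name__ == "__main__":
    for f in (audit_web_xml(web_xml("*", False))
              + audit_security_context(security_context("org.springframework.security.saml.key.EmptyKeyManager"))
              + audit_boe_properties(BOE_PROPERTIES_SAMPLE)):
        print(f)
```

Run it against the real files by reading them from the Tomcat directories named in the post instead of the constructed strings; the checks are the same.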
2.4 Download the SAML metadata of the Identity Provider (SAP Cloud Platform Identity Authentication service) and upload it to the Service Provider (SAP BOE Live Data Connect)
a. Log on to the Administration Console of your SAP Cloud Platform Identity Authentication Identity Provider tenant
b. Under Applications & Resources, choose Tenant Settings, and then choose SAML 2.0 Configuration
c. Click Download Metadata File to download the metadata file (metadata.xml) of the Identity Provider
d. Copy the IdP's metadata file from the previous step and save it in the tomcat > webapps > sap#boc#ina > WEB-INF > classes > metadata directory as idp_metadata.xml
e. Restart Tomcat
2.5 Download the SAML metadata of the Service Provider (SAP BOE Live Data Connect) and upload it to the Identity Provider (SAP Cloud Platform Identity Authentication service)
a. Go to https://<HOST>:<PORT>/sap/boc/ina/saml/metadata and save the metadata file (spring_saml_metadata.xml) of the Service Provider.
<HOST> is the host name of the Tomcat where SAP BOE Live Data Connect is deployed
- If you get the error "An unexpected error occurred, please contact your administrator" when trying to download the LUC SAML metadata file, please check KBA 2885353
b. Connect to the Administration Console of your SAP Cloud Platform Identity Authentication Identity Provider tenant
c. Under Applications & Resources, choose Applications, then click + Add to add a new application for SAP BOE Live Data Connect. Provide a name and Save. Select the newly created application, then click SAML 2.0 Configuration.
d. Under Define from Metadata, click the Browse button to select and upload the metadata file of the Service Provider (from step 2.5 a). Click Save.
e. Click Name ID Attribute
f. Choose the attribute (e.g. Login Name or User ID) that will be used to map and match the Account Name property value of users in the BI Platform system. Click Save.
Note: The value of the selected Name ID attribute in the Identity Provider must be identical to the Account Name of the corresponding user in the BI Platform system to allow seamless Single Sign-On to the BI Platform system from SAP Analytics Cloud.
The following sample illustrates how the attribute mapping works.
A user logs in to SAP Analytics Cloud using his or her Identity Provider credentials.
User ID = P000019
Login Name = TestUser
There are two BI users (P000019 and TestUser) in BI Platform, as shown in the screenshot.
When the Name ID Attribute of the SAP BOE Live Data Connect application in the IdP is set to Login Name (from step 2.5 f), its value (TestUser) is used to search for and compare against the Account Name attribute in BI Platform. As of now, only the Account Name attribute can be used for mapping on the BI Platform side; it is not configurable and cannot be set to another attribute. There is a match with the BI user TestUser (the second user shown in the screenshot above). This BI user (TestUser) is automatically logged in to the BI system behind the scenes when the SAML SSO Live Data Connection to the Universe is established or a story built on it is refreshed in SAC.
Now we switch the Name ID Attribute of the SAP BOE Live Data Connect application in the IdP to User ID (from step 2.5 f); its value (P000019) is used to search for and compare against the Account Name attribute in BI Platform. There is a match with the BI user P000019 (the first user shown in the screenshot above). This BI user is automatically logged in to the BI system behind the scenes when the SAML SSO Live Data Connection to the Universe is established or a story built on it is refreshed in SAC.
If the Name ID Attribute value does not match any BI user, the error "Unable to authenticate. Please ensure your credentials are valid." is thrown when setting up a SAML SSO Live Data Connection to the Universe.
Part 3. Create a Live Direct Connection in SAP Analytics Cloud
1. Log on to your SAP Analytics Cloud tenant
2. Go to Main Menu > Connection > Connections > +(Add Connection) > Connect to Live Data > SAP Universe
3. In the dialog, enter the connection name of your choice. NOTE: The connection name cannot be changed later
4. Specify the Tomcat Server's Host (where BOE Live Data Connect is deployed) and HTTPS port number
5. Under Authentication Method select SAML Single Sign On
6. Click OK
If the configuration is successful, you will notice a small popup window that appears and immediately closes. Once the connection has been successfully saved, you can create a model to consume the SAP Universe already built in the on-premise BI Platform via the Live Data Connection. On top of the model, you can then build stories in SAP Analytics Cloud.
1. Error: "Unable to authenticate. Please ensure your credentials are valid." when saving the SAML SSO Live Data Connection.
Most likely there is an issue with the mapping between the Name ID Attribute of the IdP and the Account Name property of the user object in BI Platform: no matching user is found in the BI Platform system.
The BOE Live Data Connect trace shows the error: Failed login attempt for user: <user> from IP: <IP address>. It contains the user in the Identity Provider and the client machine's IP address.
When the SAML SSO Live Data Connection is successfully established, you should see this in the trace: Successful login attempt for user: <user> from IP: <IP address>
SAML tracer (addon for Firefox) is a good tool to capture the complete SAML trace including the popup window invoked in the SSO workflow.
SAP KBA 2411608 – SAP Analytics Cloud SAML authentication
SAP KBA 2487567 – Troubleshooting SAML assertions when configuring SAML SSO in SAP Analytics Cloud
2. If the New Shared Secret button (CMC > Authentication > Enterprise) is clicked for any reason, the TrustedPrincipal.conf file gets updated, and it is required to copy the updated TrustedPrincipal.conf file to the location corresponding to this WACS Java property: -Dbobj.trustedauth.home (refer to step 2.3 d). Otherwise, the existing SAML SSO Live Data Connection will be broken.
3. Master KBA: 2527393 – SAP Analytics Cloud Live Data Connection to SAP Universes via SAP BOE Live Data Connect
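The trace lines quoted in troubleshooting item 1 are the quickest way to tell the Name ID mapping problem from step 2.5 f apart from an account that simply keeps failing. The script below is an added example, not code from the post or from the LUC component: it parses constructed trace lines of that shape, compares the user value (the IdP Name ID) against a constructed set of BI Platform Account Names, and reports the two cases separately. The function names are this example's own, and it assumes an exact string comparison, since the post does not say whether BI Platform matches case-insensitively.

```python
"""Triage of LUC trace login lines against BI Platform Account Names.

Added example, not code from the post or from SAP. Trace lines and account
names are constructed.
"""
import re

# Constructed trace lines in the shape the post quotes (not a real LUC trace).
TRACE_SAMPLE = """\
Failed login attempt for user: TestUser from IP: 10.1.2.3
Successful login attempt for user: P000019 from IP: 10.1.2.3
Failed login attempt for user: jdoe from IP: 10.1.2.3
Failed login attempt for user: Administrator from IP: 203.0.113.7
Failed login attempt for user: Administrator from IP: 203.0.113.7
Failed login attempt for user: Administrator from IP: 203.0.113.7
Successful login attempt for user: TestUser from IP: 10.1.2.3
"""

# Constructed Account Names of the BI Platform users (CMC > Users and Groups).
BI_ACCOUNT_NAMES = {"Administrator", "P000019", "TestUser"}

LINE_RE = re.compile(
    r"(?P<outcome>Failed|Successful) login attempt for user: (?P<user>\S+) from IP: (?P<ip>\S+)"
)


def parse_trace(text):
    """Return (succeeded, user, ip) for every login attempt line in the trace."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m:
            events.append((m["outcome"] == "Successful", m["user"], m["ip"]))
    return events


def summarize(events, account_names):
    """Per user: failure/success counts, source IPs, and whether the Name ID
    value (the user in the trace line) is a BI Account Name. Exact comparison
    is an assumption of this example."""
    summary = {}
    for ok, user, ip in events:
        s = summary.setdefault(user, {"failures": 0, "successes": 0,
                                      "ips": set(), "in_bi": user in account_names})
        s["successes" if ok else "failures"] += 1
        s["ips"].add(ip)
    return summary


def findings(summary, threshold=3):
    """Separate the mapping problem (Name ID is not an Account Name) from an
    existing account that keeps failing without ever succeeding."""
    out = []
    for user, s in sorted(summary.items()):
        if s["failures"] and not s["in_bi"]:
            out.append(f"{user}: no BI Platform user with this Account Name; "
                       "check the Name ID attribute chosen in step 2.5 f")
        elif s["failures"] >= threshold and not s["successes"]:
            out.append(f"{user}: {s['failures']} failed logins from "
                       f"{', '.join(sorted(s['ips']))} and no success; review the source")
    return out


if __name__ == "__main__":
    for line in findings(summarize(parse_trace(TRACE_SAMPLE), BI_ACCOUNT_NAMES)):
        print(line)
```

A single failure followed by a success from the same client (TestUser above) is left alone; the Account Name set can be exported from the CMC user list of the real system.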
Great blog Han! Works a treat.
Dear Han,
Great overview! Our SAML metadata of the Service Provider (SAP BOE Live Data Connect) doesn't have a Signing Certificate. Moreover, I could not find the trust relation setup (exchange certificates between IdP & SP). Is that not required?
FYI: Our systems are already configured to work with SSL. Still I don't see an Assertion Signing certificate in the SP metadata.
If the spring_saml_metadata.xml file does not contain the block of X509 Certificate info, it usually means the securityContext.xml file in your LUC webapp does not have a correct reference to your keystore file. The signing certificate is required.
BTW, the blog has been updated with the changes of the recent LUC v2 release.
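The reply above gives a concrete check: the SP metadata saved in step 2.5 a must carry an X509Certificate, or the keystore reference in securityContext.xml is wrong. The following is an added example, not code from the post or from SAP: it parses constructed metadata in the shape spring-security-saml serves at /sap/boc/ina/saml/metadata (made-up host, a base64 placeholder instead of a real certificate) and reports a missing signing certificate, a non-https AssertionConsumerService and a WantAssertionsSigned flag that is not true. The function names are this example's own.

```python
"""Sanity check of LUC Service Provider SAML metadata before uploading it to the IdP.

Added example, not code from the post or from SAP. The metadata is constructed.
"""
import base64
import xml.etree.ElementTree as ET

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
DS = "http://www.w3.org/2000/09/xmldsig#"

# Placeholder "certificate": base64 of a marker string, not a real X.509 certificate.
PLACEHOLDER_CERT = base64.b64encode(b"constructed placeholder, not a certificate").decode()


def sp_metadata(with_cert=True, want_signed="true"):
    """Build constructed SP metadata in the shape spring-security-saml emits."""
    key = (f'<md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>'
           f'<ds:X509Certificate>{PLACEHOLDER_CERT}</ds:X509Certificate>'
           f'</ds:X509Data></ds:KeyInfo></md:KeyDescriptor>') if with_cert else ""
    return f"""<md:EntityDescriptor xmlns:md="{MD}" xmlns:ds="{DS}"
    entityID="https://luc-host.example.com:8443/sap/boc/ina/saml/metadata">
  <md:SPSSODescriptor AuthnRequestsSigned="true" WantAssertionsSigned="{want_signed}"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    {key}
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://luc-host.example.com:8443/sap/boc/ina/saml/SSO" index="0"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>
"""


def check_sp_metadata(xml_text):
    """Return a list of problems; an empty list means the file is fit to upload."""
    problems = []
    root = ET.fromstring(xml_text)
    if not root.get("entityID"):
        problems.append("entityID missing")
    sp = root.find(f"{{{MD}}}SPSSODescriptor")
    if sp is None:
        return problems + ["no SPSSODescriptor element"]
    # No signing certificate: securityContext.xml still uses EmptyKeyManager or
    # the keystore reference is wrong (the situation in the reply above).
    certs = [kd.findtext(f"{{{DS}}}KeyInfo/{{{DS}}}X509Data/{{{DS}}}X509Certificate")
             for kd in sp.findall(f"{{{MD}}}KeyDescriptor")
             if kd.get("use") in (None, "signing")]   # no 'use' means signing and encryption
    decodable = []
    for c in certs:
        try:
            if c and base64.b64decode(c.strip(), validate=True):
                decodable.append(c)
        except ValueError:
            pass
    if not decodable:
        problems.append("no signing KeyDescriptor with a decodable X509Certificate")
    if sp.get("WantAssertionsSigned", "").lower() != "true":
        problems.append("WantAssertionsSigned is not true: SP does not advertise that assertions must be signed")
    for acs in sp.findall(f"{{{MD}}}AssertionConsumerService"):
        if not acs.get("Location", "").startswith("https://"):
            problems.append(f"AssertionConsumerService over plain http: {acs.get('Location')}")
    return problems


if __name__ == "__main__":
    print(check_sp_metadata(sp_metadata()))                 # []
    print(check_sp_metadata(sp_metadata(with_cert=False)))  # missing certificate
```

To check a real download, pass the contents of spring_saml_metadata.xml to check_sp_metadata instead of the constructed string.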
Hi Han,
Thank you! I am not sure whether the SAML keystore config steps were part of config guide. For example, I could not find the steps in https://help.sap.com/doc/00f68c2e08b941f081002fd3691d86a7/release/en-US/b9f08e2bedec452d933da799b8a95b25.html
You can find SAML authentication for BOE Live Data Connect online guide here:
Do we need to first configure SSO for BO Server using SAML? As currently we have Windows AD Kerberos SSO.
No, it is not required.
I need some clarification on updating the securityContext.xml file. We are using OpenSSL to generate the private key file and currently Tomcat SSL is working fine (so we have .pem and .cer files). So I believe I can use the existing certificate and private key file. I am simply updating it as <constructor-arg value="Path of key file">.
How can we specify the path of the certificate? Or is it not required?
I did not use the mklink /H command to create a hard link to the Tomcat Java keystore. Let me know if it is mandatory to use this command. Currently I am providing the full path of the private key file. Even when I tried it, it threw an error "The system cannot move the file to a different disk drive".
I am presently facing HTTP 404 error.
You would need to use the JVM keytool.exe to generate the keystore file, then import the CA-signed cert into the keystore file. In the securityContext.xml file, you can reference the file location of the keystore file. Hope it helps.
We already have Tomcat SSL configured using OpenSSL. I already have .cer and .pem files. Can you let me know how I can use this .cer and .pem in the securitycontext.xml file?
I tried to convert .cer to .jks but I am not sure how to specify .pem, which is my private key.
I believe I can use the existing Tomcat certificate in the securitycontext.xml file. If not, kindly confirm.
You would need to convert the certificate to jks.
You can refer to https://docs.oracle.com/cd/E35976_01/server.740/es_admin/src/tadm_ssl_convert_pem_to_jks.html