SAP Analytics Cloud: SSO to Live Universe Data Connection using Azure AD SAML

Introduction

In my first blog post I mentioned that future posts could cover SAP Analytics Cloud (SAC) or SAP BusinessObjects BI Platform 4.2 (SAP BI 4.2). Good news! You get both in this blog post!

Most customers I work with are organisations that already have deployments of SAP BI Platform and have spent a lot of time developing Universes and building documents on them.

A great feature of SAC is that you can base your stories on data imported from Universes or retrieve data live using CORS. The only annoying thing getting in the way of live data is that every time you open a story, you are blocked from reaching your Universe until you log in to SAP BI 4.2 to retrieve the data. This will be frustrating for users, as they are presented with the screen below:

In this blog post, we will go through the process of setting up SAML SSO to your SAP BI Platform using Azure AD.

Note: This is not the same process as setting up SAML SSO to the BI Launchpad. For that, check out Francisco Almeida’s guide available at:

https://blogs.sap.com/2018/08/17/setting-up-sap-businessintelligence-bi-platform-saml-single-sign-on-with-microsoft-azure-as-the-identity-provider/

Pre-Reqs

The following is needed in order to complete Azure AD integration:

  1. A SAC tenant, which your organisation will already have. If you are studying this yourself, I believe you will need to purchase a tenant rather than use the trial version. You can purchase a 1 user licence for a year (the minimum subscription term). This will give you a licence for 1 admin account and 1 user in a single tenant. If you only want it for a year, remember to turn off auto-renew on the subscription. I paid around £240 for 1 year. Check out https://www.sap.com/uk/products/cloud-analytics.html if you want to purchase a tenant.
  2. A Microsoft Azure subscription, which again your organisation should have. If not, you can get your own free subscription with 12 months of access. Check out https://azure.microsoft.com/en-gb/free/ to set up an account. You also need Azure AD Premium, which is not free, but you get a 30 day trial initially.
  3. A PC with Google Chrome and Mozilla Firefox (I know it's not supported, but you may need it for troubleshooting).
  4. The SAML Tracer addon for Firefox. This is needed as the SAML SSO is performed in a pop-up box. SAML Tracer runs in a separate window and captures all browser SAML activity. https://addons.mozilla.org/en-GB/firefox/addon/saml-tracer/
  5. SAP BI Platform 4.2 with SP04 or higher deployed. For this guide it is assumed that the install has been placed in the default directory of C:\Program Files (x86)\SAP BusinessObjects and that the default Tomcat has been used.
  6. To have performed steps 1-7 of the Live Universe connection guided playlist: https://www.sapanalytics.cloud/guided_playlists/connect-sap-universe-live (Not a fan of the security rights part though, Full Control access to Webi and using Advanced rights, hmmmm)
  7. SAML SSO in SAC has already been set up against Azure AD


Setup Process

Step 1: SAP BI – Update boe.properties

The first step is to update the boe.properties file to have SAML enabled. Following the Guided Playlist, the file should look something like this:

# BOE Server info
boe.restUrl=http://<BOE_SERVER_NAME>:8080/biprws
boe.authenticationMode=secEnterprise

You will note that I am not using WACS but the RESTful web services now hosted on Tomcat; it seems faster. You could just use localhost if the BOE Live Data Connect WAR file has been deployed on the same Tomcat as the standard BI Launchpad, etc.

The authentication mode needs to be changed to saml, and additional lines need to be added so that the file reads as follows:

# BOE Server info
boe.restUrl=http://<BOE_SERVER_NAME>:8080/biprws
boe.authenticationMode=saml

# SAML via trusted authentication
boe.trustedauth.method=HTTP_HEADER
boe.trustedauth.user.name.parameter=X-SAP-TRUSTED-USER
boe.httpTimeout=180000

Step 2: SAP BI – Update web.xml

Using a text editor like Notepad++, open the web.xml located in:

C:\Program Files (x86)\SAP BusinessObjects\tomcat\webapps\sap#boc#ina\WEB-INF

There are 2 sections that need to be uncommented.

Section 1 before:

Section 1 after:

Section 2 before:

Section 2 after:

Save and close the file, then restart Apache Tomcat.

Step 3: SAP BI – Enable Trusted Authentication

The next step is to enable Trusted Authentication and load TrustedPrincipal.conf into Tomcat.

It may be the case that you have already enabled Trusted Authentication before, say if you have set up SAML SSO to the BI Launchpad. In that case you only need to place the previously generated TrustedPrincipal.conf file in the right location.

It is assumed that you are starting from scratch.

  • Log in to the Central Management Console (CMC) as Administrator
  • Go to Home > Authentication > Enterprise
    • Ensure “Trusted Authentication is enabled” is checked
    • Click “New Shared Secret”
    • Click “Download Shared Secret” and save TrustedPrincipal.conf on all web and app servers to:
      • C:\Program Files (x86)\SAP BusinessObjects\SAP BusinessObjects Enterprise XI 4.0\win32_x86
      • C:\Program Files (x86)\SAP BusinessObjects\SAP BusinessObjects Enterprise XI 4.0\win64_x64

    • Click Update Settings and then close the Enterprise Window
  • On the server hosting Apache Tomcat with the biprws.war file deployed, place the TrustedPrincipal.conf in a folder. I put it in D:\trustauth
  • Open Tomcat Configuration by going to Start > Tomcat > Tomcat Configuration
    • Go to Java Tab
    • In Java Options add:
         -Dbobj.trustedauth.home=D:\trustauth
    • Click OK

The properties window should look like this (yes, I am using Tomcat 9 rather than the bundled Tomcat):

  • Restart Tomcat

Step 4: Azure – Create Live DC Enterprise Application

  • Select “Enterprise applications”

  • Click “New Application”

  • Click “Non-gallery application”

  • Give the application a name. e.g. SAP BOE Live DC. Then Click OK.

  • You have now created the Application

Step 5: Azure – Download Metadata from Azure to BOE Live Data Connect

  • In the SAP BOE Live DC Overview screen, click Single Sign-On

  • Select “SAML”

  • Under SAML Signing Certificate, download the Federation Metadata XML file. The file will have the default name of your application, e.g. SAP BOE Live DC.xml.

  • Rename the file to idp_metadata.xml and place it in C:\Program Files (x86)\SAP BusinessObjects\tomcat\webapps\sap#boc#ina\WEB-INF\classes\metadata on the SAP BI server

Step 6: SAP BI – Create a Keystore

The next step is to create a certificate keystore, as you would for enabling SSL. This is needed for SAML SSO. If you have set up SAML to the SAP BI Launchpad, you will have noticed that SAP provided a keystore in the WEB-INF folder of the BOE war file and configured the securityContext.xml file to use it. This is not the case with the BOE Live Data Connect war file, which defaults to having no keystore. SSO will not work without the keystore and the securityContext.xml file updated to use it.

Here are the steps to create and place the keystore:

  • On the SAP BI server, open the command prompt as administrator
  • Navigate to:
C:\Program Files (x86)\SAP BusinessObjects\SAP BusinessObjects Enterprise XI 4.0\win64_x64\sapjvm\jre\bin
  • Run the following command:
keytool.exe -genkey -alias boe -keyalg RSA -keystore "samlKeystore.jks" -keysize 2048
  • You will be prompted with a number of questions to generate the keystore. Things like first name, country, etc. are not important. What is important is setting the 2 passwords (make a note of what you set them to). I have highlighted what you type in red; you won’t see the passwords actually being typed:
Enter keystore password: Password1
Re-enter new password: Password1
What is your first and last name?
  [Unknown]:
What is the name of your organizational unit?
  [Unknown]:  IT
What is the name of your organization?
  [Unknown]:  Itelligence
What is the name of your City or Locality?
  [Unknown]:  London
What is the name of your State or Province?
  [Unknown]:  London
What is the two-letter country code for this unit?
  [Unknown]:  GB
Is CN=Unknown, OU=IT, O=Itelligence, L=London, ST=London, C=GB correct?
  [no]:  yes

Enter key password for <boe>
        (RETURN if same as keystore password): Password2
Re-enter new password: Password2
  • Copy the samlKeystore.jks file from:
C:\Program Files (x86)\SAP BusinessObjects\SAP BusinessObjects Enterprise XI 4.0\win64_x64\sapjvm\jre\bin
  • To
C:\Program Files (x86)\SAP BusinessObjects\tomcat\webapps\sap#boc#ina\WEB-INF

Step 7: SAP BI – Update securityContext.xml

You now need to update the securityContext.xml file to use the keystore created in the previous section and also to reflect the URL that will be used to access the Live Universe connection. Doing this means that the metadata file you upload into Azure will contain all the correct data without needing modification in Azure. By default the metadata file will contain a URL for localhost with no https.

The steps below go through the changes required for the securityContext.xml:

  • Using a text editor, e.g. Notepad++, open the securityContext.xml file located in:
C:\Program Files (x86)\SAP BusinessObjects\tomcat\webapps\sap#boc#ina\WEB-INF
  • Locate the following lines of code:
<!-- Central storage of cryptographic keys -->
<bean id="keyManager" class="org.springframework.security.saml.key.EmptyKeyManager"/>
  • Update it to read as below:
<!-- Central storage of cryptographic keys -->
<!--<bean id="keyManager" class="org.springframework.security.saml.key.EmptyKeyManager"/>-->
<bean id="keyManager" class="org.springframework.security.saml.key.JKSKeyManager">
  <constructor-arg value="/WEB-INF/samlKeystore.jks" />
  <constructor-arg type="java.lang.String" value="Password1"/>
  <constructor-arg>
    <map>
      <entry key="boe" value="Password2"/>
    </map>
  </constructor-arg>
  <constructor-arg type="java.lang.String" value="boe"/>
</bean>
  • Locate the next section of code:
<!-- Filter automatically generates default SP metadata -->
<bean id="metadataGeneratorFilter"
	class="org.springframework.security.saml.metadata.MetadataGeneratorFilter">
	<constructor-arg>
		<bean class="org.springframework.security.saml.metadata.MetadataGenerator">
			<property name="extendedMetadata">
				<bean class="org.springframework.security.saml.metadata.ExtendedMetadata">
					<property name="idpDiscoveryEnabled" value="false" />
				</bean>
			</property>
		</bean>
	</constructor-arg>
</bean>
  • Add the “entityBaseURL” property:
<!-- Filter automatically generates default SP metadata -->
<bean id="metadataGeneratorFilter"
	class="org.springframework.security.saml.metadata.MetadataGeneratorFilter">
	<constructor-arg>
		<bean class="org.springframework.security.saml.metadata.MetadataGenerator">
			<property name="extendedMetadata">
				<bean class="org.springframework.security.saml.metadata.ExtendedMetadata">
					<property name="idpDiscoveryEnabled" value="false" />
				</bean>
			</property>
			<property name="entityBaseURL" value="https://<BOE_SERVER_NAME>/sap/boc/ina"/>
		</bean>
	</constructor-arg>
</bean>
  • Locate the last section of code that needs updating:
<!-- Provider of default SAML Context -->
<bean id="contextProvider"
	class="org.springframework.security.saml.context.SAMLContextProviderImpl" />
  • Update the code to explicitly state server name and path to BOE Live Data Connect URL:
<!-- Provider of default SAML Context -->
<!--<bean id="contextProvider"
	class="org.springframework.security.saml.context.SAMLContextProviderImpl" /> -->
<bean id="contextProvider" class="org.springframework.security.saml.context.SAMLContextProviderLB">
	<property name="scheme" value="https"/>
	<property name="serverName" value="<BOE_SERVER_NAME>"/>
	<property name="serverPort" value="443"/>
	<property name="includeServerPortInRequestURL" value="false"/>
	<property name="contextPath" value="/sap/boc/ina"/>
</bean>
  • Save and Close the securityContext.xml file
  • Restart Apache Tomcat
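Before restarting Tomcat it is worth confirming that boe.properties (Step 1) and the three beans edited in Step 7 agree with each other and with the public https URL, because a leftover EmptyKeyManager or a missing entityBaseURL only shows up later as a localhost/http URL in Azure. The script below is an added example, not part of the original post and not SAP or Spring code. It assumes the property keys from Step 1 and the bean ids shown in Step 7; the file contents embedded in it are constructed samples cut down to the beans the check inspects, and boe.example.com is a placeholder host.

```python
"""Consistency check for boe.properties and securityContext.xml (added example)."""
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

# Constructed sample of boe.properties after the Step 1 change to SAML.
SAMPLE_PROPERTIES = """# BOE Server info
boe.restUrl=http://boe.example.com:8080/biprws
boe.authenticationMode=saml

# SAML via trusted authentication
boe.trustedauth.method=HTTP_HEADER
boe.trustedauth.user.name.parameter=X-SAP-TRUSTED-USER
boe.httpTimeout=180000
"""

# Constructed sample of the Step 7 beans after editing (placeholder hostname).
GOOD_XML = """<beans xmlns="http://www.springframework.org/schema/beans">
  <bean id="keyManager" class="org.springframework.security.saml.key.JKSKeyManager">
    <constructor-arg value="/WEB-INF/samlKeystore.jks"/>
  </bean>
  <bean id="metadataGeneratorFilter"
        class="org.springframework.security.saml.metadata.MetadataGeneratorFilter">
    <constructor-arg>
      <bean class="org.springframework.security.saml.metadata.MetadataGenerator">
        <property name="entityBaseURL" value="https://boe.example.com/sap/boc/ina"/>
      </bean>
    </constructor-arg>
  </bean>
  <bean id="contextProvider" class="org.springframework.security.saml.context.SAMLContextProviderLB">
    <property name="scheme" value="https"/>
    <property name="serverName" value="boe.example.com"/>
    <property name="contextPath" value="/sap/boc/ina"/>
  </bean>
</beans>"""

# The same beans as shipped before Step 7: no keystore, no entityBaseURL, default provider.
DEFAULT_XML = """<beans xmlns="http://www.springframework.org/schema/beans">
  <bean id="keyManager" class="org.springframework.security.saml.key.EmptyKeyManager"/>
  <bean id="metadataGeneratorFilter"
        class="org.springframework.security.saml.metadata.MetadataGeneratorFilter">
    <constructor-arg>
      <bean class="org.springframework.security.saml.metadata.MetadataGenerator"/>
    </constructor-arg>
  </bean>
  <bean id="contextProvider"
        class="org.springframework.security.saml.context.SAMLContextProviderImpl"/>
</beans>"""


def parse_properties(text):
    """Minimal Java .properties reader: key=value lines, '#' comments, blank lines."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, _, value = line.partition("=")
            props[key.strip()] = value.strip()
    return props


def _local(tag):
    # Drop the Spring beans namespace so the check works with or without xmlns.
    return tag.rsplit("}", 1)[-1]


def _bean_props(bean):
    # <property name=.. value=..> pairs of a bean, including nested anonymous beans.
    return {p.get("name"): p.get("value") for p in bean.iter()
            if _local(p.tag) == "property" and p.get("value") is not None}


def check_live_dc_config(properties_text, security_context_xml, expected_host):
    """Return a list of findings; an empty list means the settings are consistent."""
    findings = []
    props = parse_properties(properties_text)
    if props.get("boe.authenticationMode") != "saml":
        findings.append("boe.authenticationMode must be 'saml'")
    if props.get("boe.trustedauth.method") != "HTTP_HEADER":
        findings.append("boe.trustedauth.method must be HTTP_HEADER")
    if props.get("boe.trustedauth.user.name.parameter") != "X-SAP-TRUSTED-USER":
        findings.append("trusted-auth user header must be X-SAP-TRUSTED-USER")

    root = ET.fromstring(security_context_xml)
    beans = {b.get("id"): b for b in root.iter() if _local(b.tag) == "bean" and b.get("id")}
    host = expected_host.lower()

    km = beans.get("keyManager")
    if km is None or not km.get("class", "").endswith(".JKSKeyManager"):
        findings.append("keyManager is not a JKSKeyManager, so no signing keystore is loaded")

    mgf = beans.get("metadataGeneratorFilter")
    base = _bean_props(mgf).get("entityBaseURL") if mgf is not None else None
    u = urlparse(base or "")
    if u.scheme != "https" or u.hostname != host or u.path != "/sap/boc/ina":
        findings.append(f"entityBaseURL {base!r} is not https://{host}/sap/boc/ina")

    cp = beans.get("contextProvider")
    cpp = _bean_props(cp) if cp is not None else {}
    if cp is None or not cp.get("class", "").endswith(".SAMLContextProviderLB"):
        findings.append("contextProvider is not SAMLContextProviderLB")
    elif (cpp.get("scheme") != "https" or cpp.get("serverName", "").lower() != host
          or cpp.get("contextPath") != "/sap/boc/ina"):
        findings.append("contextProvider scheme/serverName/contextPath do not match the public URL")
    return findings


if __name__ == "__main__":
    print(check_live_dc_config(SAMPLE_PROPERTIES, GOOD_XML, "boe.example.com"))     # []
    print(check_live_dc_config(SAMPLE_PROPERTIES, DEFAULT_XML, "boe.example.com"))  # 3 findings
```

To run it against a real server, read the two files from the paths given in Steps 1 and 7 and pass the host name you will use in the entityBaseURL; anything other than an empty list means Azure would import a wrong URL in Step 8.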

Step 8: Azure – Upload Metadata to Azure from BOE Live Data Connect

We are nearly there! The next step is to upload the metadata file from BOE Live Data Connect into Azure.

  • Open your web browser and go to the URL: https://<BOE_SERVER_NAME>/sap/boc/ina/saml/metadata
  • You will be prompted to save a file called spring_saml_metadata.xml. Just save it to a local folder on your PC/Laptop
  • Login to Azure Portal (https://portal.azure.com) and click “Azure Active Directory”

  • Click “Enterprise Applications”

  • Click “SAP BOE Live DC”

  • Click “Single Sign-on”

  • Click “Upload metadata file” and then locate the spring_saml_metadata.xml file you downloaded earlier.  Then click “Add”

  • You will now see the URLs for your BOE Live Data Connect application. Check that the URL has the right server name prefixed with https. It should look like this:
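The check in the last bullet can be done on the downloaded spring_saml_metadata.xml before it goes anywhere near Azure. The script below is an added example, not part of the original post and not SAP or Spring code: it parses SAML 2.0 SP metadata and flags any entityID or endpoint Location that is not https, not on the expected host, or outside the /sap/boc/ina context path. The metadata embedded in it is a constructed sample in the standard SAML metadata schema with a placeholder host, not a file taken from a real server.

```python
"""SP metadata URL check for Step 8 (added example)."""
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata"}

# Constructed sample of SP metadata with the endpoints a Spring SAML SP advertises.
SAMPLE_METADATA = """<?xml version="1.0" encoding="UTF-8"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://boe.example.com/sap/boc/ina/saml/metadata">
  <md:SPSSODescriptor AuthnRequestsSigned="false" WantAssertionsSigned="false"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://boe.example.com/sap/boc/ina/saml/SingleLogout"/>
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://boe.example.com/sap/boc/ina/saml/SSO" index="0" isDefault="true"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>
"""


def sp_endpoints(metadata_xml):
    """Return (entityID, [(element name, Location), ...]) for every SP endpoint."""
    root = ET.fromstring(metadata_xml)
    endpoints = []
    for el in root.findall(".//md:SPSSODescriptor/*", NS):
        location = el.get("Location")
        if location:
            endpoints.append((el.tag.rsplit("}", 1)[-1], location))
    return root.get("entityID"), endpoints


def check_sp_metadata(metadata_xml, expected_host, context_path="/sap/boc/ina"):
    """Return a list of findings; empty means every URL is https://<host><context_path>/..."""
    entity_id, endpoints = sp_endpoints(metadata_xml)
    host = expected_host.lower()
    findings = []
    for name, url in [("entityID", entity_id)] + endpoints:
        u = urlparse(url or "")
        if u.scheme != "https":
            findings.append(f"{name} {url!r} is not https")
        if (u.hostname or "") != host:
            findings.append(f"{name} {url!r} does not point at {expected_host}")
        if not u.path.startswith(context_path + "/"):
            findings.append(f"{name} {url!r} is outside {context_path}")
    # Without an AssertionConsumerService Azure has nowhere to post the response.
    if not any(name == "AssertionConsumerService" for name, _ in endpoints):
        findings.append("no AssertionConsumerService endpoint found")
    return findings


if __name__ == "__main__":
    print(check_sp_metadata(SAMPLE_METADATA, "boe.example.com"))  # []
    # What the default (unedited) securityContext.xml would produce:
    print(check_sp_metadata(SAMPLE_METADATA.replace("https://boe.example.com",
                                                    "http://localhost:8080"),
                            "boe.example.com"))
```

Run it with the file you just saved and the public host name of the BI server; if it reports http or localhost URLs, go back to Step 7 rather than editing the URLs by hand in Azure, because the next metadata download would overwrite them again.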

Step 9: Azure – Passing the correct User ID to SAP BI

In order for SSO to work you have to get Azure to pass an ID that matches the account name field in SAP BI 4.2. In my case I am going with email address, but it is likely you will want to pass a standard Windows AD username. I would suggest working with your AD administrator on what ID to pass. Users of BOE Live Data Connect must also have an Enterprise alias assigned to their account if they were created from Windows AD.

The steps I will go through are setting up email address as the ID:

  • Click “Enterprise Applications”

  • Click “SAP BOE Live DC”

  • Under User Attributes & Claims, click the edit icon

  • Click “Unique User Identifier (Name ID)”

  • Change Source attribute to user.mail and then click save

Step 10: SAC – Update Connection to use SAML

For these steps, it is assumed that you already have a Live Universe connection that you are updating to work using SAML SSO.  You can create brand new connections using SAML SSO as well.

  • Login to SAP Analytics Cloud Tenant as the user with privileges to edit connections
  • Click on Menu > Connections

  • Select the connection you wish to edit, “UNX Live” in my example, and then click the edit icon.

  • Change the Authentication Method to “SAML Single Sign On.”

  • Click Save. If successful, your connection will save.

Following this step you have now completed all the technical aspects of setting up SSO to Universes from SAP Analytics Cloud.

User Management

Following the setup make sure you do the following:

  1. Make sure that in Azure AD you have added users and groups to the “SAP BOE Live DC” application (the users have also been added to SAP Analytics Cloud).
  2. Users have been set up in SAP BI 4.2 either as Enterprise-authenticated users or with Enterprise aliases added. Enterprise is needed because Trusted Authentication is used.
  3. Users in SAP BI 4.2 have create query and data refresh access to the relevant Universes and Connections.
  4. On user PCs, make sure pop-ups are allowed from your SAC Tenant URL. A pop-up window appears briefly to perform the authentication.

Troubleshooting

Troubleshooting was a bit trickier than setting up SAML SSO into SAC. The Google Chrome SAML panel I used before was of no use, as BOE Live Data Connect performs SAML SSO in a pop-up window. So the way I viewed what was happening with SAML was to use Firefox with the SAML Tracer addon, which logs all activity in any Firefox window. Below is a screenshot example of the tool in action.

SAP BI Sessions

One thing I have noticed with BOE Live Data Connect is that when a user retrieves data for a story, 2 sessions are generated in SAP BI 4.2. So be careful if your users are using Concurrent Session Based Licensing (CSBL) in SAP BI 4.2.

Conclusion

You should now have full SSO into SAP BI 4.2 Universes after following this guide. This will certainly make your users happy, as they no longer have to log on twice to get their analytics.

I hope you find this guide useful. I really enjoyed researching and writing it and hope to write more technical blog posts in the future.

Andrew