Microsoft Drive support in SAP BusinessObjects 4.3 SP03 Release
This blog is about Microsoft OneDrive support in the BI Platform with the SAP BusinessObjects BI 4.3 SP03 release.
As you know, SAP BusinessObjects supports Azure authorization servers on the OAuth 2.0 protocol in 4.2 SP02. You can find more information here
Steps to Configure Authorization Configuration:
- Launch and log in to Central Management Console as an Administrator
- On the Home page, click the “Applications” section under the Manage column
- In Applications, double click on “Authorization Server Configuration” application
- In the “Authorization Server Configurations” pop-up window, click either “Manage > New Authorization Server Configuration” in the top menu bar or the “Create a New Authorization Server Configuration” toolbar icon.
- Fill in the following parameters in “Create an Authorization Server Configuration”:
- Reference Name – Choose a unique random string and enter it to identify the configuration, so that the configuration can be recognized and chosen in the different workflows for achieving Authorization-based SSO.
- Description (Optional) – Enter any statement and keywords to describe and quickly identify the configuration out of the list of available configurations.
- Note: The following fields are specific to “OpenID Connect Authentication” and are not required for Authorization SSO; you do not need to enable them unless this configuration is also required to serve OpenID Connect Authentication.
- A checkbox with the following label “Enabled for “OpenID Connect” Authentication.”
- Issuer URI
- JSON Web Key Sets URI (jwks_uri)
- ID Token Signing Algorithm
- Authorization Endpoint – Enter the URL of the authorization server with which one can get the authorization grant
- Token Endpoint – Enter the URL of the authorization server, with which one can request an access token by exchanging the authorization code
- Client ID – Enter the name of the Application which is used to register BI Landscape with the Authorization Server
- Client Secret – Enter the specific secret code corresponding to the Application which is used in registering the BI Landscape with the Authorization Server
- Redirect URL – Enter the URL of the BI Landscape endpoint to which the Authorization Server must send the authorization code after successfully validating the authorization. For this purpose, a new endpoint has been introduced in the REST API of the BI Platform: /oauth2/callback. Hence the URL should be as follows: https://<hostname>:<port>/biprws/v1/oauth2/callback.
- Note:
- Here the hostname is the name of the system hosting the BI landscape application server where the RESTful web services application (biprws) is deployed, and the port is the SSL port of that application server.
- The same URL must be configured as the callback URI when registering the application (the client app that registers the BI Landscape) on the Authorization Server (OAuth Server).
- Revocation Endpoint (Optional) – Enter the URL of the authorization server, with which the application can request the revocation of all previously issued Access Tokens through a specific Refresh Token
- Authorization Scope – offline_access OpenID email Files.ReadWrite.All
- Type of Resource – Microsoft Drive, which enables support for Microsoft OneDrive, SharePoint and Microsoft Teams.
- Custom Parameters (Optional) – Enter any custom parameters required to send while requesting the authorization based on any custom requirements (if needed) of the Authorization Server being configured.
- Note:
- The name of each custom parameter must be unique within the configuration
- A maximum of 5 custom parameters can be configured in any Authorization configuration
- After filling in all the required parameters, click the OK button to validate the details and save the configuration. The configuration is saved as a system object in the repository with the kind “AuthorizationReference”, and you can refer to it in all supported scenarios by its “Reference Name”.
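To show how the fields above fit together, the following added example (not SAP's code and not part of the original post) checks a configuration against the constraints stated in the steps and builds the standard OAuth 2.0 authorization-code request (RFC 6749, section 4.1.1) that those fields feed into. The dictionary keys, host, port, tenant, client ID and the custom parameter are assumptions made for illustration; the endpoint URLs follow the Microsoft identity platform v2.0 format with a placeholder tenant.

```python
from urllib.parse import urlsplit, urlencode

CALLBACK_PATH = "/biprws/v1/oauth2/callback"  # REST endpoint named in the post
MAX_CUSTOM_PARAMS = 5                          # limit stated in the post
# Assumption of this example: custom parameters should not shadow standard ones.
RESERVED = {"response_type", "client_id", "redirect_uri", "scope", "state"}

def check_config(cfg):
    """Return a list of problems found in an authorization configuration dict."""
    problems = []
    for field in ("authorization_endpoint", "token_endpoint", "redirect_url"):
        parts = urlsplit(cfg.get(field, ""))
        if parts.scheme != "https" or not parts.hostname:
            problems.append(f"{field}: must be an absolute https URL")
    redirect = urlsplit(cfg.get("redirect_url", ""))
    if redirect.path != CALLBACK_PATH or redirect.query or redirect.fragment:
        problems.append(f"redirect_url: path must be exactly {CALLBACK_PATH}")
    if "offline_access" not in cfg.get("scope", "").split():
        problems.append("scope: offline_access missing, no refresh token from Microsoft")
    names = [name for name, _ in cfg.get("custom_params", [])]
    if len(names) > MAX_CUSTOM_PARAMS:
        problems.append("custom_params: more than 5 entries")
    if len(set(names)) != len(names):
        problems.append("custom_params: names must be unique")
    if RESERVED & set(names):
        problems.append("custom_params: must not override standard OAuth parameters")
    return problems

def authorization_url(cfg, state):
    """Build the authorization request; state ties the callback to this session."""
    query = [("response_type", "code"), ("client_id", cfg["client_id"]),
             ("redirect_uri", cfg["redirect_url"]), ("scope", cfg["scope"]),
             ("state", state)] + list(cfg.get("custom_params", []))
    return cfg["authorization_endpoint"] + "?" + urlencode(query)

# Constructed sample values; tenant, host, port and client ID are placeholders.
SAMPLE = {
    "authorization_endpoint": "https://login.microsoftonline.com/TENANT-ID/oauth2/v2.0/authorize",
    "token_endpoint": "https://login.microsoftonline.com/TENANT-ID/oauth2/v2.0/token",
    "client_id": "00000000-0000-0000-0000-000000000000",
    "redirect_url": "https://bi.example.com:8443/biprws/v1/oauth2/callback",
    "scope": "offline_access OpenID email Files.ReadWrite.All",  # as given in the post
    "custom_params": [("prompt", "select_account")],
}

if __name__ == "__main__":
    print(check_config(SAMPLE) or "configuration looks consistent")
    print(authorization_url(SAMPLE, state="constructed-state-value"))
```

The redirect URL is compared exactly because the authorization server matches it against the callback URI registered for the client application, so a trailing slash or a different port is enough to make the flow fail.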
Steps to Enable Microsoft Drive Destination in Job Server
- Launch and log in to Central Management Console as an Administrator
- Open the Servers page
- In the Job Server Destinations, select “Microsoft Drive”
Steps to Generate Token in BI Launchpad
- After successfully creating the Microsoft Authorization server configuration, launch BI Launchpad and log in
- Open Settings from the drop-down menu under the user icon in the top right corner
- In the Settings pop-up window, navigate to the Authorization Tokens tab in the User Account section.
- Click on the Generate button under the Manage Tokens column, which is against the Microsoft Authorization Reference saved above
- Depending on your organization's policy and the Authorization configuration in your authorization server, the account is validated either with the certificates configured in the system or with user name, password and/or multi-factor authentication challenges. Answer those challenges.
- Once the credentials or certificate are successfully validated, BI Platform should have received the Refresh Token and stored it securely in the BI Platform Repository against the BI Platform user currently logged in. When all this is successful, you should see the following changes in the Authorization Tokens tab:
- In the Expires On column against the Authorization Reference for which you clicked the “Generate” button, you should see the expiration value for the token issued by the Authorization Server. If your Authorization Server gives a token with no expiry, the column value is updated to “No Expiry”.
- Under the Manage Tokens column, you should also see a Delete button appear next to the Generate button.
- The Delete button deletes the token issued by the Authorization Server. This deletion is not limited to removing the token from the BI Platform repository storage; it can also be propagated to the Authorization Server, depending on the configuration and support.
- That means that if the optional Revocation Endpoint parameter is filled with the proper URL, and your Authorization Server supports revocation, the issued token is revoked at the Authorization Server level and cleared from the BI Platform repository storage.
- If the token is issued and the Expires On column is updated according to the token’s expiry, the configuration is working and ready for consumption by BI developers and end users.
Scheduling to Microsoft Drive:
To schedule a report to Microsoft Drive, the user can choose “Microsoft OneDrive” as the destination.
Users can browse the OneDrive folder.
The OneDrive window displays two options:
- OneDrive: shows the user’s personal OneDrive content
- Shared with me: if the BI Administrator has configured a shared folder under Microsoft Teams, Microsoft SharePoint or Microsoft OneDrive, it is displayed under the “Shared with me” folder.
The following drive browsing page is native to BI Launchpad, and the experience is the same as when browsing Google Drive, which has been supported since BI 4.3 SP02.
Sending Documents to Microsoft Drive In BI Launchpad:
As with scheduling, users can send documents directly to Microsoft Drive in BI Launchpad using the “Send To” option.
Important Note: The “Send To” functionality is not supported for WebI documents
Access Rights for Microsoft Drive:
Individual rights are provided to restrict users from accessing Microsoft Drive while scheduling.
Access Rights for “Sent to Microsoft Drive”:
As with scheduling, administrators can restrict users from using the “Send To” functionality in BI Launchpad.
Fixed Issue:
If you encounter an issue with the empty folder structure while navigating to Microsoft Drive, please refer to the provided KBA for guidance: 3365344
Hi Hariprasad,
Thanks for sharing.
I am trying to configure this following your steps, but I am confused about how I can find the values of the following parameters.
Authorization Endpoint *
Token Endpoint *
Thanks for your reply in advance.
I followed https://launchpad.support.sap.com/#/notes/3304928 but I get a blank screen and error: Internal server error. (RWS 00070) when clicking on "Browse" under "Cloud Drive Folder Details" when scheduling a report. I can generate a token successfully and I'm logged in as Admin into BI Launchpad.
Hello Solomon,
Could you please share the Chrome browser logs? Additionally, could you let me know the scopes and resource type defined in your authorization server?
Hi Hari,
In this condition, I have captured network logs from Firefox and Edge and both are pointing to this URL.
https://<Hostname>/BOE/portal/2303301502/biprwsproxy/biprws/drivesbrowsing/microsoftdrive/folders?c=1684138402353
HTTP Status 500
I am not sure which logs I need to review if I want to drill down into this issue further.
Thanks,
Brij
Hi Solomon,
Did you find any solution for this issue?
I am also facing the same problem.
Thanks,
Brijendra
Did you get any solution for this? I'm also facing this issue. The token is getting generated but folders are not visible when we click on Browse.
Did you solve this problem? We are facing the same issue with BO 4.3 SP3 Patch 400.
A trace shows that we are getting this error when trying to show content on OneDrive:
Internal Server Error (RWS 0070)
see my Answer
https://answers.sap.com/questions/13944074/ms-onedrive-cannot-see-the-folder-structure.html
see my Answer
https://answers.sap.com/questions/13944074/ms-onedrive-cannot-see-the-folder-structure.html
Good morning:
How do I disable the OneDrive option for end users, please?
I've found it for Google Drive, but not for OneDrive.
Thanks in advance,
Andreas J.A.
Disable for everyone or just end users? For everyone, simply remove OneDrive from Destinations in Job Server. For Everyone, change the application permissions so the OneDrive application has Everyone set to nothing. Then users can't use OneDrive at all, as no auth token would be established.
Disable Microsoft OneDrive is now available in 4.3 SP03-P500
CMC --> Users and Groups --> select group -- Customization
Hi,
I am also interested in having more details on the configuration for Microsoft SharePoint Online.
I assume that the information (Authorization Endpoint / Token Endpoint /
What about the Authorization Scope ? are all the scopes required (offline_access OpenID email Files.ReadWrite.All)
Thanks
Didier
Hi Didier,
You need to write an email to your Azure Admin and ask for all the details.
The only thing needed from the BO side to configure this is the redirect URL.
https://<hostname: port>/biprws/v1/oauth2/callback
Everything else will be provided by the MS 365 team/Azure team.
Thanks,
Brij
What runs the OneDrive integration? RESTful API on the webserver? App Server? Or do both layers work together?
Has anyone been able to get the OneDrive feature to work? Working with my Azure Admin to set up the connectivity, we followed note 3304928. When adding the permissions under Microsoft Graph we were unable to find "user_impersonation" as a permission. Is the note missing a step?
Thanks,
Angela
There is no "user_impersonation" permission. (The KBA is not correct.)
Just add the following permission: Files.ReadWrite Files.ReadWrite.All openid offline_access email
and you can also add Files.Read and Files.Read.All (if you only need "Read from OneDrive")
Note: ".All" means that OneDrive and all files shared by/with the user are displayed
..
Also see my answer for other OneDrive folder display issues
https://answers.sap.com/questions/13944074/ms-onedrive-cannot-see-the-folder-structure.html
Hi Ayman,
Can you please help with this 'Expires On' column?
I want to set it to a maximum of 24 hours, and the Azure team is not very familiar with this setting.
Currently it is set to "No Expiry" and everything is working fine.
Thanks,
Brij
Hi Hari
What happens to the SAML configuration if OpenID is enabled?
For OpenID we have to set: logon.webssoauthnetication.framework=OpenId
For SAML we have to set: logon.webssoauthnetication.framework=SAML
I will do some testing internally as soon as time allows it but maybe you are faster and can provide some insights.
Cheers