
Chapter 86

SAP BusinessObjects Business Intelligence BI

Note These instructions are written with SAP NetWeaver AS Java 7.4 and SAP BusinessObjects Business Intelligence version 4.1. If you are using any other versions, your interface may differ from the instructions.

An overview of configuring SAP BusinessObjects Business Intelligence for SSO

The following is an overview of the steps required to configure the SAP BusinessObjects Business Intelligence BI LaunchPad web application for single sign-on (SSO) via SAML. SAP BusinessObjects Business Intelligence offers both IdP-initiated SAML SSO (for SSO access through the user portal or Admin Portal) and SP-initiated SAML SSO (for SSO access directly through the SAP BusinessObjects Business Intelligence web application). You can configure SAP BusinessObjects Business Intelligence for either or both types of SSO. Enabling both methods ensures that users can log in to SAP BusinessObjects Business Intelligence in different situations, such as clicking through a notification email.

1 Prepare SAP BusinessObjects Business Intelligence for single sign-on (see SAP BusinessObjects Business Intelligence requirements for SSO).

2 Add and begin to configure SAP BusinessObjects Business Intelligence application in Admin Portal.

Once the application settings are configured, complete the user account mapping and assign the application to one or more roles. For details, see Configuring SAP BusinessObjects Business Intelligence in Admin Portal (Part 1).

3 Enable SAML and Create a Local Provider.

For more information, see Enabling SAML and creating a local provider in SAP NetWeaver Administrator.

4 Create and Enable a Trusted Provider for Centrify.

For more information, see Creating and enabling a trusted provider.

5 Create Authentication Stack for SAML 2.0.

For more information, see Creating a new authentication stack for SAML 2.0.

6 Enable trusted authentication between the LaunchPad and server.


For more information, see Enabling trusted authentication between the SAP BO BI LaunchPad and the SAP BO BI server.

7 Create configuration files for the LaunchPad.

For more information, see Creating the configuration files for the BI LaunchPad application.

8 Configure the SAML 2.0 login process to use the authentication stack.

For more information, see Configuring the SAML 2.0 login process to use the authentication stack.

9 Finish configuring SAP BusinessObjects Business Intelligence application for single sign-on.

For details, see Configuring SAP BusinessObjects Business Intelligence in Admin Portal (Part 2).

After you have finished configuring and verifying the application settings in the Admin Portal and the SAP BusinessObjects Business Intelligence application, users are ready to launch the application from the Centrify user portal.

Preparing for Configuration

SAP BusinessObjects Business Intelligence requirements for SSO

Before you configure the SAP BusinessObjects Business Intelligence web application for SSO, you need the following:

• SAP BusinessObjects Business Intelligence.

• An active SAP BusinessObjects Business Intelligence account with administrator rights for your organization.

For more set-up information: Configuring AS Java as a service provider:

http://help.sap.com/saphelp_nw73ehp1/helpdata/en/bc/3385f2311a4181bddf0faa2e3e8a9a/content.htm

Setting up the certificates for SSO

To establish a trusted connection between the web application and the Centrify Directory Service, you need to have the same signing certificate in both the application and the application settings in Admin Portal.

If you use your own certificate, you upload the signing certificate and its private key in a .pfx or .p12 file to the application settings in Admin Portal. You also upload the public key certificate in a .cer or .pem file to the web application.


What you need to know about SAP BusinessObjects Business Intelligence

Each SAML application is different. The following table lists features and functionality specific to SAP BusinessObjects Business Intelligence.

Capability Supported? Support details

Web browser client Yes

Mobile client No

SAML 2.0 Yes

SP-initiated SSO Yes

IdP-initiated SSO Yes

Force user login via SSO only Yes Only if Identity Provider Selection Mode in SAML configuration is set to Automatic.

Separate administrator login after SSO is enabled Yes Central Management Console (CMC) is a separate application; however, it is part of the same Web Module. Administrators can access the CMC application with the “saml2=disabled” query parameter.

User or Administrator lockout risk Yes Users can be locked out of the SAP BusinessObjects Business Intelligence LaunchPad if they cannot access the IdP. You can specify a back door URL by adding the parameter “saml2=disabled” to your destination URL. For example:

• SAP BusinessObjects Business Intelligence BI LaunchPad: http(s)://sap-nw-as-java-fqdn-and-port/BOE/BI/custom.jsp?saml2=disabled

• SAP NetWeaver Administrator: http(s)://sap-nw-as-java-fqdn-and-port/nwa?saml2=disabled

Automatic user provisioning No

Multiple User Types No

Self-service password Yes In the CMC application, users can reset their own passwords and administrators can reset user passwords.

Access restriction using a corporate IP range Yes You can specify an IP Range in the Admin Portal Policy page to restrict access to the application.


Configuring SAP BusinessObjects Business Intelligence in Admin Portal (Part 1)

To add and configure the SAP BusinessObjects Business Intelligence application in Admin Portal:

1 In Admin Portal, click Apps, then click Add Web Apps.

The Add Web Apps screen appears.

2 On the Search tab, enter the partial or full application name in the Search field and click the search icon.

3 Next to the application, click Add.

4 In the Add Web App screen, click Yes to confirm.

Admin Portal adds the application.

5 Click Close to exit the Application Catalog.

The application that you just added opens to the Settings page.

6 Click the Trust page to begin configuring the application.

The UI is evolving in order to simplify application configuration. For example, many of the settings previously found on the Application Settings page are now on the Trust page.


You might have to select Manual Configuration to expose those settings, as shown in the following example.

Any previously configured applications retain their configuration and do not require reconfiguration. If you are configuring an application for the first time, refer to the Trust page for any settings previously found on the Application Settings page.

In addition, the description of how to choose and download a signing certificate in this document might differ slightly from your experience. See Choose a certificate file for the latest information.

7 On the Application Settings page, click Download Identity Provider Metadata File.

This downloads an XML file onto your computer that you will need in the section, Creating and enabling a trusted provider.

8 (Optional) On the Settings page, click Enable Derived Credentials for this app on enrolled devices (opens in built-in browser) to use derived credentials on enrolled mobile devices to authenticate with this application.

For more information, see Derived Credentials.


9 On the Settings page, specify the following settings:

Option Description

Category Specifies the default grouping for the application in the user portal. Users have the option to create a tag that overrides the default grouping in the user portal.

Application ID Configure the Application ID field if you are deploying a mobile application that uses the Centrify mobile SDK, for example mobile applications that are deployed into a Samsung KNOX version 1 container. The Centrify Directory Service uses the Application ID to provide single sign-on to mobile applications. Note the following:

• The Application ID has to be the same as the text string that is specified as the target in the code of the mobile application written using the mobile SDK. If you change the name of the web application that corresponds to the mobile application, you need to enter the original application name in the Application ID field.

• There can only be one SAML application deployed with the name used by the mobile application.

The Application ID is case-sensitive and can be any combination of letters, numbers, spaces, and special characters up to 256 characters.

Show in User app list Specifies whether this web application displays in the user portal. By default, this option is selected.

On enrolled mobile devices, open this application in the built-in browser (required for derived credentials) Allows the use of derived credentials on enrolled mobile devices to authenticate with this application. For more information, see Derived Credentials.


10 (Optional) On the Settings page, you can change the name, description, and logo for the application. For some applications, the name cannot be modified.

The Category field specifies the default grouping for the application in the user portal. Users have the option to create a tag that overrides the default grouping in the user portal.

11 On the User Access page, select the role(s) that represent the users and groups that have access to the application.

When assigning an application to a role, select either Automatic Install or Optional Install:

Select Automatic Install for applications that you want to appear automatically for users.

If you select Optional Install, the application doesn’t automatically appear in the user portal and users have the option to add the application.


12 (Optional) On the Policy page, specify additional authentication controls for this application.

a Click Add Rule. The Authentication Rule window displays.


b Click Add Filter on the Authentication Rule window.

c Define the filter and condition using the drop-down boxes. For example, you can create a rule that requires a specific authentication method when users access the Centrify Directory Service from an IP address that is outside of your corporate IP range. Supported filters are:

Filter Description

IP Address The authentication factor is the computer’s IP address when the user logs in. This option requires that you have configured the IP address range in Settings, Network, Corporate IP Range.

Identity Cookie The authentication factor is the cookie that is embedded in the current browser by the directory service after the user has successfully logged in.

Day of Week The authentication factor is the specific days of the week (Sunday through Saturday) when the user logs in.

Date The authentication factor is a date before or after which the user logs in that triggers the specified authentication requirement.

Date Range The authentication factor is a specific date range.

Time Range The authentication factor is a specific time range in hours and minutes.

Device OS The authentication factor is the device operating system.

Browser The authentication factor is the browser used for opening the Centrify Identity Services user portal.

Country The authentication factor is the country based on the IP address of the user computer.

Risk Level The authentication factor is the risk level of the user logging on to the user portal. For example, a user attempting to log in to Centrify Identity Services from an unfamiliar location can be prompted to enter a password and a text message (SMS) confirmation code because the external firewall condition correlates with a medium risk level. The Risk Level filter requires additional licenses. If you do not see this filter, contact Centrify Identity Services support. The supported risk levels are:

• Non Detected -- No abnormal activities are detected.

• Low -- Some aspects of the requested identity activity are abnormal. Remediation action or a simple warning notification can be raised depending on the policy setup.

• Medium -- Many aspects of the requested identity activity are abnormal. Remediation action or a simple warning notification can be raised depending on the policy setup.

• High -- Strong indicators that the requested identity activity is anomalous and the user's identity has been compromised. Immediate remediation action, such as MFA, should be enforced.

• Unknown -- Not enough user behavior activities (frequency of system use by the user and length of time the user has been in the system) have been collected.

Managed Devices The authentication factor is the designation of the device as “managed” or not. A device is considered “managed” if it is managed by Centrify Identity Services, or if it has a trusted certificate authority (the CA certificate has been uploaded to the tenant).

For the Day/Date/Time related conditions, you can choose between the user’s local time and Universal Time Coordinated (UTC) time.

d Click the Add button associated with the filter and condition.

e Select the profile you want applied if all filters/conditions are met in the Authentication Profile drop-down. The authentication profile is where you define the authentication methods. If you have not created the necessary authentication profile, select the Add New Profile option. See Creating authentication profiles.

f Click OK.

g (Optional) In the Default Profile (used if no conditions matched) drop-down, you can select a default profile to be applied if a user does not match any of the configured conditions. If you have no authentication rules configured and you select Not Allowed in the Default Profile drop-down, users will not be able to log in to the service.

h Click Save. If you have more than one authentication rule, you can prioritize them on the Policy page. You can also include JavaScript code to identify specific circumstances when you want to block an application or you want to require additional authentication methods. For details, see Application access policies with JavaScript.

Note If you left the Apps section of Admin Portal to specify additional authentication control, you will need to return to the Apps section before continuing by clicking Apps at the top of the page in Admin Portal.

13 On the Account Mapping page, configure how the login information is mapped to the application’s user accounts.

The options are as follows:

Use the following Directory Service field to supply the user name: Use this option if the user accounts are based on user attributes. For example, specify an Active Directory field such as mail or userPrincipalName or a similar field from the Centrify Directory.

Everybody shares a single user name: Use this option if you want to share access to an account but not share the user name and password. For example, some people share an application developer account.

Use Account Mapping Script: You can customize the user account mapping here by supplying a custom JavaScript script. For example, you could use the following line as a script: LoginUser.Username = LoginUser.Get('mail')+'.ad';

The above script instructs the Centrify Directory Service to set the login user name to the user’s mail attribute value in Active Directory and add ‘.ad’ to the end. So, if the user’s mail attribute value is, for example, jdoe@example.com, the Centrify Directory Service uses jdoe@example.com.ad. For more information about writing a script to map user accounts, see SAML application scripting.

14 (Optional) On the SAML Response page, you can edit the script that generates the SAML assertion, if needed. In most cases, you don’t need to edit this script. For more information, see the SAML application scripting.

15 (Optional) On the Changelog page, you can see recent changes that have been made to the application settings, by date, user, and the type of change that was made.

16 (Optional) Click Workflow to set up a request and approval workflow for this application.

The Workflow feature is a premium feature and is available only in the Centrify Identity Services App+ Edition. See Configuring Workflow for more information.

17 Click Save.

18 Leave the browser tab open to the Admin Portal. You will use it again in Configuring SAP BusinessObjects Business Intelligence in Admin Portal (Part 2).

Enabling SAML and creating a local provider in SAP NetWeaver Administrator

To enable and configure SAML 2.0:

1 Open a new browser tab, navigate to your URL (resembles: http(s)://<sap-java-hostname-and-port-number>/nwa), and log in to the SAP NetWeaver Administrator as an administrator.

2 Select Configuration > Authentication and Single Sign-On.

3 Click SAML 2.0 > Enable SAML 2.0 Support.

4 In Provider Name, enter CentrifySAML and click Next.

Note If you enter a different provider name here, you must also enter it in the Local Provider Name field in Application Settings of your SAML application. See Configuring SAP BusinessObjects Business Intelligence in Admin Portal (Part 2) for details.

5 Click Browse for Signing Key Pair.

6 Click Create.

7 Supply an Entry Name to identify this key entry.


All the other required fields in this box have default values. Make any desired changes to these other fields.

8 Click Next.

9 In commonName, enter any value you would like SAP to use to identify this key pair when SAP generates it.

For example, use the host name of your SAP BusinessObjects Business Intelligence instance.

10 Click Finish.

The Select Keystore Entry window appears showing the new key pair you just created.

11 Click OK.

Under Signature and Encryption, Signing Key Pair and Encryption Key Pair are filled in for you with the new key pair you just created.

12 Select On under Legacy Systems Support (Issue Login Ticket).

13 Click Next.

14 (Optional) If you plan to use SP-initiated SSO, choose one of the following for the Selection Mode under Identity Provider Discovery:

Manual: displays the identity provider selection screen when the SP-initiated SSO launches. Then the user must select a configured IdP, or click the Cancel button to return to the username-password login screen.

Automatic: redirects users to the default trusted provider (configured later, in Creating and enabling a trusted provider). Users who lose access to their IdP are locked out of SAP BusinessObjects Business Intelligence.

15 (Optional) Uncheck the remaining check boxes.

16 Click Finish.

17 Under Local Provider, select Service Provider Settings > Edit.

18 Copy the Endpoint URL and save it in a location where you can find it when Configuring SAP BusinessObjects Business Intelligence in Admin Portal (Part 2).

19 In Default Application Path, you can use the BI Web Application URL itself as the default, or enter the relative path to the page where you want SSO users to land, such as: /irj/portal

Note The application configured here is the landing application. If the SAML engine is unable to determine the application to show to the user during IdP-initiated SAML, it will land on this path.


20 A relay state must be provided to display the desired application that users will access from Centrify User Portal. To set a relay state:

a Click RelayState Mapping > Add

b For Relay State, enter the relative path to the page where you want SSO users to land, for example:

c For Path, enter: /BOE/BI/custom.jsp

Note You will finish configuring the relay state later when you modify the script as described in Configuring SAP BusinessObjects Business Intelligence in Admin Portal (Part 2).

21 Click Save.

22 (Optional) If you plan to use SAML over HTTP, follow these steps:

a Click General Settings.

b Click Edit.

c Select Yes for Allow HTTP Access.

d Click Save.

23 Continue to Creating and enabling a trusted provider.

Creating and enabling a trusted provider

Note This procedure continues from Enabling SAML and creating a local provider in SAP NetWeaver Administrator.

1 Click Trusted Providers.

2 Select Add > Uploading Metadata File.

3 In the SAML 2.0 Configuration pop-up window, click Browse and select the metadata file you downloaded in Configuring SAP BusinessObjects Business Intelligence in Admin Portal (Part 1).

4 Click Next.

5 (Optional) Enter Centrify as the Alias.

If entered, SAP BusinessObjects Business Intelligence will show the name of the alias on the IdP selection screen; if not entered the selection screen will show the IdP’s Entity ID that was provided in the IdP Metadata.

6 Click Next.

7 On the screen that appears, leave all the default values unchanged and click Next again.

8 Select HTTP Post and click Next.


9 Continue clicking Next without changing any values until the Finish button appears.

10 Click Finish.

11 Select the trusted provider you just created under the List of Trusted Providers.

12 Click Edit.

13 Click Identity Federation under Details of trusted provider.

14 Click Add.

15 Select Unspecified as the Supported NameID Format and click OK.

16 Select Assertion Subject NameID as the User ID Source.

17 If the user profile used to log in to Centrify Identity Services has a username in email address format, select Email as the User ID Mapping Mode.

18 Click Save.

19 Click Enable.

20 Click OK to confirm.

The Active icon changes from a gray diamond to a green square.

21 Continue to Creating a new authentication stack for SAML 2.0.

Creating a new authentication stack for SAML 2.0

Note This procedure continues from Creating and enabling a trusted provider.

1 Go to the Authentication tab.

2 Click Create.

3 Enter centrify-saml20 as the Configuration Name.

4 Leave the default Type set to Custom.

5 Click Create.

Your new custom configuration displays as the selected configuration in the Authentication tab.

6 Click Edit in the Authentication Stack tab.

7 Click Add and select EvaluateTicketLoginModule from the <Select Login Module> drop-down list.

8 Click Add and select SAML2LoginModule from the <Select Login Module> drop-down list.


9 Click Add and select BasicPasswordLoginModule from the <Select Login Module> drop-down list.

10 Click Add and select CreateTicketLoginModule from the <Select Login Module> drop-down list.

11 Select the Optional flag for CreateTicketLoginModule.

12 Click Save.

Your Login Modules table should look like this:

13 Continue to Enabling trusted authentication between the SAP BO BI LaunchPad and the SAP BO BI server.

Enabling trusted authentication between the SAP BO BI LaunchPad and the SAP BO BI server

Note This procedure continues from Creating a new authentication stack for SAML 2.0.

1 Open a new browser tab, navigate to your CMC URL, and log in to the CMC as an administrator with SAML2 disabled. Your CMC URL resembles: http(s)://<sap-java-hostname-and-port-number>/BOE/CMC?saml2=disabled

2 Go to the Authentication tab.

3 Click Enterprise.

4 In the Enterprise dialog box, scroll down until you see Trusted Authentication.

5 Click Trusted Authentication to enable it.

6 Click New Shared Secret.

7 Click Download Shared Secret to download the TrustedPrincipal.conf file that allows the web server and the CMS to establish trust.

8 Click Save and choose this directory to save the TrustedPrincipal.conf file:

On UNIX: <SAP BOBIE INSTALL DIRECTORY>/sap_bobj/enterprise_xi40/

On Windows server: <SAP BOBIE INSTALL DIRECTORY>\SAP BusinessObjects Enterprise XI 4.0\win32_x86

This file is used by the SAP BusinessObjects Business Intelligence server to validate the shared secret submitted by the BI LaunchPad application during user authentication.

Note For further assistance, see the Business Intelligence Platform Administrator Guide: https://help.sap.com/businessobject/product_guides/boexir4/en/xi4_bip_admin_en.pdf, in the section titled Configuring Trusted Authentication for the web application.

9 Leave the browser tab open to the Admin Portal. You will use it again in Configuring SAP BusinessObjects Business Intelligence in Admin Portal (Part 2).

Creating the configuration files for the BI LaunchPad application

To create the global.properties file:

1 Create a new file in a text editor.

2 Enter the following content in your new file to specify the trusted authentication properties:

sso.enabled=true
trusted.auth.user.retrieval=WEB_SESSION
trusted.auth.user.param=MyUser
trusted.auth.shared.secret=MySecret

3 Save the file as:

On UNIX:<SAP BOBIE INSTALL DIRECTORY>/sap_bobj/enterprise_xi40/warfiles/webapps/BOE/WEB-INF/config/custom/global.properties

On Windows server:<SAP BOBIE INSTALL DIRECTORY>\SAP BusinessObjects Enterprise XI 4.0\warfiles\webapps\BOE\WEB-INF\config\custom\global.properties

To modify the custom.jsp file:

1 Go to the custom.jsp file and open it in a text editor:

On UNIX:<SAP BOBIE INSTALL DIRECTORY>/sap_bobj/enterprise_xi40/warfiles/webapps/BOE/WEB-INF/eclipse/plugins/webpath.InfoView/web/custom.jsp

On Windows server:<SAP BOBIE INSTALL DIRECTORY>\SAP BusinessObjects Enterprise XI 4.0\warfiles\webapps\BOE\WEB-INF\eclipse\plugins\webpath.InfoView\web\custom.jsp


2 Replace the contents of your custom.jsp file using the JSP code below, editing these parts:

Replace the tokens YOUR_SHARED_SECRET_NAME and YOUR_USERNAME_STRING with the corresponding values from your global.properties file.

Replace the token YOUR_SHARED_SECRET with the shared secret that you downloaded from the CMC console in Enabling trusted authentication between the SAP BO BI LaunchPad and the SAP BO BI server.

<%@ page import="javax.servlet.RequestDispatcher" %>
<%@ page import="java.security.Principal" %>
<%@ page language="java" contentType="text/html;charset=utf-8" %>
<%
// custom Java code: take the user name from the container's authenticated
// principal, hand it and the shared secret to the BI LaunchPad through the
// web session, then forward to the logon page
String userName = "";
if (session != null) {
    Principal p = request.getUserPrincipal();
    userName = (p != null) ? p.getName() : null;
    if (userName == null) {
        userName = request.getRemoteUser();
    }
    if (userName != null) {
        session.setAttribute("YOUR_SHARED_SECRET_NAME", "YOUR_SHARED_SECRET");
        session.setAttribute("YOUR_USERNAME_STRING", userName);
    }
}
response.sendRedirect("/BOE/BI/logon.jsp");
%>

3 Save the file.
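The trusted-authentication hand-off only works when the attribute names that custom.jsp puts into the web session are exactly the values of trusted.auth.user.param and trusted.auth.shared.secret in global.properties, and when every YOUR_... token has been replaced. The following script, an added example rather than Centrify's or SAP's code, checks that consistency; the property and JSP fragments embedded in it are constructed samples, and "s3cret-placeholder" stands in for the shared secret downloaded from the CMC.

```python
"""Consistency check for the BI LaunchPad trusted-authentication files
(global.properties and custom.jsp) described in this section.

Added example, not Centrify's or SAP's code.  The inputs below are
constructed so the script runs offline; check_files() applies the same
check to the real files at the paths given in the section.
"""
import re

# Constructed sample of the global.properties content from the section.
GLOBAL_PROPERTIES = """\
sso.enabled=true
trusted.auth.user.retrieval=WEB_SESSION
trusted.auth.user.param=MyUser
trusted.auth.shared.secret=MySecret
"""

# Constructed custom.jsp fragment that agrees with the properties above;
# "s3cret-placeholder" stands in for the secret downloaded from the CMC.
CUSTOM_JSP_OK = """\
if (userName != null) {
    session.setAttribute("MySecret", "s3cret-placeholder");
    session.setAttribute("MyUser", userName);
}
"""

# Constructed broken variant: the secret attribute name does not match
# trusted.auth.shared.secret, and template tokens were left in place.
CUSTOM_JSP_BAD = """\
if (userName != null) {
    session.setAttribute("YOUR_SHARED_SECRET_NAME", "s3cret-placeholder");
    session.setAttribute("MyUser", "YOUR_USERNAME_STRING");
}
"""

PLACEHOLDER = re.compile(r"YOUR_[A-Z_]+")
SET_ATTR = re.compile(r'session\.setAttribute\(\s*"([^"]*)"\s*,\s*([^)]*?)\s*\)')


def parse_properties(text):
    """Minimal key=value parser for a Java .properties file (no escapes needed here)."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(("#", "!")) or "=" not in line:
            continue
        key, _, value = line.partition("=")
        props[key.strip()] = value.strip()
    return props


def check_trusted_auth(properties_text, jsp_text):
    """Return a list of findings; an empty list means the two files agree."""
    findings = []
    props = parse_properties(properties_text)
    if props.get("sso.enabled") != "true":
        findings.append("global.properties: sso.enabled must be true")
    if props.get("trusted.auth.user.retrieval") != "WEB_SESSION":
        findings.append("global.properties: trusted.auth.user.retrieval must be WEB_SESSION")
    user_param = props.get("trusted.auth.user.param")
    secret_param = props.get("trusted.auth.shared.secret")
    if not user_param or not secret_param:
        findings.append("global.properties: trusted.auth.user.param or trusted.auth.shared.secret missing")
        return findings

    # Map each session attribute name set in the JSP to the expression it is set to.
    attrs = dict(SET_ATTR.findall(jsp_text))
    if secret_param not in attrs:
        findings.append(f'custom.jsp: no session.setAttribute("{secret_param}", ...) for the shared secret')
    if user_param not in attrs:
        findings.append(f'custom.jsp: no session.setAttribute("{user_param}", ...) for the user name')
    for token in sorted(set(PLACEHOLDER.findall(jsp_text))):
        findings.append(f"custom.jsp: template token {token} was not replaced")
    # The user name must come from the authenticated principal, not a literal;
    # a literal would make the session vouch for one fixed user for everyone.
    if attrs.get(user_param, "").startswith('"'):
        findings.append(f'custom.jsp: "{user_param}" is set to a string literal, not the authenticated user')
    return findings


def check_files(properties_path, jsp_path):
    """Run the same check against global.properties and custom.jsp on disk."""
    with open(properties_path, encoding="utf-8") as f_props, open(jsp_path, encoding="utf-8") as f_jsp:
        return check_trusted_auth(f_props.read(), f_jsp.read())


if __name__ == "__main__":
    for label, jsp in (("sample-ok", CUSTOM_JSP_OK), ("sample-bad", CUSTOM_JSP_BAD)):
        for finding in check_trusted_auth(GLOBAL_PROPERTIES, jsp) or ["no findings"]:
            print(f"{label}: {finding}")
```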

To modify the web.xml file:

1 Go to the web.xml file and open it in a text editor:

On UNIX: <SAP BOBIE INSTALL DIRECTORY>/sap_bobj/enterprise_xi40/warfiles/webapps/BOE/WEB-INF/web.xml

On Windows server: <SAP BOBIE INSTALL DIRECTORY>\SAP BusinessObjects Enterprise XI 4.0\warfiles\webapps\BOE\WEB-INF\web.xml

2 Add the following code snippet to the bottom of the web.xml file (inside the closing </web-app> element):

<!-- Centrify SSO Configuration Start -->
<security-constraint>
    <web-resource-collection>
        <web-resource-name>InfoView</web-resource-name>
        <url-pattern>*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
        <role-name>*</role-name>
    </auth-constraint>
    <user-data-constraint>
        <transport-guarantee>NONE</transport-guarantee>
    </user-data-constraint>
</security-constraint>
<login-config>
    <auth-method>FORM</auth-method>
    <realm-name>InfoView</realm-name>
    <form-login-config>
        <form-login-page>/logon.jsp</form-login-page>
        <form-error-page>/logon.jsp</form-error-page>
    </form-login-config>
</login-config>
<security-role>
    <description>Assigned to the SAP J2EE Engine System Administrators</description>
    <role-name>j2ee-admin</role-name>
</security-role>
<security-role>
    <description>Assigned to all users</description>
    <role-name>j2ee-guest</role-name>
</security-role>
<security-role>
    <description>Assigned to a special group of users</description>
    <role-name>j2ee-special</role-name>
</security-role>
<!-- Centrify SSO Configuration End -->

3 Save the file.
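Before building the WAR it is worth confirming that the edited web.xml still parses and actually contains what the snippet above is meant to establish: a FORM login-config that sends unauthenticated requests to /logon.jsp, and a security-constraint that requires an authenticated user for every URL pattern. The following Python script is an added audit (not Centrify or SAP code); the web.xml embedded in it is a constructed minimal file carrying the snippet, and the script also reports the transport-guarantee value, since NONE means the servlet container itself will not require TLS for those URLs.

```python
"""Audit the Centrify SSO section of a BI LaunchPad web.xml.

Added example, not Centrify or SAP code. The sample web.xml is constructed;
the checks encode the snippet this guide adds: FORM login to /logon.jsp and
a security-constraint covering every URL for any authenticated role.
"""
import xml.etree.ElementTree as ET

# Constructed minimal web.xml. Real BOE web.xml files declare a default
# namespace, so the helpers below compare local tag names only.
SAMPLE_WEB_XML = """<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="3.0">
  <display-name>BOE</display-name>
  <!-- Centrify SSO Configuration Start -->
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>InfoView</web-resource-name>
      <url-pattern>*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>*</role-name>
    </auth-constraint>
    <user-data-constraint>
      <transport-guarantee>NONE</transport-guarantee>
    </user-data-constraint>
  </security-constraint>
  <login-config>
    <auth-method>FORM</auth-method>
    <realm-name>InfoView</realm-name>
    <form-login-config>
      <form-login-page>/logon.jsp</form-login-page>
      <form-error-page>/logon.jsp</form-error-page>
    </form-login-config>
  </login-config>
  <security-role><role-name>j2ee-guest</role-name></security-role>
  <!-- Centrify SSO Configuration End -->
</web-app>
"""


def _local(tag):
    """Strip an XML namespace: '{uri}name' -> 'name'."""
    return tag.rsplit("}", 1)[-1]


def _find_all(elem, name):
    """All descendants (including elem) whose local tag name is `name`."""
    return [c for c in elem.iter() if _local(c.tag) == name]


def _text(elem, name):
    """Stripped text of the first descendant named `name`, or None."""
    for c in elem.iter():
        if _local(c.tag) == name:
            return (c.text or "").strip()
    return None


def audit_web_xml(xml_text):
    """Return {'form_login_to_logon_jsp': bool, 'all_urls_require_auth': bool,
    'warnings': [str]} for the given web.xml text."""
    root = ET.fromstring(xml_text)  # raises ParseError on a malformed edit
    result = {"form_login_to_logon_jsp": False,
              "all_urls_require_auth": False,
              "warnings": []}
    for lc in _find_all(root, "login-config"):
        if (_text(lc, "auth-method") == "FORM"
                and _text(lc, "form-login-page") == "/logon.jsp"):
            result["form_login_to_logon_jsp"] = True
    for sc in _find_all(root, "security-constraint"):
        patterns = [(p.text or "").strip() for p in _find_all(sc, "url-pattern")]
        roles = [(r.text or "").strip() for r in _find_all(sc, "role-name")]
        if "*" in patterns or "/*" in patterns:
            # <auth-constraint> with role '*' means any authenticated user;
            # a constraint with no <auth-constraint> at all protects nothing.
            if "*" in roles:
                result["all_urls_require_auth"] = True
            elif not _find_all(sc, "auth-constraint"):
                result["warnings"].append(
                    "security-constraint for all URLs has no auth-constraint")
        if _text(sc, "transport-guarantee") == "NONE":
            result["warnings"].append(
                "transport-guarantee is NONE: the container will not require "
                "TLS for these URLs; if HTTPS is required, enforce it in front "
                "of the application server")
    return result


if __name__ == "__main__":
    for key, value in audit_web_xml(SAMPLE_WEB_XML).items():
        print(f"{key}: {value}")
```

Run it against the real file by passing the contents of the web.xml path above to audit_web_xml; a ParseError there means the pasted snippet broke the XML, which is also the first thing WDeploy will trip over.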

To create the BOE.war file and deploy on SAP NetWeaver AS Java:

1 Use WDeploy to build and deploy the BOE.war file on the web application server.

For information on using WDeploy, see the SAP BusinessObjects Business Intelligence Platform Web Application Deployment Guide. To find this guide, go to http://help.sap.com/bobip and search for the Web Application Deployment Guide for your platform.

Configuring the SAML 2.0 login process to use the authentication stack

Note This procedure continues from the browser tab you left open in Enabling trusted authentication between the SAP BO BI LaunchPad and the SAP BO BI server.

1 In the Policy Configuration Name table, select the type Web and search for your deployed BI LaunchPad application name.

2 Click Edit in the Authentication Stack tab.

3 Enter centrify-saml20 as the Used Template.

4 Click Save.


Configuring SAP BusinessObjects Business Intelligence in Admin Portal (Part 2)

Note This procedure continues from the browser tab you left open to the Admin Portal in Configuring SAP BusinessObjects Business Intelligence in Admin Portal (Part 1).

To finish configuring the SAP BusinessObjects Business Intelligence application in Admin Portal:

1 Return to the browser tab you were using to work in the Admin Portal in Configuring SAP BusinessObjects Business Intelligence in Admin Portal (Part 1) and navigate to the Application Settings screen of your SAP BusinessObjects Business Intelligence app.

2 Configure the following:

Field | Set it to | What you do
ACS Endpoint URL | The SAML Endpoint saved from Enabling SAML and creating a local provider in SAP NetWeaver Administrator | Paste the SAML Endpoint from the SAP BusinessObjects Business Intelligence Administrator.
Local Provider Name | The name of your local provider; either CentrifySAML or the name saved from Enabling SAML and creating a local provider in SAP NetWeaver Administrator | Enter the local provider name you provided in Step 4 of Enabling SAML and creating a local provider in SAP NetWeaver Administrator.

3 On the Advanced page, scroll to the bottom of the script window and replace YOUR-BI-LAUNCHPAD-RelayState with the same relay state string that you used in Step 20 of Enabling SAML and creating a local provider in SAP NetWeaver Administrator. For example:

setRelayState('BI_Launchpad');

4 Click Save.

5 To verify that you have properly configured trusted authentication, use the following URL to access the BI LaunchPad application, replacing [server] with the name of the machine hosting the CMS and [port] with the port number used to access the SAP application:

http://[server]:[port]/BOE/BI/custom.jsp

6 (Optional) To configure the SAP BusinessObjects Business Intelligence application for automatic provisioning, see SAP BusinessObjects Business Intelligence provisioning.

SAP BusinessObjects Business Intelligence provisioning

SCIM (System for Cross-domain Identity Management) is an open standard for automating the exchange of user identity information between identity domains, or IT systems. It can be used to automatically provision and deprovision accounts for users in external systems such as your custom SAML app. For more information about SCIM, see www.simplecloud.info.

If your application supports SCIM, you can set it up to enable provisioning by entering the Access Token and SCIM URL.

For more information about provisioning your app, see Setting up generic SCIM provisioning.

For more information about SAP BusinessObjects Business Intelligence

For further assistance, see the Business Intelligence Platform Administrator Guide: https://help.sap.com/businessobject/product_guides/boexir4/en/xi4_bip_admin_en.pdf, in the section titled Configuring Trusted Authentication for the web application.

Known issue with logoff

If the user logs off directly using the Logoff link on the web application, they will be completely logged out from SAP BusinessObjects Business Intelligence, SAP NetWeaver AS Java, and Centrify Identity Services.

Note If the user’s session expires, they are only logged out from SAP BusinessObjects Business Intelligence and SAP NetWeaver AS Java, and they will not be logged out of Centrify Identity Services.
