This document describes the steps needed to integrate Shibboleth (a SAML2 federated authentication/identity provider) with BI Platform using Trusted Authentication to achieve SSO (within the web browser, does not tie into Active Directory).
This document assumes you have already:
Example Tomcat server.xml (relevant pieces only)

```xml
<Connector port="8080" protocol="HTTP/1.1" connectionTimeout="20000"
           redirectPort="443" compression="off" URIEncoding="UTF-8" />
. . .
<Connector port="8009" protocol="org.apache.coyote.ajp.AjpNioProtocol"
           redirectPort="443" URIEncoding="UTF-8" enableLookups="false"
           tomcatAuthentication="false" address="127.0.0.1" scheme="https"
           connectionTimeout="20000" maxThreads="400"/>
```

`tomcatAuthentication="false"` tells Tomcat to take the authenticated user name from the AJP request (the REMOTE_USER that Shibboleth set in Apache) instead of authenticating the request itself, so anything that can open a connection to port 8009 can assert any user. `address="127.0.0.1"` keeps that port on the loopback interface; do not drop it. Tomcat 8.5.51/9.0.31 and later additionally require an AJP `secret` on the connector (and the matching `secret=` in Apache's ProxyPass) unless `secretRequired="false"` is set.
Example Shibboleth2.xml (relevant pieces only)

```xml
<ApplicationDefaults . . .
                     REMOTE_USER="uid"
                     . . . >
```

`REMOTE_USER` is set to whatever attribute your IdP returns that will match your Enterprise account names (`uid` here). That attribute has to be one the IdP actually releases to this SP and has to be mapped in the SP's attribute-map.xml, otherwise REMOTE_USER stays empty and Trusted Authentication never fires.
Example httpd.conf (relevant sections only)

```apache
. . .
Listen 80
TimeOut 300
AcceptFilter http none
AcceptFilter https none
EnableSendfile off
EnableMMAP off

# Port 80 only redirects to HTTPS; nothing is served in the clear
<VirtualHost _default_:80>
    RewriteEngine on
    RewriteCond %{SERVER_PORT} !^443$
    RewriteRule ^/(.*) https://%{HTTP_HOST}/$1 [NC,R,L]
</VirtualHost>

ServerName yourserver.yourdomain.com
UseCanonicalName On
Include D:/opt/shibboleth-sp/etc/shibboleth/apache24.config
ExtendedStatus On

#==================== Configure mod_deflate ==============
AddOutputFilterByType DEFLATE text/html text/plain text/xml text/css text/javascript application/javascript application/x-javascript text/json
DeflateCompressionLevel 9
SetEnvIfNoCase Request_URI \.(?:gif|jpe?g|png)$ no-gzip dont-vary
```

The `AddOutputFilterByType` directive is a single line (it was wrapped above only for display). One caveat on mod_deflate: compressing HTML over TLS is the precondition for the BREACH compression-oracle attack against secrets that appear in a page next to attacker-influenced input; if that matters for your deployment, limit DEFLATE to static content types.
Example ssl.conf (relevant sections only)

```apache
. . .
Listen 443
<VirtualHost _default_:443>
    RewriteEngine on

    # Never proxy the SP handler: Shibboleth itself must answer /Shibboleth.sso
    ProxyPass        /Shibboleth.sso !
    ProxyPassReverse /Shibboleth.sso !
    ProxyPass        / ajp://127.0.0.1:8009/
    ProxyPassReverse / ajp://127.0.0.1:8009/
    . . .
    <Location /BOE>
        AuthType shibboleth
        ShibRequestSetting requireSession 1
        require shib-session
    </Location>
    <Location /shib>
        AuthType shibboleth
        ShibRequestSetting requireSession 1
        require shib-session
    </Location>

    # The next 3 are required to use the Webi Java applet, since it connects
    # separately and Shibboleth gets confused
    <Location ~ "/BOE/portal/.*/AnalyticalReporting/webiApplet/.*">
        Satisfy Any
        Allow from all
        AuthType None
        Require all granted
    </Location>
    <Location ~ "/BOE/portal/.*/rebean3ws/services/.*">
        Satisfy Any
        Allow from all
        AuthType None
        Require all granted
    </Location>
    <Location ~ "/BOE/portal/.*/InfoViewAppActions/ajaxUre/.*">
        Satisfy Any
        Allow from all
        AuthType None
        Require all granted
    </Location>
</VirtualHost>

Listen 4443
<VirtualHost _default_:4443>
    . . .
    ProxyPass        / http://127.0.0.1:8080/
    ProxyPassReverse / http://127.0.0.1:8080/
</VirtualHost>
```

Three things to keep in mind here. The `ProxyPass /Shibboleth.sso !` exclusion must come before the catch-all `ProxyPass /`, otherwise the SP's own endpoints are forwarded to Tomcat and the SAML flow breaks. The three regex `<Location ~>` blocks switch Shibboleth off completely for those paths: requests there reach Tomcat with no REMOTE_USER and rely solely on BI Platform's own session handling, so keep the patterns as narrow as the applet needs (on Apache 2.4, `Require all granted` is sufficient; `Satisfy Any` and `Allow from all` are 2.2-era directives that only work with mod_access_compat loaded). Finally, the 4443 virtual host has no Shibboleth protection at all and proxies straight to Tomcat's HTTP connector; it is the entry point used for the QUERY_STRING test in the BIP Config steps below.
BIP Config
3. Put the shared secret file, TrustedPrincipal.conf, on the WEB SERVER in this directory:

   D:\BI4\SAP BusinessObjects Enterprise XI 4.0\win32_x86\

   This file is the secret that lets the web tier vouch for users, so restrict read access on it to the account Tomcat runs as.

4. Follow SAP doc 1593628 to test Trusted Authentication using QUERY_STRING:

   a. Edit global.properties so that it contains

      sso.enabled=true
      trusted.auth.user.param=user
      trusted.auth.user.retrieval=QUERY_STRING

   b. Save, then restart Tomcat

   c. You should now be able to get into Launch Pad using a URL such as

      https://myserver.mydomain.com:4443/BOE/BI?user=myuser

   d. This demonstrates that all the Trusted Authentication pieces are working, without Shibboleth. Note that in this mode anyone who can reach that URL can log in as any Enterprise user just by naming it, so do not leave QUERY_STRING retrieval in place once the test has passed.

5. To put it all together, update the global.properties file so it looks like this

   sso.enabled=true
   trusted.auth.user.retrieval=REMOTE_USER

   With REMOTE_USER retrieval the user name comes only from what Apache/Shibboleth passed over AJP, which is why the AJP port must stay loopback-only.
6. If you are having trouble, you can use a /shib directory (create it under Tomcat\webapps\) to see the values being passed from Apache/Shibboleth, using a JSP such as the one below. It dumps every request header (cookies included) and the user Tomcat derived from REMOTE_USER, so keep it behind the `<Location /shib>` Shibboleth protection and remove it when you are done troubleshooting.

```jsp
<%@ page import="java.util.*" %>
<html>
<head>
<title>Http Request Headers Example</title>
</head>
<body>
<h2>HTTP Request Headers Received</h2>
<table>
<%
    // Walk every header the AJP connector handed to Tomcat
    Enumeration enumeration = request.getHeaderNames();
    while (enumeration.hasMoreElements()) {
        String name = (String) enumeration.nextElement();
        String value = request.getHeader(name);
        // Escape before echoing: header values are attacker-controlled input
        String safeName = name.replace("&", "&amp;").replace("<", "&lt;");
        String safeValue = (value == null) ? "" : value.replace("&", "&amp;").replace("<", "&lt;");
%>
<tr><td><%= safeName %></td><td><%= safeValue %></td></tr>
<%
    }
%>
</table>
<%
    // With tomcatAuthentication="false" both values come from the REMOTE_USER that Shibboleth set
    out.print("request.getRemoteUser: " + request.getRemoteUser() + "<br/>");
    // getUserPrincipal() is null when no user was passed; guard it rather than throw a NullPointerException
    java.security.Principal principal = request.getUserPrincipal();
    out.print("request.getUserPrincipal.getName(): "
              + (principal == null ? "null" : principal.getName()) + "<br/>");
%>
</body>
</html>
```
Login page setup
   https://yourserver.yourdomain.com/Shibboleth.sso/Logout?return=yourIDPlogoutURL

   Newer Shibboleth SP releases restrict where the `return` parameter may point (the `redirectLimit` and `redirectAllow`/`redirectWhitelist` settings on the `<Sessions>` element), so an IdP logout URL on another host has to be allowed there or the SP will refuse the redirect.

4. Stop/Restart Tomcat

5. Whichever way you log in, logging out redirects you to the Shibboleth logout. This is done to handle the odd address issues that arise when sessions are opened and closed through different entry points.