Technology Blogs by Members
Explore a vibrant mix of technical expertise, industry insights, and tech buzz in member blogs covering SAP products, technology, and events. Get in the mix!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Apache + Shibboleth SSO with Tomcat for BI Platform using Trusted Authentication

Former Member
‎07-21-2015 10:25 PM

This document describes the steps needed to integrate Shibboleth (a SAML2 federated authentication/identity provider) with BI Platform using Trusted Authentication to achieve SSO (within the web browser, does not tie into Active Directory).

This document assumes you have already:

  1. Installed BIP 4.1 (used SP2 P2) with Tomcat. We used Windows 2008 R2, but nothing here is very OS-specific.
  2. Installed Apache 2.4.12+ (must use VC10 version) with SSL as a reverse proxy for Tomcat using the AJP connector (see below)
    1. Apache HTTPS/443 connects to Tomcat AJP/8009 (see below)
    2. Apache HTTPS/4443 (or other port number) connects to Tomcat HTTP/8080 (see below)
  3. Installed/configured Shibboleth 2.5.3+ (see below)
  4. Configured Apache with Shibboleth to protect a static folder, such as /secure, that does not exist in the BIP install
  5. The Apache-Shibboleth securing process is working properly (without Tomcat)
  6. Your Enterprise user IDs match some attribute that will be returned from Shibboleth (uid, eppn, etc.), or you plan to rename your Enterprise users to match one of the Shibboleth attributes
  7. We only use Webi and Crystal, you may need to tweak your setup if you use other tools

Example Tomcat server.xml (relevant pieces only)

<Connector port="8080" protocol="HTTP/1.1" connectionTimeout="20000" redirectPort="443" compression="off" URIEncoding="UTF-8" />

. . .

<Connector port="8009" protocol="org.apache.coyote.ajp.AjpNioProtocol" redirectPort="443" URIEncoding="UTF-8" enableLookups="false"

tomcatAuthentication="false" address="127.0.0.1" scheme="https" connectionTimeout="20000" maxThreads="400"/>

Example Shibboleth2.xml (relevant pieces only)

    <ApplicationDefaults

        . . .

        REMOTE_USER="uid"    #### <-- This is whatever attribute your IdP returns that will match your Enterprise accounts

        . . .

    >

Example httpd.conf (relevant sections only)

. . .

Listen 80

TimeOut 300

AcceptFilter http none

AcceptFilter https none

EnableSendfile off

EnableMMAP off

<VirtualHost _default_:80>

  RewriteEngine on

  ReWriteCond %{SERVER_PORT} !^443$

  RewriteRule ^/(.*) https://%{HTTP_HOST}/$1 [NC,R,L]

</VirtualHost>

ServerName yourserver.yourdomain.com

UseCanonicalName On

Include D:/opt/shibboleth-sp/etc/shibboleth/apache24.config

ExtendedStatus On

#====================Configure mod_deflate============== 

AddOutputFilterByType DEFLATE text/html text/plain text/xml text/css text/javascript application/javascript application/x-javascript text/json     ##### Should be on one line with previous

DeflateCompressionLevel 9

SetEnvIfNoCase Request_URI  \

       \.(?:gif|jpe?g|png)$ no-gzip dont-vary

  

Example ssl.conf (relevant sections only)

. . .

Listen 443

<VirtualHost _default_:443>

  RewriteEngine on

  ProxyPass /Shibboleth.sso !

  ProxyPassReverse /Shibboleth.sso !

  ProxyPass / ajp://127.0.0.1:8009/

  ProxyPassReverse / ajp://127.0.0.1:8009/

. . .

  <Location /BOE>

    AuthType shibboleth

    ShibRequestSetting requireSession 1

    require shib-session

  </Location>

  <Location /shib>

    AuthType shibboleth

    ShibRequestSetting requireSession 1

    require shib-session

  </Location>

  # The next 3 are required to use the Webi Java applet since it connects separately and Shibboleth gets confused

  <Location ~ "/BOE/portal/.*/AnalyticalReporting/webiApplet/.*">

    Satisfy Any

    Allow from all

    AuthType None

    Require all granted

  </Location>

  <Location ~ "/BOE/portal/.*/rebean3ws/services/.*">

    Satisfy Any

    Allow from all

    AuthType None

    Require all granted

  </Location>

  <Location ~ "/BOE/portal/.*/InfoViewAppActions/ajaxUre/.*">

   Satisfy Any

   Allow from all

   AuthType None

   Require all granted

  </Location>

</VirtualHost>

Listen 4443

<VirtualHost _default_:4443>

. . .

  ProxyPass / http://127.0.0.1:8080/

  ProxyPassReverse / http://127.0.0.1:8080/

</VirtualHost>


BIP Config

  1. For reference, see the BI Admin Doc, starting on page 229 about Trusted Authentication. The essential steps are below.
  2. Set the Authentication parameters similar to this, generate and download a new Shared Secret, then click Update

3. Put the shared secret file, TrustedPrincipal.conf on the WEB SERVER, in this directory


D:\BI4\SAP BusinessObjects Enterprise XI 4.0\win32_x86\


4. Followed the SAP doc 1593628 to test the SSO using QUERY_STRING

    1. Create file global.properties in D:\BI4\tomcat\webapps\BOE\WEB-INF\config\custom with the following contents

sso.enabled=true

    trusted.auth.user.param=user

    trusted.auth.user.retrieval=QUERY_STRING

          b. Save, then restart Tomcat

          c. Should be able to get into Launch Pad now using the URL (e.g.)


https://myserver.mydomain.com:4443/BOE/BI?user=myuser

          d. This demonstrates all the Trusted Authentication pieces are working, without Shibboleth

5. To put it all together, update the global.properties file so it looks like this

         sso.enabled=true

         trusted.auth.user.retrieval=REMOTE_USER

    1. Save, then restart Tomcat
    2. Close and reopen your browser
    3. Go to the URL, https://myserver.mydomain.com/BOE/BI
    4. You should be prompted to log in via Shibboleth

6. If you’re having trouble, you can use a /shib directory (create under Tomcat\webapps\) to see the values being passed from Apache/Shibboleth using a JSP, e.g.

<%@ page import="java.util.*" %>

<html>

<head>

<title>Http Request Headers Example</title>

</head>

<body>

<h2>HTTP Request Headers Received</h2>

<table>

<%

Enumeration enumeration = request.getHeaderNames();

while (enumeration.hasMoreElements()) {

String name = (String) enumeration.nextElement();

String value = request.getHeader(name);

%>

<tr><td><%= name %></td><td><%= value %></td></tr>

<%

}

%>

</table>

<%

       out.print("request.getRemoteUser: "+request.getRemoteUser()+"<br/>");

       out.print("request.getUserPrincipal.getName(): "+request.getUserPrincipal().getName()+"<br/>");

%>

</body>

</html>

Login page setup

  1. We created a custom login page that presented links for both Shibboleth and Enterprise logins, under /auth, which then directs users to login via one of those methods
  2. Set up a redirect from /index.jsp (tomcat ROOT) to /auth/index.jsp, then present links to log on either via Shibboleth, or via Enterprise (port 4443)
  3. In \BI4\tomcat\webapps\BOE\WEB-INF\config\custom\BILaunchpad.properties, set url.exit to e.g.

https://yourserver.yourdomain.com/Shibboleth.sso/Logout?return=yourIDPlogoutURL

   4. Stop/Restart Tomcat

   5. Either way you log in, you will be redirected to the Shibboleth logout. This is done to handle weird address issues when logging in/out via different           methods.

7 Comments
Labels in this area
Popular Blog Posts