37 Replies Latest reply: May 5, 2010 6:37 PM by Ingo Hilgefort

Portal - BO SSO

Landry Renaud-Pierre

Hi,

 

We want to set-up SSO between SAP EP and Business Object to allow users to access reports without having to sign-on again. There is a lot of documentation explaining how to set-up SSO by putting in place SSO between BO and BI or ECC but what if the user does not exist in the SAP system...

 

In our case, EP and BO are connected to Active Directory where the user is created but the user is not created in any SAP system. How can we set-up SSO between the portal and BO in that case?

 

Thank you very much for your help!

Renaud

  • Re: Portal - BO SSO
    Ingo Hilgefort

    Hi,

     

    so you have a user in the portal but the user does not exist in your ERP or BI system ?

     

    so how does the user access information in the ERP or BI system from the portal ?

     

    Ingo

  • Re: Portal - BO SSO
    Landry Renaud-Pierre

    Hi,

     

    Most of our users are created in both but some users are only created in AD because they do not need any BI or ECC information. Although, they have to access some reports in BO through the portal.

     

    I expect a real SSO to be something like, export a certificate from the portal and import it in the trust store of BO, then configure BO to accept the ticket created by EP to create a session for you. Is it possible to set-up a scenario like that?

     

    Regards,

    Renaud

     

    Edited by: Landry Renaud-Pierre on May 27, 2009 10:00 PM

    • Re: Portal - BO SSO
      Ingo Hilgefort

      so what are you going to use for those users that are not coming from the portal ? just plain AD authentication ? that would not give you SSO for those users unless you use SNC.

       

      for the portal:

       

      - configure the SAP authentication

      - trust needs to be configured between the portal and your BI system as well assuming the report uses BI as a source

      - all machines in the same domain

      - all names fully qualified

       

       

      ingo

  • Re: Portal - BO SSO
    Landry Renaud-Pierre

    Hi Ingo,

     

    Thanks for your answer. We have ECC in the picture and not BI but I guess the same applies, right?

     

    Let's say to keep it simple that all users are coming from the portal and that we have reports in BO that do not have an SAP system as a datasource. We want to expose these reports in the portal ensuring that there is SSO in place for this user. This user does not exist anywhere else than in our LDAP. What is the procedure to put that in place?

     

    Do you have any documentation related to "unless you use SNC"? Would SNC allow us to set up a trust between portal and BO, or is it used to set up a trust between BO and ECC?

     

    Regards,

    Renaud

    • Re: Portal - BO SSO
      Ingo Hilgefort

      so how are you doing SSO to the non-SAP system today ?

       

      You need a system where the users are coming from. The portal is only going to give you a token.

       

      Ingo

      • Re: Portal - BO SSO
        Landry Renaud-Pierre

        Hi,

         

        The way we access datasource shouldn't have anything to do with the BO-portal integration. There are different processes in place for the different systems. As an example SNC will probably be used for ECC. But I would like to start with this simple scenario :

         

        1 - We have a portal, connected to AD, when I log on to the portal with this AD account, I get a token.

         

        2 - We have a BO box connected to AD, when I pick LDAP and enter my userID and pw, I can execute a report called Comparative Income Statement under Report Sample -> Demonstration.

         

        3 - I have created an iView in the portal pointing to this Report. I would like to have SSO in place to display that report in the portal without having to log-on twice. How can I have SSO working in that scenario?

         

        Regards,

        Renaud

        • Re: Portal - BO SSO
          Ingo Hilgefort

          so you want to setup the portal to use Windows AD as authentication but call a report that actually requires LDAP for authentication ?

           

          Ingo

          • Re: Portal - BO SSO
            Landry Renaud-Pierre

            Hi,

             

            Both portal and BO are using LDAP as authentication. If you tell me it should be Windows AD authentication on both, that would be good too.

             

            How? Any solution/document that you could point me to?

             

            Regards,

            Renaud

            • Re: Portal - BO SSO
              Ingo Hilgefort

              so what's the actual data source for the reports that you want to leverage ?

               

              SAP ERP / SAP BW ? non-sap ?

               

              ingo

              • Re: Portal - BO SSO
                Landry Renaud-Pierre

                Hi,

                 

                In the scenario I want to put in place, there is no datasource.

                 

                If you look at the report I told you about earlier, you will see that this report has no datasource.

                 

                Regards,

                Renaud

                • Re: Portal - BO SSO
                  Ingo Hilgefort

                  SSO means to be able to authenticate once and view a report with data from my point of view.

                   

                  so you are saying you don't want to view a report ? so what exactly do you want to do then ?

                   

                  Ingo

                  • Re: Portal - BO SSO
                    Landry Renaud-Pierre

                    Hi Ingo,

                     

                    I agree with your vision of SSO.

                     

                    I have never said I don't want to see a report. For me a report and a data source are two different things.

                    The report I told you about, Income Statement under Report Sample -> Demonstration, is a report that you access without going to any datasource. Right?

                     

                    But if you want a report to be linked to a data source, then let's say that the data source is ECC and we use SNC with a generic user to get the information once a day out of ECC. The AD user does not exist in ECC although we want him to see the generated report through the portal without having to log in again. How can we do that?

                     

                    Regards,

                    Renaud

                    • Re: Portal - BO SSO
                      Ingo Hilgefort

                      Hi,

                       

                      > I have never said I don't want to see a report. For me a report and a data source are two different things.
                      > The report I told you about, Income Statement under Report Sample -> Demonstration, is a report that you access without going to any datasource. Right?

                       

                      Partly correct. The report has saved data which is shown in the initial view, and when refreshed it goes against an MS Access database - assuming we talk about the sample report.

                       

                       

                      > But if you want a report to be linked to a data source, then let's say that the data source is ECC and we use SNC with a generic user to get the information once a day out of ECC. The AD user does not exist in ECC although we want him to see the generated report through the portal without having to log in again. How can we do that?

                       

                      By configuring your BOE server to leverage SNC as well. The user would then log on with your AD user to InfoView and run the report.

                       

                      Ingo

                      • Re: Portal - BO SSO
                        Landry Renaud-Pierre

                        Hi,

                         

                        Thanks for your answer. By configuring SNC on the BOE server, it would accept the portal logon ticket, right?

                         

                        Do you have any documentation that you can point me to related to leveraging SNC on the BOE server?

                         

                        Regards,

                        Renaud

                        • Re: Portal - BO SSO
                          Ingo Hilgefort

                          Hi,

                           

                          would it leverage the ticket - yes - but you mentioned you want Windows AD integration and that's why I suggested SNC. if you are always coming from the portal and always have a portal ticket you might not need SNC.

                           

                          documentation : go to help.sap.com; on the BusinessObjects tab you can find all the product documentation broken down by products and version.

                           

                          Ingo

                          • Re: Portal - BO SSO
                            Landry Renaud-Pierre

                            Hi Ingo,

                             

                            Thanks for your answer.

                             

                            If I understand well, I could have a scenario where EP->BOE SSO is done using a ticket and BOE->other data sources like ERP or BW would be done with SNC. I have found documentation on the SNC part but haven't seen anything about the configurations required in BOE to make it accept the ticket. Can you give me more information on the topic?

                             

                            Regards,

                            Renaud

                            • Re: Portal - BO SSO
                              Ingo Hilgefort

                              hi Renaud,

                               

                              it seems we are going back and forth here and each time I give you an answer you are suddenly coming back with a different scenario.

                               

                              in the beginning I asked what you want to do from a SSO point of view and you mentioned you don't want to view the reports, now you mentioned you want to do SSO from the portal to BOE and then use SNC to view reports for BW or ERP.

                               

                              if you want to use from the portal the BOE server to view reports against BW then there is no need for SNC.

                               

                              perhaps you can describe the user workflows that you want to cover and what their entry points for authentication are and then we can go from there.

                               

                              Ingo

                              • Re: Portal - BO SSO
                                Landry Renaud-Pierre

                                Hi,

                                 

                                The scenario is always the same. I just try to divide it in pieces so I get answers but don't get me wrong, all users will want to view reports.

                                 

                                My big question mark is still the SSO between Portal and BOE knowing the fact that all users are in AD but not all users are in ECC or BW. The secSAPR3 authentication does not work for me.

                                 

                                -> All users will access reports or infoView through portal

                                -> All users will want to see reports

                                -> All users are created in AD

                                -> I am not clear on what SNC does

                                -> We have scenarios where users exist in SAP and scenarios where user does not exist in SAP. (If you don't exist in SAP, you don't have access in BOE to see reports that require SAP)

                                 

                                -> Some reports will need data from ECC/BW and some will not although that should not have any impact on how we set SSO between portal and BOE.

                                 

                                I deeply need to be able to put in place a scenario where, even if I do not exist in ECC or BW, I can still get SSO from Portal to BOE to view a report. The sample one we discussed earlier is a good example. If you know a way to do that, I would greatly appreciate that you point me to the set-up steps on the BOE server. If you can point me to steps in order to set-up SSO between portal and that sample report, everything else will be simple after that.

                                 

                                Regards,

                                Renaud

                                • Re: Portal - BO SSO
                                  Ingo Hilgefort

                                  Hi,

                                   

                                  ok - so now we have the picture.

                                  > My big question mark is still the SSO between Portal and BOE knowing the fact that all users are in AD but not all users are in ECC or BW. The secSAPR3 authentication does not work for me.


                                   

                                  - SSO from the portal to the BOE system can be done with the SAP authentication

                                  - you also want to have the Windows AD in there >> which then means that we need to somehow consolidate the users >> which leads us to using SNC.

                                   

                                   

                                  -> All users will access reports or infoView through portal

                                   

                                  >> ok - so we are still sticking to SNC with Windows AD as the leading authentication

                                   

                                  -> All users will want to see reports

                                   

                                  >> Yes - possible with the above constellation - exception see later on

                                   

                                  -> All users are created in AD

                                   

                                  >> ok

                                  -> I am not clear on what SNC does

                                  >> it allows you to consolidate several authentication options and create a single entry for the user. think about you logon to your desktop and have a certificate that grants you entry to all the systems.

                                   

                                  -> We have scenarios where users exist in SAP and scenarios where user does not exist in SAP. (If you don't exist in SAP, you don't have access in BOE to see reports that require SAP)

                                   

                                  >> that's where it becomes tricky.

                                   

                                  >> You have Windows AD users with no SAP account >> so they won't be able to see the SAP reports - at least not with the capability to refresh them on-demand against the SAP system. they could get access to reports that have been scheduled.

                                   

                                  ingo

                                  • Re: Portal - BO SSO
                                    Landry Renaud-Pierre

                                    Hi,

                                     

                                    Thanks for the clarifications.

                                     

                                    > - SSO from the portal to the BOE system can be done with the SAP authentication

                                     

                                    That cannot work for us. What are the possible ways to do SSO from portal to BOE. Is it the only one?

                                     

                                    > - you also want to have the Windows AD in there >> which then means that we need to somehow consolidate the users >> which leads us to using SNC.

                                    > >> ok - so we still sticking to SNC with Windows AD as the leading authentication

                                     

                                    In a scenario where Windows AD is the leading authentication, is the BOE server reading the SSO ticket from the portal or does it do single sign-on with the AD account you logged on to your PC with?

                                     

                                    -> If it does single sign-on with your PC, it is not SSO between Portal and BOE. What would happen if user A logs to the PC and user B logs to the portal... User B would get the reports from user A in his portal, right?

                                     

                                    -> If it reads the ticket from the portal, this is the solution I am deeply trying to put in place.  How????

                                     

                                    Regards,

                                    Renaud

                                    • Re: Portal - BO SSO
                                      Ingo Hilgefort

                                      Hi,

                                      why does the SAP authentication not work for you ? Without that you won't get ANY SSO to the reports.

                                       

                                      you will need that for SNC as well

                                       

                                       

                                      I mentioned already several times that just reading the portal ticket means SAP authentication on the BOE server but you keep changing the story.

                                       

                                       

                                      Simple question : what is the SINGLE ENTRY POINT for the Authentication of the user ?

                                       

                                      Is it the portal ? or is it the PC with the Windows AD credentials ? or is it InfoView ?

                                       

                                       

                                       

                                       

                                       

                                       

                                      ingo

                                       

                                      Edited by: Ingo Hilgefort on May 29, 2009 12:42 PM

                                       

                                      Edited by: Ingo Hilgefort on May 29, 2009 12:43 PM

                                      • Re: Portal - BO SSO
                                        Landry Renaud-Pierre

                                        Ingo,

                                         

                                        The single entry point is the portal. All users exist in AD and Portal's authentication source is AD.

                                         

                                        SAP Authentication (SAPsecR3) implies that the user must exist in ECC or BI, right? In our case it is not always true. Are you saying that it means that we cannot have SSO if the user does not exist in ECC or BI?

                                         

                                        Renaud

                                         

                                        Edited by: Landry Renaud-Pierre on May 29, 2009 10:30 PM

                                        • Re: Portal - BO SSO
                                          Ingo Hilgefort

                                          Hi,

                                           

                                          so you are using the portal but the authentication is done with Windows AD to the portal.

                                           

                                          that gives you two options:

                                          - using the SAP authentication with SNC

                                          - using the SAP authentication without SNC

                                           

                                          correct : SAP authentication assumes the user is in SAP.

                                           

                                          which makes sense because to run a report on top of a SAP system you are required to have an SAP account - how else do you want to logon to the system ?

                                           

                                           

                                          Ingo

                                          • Re: Portal - BO SSO
                                            Landry Renaud-Pierre

                                            Hi,

                                             

                                            ok but it means that (with a portal that is authenticated on AD) there is no way for a non-ECC/BI user to get access to view reports with SSO (between the report and the portal). Isn't that right? Let's say this report does not need ECC/BI data.

                                            • Re: Portal - BO SSO
                                              Ingo Hilgefort

                                              that depends on the authentication you configure in the portal. pretty sure you could configure the portal to a) use Windows AD but also b) hand over the Windows AD to the BOE server.

                                               

                                              SSO down to the actual source is then something that needs to be configured on the BOE server.

                                               

                                              Perhaps Siteminder is a solution.

                                               

                                              Ingo

                                              • Re: Portal - BO SSO
                                                Landry Renaud-Pierre

                                                Hi,

                                                 

                                                In fact, portal uses LDAP authentication to connect to AD.

                                                 

                                                Saying that there is no way for BOE to read the portal ticket without having a user created in ECC/BI means that there is no SSO mechanism between portal and BO. Most of our BO reports will not have SAP as datasource and most of our users will not have an SAP account.

                                                 

                                                > pretty sure you could configure the portal to a) use Windows AD but also b) hand over the Windows AD to the BOE server.

                                                 

                                                Any idea how to do b) ?

                                                 

                                                Regards,

                                                Renaud

                                                • Re: Portal - BO SSO
                                                  Ingo Hilgefort

                                                  Hi,

                                                   

                                                  I would suggest you get in touch with either field services for the portal or with field services for the BOE side and put all the scenarios you want to cover "on the table".

                                                   

                                                  I have heard at least several scenarios now :

                                                   

                                                  - User comes with Windows AD to the portal

                                                  - user needs access to SAP based reports

                                                  - user needs access to non-SAP based reports

                                                  - users might have a SAP account - might not

                                                  - LDAP is mentioned now as well as being used by the portal

                                                   

                                                   

                                                  it doesn't make sense to focus on one area and then look at the next for user authentication. all the scenarios need to be looked at and then looking at the options that are out there to consolidate and authenticate the user.

                                                   

                                                   

                                                  > Saying that there is no way for BOE to read the portal ticket without having a user created in ECC/BI means that there is no SSO mechanism between portal and BO

                                                   

                                                  >>> I did not say that. I said that if you want the BOE server to read the SAP ticket (and we were talking about accessing an SAP datasource so I assume we talk about MYSAPSSO2 tickets) then the BOE server needs the SAP authentication configured.

                                                   

                                                  pretty sure the portal is capable of handing over several authentication mechanisms .

                                                   

                                                   

                                                  Ingo

                                                • Re: Portal - BO SSO
                                                  Ingo Hilgefort

                                                  Hi,

                                                  is it a MUST HAVE that your Windows AD users are coming to the BOE server via the portal ?

                                                   

                                                  What about :

                                                   

                                                  - Windows AD user enters BOE via InfoView

                                                  - SAP user enters BOE via Portal

                                                   

                                                   

                                                  Ingo

                                                  • Re: Portal - BO SSO
                                                    Landry Renaud-Pierre

                                                    Hi,

                                                     

                                                    Sadly, it is a must have. In fact the most important scenario is the one I was sharing with you earlier in that thread. If we could make at least that one work, it would be great.

                                                     

                                                    User created in AD but not existing in any SAP System that requires access to a BO report (that has a non-sap datasource) through EP using SSO. (Don't forget that both BO and EP are being authenticated on the same AD). Any idea on how to set it up?

                                                     

                                                    I see BO supplies a kit to SSO with WebSphere and Sharepoint. If it is the case, there must be something with EP... Is there a Business Object specific forum?

                                                     

                                                    Regards,

                                                    Renaud

                                                    • Re: Portal - BO SSO
                                                      Ingo Hilgefort

                                                      Hi,

                                                       

                                                      it has nothing to do with the Portal integrations for WebSphere or Sharepoint or the SAP portal - it comes down to authentication.

                                                       

                                                      the BOE Server is capable of handling Windows AD as authentication. You need to look at options to configure the Enterprise Portal to a) accept Windows AD and b) pass on Windows AD to other applications

                                                       

                                                       

                                                      Ingo

  • Re: Portal - BO SSO
    Landry Renaud-Pierre

    ok I guess it will never get resolved.

    • Re: Portal - BO SSO
      Ramesh Krishnan

      Hai Renu

       

      Did you find a solution for your situation? I am having a similar situation; if you could share the solution you finalized, that would help.

       

      cheers

      Ramesh

      my gmail id is mkr1975

    • Re: Portal - BO SSO
      Ingo Hilgefort

      Hi Landry,

       

      the documentation on how to integrate with the portal is part of the documentation for the SAP Integration Kit and BusinessObjects Enterprise.

       

      The documentation for authentication is also in those two areas.

       

      all documentation is available on help.sap.com

       

      Ingo

      • Re: Portal - BO SSO
        Tanner Spaulding

        Ingo,

         

        The issue is that the documentation for the SAP Integration Kit only covers the integration scenario with SAP EP where you utilize the EP user to login to the portal, and this in turn passes through to BOE using SAP authentication.  It does not cover a scenario where you use Windows AD authentication to SAP EP and pass that to BOE.

         

        I am working with a customer on this right now.  Will update once we get it figured out. 

         

        Tanner

        • Re: Portal - BO SSO
          Ingo Hilgefort

          Hi,

           

          it actually does in case you want to use SNC - that is covered in the SAP Integration Kit

           

          In case you want to use standard Windows AD with BusinessObjects Enterprise you can find all the details in the BOE documentation as it is relevant not only for SAP based solutions.

           

          Ingo
