SiteMinder/Tomcat/AD SSO for BI 4.0 on Windows

Former Member · ‎05-15-2012

Hello - I am looking for some help with setting up SSO on BI 4.0 using SiteMinder with Windows AD. We have already done the Kerberos/Vintela set up and that works well but due to some security/network issues we've been facing, the SSO using Kerberos/Vintela isn't working right on our Juniper VPN. So we were told by our NetSec guys to try the NTLM option, which I guess is not available for BI 4.0 running Tomcat.

So our option now is to go the SiteMinder route. We already have a SM Policy Server here that is used for SSO to a lot of other apps. What would be required to configure BI 4.0 to use it? The 4.0 admin guide is a joke when it comes to details. Do we need to install the SM agent on on the BO server running Tomcat? If so, it looks like there is no SM agent support for Tomcat. Then do we need IIS/Apache web server in front of our Tomcat App Server?

What are our options and is there any white paper or guide written for this specific configuration?

Here's our environment:

BI 4.0 SP02

Windows 2008 R2

Tomcat 6

Windows AD authentication

Thanks!

Former Member · ‎10-04-2012

Just noticed the post. The issue sounds like you don't have the setspn defined for the Juniper appliance.

I've ran BO 5, 6.5, XIR2, 3.0, 3.1 and some testing with 4.0 with Juniper for clustered environments in AIX, Windows, and Redhat environments, and it works just fine.

The primary issue when this occurs, is the definition of your setspn commands. Other than the base configurations you mentioned, I am not sure of other possible hinderances, but I can assure that it works. One issue that was prevelant with the Juniper system I worked on was the Layer 7 response system; however, it was an issue relating to the network appliance configuration.

Whether your in different subnets, vlan, or subdomain is another issue, and you will run into the same issues whether it is siteminder, ldap, or sap.

Dennis

Former Member · ‎09-05-2012

I understand that this post is quite old now but, thought about sharing my experience.

I have setup Apache 2.2.22 with OpenSSO web agent (works same as Siteminder web agent) and have setup a bridge between Apache and Tomcat using mod_jk. Besides this, I have also split the static and dynamic content between these two. Works quite fast. To separate the content and setup mod_jk, look for the SAP guide "Improving the User Experience in SAP BI Platform 4.0 with Apache and WDeploy".

Ask your company's Siteminder guys to setup the web agent to populate an HTTP header with the ID of the user who gets authenticated. I think it's SM_USER for siteminder by default. Then, setup Trusted Authentication on Tomcat/CMC using the steps mentioned in BO BI 4.0 Admin guide.

Hope this helps.

Manish

Former Member · ‎05-23-2012

Anyone who has done SiteMinder SSO with Windows AD/Keberos for BI 4.0 yet? I can definitely use some help!

Former Member · ‎05-17-2012

Hello,

Business Objects Enterprise needs to use SMESSION cookie to complete the Single sign-on and only the siteminder Web Agent can generate the SMSESSION cookie.

If Business Objects Enterprise is running on Tomcat you can not use the Siteminder's Application Server Agent. In this case, you need an HTTP server that works with the application server (and that is supported by Siteminder), so you can install the Web Agent on the HTTP server.

Cheers,

Vikram.V

SiteMinder/Tomcat/AD SSO for BI 4.0 on Windows

Accepted Solutions (0)

Answers (4)

Answers (4)

Re: Failed to commit objects to server : Undefined...

BTP Free Tier SAP Integration Suite (CPI) Cloud Fo...

Re: Filter on multiple criteria

Crystal Reports text clipping issue. PDF created b...

Re: Crystal Reports