Hello - I am looking for some help with setting up SSO on BI 4.0 using SiteMinder with Windows AD. We have already done the Kerberos/Vintela set up and that works well but due to some security/network issues we've been facing, the SSO using Kerberos/Vintela isn't working right on our Juniper VPN. So we were told by our NetSec guys to try the NTLM option, which I guess is not available for BI 4.0 running Tomcat.
So our option now is to go the SiteMinder route. We already have a SM Policy Server here that is used for SSO to a lot of other apps. What would be required to configure BI 4.0 to use it? The 4.0 admin guide is a joke when it comes to details. Do we need to install the SM agent on the BO server running Tomcat? If so, it looks like there is no SM agent support for Tomcat. Then do we need IIS/Apache web server in front of our Tomcat App Server?
What are our options and is there any white paper or guide written for this specific configuration?
Here's our environment:
BI 4.0 SP02
Windows 2008 R2
Windows AD authentication
Business Objects Enterprise needs to use the SMSESSION cookie to complete the single sign-on, and only the SiteMinder Web Agent can generate the SMSESSION cookie.
If Business Objects Enterprise is running on Tomcat you cannot use SiteMinder's Application Server Agent. In this case, you need an HTTP server that works with the application server (and that is supported by SiteMinder), so you can install the Web Agent on the HTTP server.
Varun - we have manual Windows AD configured and working alright. Right now we also have Kerberos/Vintela SSO configuration for Tomcat and that works too. But we want to get rid of Vintela and use SiteMinder instead.
I have an IIS instance on a separate server that is running with the SM agent configuration to generate the SMSESSION. When the IIS proxy redirects to Tomcat InfoView, I expect the SMSESSION to be passed and authenticated against the BO configuration for SM, which I already did on the "Windows AD" auth plugin in the CMC as per the admin guide.
I am getting this error now, and I don't know why it's looking for secLDAP even though I am using secWindAD.
Account Information Not Recognized: The secLDAP security plugin is not enabled. Contact your system administrator for details. (FWB 00002)
I understand that this post is quite old now, but I thought about sharing my experience.
I have set up Apache 2.2.22 with the OpenSSO web agent (works the same as the SiteMinder web agent) and have set up a bridge between Apache and Tomcat using mod_jk. Besides this, I have also split the static and dynamic content between these two. Works quite fast. To separate the content and set up mod_jk, look for the SAP guide "Improving the User Experience in SAP BI Platform 4.0 with Apache and WDeploy".
Ask your company's SiteMinder guys to set up the web agent to populate an HTTP header with the ID of the user who gets authenticated. I think it's SM_USER for SiteMinder by default. Then, set up Trusted Authentication on Tomcat/CMC using the steps mentioned in the BO BI 4.0 Admin guide.
Hope this helps.
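The Apache-in-front-of-Tomcat layout described in the two replies above (web agent on the HTTP server generating SMSESSION, mod_jk bridging to Tomcat, user ID handed over in an SM_USER header), as an added httpd.conf example. This is not configuration from the original posts, from SAP or from the agent vendor; the worker name, file paths, port and the /BOE context path are assumptions, and the web agent's own LoadModule and policy directives are left as a placeholder because they depend on the agent product.

```apache
# httpd.conf fragment (Apache 2.2 syntax) - added example, paths/names are assumptions

# mod_jk: bridge to Tomcat over AJP (worker defined in workers.properties, below)
LoadModule jk_module modules/mod_jk.so
JkWorkersFile conf/workers.properties
JkLogFile     logs/mod_jk.log
JkLogLevel    info

# --- SSO web agent ---
# The SiteMinder/OpenSSO web agent module is loaded and configured here using
# the directives from the agent vendor's documentation (placeholder, not shown).
# It is the only component that creates the SMSESSION cookie and that sets the
# SM_USER request header for authenticated users.

# Never trust an SM_USER header supplied by the client. "early" runs in the
# post-read-request phase, before the agent module runs, so the agent's own
# value is the only one Tomcat ever sees (assumption: the agent sets the
# header in a later phase; check your agent's documentation).
RequestHeader unset SM_USER early

# Forward only the BI web application to Tomcat; everything else stays on Apache.
JkMount /BOE/* boe_worker

# Static content split out with WDeploy is served by Apache itself, so it never
# reaches Tomcat (patterns and path are examples; WDeploy writes the real ones).
JkUnMount /BOE/*.gif boe_worker
JkUnMount /BOE/*.png boe_worker
JkUnMount /BOE/*.css boe_worker
JkUnMount /BOE/*.js  boe_worker
Alias /BOE /opt/sap/wdeploy/static/BOE
<Directory /opt/sap/wdeploy/static/BOE>
    Order allow,deny
    Allow from all
</Directory>

# --- conf/workers.properties (separate file, shown here as comments) ---
# worker.list=boe_worker
# worker.boe_worker.type=ajp13
# worker.boe_worker.host=127.0.0.1
# worker.boe_worker.port=8009
```

The header-stripping line is the security-relevant part: once BOE is told to trust SM_USER, anyone who can reach Tomcat without passing through the agent can claim to be any user simply by sending that header. So on the Tomcat side bind the AJP connector in server.xml to 127.0.0.1 (or the Apache host's address only), and disable or firewall the direct HTTP connector on 8080, so that the only route into /BOE is through Apache and the agent. Then configure Trusted Authentication to read the user from the SM_USER header following the BI 4.0 Admin guide steps the reply above refers to.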
Just noticed the post. The issue sounds like you don't have the setspn defined for the Juniper appliance.
I've run BO 5, 6.5, XIR2, 3.0, 3.1 and some testing with 4.0 with Juniper for clustered environments in AIX, Windows, and Red Hat environments, and it works just fine.
The primary issue when this occurs is the definition of your setspn commands. Other than the base configurations you mentioned, I am not sure of other possible hindrances, but I can assure you that it works. One issue that was prevalent with the Juniper system I worked on was the Layer 7 response system; however, it was an issue relating to the network appliance configuration.
Whether you're in different subnets, VLANs, or subdomains is another issue, and you will run into the same issues whether it is SiteMinder, LDAP, or SAP.