
How to set-up Information Steward for SSO based on SAP authentication?

MarcusZwirner
Product and Topic Expert

Hi experts,

I’m currently involved in a project where Information Steward is implemented.

One requirement is Single-Sign-On (SSO) for Information Steward based on SAP authentication.

What we did so far:

1. We configured the SAP authentication in the CMC:

a. We defined and connected to the SAP entitlement system

b. We defined that system as the default system and enabled SAP authentication

c. We imported all roles from the SAP system

d. We scheduled the user update (updating roles and aliases on a daily basis)

e. We generated a keystore file, exported the public key certificate and imported the certificate file to the SAP system

f. We also set up single sign-on to the SAP database in the CMC

g. And we added the Security Token Service to the Adaptive Processing Server and the EIM Adaptive Processing Server

2. We managed Users in the CMC:

a. We added one of the imported aliases to the group Data Insight Administrator

b. The user was able to log on to Information Steward with his SAP credentials

3. Then we configured Tomcat for SSO:

a. We copied the global.properties and ICCExplorer.properties files from D:\SAP BusinessObjects\tomcat\webapps\BOE\WEB-INF\config\default to D:\SAP BusinessObjects\tomcat\webapps\BOE\WEB-INF\config\custom

b. We changed / added the following settings (in the custom folder):

i. global.properties file

1. trusted.auth.user.namespace.enabled=false

2. trusted.auth.user.param=iv-user

3. trusted.auth.user.retrieval=HTTP_HEADER

4. sso.types.and.order=sapSSO

5. sso.enabled=true

ii. ICCExplorer.properties file

1. disable.locale.preference=true

2. authentication.default=secSAPR3

3. cms.default=:6400

c. Afterwards we rebooted the whole server

Finally I (as an external user without an SAP user in the entitlement system defined above, but with a CMC user with Enterprise authentication) am able to automatically log in to Information Steward (I just enter the URL for IS in the browser and I'm automatically logged in to IS).

But the internal user (the one who successfully tested the logon to IS with his SAP credentials as mentioned above) gets an error message whenever he wants to start IS (see attached screenshot for the displayed error).

In the InformationSteward.Explorer.log file (under D:\SAP BusinessObjects\SAP BusinessObjects Enterprise XI 4.0\logging ) we can see the following error messages:

[E] 2015-10-12 09:26:57.548 [Administrator][http-bio-8080-exec-3] Uncaught exception: Enterprise authentication could not log you on. Please make sure your logon information is correct. (FWB 00008)

[E] 2015-10-12 09:26:57.548 [Administrator][http-bio-8080-exec-3] Enterprise authentication could not log you on. Please make sure your logon information is correct. (FWB 00008)

[E] 2015-10-12 09:26:57.548 [Administrator][http-bio-8080-exec-3] com.crystaldecisions.sdk.exception.SDKServerException: Enterprise authentication could not log you on. Please make sure your logon information is correct. (FWB 00008)

To me it seems as if Enterprise authentication is still used even though we defined SAP authentication as the default (“authentication.default=secSAPR3” in the ICCExplorer.properties file).

What did we miss? Or what did we do wrong?

Thanks in advance for your support.

Best regards

Marcus

Accepted Solutions (1)


MarcusZwirner
Product and Topic Expert

The issue is solved.

In addition to the settings mentioned above the following settings are required as well:

  • global.properties  
    • trusted.auth.user.namespace.enabled=true
  • ICCExplorer.properties  
    • logontoken.enabled=false

Changing those settings and restarting Tomcat results in a successful SSO with SAP authentication.

Best regards

Marcus
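
An added example, not part of the original thread: a small Python check that compares the text of the custom global.properties and ICCExplorer.properties files with the settings from the question plus the two changes from the accepted answer. The function names and sample file contents are constructed for illustration; cms.default is not checked because its host is not shown in the thread.

```python
EXPECTED = {
    "global.properties": {
        "sso.enabled": "true",
        "sso.types.and.order": "sapSSO",
        "trusted.auth.user.param": "iv-user",
        "trusted.auth.user.retrieval": "HTTP_HEADER",
        "trusted.auth.user.namespace.enabled": "true",  # accepted answer; was false
    },
    "ICCExplorer.properties": {
        "disable.locale.preference": "true",
        "authentication.default": "secSAPR3",
        "logontoken.enabled": "false",  # accepted answer; not listed in the question
    },
}

def parse_properties(text):
    """Parse simple key=value lines; skip blanks and #/! comments; last value wins."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!" or "=" not in line:
            continue
        key, value = line.split("=", 1)
        props[key.strip()] = value.strip()
    return props

def check(file_name, text):
    """Return (key, expected, found) for each setting that deviates."""
    found = parse_properties(text)
    return [(k, want, found.get(k)) for k, want in EXPECTED[file_name].items()
            if found.get(k) != want]

# Constructed samples: the custom files as described in the question (before the fix).
SAMPLE_GLOBAL = """\
trusted.auth.user.namespace.enabled=false
trusted.auth.user.param=iv-user
trusted.auth.user.retrieval=HTTP_HEADER
sso.types.and.order=sapSSO
sso.enabled=true
"""
SAMPLE_ICC = """\
disable.locale.preference=true
authentication.default=secSAPR3
cms.default=:6400
"""

if __name__ == "__main__":
    for name, text in (("global.properties", SAMPLE_GLOBAL), ("ICCExplorer.properties", SAMPLE_ICC)):
        for key, want, got in check(name, text):
            print(f"{name}: {key} is {got!r}, expected {want!r}")
```

Run against the question's configuration, it reports exactly the two settings the accepted answer changes.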
