
Integrate BI Enterprise authentication with SAP BW with SSO

Former Member
0 Kudos

We have an existing BW 7.31 on HANA and are planning a BI 4.1 deployment on top of that using the BICS interface, since we have made a lot of investment in BEX queries already (currently running on Enterprise Portal).

I have done some reading on SCN/Notes/KB etc. and have a few questions.

Our BOE environment is a shared platform, with various backends. We are trying to get onto it with our BW backend. The BI platform is using Enterprise Authentication, so the users log in with corporate email address/password on BI.

Our SAP BW environment runs with employee ID access.

Now,

  • If I enable SAP authentication between BI and BW, I will get prompted twice to login. Am I right? Once for email to login to BI and once for employee ID access into BW.
  • From what I had read, this can be avoided by establishing a certificate trust using STS and performing an ‘SAML’ mapping between the BI employee IDs and BW employee IDs. And this needs to be done for each individual user.
    • But we have more than 7500 users; we need to map existing users
    • Map new users as they get created

How do we accomplish this? Are there recommended ways to automate these processes?

Please let me know if you need additional detail.

Accepted Solutions (1)


Former Member
0 Kudos

We had this resolved now and wanted to post what we had to do to get this working for the benefit of some of you...

1/ Make sure that STS exists on all the Adaptive Processing Servers on the BOE platform

2/ While setting up STS, on the BW side, we had to give client as 000, the system client

3/ The BW system needs to be included in the /etc/hosts file on the BO server side as follows

     sapms<BW SYSTEM ID>     <port#>3600/tcp (port# in our case was 3600 or 3601)

Not sure how mandatory the following are, but we did it anyway as per SAP's recommendations

1/ The communication user for BO-BW link should have a password with no special characters. It can only be alphanumeric

2/ While creating the certificate on BO side, the BO server should be in uppercase

3/ The alias used in creating the certificate should be uppercase


A restart of the BOE instance was recommended to clear out any caching of the passwords or user lockouts.

Regards

Raju

Answers (1)


IngoH
Active Contributor
0 Kudos

Hello Raju,

you should integrate the SAP and Enterprise Authentication by using Aliases on the BOE Server. The mapping doesn't have to be done manually assuming the user names are the same.

You could also use scripting for this.

regards

Ingo Hilgefort, Visual BI

Former Member
0 Kudos

Hi Ingo

I was delighted to see your response. Many thanks. But I have more questions now.

Actually that's the biggest issue. The user IDs on BOE are corporate email addresses; those on SAP BW are employee IDs. Can you recommend the best option in this scenario?

If I use SAP authentication, how does it actually work?

I am in the process of creating a generic user on the BW environment as per the recommendation in the admin guide for SAP authentication. Does this achieve SSO? If yes, how exactly does this work?

Any help would be greatly appreciated.

Regards

Raju

IngoH
Active Contributor
0 Kudos

Hi Raju,

SAP authentication would mean to import the SAP roles into the SAP BusinessObjects Server and then users are able to authenticate with their SAP credentials.

Not sure what you are referring to with a generic user, but that would mean that you won't have things like data level security and I would be very much surprised if that is recommended anywhere.

You would setup your users in the SAP system and then import those users to the BI Server and people would logon with the SAP Authentication.

regards

Ingo Hilgefort, Visual BI

carlos_weffer
Participant
0 Kudos

Hi Raju

SAP Authentication is required only by users that need access to reports sourcing data from SAP BW via BICS.

Other users can keep using BO Enterprise Authentication.

Users can select their authentication method at login time.

Regards

Carlos Weffer

Former Member
0 Kudos

Ingo, Carlos...many thanks for the replies.

Hi Ingo

The generic role/user that I was mentioning is the CRYSTAL_ENTITLEMENT role and user described in BO 4.1 SP6 admin guide section 9.5.2.

I thought it was a requirement to have this for setting up SAP Authentication and SSO. I understand your point on data security. Please help me understand the purpose of this user.

Now, to you both...

Please allow me to share little more detail on our setup...

Our BOE is a shared platform hosting about 100 applications. We are their first SAP tenant. Also with is, they have the added complexity of user IDs not matching.

BOE platform is setup with Enterprise SSO with Siteminder Auth. So when the user opens the BI Launchpad URL it prompts for the corporate digital badge (basically built upon email and pwd) and the user sees no more login prompts at all.

Now as we come up with SAP BW, I am trying to understand how it works.

1/ SAP Authentication: I realize that the SAP BW roles and hence the users are imported into BO. But how do we set up SSO in this option in such a way that,

- the users can login to BI launchpad using digital badge with Siteminder authentication and

- they get prompted for BW credentials when they click on a report created with our BICS connection? Is it possible ?

2/ If we do not go for SAP Authentication or if the above is not possible, then, is there any option to perform a mapping at a USER GROUP level (rather than at a USER level), indicating which BO groups are mapped to which BW imported roles? I have heard that Win AD with Kerberos accompanied with STS may provide such an alternative. Can you please help throw some light on this?

As always, any help or POINTERS will be of immense help.

Regards

Raju

IngoH
Active Contributor
0 Kudos

Hello Raju,

in case you are talking about the user for the Entitlement System - yes that is a generic user but that's a user that your actual users will never see. The user will only be used for communication between the systems.

In regards to your scenario:

The BI platform has a concept of user aliases and a user could potentially logon with USERA in Enterprise Authentication but have USERB for SAP authentication setup as a user alias.

In general you will have to get the SAP authentication setup as otherwise you would not have the data level security towards the BW system.

I would suggest you sit down with the folks that have configured the Siteminder part and explain the issue as I am sure they already have solved a similar scenario

regards

Ingo Hilgefort, Visual BI

Former Member
0 Kudos

Hi Ingo

One more question, if I may...you had mentioned in one of your replies the following:

>>you should integrate the SAP and Enterprise Authentication by using Aliases on the BOE Server. The >>mapping doesn't have to be done manually assuming the user names are the same.

>>>You could also use scripting for this.

As I had mentioned, in our case, the BO IDs and BW IDs are not the same. Can we still use scripting to perform a "Mass Alias Assign"? If yes, can you please let me know the pointers to such scripting?

Regards

Raju

IngoH
Active Contributor
0 Kudos

Hello Raju,

that is why I suggested it. The scripting would follow the standard BI Platform SDKs and there are different options - Java SDK, Rest API, ...

regards

Ingo

Former Member
0 Kudos

Hello Ingo

Thanks.

Couple of questions.

I went thru your blog from a long time ago (2008) ... a step by step process to setup SAP authentication. There you had mentioned a user and password (of entitlement user). The options screen has a checkbox for AUTOMATICALLY IMPORT USERS. But the current version does not. And when I configured the entitlement role exactly as in the admin manual and specified it in SAP Authentication, I was expecting to import the role and all the users (1000s of them) into BO. But when I specified a role for import, I could not see a single user being imported. What may I be missing?

Secondly, once I am able to import users, then the question of assigning aliases arises. The scripts that you were mentioning above...are there any samples out there that I can use to assign aliases in bulk? Maybe using an Excel file or something?

Regards

Raju

IngoH
Active Contributor
0 Kudos

Hello Raju,

when you import the groups, the users will get imported - at the latest on their first logon.

As mentioned before the aliases will happen automatically assuming the user name is identical - otherwise it will have to be done manually or via scripting.

You can find the manual process also in the Admin Guide.

regards

Ingo Hilgefort, Visual BI
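
Added example (not from any poster in this thread and not SAP code): a pre-flight check for the bulk alias mapping discussed above, run on the mapping file before any SDK script assigns aliases. Because the alias decides which BW user's data-level security a login inherits, it rejects ambiguous rows and only plans rows not yet assigned. The CSV columns, sample rows and the function name `plan_alias_mapping` are assumptions made for illustration.

```python
import csv
import io

# Constructed sample: enterprise login (corporate email) -> BW employee ID.
SAMPLE_CSV = """email,employee_id
alice@example.com,10001
bob@example.com,10002
Alice@Example.com,10003
carol@example.com,10002
dave@example.com,
erin@example.com,10005
frank@example.com,10006
grace@example.com,10007
"""

# Constructed record of aliases already assigned in an earlier run.
ALREADY_ASSIGNED = {"erin@example.com": "10009", "grace@example.com": "10007"}


def plan_alias_mapping(csv_text, assigned):
    """Split the mapping into rows safe to assign and rows needing review."""
    rows = [(r["email"].strip().lower(), r["employee_id"].strip().upper())
            for r in csv.DictReader(io.StringIO(csv_text))]
    emails, ids = {}, {}
    for email, emp in rows:
        emails[email] = emails.get(email, 0) + 1
        if emp:
            ids[emp] = ids.get(emp, 0) + 1
    to_assign, rejected = [], []
    for email, emp in rows:
        if not email or not emp:
            rejected.append((email, emp, "missing field"))
        elif emails[email] > 1:
            rejected.append((email, emp, "enterprise ID listed more than once"))
        elif ids[emp] > 1:
            # Two logins sharing one BW user would share its data authorizations.
            rejected.append((email, emp, "BW ID mapped to several enterprise IDs"))
        elif email in assigned and assigned[email] != emp:
            rejected.append((email, emp, "differs from alias already assigned"))
        elif email not in assigned:
            to_assign.append((email, emp))  # new user: safe to hand to the alias script
    return to_assign, rejected


if __name__ == "__main__":
    ok, bad = plan_alias_mapping(SAMPLE_CSV, ALREADY_ASSIGNED)
    for row in ok:
        print("assign", row)
    for row in bad:
        print("review", row)
```

Running it again after new users are added to the file only plans the rows that are not in the already-assigned record, which covers the "map new users as they get created" case.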