In this blog we describe all the steps that need to be performed to configure SAML authentication for the BOBJ 4.3 SP03 BI Launchpad URL.
This blog series also covers the
BOBJ to S4HANA SSO (STS) and
BOBJ to HANA (SAML2) configurations; together, these steps let business users access BOBJ reports (S4HANA/HANA) without separate logins to the backend systems.
Environment details:
- SAP BusinessObjects 4.3 SP03 (Service Provider)
- Operating system: SUSE Linux
- Identity Provider: Microsoft Azure (Azure AD)
Overall summary of the configuration steps involved in this blog series:
- Part # 1: Configure SAML2 authentication for the SAP BOBJ 4.3 Tomcat Launchpad URL.
- Part # 2: SSO configuration from BOBJ to S4HANA (STS)
- Part # 3: SSO configuration from BOBJ to HANA (SAML2)
Please see the blog below for the HANA (SAML2) configuration.
https://blogs.sap.com/2023/08/23/how-to-configure-single-sign-on-saml2-with-hana-using-saml2-and-sap...
Note: this blog only covers Part # 1, Configure SAML2 authentication for the SAP BOBJ 4.3 Tomcat Launchpad URL.
The Part # 2 and
Part # 3 configurations are shared in other blogs.
The following architecture diagram shows the BOBJ authentication procedure.
With the standard BOBJ authentication mechanism, users access the BOBJ launchpad through Enterprise or SAP authentication.
Once SAML2 is configured for the BOBJ launchpad, users can access it with their AD logins, with no need to enter a separate login.
PART # 1 Configure SAML Authentication for BOBJ BI Launchpad.
Service Provider: SAP BOBJ 4.3 SP03
Identity Provider: any identity provider that supports the SAML 2.0 standard (such as AD FS, Azure AD, Okta, PingFederate, and SAP Cloud Identity Provider)
The following prerequisites must be met before starting the SAML2 configuration.
- Trusted Authentication via QUERY_STRING should have been tested to confirm that there is a valid shared secret configured in the environment.
See KBA 1593628
- (RECOMMENDED) HTTPS protocol should be configured for Tomcat. There are some IDPs that may require it (Azure/ADFS for example). See KBA 1648573
- A user in BI with the same account name as the IDP user needs to be created or imported through some supported method. The account type in BI can be any authentication alias (secEnterprise, secLDAP, secWinAD, secSAPR3) as long as the account names match.
From BI 4.2 SP06, all the SAML related Jars are copied automatically during the BOE default installation with Tomcat application server.
However, this may still need to be done manually if you have a distributed environment or multiple Tomcat web applications.
- Navigate to the location containing the SAML libraries (Default location: <BOEInstallDir>\SAP BusinessObjects Enterprise XI 4.0\SAMLJARS)
- Copy all the JAR files to the BOE web application library directory (Default location: <BOEInstallDir>\tomcat\webapps\BOE\WEB-INF\lib)
- Restart Tomcat and wait for the Tomcat work directory to be populated
Configure Trusted Authentication with Web Session
VALIDATION STEP
It is strongly recommended that you ensure Trusted Authentication works with the QUERY_STRING method before moving forward. A common issue is that the trusted authentication shared secret is not configured correctly, which stops the SAML workflow from logging the IDP user in successfully.
See KBA 1593628 and do not proceed until QUERY_STRING Trusted Authentication is validated.
Once all the pre-steps are met, proceed with the configuration steps below.
- Modify the properties file under the custom folder (Default location: <BOEInstallDir>\tomcat\webapps\BOE\WEB-INF\config\custom).
Remove the query string parameters that were added in the pre-steps and add the parameters below:
sso.enabled=true
trusted.auth.user.retrieval=WEB_SESSION
trusted.auth.user.param=MyUser
Restart Tomcat for the changes to take effect
Enable the SAML Endpoints
SAML Authentication can be enabled for specific parts of the BOE web application (For example: BI Launchpad, OpenDocument, Fiori Launchpad).
1. Modify the securitycontext.xml file (Default Location: <BOEInstallDir>\tomcat\webapps\BOE\WEB-INF\) to enable the desired endpoints. Here we will enable OpenDocument.
NOTE: Depending on the BI version you are configuring, the endpoints configurations may differ. Base your configuration off the default settings of your securitycontext.xml file and not directly from this article.
Original:
<!-- Secured pages with SAML as entry point -->
<security:http entry-point-ref="samlEntryPoint" use-expressions="false">
<!-- Comment/Uncomment for Launchpad-->
<security:intercept-url pattern="/BI" access="IS_AUTHENTICATED_FULLY"/>
<!-- Uncomment for Opendocument-->
<!--<security:intercept-url pattern="/OpenDocument/**" access="IS_AUTHENTICATED_FULLY"/>-->
<!-- Uncomment for Fiori Launchpad-->
<!--<security:intercept-url pattern="/BILaunchpad" access="IS_AUTHENTICATED_FULLY"/>-->
<!-- Uncomment for CMC-->
<!--<security:intercept-url pattern="/CMC" access="IS_AUTHENTICATED_FULLY"/>-->
Modified (OpenDocument intercept-url uncommented):
<!-- Secured pages with SAML as entry point -->
<security:http entry-point-ref="samlEntryPoint" use-expressions="false">
<!-- Comment/Uncomment for Launchpad-->
<security:intercept-url pattern="/BI" access="IS_AUTHENTICATED_FULLY"/>
<!-- Uncomment for Opendocument-->
<security:intercept-url pattern="/OpenDocument/**" access="IS_AUTHENTICATED_FULLY"/>
<!-- Uncomment for Fiori Launchpad-->
<!--<security:intercept-url pattern="/BILaunchpad" access="IS_AUTHENTICATED_FULLY"/>-->
<!-- Uncomment for CMC-->
<!--<security:intercept-url pattern="/CMC" access="IS_AUTHENTICATED_FULLY"/>-->
2. The associated .properties file for each endpoint also needs to be updated to enable SAML. Add the following parameter to the BIlaunchpad.properties and OpenDocument.properties files in the custom folder (Default location: <BOEInstallDir>\tomcat\webapps\BOE\WEB-INF\config\custom):
saml.enabled=true
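As an added example (not from this blog or from SAP), here is a small Python check for the two properties changes above: it reads a Java .properties file and reports whether the Trusted Authentication keys and the saml.enabled flag are set as this section requires, flagging a QUERY_STRING retrieval value left over from the validation step. The file contents are constructed samples, and the assumption that the validation step set trusted.auth.user.retrieval=QUERY_STRING is mine.

```python
import re
from typing import Dict, List

# Java .properties line: key, optional = or : separator, value.
_LINE = re.compile(r"^([^=:\s]+)\s*[=:]?\s*(.*)$")
# Trusted Authentication settings this section expects in the custom properties file.
REQUIRED_TRUSTED_AUTH = {"sso.enabled": "true", "trusted.auth.user.retrieval": "WEB_SESSION"}

def parse_properties(text: str) -> Dict[str, str]:
    """Minimal Java .properties reader (# and ! comments, = or : separators)."""
    props: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        match = _LINE.match(line)
        if match:
            props[match.group(1)] = match.group(2).strip()
    return props

def check_trusted_auth(props: Dict[str, str]) -> List[str]:
    """Problems with the Trusted Authentication settings; an empty list means OK."""
    issues: List[str] = []
    for key, expected in REQUIRED_TRUSTED_AUTH.items():
        actual = props.get(key)
        if actual is None:
            issues.append(f"missing {key}={expected}")
        elif actual != expected:
            # A QUERY_STRING value left over from the validation step lands here.
            issues.append(f"{key} is {actual!r}, expected {expected!r}")
    if not props.get("trusted.auth.user.param"):
        issues.append("trusted.auth.user.param is not set")
    return issues

def check_endpoint(props: Dict[str, str]) -> List[str]:
    """BIlaunchpad.properties / OpenDocument.properties must carry saml.enabled=true."""
    return [] if props.get("saml.enabled") == "true" else ["missing saml.enabled=true"]

# Constructed samples: the file as the QUERY_STRING validation step leaves it
# (assumption: that step sets trusted.auth.user.retrieval=QUERY_STRING) and
# the file as it should look after this section.
BEFORE = "sso.enabled=true\ntrusted.auth.user.retrieval=QUERY_STRING\ntrusted.auth.user.param=MyUser\n"
AFTER = "sso.enabled=true\ntrusted.auth.user.retrieval=WEB_SESSION\ntrusted.auth.user.param=MyUser\n"

if __name__ == "__main__":
    print("before:", check_trusted_auth(parse_properties(BEFORE)))
    print("after:", check_trusted_auth(parse_properties(AFTER)))
    print("launchpad:", check_endpoint(parse_properties("saml.enabled=true\n")))
```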
Configure the Deployment Descriptor
A new filter was added for SAML that needs to be activated in the web.xml file.
Update IDP Metadata
- Obtain the IDP metadata from the IDP provider. It should be in .xml format.
- Copy the IDP metadata file to the BOE Web application (<BOEInstallDir>\tomcat\webapps\BOE\WEB-INF\)
- Rename the xml file to idp-meta-downloaded.xml.
Keystore / Certificate Generation
By default, a sample keystore is shipped with the BI Platform. However, the shipped certificate has an expiration date set, and its keystore and key passwords are the sample values visible in the default securitycontext.xml. It is recommended that you create a new keystore whose certificate uses SHA-256 signing.
- In a command console, navigate to the SAPJVM directory (Default Location: <BOEInstallDir>\SAP BusinessObjects Enterprise XI 4.0\win64_x64\sapjvm\bin)
- Run the following command to generate a new keystore containing a key pair and its self-signed certificate:
keytool -genkeypair -alias <aliasname> -keypass <Password> -keystore <keystore-filename.jks> -keyalg RSA -validity <numberofdays>
- Copy the generated .jks file from the /bin directory to the BOE web application (<BOEInstallDir>\tomcat\webapps\BOE\WEB-INF\)
- Modify securitycontext.xml to update the keystore information with the values used to generate the certificate.
Original:
<constructor-arg value="/WEB-INF/sampletestKeystore.jks"/>
<constructor-arg type="java.lang.String" value="Password1"/>
<constructor-arg>
<map>
<entry key="Testkey" value="Password1"/>
</map>
</constructor-arg>
<constructor-arg type="java.lang.String" value="Testkey"/>
</bean>
New Certificate:
<constructor-arg value="/WEB-INF/<keystore-filename.jks>"/>
<constructor-arg type="java.lang.String" value="<Password>"/>
<constructor-arg>
<map>
<entry key="<aliasname>" value="<Password>"/>
</map>
</constructor-arg>
<constructor-arg type="java.lang.String" value="<aliasname>"/>
</bean>
- Save the changes
- Restart Tomcat to apply all of the recent changes.
Generate SP metadata
- In a web browser, navigate to the metadata generator URL (default: https://<hostname>:<https_port>/BOE/saml/metadata)
Note: It is important to generate the metadata through the URL that your business users are expected to use. This will generate the metadata details to use those parameters. For example, if you access the metadata URL from http://localhost:8080, then the metadata will generate with those values.
- An XML file should appear (either in the browser, or as a download file request). Save this XML file.
- View and verify that the metadata contents generated correctly (using the desired hostname and port, instead of localhost details).
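As an added example (not part of this blog or of the BI Platform), a Python check for the saved SP metadata: it parses the XML and reports an entityID or AssertionConsumerService URL that is not https on the expected hostname (the localhost:8080 case described above) and a missing signing certificate. The hostname, port, endpoint path and certificate text in the sample are constructed placeholders.

```python
import xml.etree.ElementTree as ET
from typing import List
from urllib.parse import urlparse
MD = "urn:oasis:names:tc:SAML:2.0:metadata"
DS = "http://www.w3.org/2000/09/xmldsig#"

def check_sp_metadata(xml_text: str, expected_host: str) -> List[str]:
    """Return the problems found; an empty list means the metadata looks right."""
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{MD}}}EntityDescriptor":
        return [f"unexpected root element {root.tag}"]
    sp = root.find(f"{{{MD}}}SPSSODescriptor")
    if sp is None:
        return ["no SPSSODescriptor: this is not service-provider metadata"]
    # The generator derives entityID and the endpoints from the request URL,
    # so all of them must be https on the hostname business users will use.
    urls = [root.get("entityID", "")]
    urls += [e.get("Location", "") for e in sp.iter(f"{{{MD}}}AssertionConsumerService")]
    issues: List[str] = []
    for url in urls:
        parsed = urlparse(url)
        if parsed.scheme != "https":
            issues.append(f"not https: {url}")
        if parsed.hostname != expected_host:
            issues.append(f"wrong host {parsed.hostname!r}: {url}")
    # The IDP validates the SP's signed requests with this certificate from the new keystore.
    if sp.find(f".//{{{DS}}}X509Certificate") is None:
        issues.append("no ds:X509Certificate in SPSSODescriptor")
    return issues

# Constructed sample of what /BOE/saml/metadata returns; bobj.example.com,
# port 8443, the /BOE/saml/SSO path and the certificate text are placeholders.
GOOD = f"""<md:EntityDescriptor xmlns:md="{MD}" xmlns:ds="{DS}"
    entityID="https://bobj.example.com:8443/BOE/saml/metadata">
  <md:SPSSODescriptor AuthnRequestsSigned="true"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>MIIC...placeholder...</ds:X509Certificate>
    </ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:AssertionConsumerService index="0"
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://bobj.example.com:8443/BOE/saml/SSO"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""
# The same metadata as generated by browsing to http://localhost:8080 instead.
LOCALHOST = GOOD.replace("https://bobj.example.com:8443", "http://localhost:8080")
if __name__ == "__main__":
    print("good:", check_sp_metadata(GOOD, "bobj.example.com"))
    print("localhost:", check_sp_metadata(LOCALHOST, "bobj.example.com"))
```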
Upload the SP metadata to the IDP
Once the metadata file is generated with the desired information, you can provide the metadata .xml file to the IDP to import. This is different for every IDP. Once the configuration is applied, the IDP will have the details needed to redirect the business users back to the BI Platform once they are fully authenticated.
Test SAML workflow
If it has not yet been applied, the SAML logging should be configured to help isolate issues should they appear. Logs from the IDP will also be helpful.
- Access the BI Launchpad (or another configured endpoint)
- The user should be automatically directed to the IDP logon page (or automatically authenticated by the IDP, if that is the configuration)
- Upon successful authentication, the user should automatically be redirected back to the BI web application (BI Launchpad, for example)
- The trusted authentication workflow takes over and the user should automatically be logged in to the desired endpoint in the web application.
Refer to the KBAs below to finish all the configuration steps.
- KBA 2788146
- KBA 1593628