- SAP Managed Tags:
This document summarizes the planned enhancements in the next SAP BI 4.2 Support Package 6 for BIPlatform.
SAP BI 4.2 SP06 is now generally available. Please refer the below blog for more details:
https://blogs.sap.com/2018/07/30/sap-businessobjects-business-intelligence-suite-4.2-sp06-sp6-releas...
Following the enhancements brought in SAP BI 4.2 and its Support Packages (see here for more details), SAP keeps investing in the most popular and used Analytics tool in the SAP Portfolio.
SAP BI 4.2 SP6 delivers many awaited features and incremental enhancements so as to create the foundation for all follow-up releases and meeting the high expectations of our large customer base.
In BI 4.2 SP05, the BIP RESTful web services can also be deployed in the default Tomcat application server. For more information please refer the below blog.
From BI4.2 SP06 onwards, BIPRestful web services can additionally be deployed on the supported websphere application server.
If you are using a non-WACS server such as WebSphere, you can set the RESTful Web service parameter values as part of server configuration.
To configure the RESTful web services for WebSphere application server, follow the procedure given below:
4. Restart the WebSphere server.
Note:
The default version of biprws.properties is available at <WebSphere-location>\webapps\biprws\WEB-INF\config\default and your configuration for above listed parameters in custom file path overrides the default settings once you restart the server.
Cloud applications are HTTP friendly as almost everything happens on that protocol. And hence, same is true for SAP Analytics cloud, SAP Analytics Hub which all support SAML as authentication mechanism.
From BI 4.2 SP05 onwards, Service provider implementation in BIPlatform supports SAML integration to BIPlatform for tomcat application server. However, the identity propagation is done though the User IDs.
Refer: https://blogs.sap.com/2017/11/17/saml-authentication-for-boe-on-tomcat/
Most of the cloud applications (SAP Analytics Cloud/SAP Analytics Hub) Login are based on Email. Hence, Now BIPlatform supports Email Authentication for SAML 2.0 integration.
Configuration steps for configuring Email authentication for SAML 2.0 integration to BIPlatform:
Edit the properties file by adding below fields and also Refer the filenames and its location below:
saml.enabled=true
saml.isUseEmailAddress = true
saml.authType = secEnterprise
The second parameter takes Boolean values and the third parameter denotes the authentication type of the user/alias details with which the login is expected to happen.
The email feature can be handled individually for each application stated above.
If saml.isUseEmailAddress is set to false , then the exception is that login will happen based on the name parameter.
If set to true , then the exception is that login will happen based on the email parameter.
The purpose of the third parameter is to check for duplicity in the system , which ensures no two aliases of same authentication type can have the same email address as in this case , there is a conflict of which authentication type to use to authenticate and create session.
If in case , if any duplicity exists in the system , "alias name or email is not unique error" will be thrown at the interception screen.
Note:
Note:
Set up the following prerequisites to use the SAML authentication feature to login via the email address of:
Use the command line parameter “-importtpemailduringsync” to enable the import of email addresses from a third-party system:
1. Add the parameter “-importtpemailduringsync” to CMS -->properties -->Command Line Parameters
2. Restart the CMS
3. Do the third-party authentication update of the third-party whose user’s email you want to use for login. The supported third-party authentication types for this feature are SAP, LDAP and WinAD.
If you are using SAP cloud Identity provider, Below are the steps to Configure for EMAIL support :
Refer the below link for more details:
https://help.sap.com/viewer/6d6d63354d1242d185ab4830fc04feb1/Cloud/en-US/1d020e3a3ba34c43a71fde70bfa...
Note:
The URL has the https://<tenant ID>.accounts.ondemand.com/admin pattern.
Tenant ID is an automatically generated ID by the system. The first administrator created for the tenant receives an activation e-mail with a URL in it. This URL contains the tenant ID.
This operation opens a list of the applications.
Note:
Type the name of the application in the search field to filter the list items, or choose the application from the list on the left.
If you do not have a created application in your list, you can create one. For more information, see Create a New Application.
E-Mail
Once the application has been changed, the system displays the message Application <name of application> updated.
Tip:
Import all the IDP users with the E-mail address to BIPlatform and now if you access any of the SAML 2.0 configured BIPlatform applications (BILP, Fiori BILP, Open document, CMC) it redirects to IDP logon page.
Once the E-mail address and Password credentials are valid, It will provide the access to BIPlatform resources.
Note :
Go to http://host:port/BOE/BI/saml/metadata. The XML file gets downloaded automatically after navigating to the above URL.Upload the XML file to the identity provider. Upload this in IDP using the relevant IDP’s feature support.
if SP metadata file end-point is always generates with http or localhost and you need to generate with FQDN and with https then below are the steps to achieve this:
In BI 4.2 SP05 release, SAML 2.0 Service provider implementation for Tomcat Application Server using SAML 2.0 is supported for BIPlatform thin Clients (BILP, FBILP, OpenDocument).
Now, BI 4.2 SP06 onwards, Central Management console Application is also supported.
Configure SAML 2.0 integration to BIPlatform. Refer the below blog for more details.
https://blogs.sap.com/2017/11/17/saml-authentication-for-boe-on-tomcat/
For CMC, go to <INSTALLDIR>\tomcat\webapps\BOE\WEB-INF\config\custom and edit the CMCApp.properties file.
Ex:
saml.enabled=true
sso.supported.types = trustedSession
Note:
For CMC, you should set another property sso.supported.types = trustedSession in the CMCApp.properties file.
Using the Spring SAML implementation and SP configuration from BIPlatform, SAML 2.0 is supported for all BIP thin clients (BILP, FBILP, OpenDocument, CMC) for websphere application server.
Note:
The topic contains instructions to configure the WebSphere application server for SAML 2.0 authentication.
Follow the steps below:
2. To configure trusted authentication with web session, follow the steps below:
sso.enabled=true
trusted.auth.user.retrieval=WEB_SESSION
trusted.auth.user.param=UserName
The TrustedPrincipal.conf file is downloaded.
To export SAP Cloud Platform users to CSV, refer
Export Existing Users of a Tenant of SAP Cloud Platform Identity Authentication Service
In securityContext.xml file, locate the SAML entry point in the XML code as below:
Sample Code:
<security:http entry-point-ref="samlEntryPoint" use-expressions="false">
<!-- Comment/Uncomment for Launchpad-->
<security:intercept-url pattern="/BI" access="IS_AUTHENTICATED_FULLY"/>
<!-- Uncomment for Opendocument-->
<!--<security:intercept-url pattern="/OpenDocument/**" access="IS_AUTHENTICATED_FULLY"/>-->
<!-- Uncomment for Fiori Launchpad-->
<!--<security:intercept-url pattern="/BILaunchpad" access="IS_AUTHENTICATED_FULLY"/>-->
<!-- Uncomment for CMC-->
<!--<security:intercept-url pattern="/CMC" access="IS_AUTHENTICATED_FULLY"/>--><security:custom-filter before="FIRST" ref="metadataGeneratorFilter"/>
<security:custom-filter after="BASIC_AUTH_FILTER" ref="samlFilter"/>
</security:http>
Note:
If the application does not contain the custom properties file, create a new one.
6. Activate the XML tags in the web.xml file.
7. To update the IDP metadata in SP, download the IDP metadata from the respective IDP service providers. Copy the metadata file to <BOE Install Dir>\WebSphere\webapps\BOE\WEB-INFand rename it to idp-meta-downloaded.xml .
For more details on downloading the IDP metadata, refer Tenant SAML 2.0 Configuration
Note: A new algorithm SHA-256 is now supported for the SAML integration.
8. Restart the WebSphere application server.
Note :
If BOE is deployed on any Non -Windows machine, the path seperators in filepath to the IDP metadata under the bean FilesystemMetadataProvider should be changed in securityContext.xml under <BOE Install Dir>\WebSphere\webapps\BOE\WEB-INF.
i.e <value type="java.io.File">/WEB-INF/idp-meta-downloaded.xml</value> has to be changed to<value type="java.io.File">\WEB-INF\idp-meta-downloaded.xml</value> .
To generate keystore for enabling SAML 2.0 (optional)
This step is applicable only if you want to use your own keystore file.
SAML exchanges involve usage of cryptography for signing and encryption of data. A sample self-signed keystore sampletestKeystore.jks is packaged with the product and is valid till October 18, 2019. sampletestKeystore.jkshas an alias name Testkey and password Password1. You can now generate a self-signed keystore file using the JAVA utility keytool. Follow the steps below to generate a keystore file:
The keystore file is generated at <INSTALLDIR>\SAP BusinessObjects Enterprise XI 4.0\win64_x64\sapjvm\bin.
Sample Code:
<bean id="keyManager" class="org.springframework.security.saml.key.JKSKeyManager">
<constructor-arg value="/WEB-INF/sampleKeystore.jks"/>
<constructor-arg type="java.lang.String" value="Password1"/>
<constructor-arg>
<map>
<entry key="aliasname" value="password"/>
</map>
</constructor-arg>
<constructor-arg type="java.lang.String" value="Testkey"/>
</bean>
9. Generate and upload the service provider metadata.
Note:
You can use the default service provider metadata file spring_saml_metadata.xml located at<INSTALLDIR>\WebSphere\webapps\biprws\WEB-INF instead of generating it manually. You must replace the XML tag <replace_withip> with the IP address or hostname of the machine based on your network, and <replace_withport> with port number of the WebSphere application server. Replace HTTP with HTTPS if you have enabled HTTPS in WebSphere.
10. If you are using SAP Cloud Identity, to create a SAML application in IDP and upload the SP xmlin the IDP for configuring the SAML SSO to BIPlatform, refer Configure a Trusted Service Provider.
11. Restart the WebSphere application server.
Note:
The latest service provider metadata must be generated after the keystore file is modified.
Tip:
To check if SAML integration is successful, once you launch the SAML configured application (BI launch pad, Fiori BI launch pad or OpenDocument), you are redirected to the IDP.
SAML integration to BIPlatform delivered in BI 4.2 SP05 release works only with SHA-1 certificate.
From BI 4.2 SP06 onwards, SHA-2 certificate is supported for SAML 2.0 integration to BIPlatform using ADFS/SAP cloud Identity providers.
As part of BI 4.2 SP05 release, SAML integration into BI platform is supported using Open SAML 2.0 for tomcat application server.
In one of the confirmation steps, SAML related Jars has to be manually copied into the BOE/WEBI-INF/lib folder.
Copying all Jars manually will increase the Configuration process and time.
For BI 4.2 SP06 above steps are simplified and all the SAML related Jars are copied automatically during the BOE default installation with Tomcat application server.
Till BI 4.2 SP05 release, BI workspace doesn't support Lumira documents.
Most ask from the customers is to have a support of Lumira documents in BIworkspace.
From BI 4.2 SP06 release, Modules and BIworkspace can be created and be viewed in BILaunchpad successfully for Lumira documents.
BI platform key user creates new BI reports for the end users on Fiori LaunchPad (FLP) on SAP NetWeaver Enterprise Portal (EP). The reports are visible on FLP on EP without a delay and an additional effort EP administrator side.
In BI 4.2 SP04 release, BIPlatform public folders content in Fiori Launchpad is integrated to SAP NetWeaver Enterprise Portal by exposing Odata services.
Refer below links for more details :
https://blogs.sap.com/2017/05/15/bi-platform-odata-service-for-sap-fiori-launchpad/
https://blogs.sap.com/2017/05/14/business-objects-enterprise-integration-with-sap-fiori-launchpad-on...
From BI 4.2 SP06 onwards, Odata services implemented to support BIPlatform Personal folders and Inbox contents.
Currently OData Services can only be deployed in Tomcat Application server.
From BI 4.2 Sp06 onwards, OData war file can be deployed in SAP NetWeaver application server.
In BI 4.2 SP05 GDPR Data protection Pop up message is mandated for all users as part of GDPR regulations for Data protection when logging to BILaunchpad, CMC, Fiori BILaunchpad and Open Document.
From BI 4.2 SP06 onwards, Fiori BILaunchpad now has an option to remove favorites by clicking on the star for the tile view and list view in Home page.
In BI 4.2 SP05 release, Adding custom images for categories are supported. But there is no option to delete these custom images.
From BI 4.2 SP06 onwards, FBILP categories supports deleting the custom images in Tile view. Default category images are applied once the custom images are deleted.
From BI 4.2 SP06 release, Fiori BILP supports additional rights for scheduling destinations. Ie., we can now control the rights of scheduling destination individually i.e. for
FTP,
SFTP,
SMTP,
File system
BI Inbox
Today if administrator has enabled any destination in job server, then for any user having the right to schedule, can select any of the destinations.
SharePoint 2013 is in end of life mode and IOMS is now supports SharePoint 2016.
From BI 4.2 SP06 release, IOMS is certified and supports Microsoft SharePoint 2016.
All existing supported BOE web parts in IOMS with SharePoint 2013 is now can be deployed successfully in SharePoint 2016.
When Scheduling a report, there are multiple placeholders allows the scheduler to append a piece of metadata to the name of the report being exported.
Currently we have Datetime placeholder which is translated as: %SI_STARTTIME%.
When Date Time is added as a placeholder, it will add data and time like "2018-19-03-27-21".
There is no option if user wants only Date but not time.
In BI 4.2 SP06 release, A new placeholder for Date, %SI_DATE% has been introduced.
When this placeholder is used, it translates to Date in the runtime
For Ex:
%SI_DATE% - 2018-05-30
A new property has been added to get the number of cores per CPU.
In BI 4.2 SP06 release, Started supporting TLS 1.2 communication from BOE to LDAP servers.
It supports all platforms except Linux this will work out of the box.
Note :
For Linux, customer needs to manually replace the ldap binaries from collateral folder. Please refer Note 2623529
Wireshark traces for BI 4.2 SP06:
Important Links:
https://blogs.sap.com/2017/11/07/sap-bi-4.2-sp05-decoupling-of-bi-platform-restful-web-services-from...
https://blogs.sap.com/2017/11/06/sap-bi-4.2-sp05-whats-new-in-fiori-bi-launchpad/
https://blogs.sap.com/2017/05/18/fiori-bi-launchpad-administrator-configurations-and-settings/
https://blogs.sap.com/2017/12/19/sap-analytics-hub-saml-sso-to-biplatform-content/
https://blogs.sap.com/2018/05/16/how-to-disable-gdpr-data-protection-pop-up-message-in-cmc-bilaunchp...
SAP BI 4.2 SP06 is now generally available. Please refer the below blog for more details:
https://blogs.sap.com/2018/07/30/sap-businessobjects-business-intelligence-suite-4.2-sp06-sp6-releas...
Following the enhancements brought in SAP BI 4.2 and its Support Packages (see here for more details), SAP keeps investing in the most popular and used Analytics tool in the SAP Portfolio.
SAP BI 4.2 SP6 delivers many awaited features and incremental enhancements so as to create the foundation for all follow-up releases and meeting the high expectations of our large customer base.
Below are the New features for BI 4.2 SP06 release from BIPlatform:
1. Decoupling BIP RestSDK stack out of WACS for WebSphere
2. SAML 2.0 Enhancements:
- Email support in SAML Integration to BI Platform
- SAML 2.0 support for Central Management console.
- SAML 2.0 authentication Support for BI Platform thin Clients (BILP, FBILP, OpenDocument and CMC) with Websphere Application Server.
- SAML 2.0 integration in BIPlatform with SHA-2 support
- Simplify the SAML authentication configurations in BI Platform.
- logonNoSso.jsp is now supported for SAML 2.0 SSO
3. Lumira documents are now supported in BIworkspace.
4. BI platform supports OData services for the integration between the Fiori Launchpad and SAP Enterprise Portal
5. BI Platform now supports OData Services in NetWeaver application server
6. Disabling the GDPR Popup Message
7. What's New in Fiorified BI Launch Pad:
- You can now remove an item from your list of Favorites by choosing the * icon on the item previously marked as favorite.
- You can now delete custom images you added to a category.
- Destination rights in Fiori BILP
8. Sharepoint 2016 support.
9. Introduction of Date placeholder
10. Licensing enhancement - Number of core information on servers
11. TLS 1.2 Support for LDAP
12. Audit DB Changes
1. Decoupling BIP RestSDK stack out of WACS for WebSphere :
In BI 4.2 SP05, the BIP RESTful web services can also be deployed in the default Tomcat application server. For more information please refer the below blog.
From BI4.2 SP06 onwards, BIPRestful web services can additionally be deployed on the supported websphere application server.
1.1 Configuring RESTful Web Services for WebSphere Server:
If you are using a non-WACS server such as WebSphere, you can set the RESTful Web service parameter values as part of server configuration.
To configure the RESTful web services for WebSphere application server, follow the procedure given below:
- Stop the WebSphere server.
- Access the file propertiesin the following file-path: <WebSphere-location>\webapps\biprws\WEB-INF\config\custom.
- Specify the values of following parameters in the file based on your custom requirements and save the file.
- <Default_Number_Of_Objects_On_One_Page>
- <Enterprise_Session_Token_Timeout_In_Minutes>
- <Session_Pool_Size>
- <Session_Pool_Timeout_In_Minutes>
- <Log_Level>
- <Log_Location>
4. Restart the WebSphere server.
Note:
The default version of biprws.properties is available at <WebSphere-location>\webapps\biprws\WEB-INF\config\default and your configuration for above listed parameters in custom file path overrides the default settings once you restart the server.
2. SAML 2.0 Enhancements:
2.1 Email support in SAML Integration to BI Platform :
Cloud applications are HTTP friendly as almost everything happens on that protocol. And hence, same is true for SAP Analytics cloud, SAP Analytics Hub which all support SAML as authentication mechanism.
From BI 4.2 SP05 onwards, Service provider implementation in BIPlatform supports SAML integration to BIPlatform for tomcat application server. However, the identity propagation is done though the User IDs.
Refer: https://blogs.sap.com/2017/11/17/saml-authentication-for-boe-on-tomcat/
Most of the cloud applications (SAP Analytics Cloud/SAP Analytics Hub) Login are based on Email. Hence, Now BIPlatform supports Email Authentication for SAML 2.0 integration.
Configuration steps for configuring Email authentication for SAML 2.0 integration to BIPlatform:
Edit the properties file by adding below fields and also Refer the filenames and its location below:
saml.enabled=true
saml.isUseEmailAddress = true
saml.authType = secEnterprise
The second parameter takes Boolean values and the third parameter denotes the authentication type of the user/alias details with which the login is expected to happen.
The email feature can be handled individually for each application stated above.
If saml.isUseEmailAddress is set to false , then the exception is that login will happen based on the name parameter.
If set to true , then the exception is that login will happen based on the email parameter.
The purpose of the third parameter is to check for duplicity in the system , which ensures no two aliases of same authentication type can have the same email address as in this case , there is a conflict of which authentication type to use to authenticate and create session.
If in case , if any duplicity exists in the system , "alias name or email is not unique error" will be thrown at the interception screen.
- For BI Launch Pad, go to <INSTALLDIR>\tomcat\webapps\BOE\WEB-INF\config\customand edit the properties file.
- For Fiorified BI Launch Pad, go to <INSTALLDIR>\tomcat\webapps\BOE\WEB-INF\config\customand edit the properties file.
- For Open Document, go to <INSTALLDIR>\tomcat\webapps\BOE\WEB-INF\config\customand edit the properties file.
- For CMC, go to <INSTALLDIR>\tomcat\webapps\BOE\WEB-INF\config\customand edit the properties file.
Note:
- For CMC, you should set another property sso.supported.types = trustedSession in the CMCApp.properties file.
- If the application does not contain the custom properties file, create a new one.
Note:
Set up the following prerequisites to use the SAML authentication feature to login via the email address of:
- Third-party users:
Use the command line parameter “-importtpemailduringsync” to enable the import of email addresses from a third-party system:
1. Add the parameter “-importtpemailduringsync” to CMS -->properties -->Command Line Parameters
2. Restart the CMS
3. Do the third-party authentication update of the third-party whose user’s email you want to use for login. The supported third-party authentication types for this feature are SAP, LDAP and WinAD.
- For Enterprise users Refer to SAP note 2642247 .
If you are using SAP cloud Identity provider, Below are the steps to Configure for EMAIL support :
Refer the below link for more details:
https://help.sap.com/viewer/6d6d63354d1242d185ab4830fc04feb1/Cloud/en-US/1d020e3a3ba34c43a71fde70bfa...
- Access the tenant's administration console for SAP Cloud Platform Identity Authentication service by using the console's URL.
Note:
The URL has the https://<tenant ID>.accounts.ondemand.com/admin pattern.
Tenant ID is an automatically generated ID by the system. The first administrator created for the tenant receives an activation e-mail with a URL in it. This URL contains the tenant ID.
- Choose the Applications
This operation opens a list of the applications.
- Choose the application that you want to edit.
Note:
Type the name of the application in the search field to filter the list items, or choose the application from the list on the left.
If you do not have a created application in your list, you can create one. For more information, see Create a New Application.
- Choose the Trust
- Under SAML 2.0, choose Name ID Attribute.
- Select the name ID Attribute from the following:
- Save your selection.
Once the application has been changed, the system displays the message Application <name of application> updated.
Tip:
Import all the IDP users with the E-mail address to BIPlatform and now if you access any of the SAML 2.0 configured BIPlatform applications (BILP, Fiori BILP, Open document, CMC) it redirects to IDP logon page.
Once the E-mail address and Password credentials are valid, It will provide the access to BIPlatform resources.
Note :
Generate and upload the service provider metadata:
Go to http://host:port/BOE/BI/saml/metadata. The XML file gets downloaded automatically after navigating to the above URL.Upload the XML file to the identity provider. Upload this in IDP using the relevant IDP’s feature support.
if SP metadata file end-point is always generates with http or localhost and you need to generate with FQDN and with https then below are the steps to achieve this:
- For the first time, if you are generating the SP Metadata.xml with FQDN and http then it will continue always with FQDN name and http only even if you try with localhost/vmname or https. Since it will be cached in the tomcat work folder.
- If you want the name to be populated with the actual name, then the possible solution to clean the tomcat work folder and generate the SP meatdata.xml.
- if above steps are not working then Full Restart on all systems might solve this issue.
2.2 SAML 2.0 support for Central Management console:
In BI 4.2 SP05 release, SAML 2.0 Service provider implementation for Tomcat Application Server using SAML 2.0 is supported for BIPlatform thin Clients (BILP, FBILP, OpenDocument).
Now, BI 4.2 SP06 onwards, Central Management console Application is also supported.
Configure SAML 2.0 integration to BIPlatform. Refer the below blog for more details.
https://blogs.sap.com/2017/11/17/saml-authentication-for-boe-on-tomcat/
For CMC, go to <INSTALLDIR>\tomcat\webapps\BOE\WEB-INF\config\custom and edit the CMCApp.properties file.
Ex:
saml.enabled=true
sso.supported.types = trustedSession
Note:
For CMC, you should set another property sso.supported.types = trustedSession in the CMCApp.properties file.
2.3 SAML 2.0 authentication Support for BI Platform thin Clients (BILP, FBILP, OpenDocument and CMC) with Websphere Application Server:
Using the Spring SAML implementation and SP configuration from BIPlatform, SAML 2.0 is supported for all BIP thin clients (BILP, FBILP, OpenDocument, CMC) for websphere application server.
Note:
- SAML 2.0 implementation is supported for websphere 9.
- The steps mentioned below use SAP Cloud Identity Provider as the default identity provider.
The topic contains instructions to configure the WebSphere application server for SAML 2.0 authentication.
Follow the steps below:
- Add the SAML WebSphere service provider jars.
- Copy the SAML jars present in to <BOE Install Dir>\WebSphere\webapps\BOE\WEB-INF\lib<BOE Install Dir> \SAP BusinessObjects Enterprise XI 4.0\SAMLJARS.
- Stop WebSphere.
- Delete the Workfolder from <BOE Install Dir>\WebSphere.
- Restart WebSphere.
2. To configure trusted authentication with web session, follow the steps below:
- Add the global.properties file under the custom folder <INSTALLDIR>\SAP BusinessObjects\WebSphere\webapps\BOE\WEB-INF\config\custom. Following is the content for global.properties:
sso.enabled=true
trusted.auth.user.retrieval=WEB_SESSION
trusted.auth.user.param=UserName
- Go to CMCAuthentication Enterprise.
- Enable Trusted Authentication.
- Set the Validity.
- Choose New Shared Secret.
- To download the generated shared secret, choose Download Shared Secret.
The TrustedPrincipal.conf file is downloaded.
- Paste the TrustedPrincipal.conf file in <INSTALLDIR>\SAP BusinessObjects Enterprise XI 4.0\win64_x64and <INSTALLDIR>\SAP BusinessObjects Enterprise XI 4.0\win64_x64
- Go to CMCAuthentication Enterprise and choose Update.
- Restart WebSphere.
- If you are using SAP Cloud Platform Identity Provider, export all the users and then import them to the BI platform. Refer How to import users in bulk from Central Management Console
To export SAP Cloud Platform users to CSV, refer
Export Existing Users of a Tenant of SAP Cloud Platform Identity Authentication Service
- Edit the xmlfile located at <INSTALLDIR>\WebSphere\webapps\BOE\WEB-INF.
In securityContext.xml file, locate the SAML entry point in the XML code as below:
Sample Code:
<security:http entry-point-ref="samlEntryPoint" use-expressions="false">
<!-- Comment/Uncomment for Launchpad-->
<security:intercept-url pattern="/BI" access="IS_AUTHENTICATED_FULLY"/>
<!-- Uncomment for Opendocument-->
<!--<security:intercept-url pattern="/OpenDocument/**" access="IS_AUTHENTICATED_FULLY"/>-->
<!-- Uncomment for Fiori Launchpad-->
<!--<security:intercept-url pattern="/BILaunchpad" access="IS_AUTHENTICATED_FULLY"/>-->
<!-- Uncomment for CMC-->
<!--<security:intercept-url pattern="/CMC" access="IS_AUTHENTICATED_FULLY"/>--><security:custom-filter before="FIRST" ref="metadataGeneratorFilter"/>
<security:custom-filter after="BASIC_AUTH_FILTER" ref="samlFilter"/>
</security:http>
- For OpenDocument, uncomment <security:intercept-url pattern="/OpenDocument/**" access="IS_AUTHENTICATED_FULLY"/>
- For Fiorified BI Launch Pad, uncomment <security:intercept-url pattern="/BILaunchpad" access="IS_AUTHENTICATED_FULLY"/>NoteThe XML tag for Classical BI Launch Pad is enabled by default..
- For CMC, uncomment <security:intercept-url pattern="/CMC" access="IS_AUTHENTICATED_FULLY"/>
- Edit the properties file by adding enabled=true. Refer the filenames and its location below:
- For BI Launch Pad, go to <INSTALLDIR>\WebSphere\webapps\BOE\WEB-INF\config\custom and edit the properties file.
- For Fiorified BI Launch Pad, go to <INSTALLDIR>\WebSphere\webapps\BOE\WEB-INF\config\customand edit the properties file.
- For Open Document, go to <INSTALLDIR>\WebSphere\webapps\BOE\WEB-INF\config\custom and edit the properties file.
- For CMC, go to <INSTALLDIR>\WebSphere\webapps\BOE\WEB-INF\config\customand edit the properties file.NoteFor CMC, you should set another property sso.supported.types = trustedSession in the CMCApp.properties file.
Note:
If the application does not contain the custom properties file, create a new one.
6. Activate the XML tags in the web.xml file.
- Go to <INSTALLDIR>\WebSphere\webapps\BOE\WEB-INF.
- Open xml.
- Search for filter in the xml file.
- Uncomment filter to enable SAML.
- Search for filter-mapping in the xml file.
- Uncomment filter-mapping to enable SAML.
- Similarly, search for context-param and listener.
- Uncomment context-param and listener.
- Save the file.
7. To update the IDP metadata in SP, download the IDP metadata from the respective IDP service providers. Copy the metadata file to <BOE Install Dir>\WebSphere\webapps\BOE\WEB-INFand rename it to idp-meta-downloaded.xml .
For more details on downloading the IDP metadata, refer Tenant SAML 2.0 Configuration
Note: A new algorithm SHA-256 is now supported for the SAML integration.
8. Restart the WebSphere application server.
Note :
If BOE is deployed on any Non -Windows machine, the path seperators in filepath to the IDP metadata under the bean FilesystemMetadataProvider should be changed in securityContext.xml under <BOE Install Dir>\WebSphere\webapps\BOE\WEB-INF.
i.e <value type="java.io.File">/WEB-INF/idp-meta-downloaded.xml</value> has to be changed to<value type="java.io.File">\WEB-INF\idp-meta-downloaded.xml</value> .
To generate keystore for enabling SAML 2.0 (optional)
This step is applicable only if you want to use your own keystore file.
SAML exchanges involve usage of cryptography for signing and encryption of data. A sample self-signed keystore sampletestKeystore.jks is packaged with the product and is valid till October 18, 2019. sampletestKeystore.jkshas an alias name Testkey and password Password1. You can now generate a self-signed keystore file using the JAVA utility keytool. Follow the steps below to generate a keystore file:
- Navigate to <INSTALLDIR>\SAP BusinessObjects Enterprise XI 4.0\win64_x64\sapjvm\bin.
- Run the command: keytool -genkeypair -alias aliasname -keypass password -keystore samplekeystore.jks -validity numberofdays
| Command | Description |
| -alias | Enter the alias name of the certificate |
| -keypass | Enter the certificate’s password |
| -keystore | Name of the keystore file |
| -validity | Validity of the certificate |
| numberofdays | Number of days for which the self-signed certificate is valid. |
- The following questions are prompted after executing the command:
- Enter keystore password: *****
- Re-enter new password: *****
- What is your first and last name? : Ashok Rajashekar
- What is the name of your organizational unit? : BusinessObjects
- What is the name of your organization? : SAP
- What is the name of your city and locality? : BLR
- What is the name of your State and Province? : KA
- What is the two-letter country code for this unit? : IN
- Stop the WebSphere application server.
The keystore file is generated at <INSTALLDIR>\SAP BusinessObjects Enterprise XI 4.0\win64_x64\sapjvm\bin.
- Move the keystore file to <INSTALLDIR>\WebSphere\webapps\BOE\WEB-INF
- Edit the xmlfile located at <INSTALLDIR>\WebSphere\webapps\BOE\WEB-INF with the new alias name, password, and keystore file name. Refer the XML code below:
Sample Code:
<bean id="keyManager" class="org.springframework.security.saml.key.JKSKeyManager">
<constructor-arg value="/WEB-INF/sampleKeystore.jks"/>
<constructor-arg type="java.lang.String" value="Password1"/>
<constructor-arg>
<map>
<entry key="aliasname" value="password"/>
</map>
</constructor-arg>
<constructor-arg type="java.lang.String" value="Testkey"/>
</bean>
| Refer the table below for understanding the arguments: | ||
| XML Tag | Description | |
| <constructor-arg value="/WEB- INF/sampleKeystore.jks"/> | Locates the keystore file. | |
| <constructor-arg type="java.lang.String" value="Password1"/> | Password for the keystore file. | |
| <entry key="aliasname" value="password"/> | Alias password | |
| <constructor-arg type="java.lang.String" value="Testkey"/> | Alias of the default certificate | |
9. Generate and upload the service provider metadata.
- Go to http://host:port/BOE/BI/saml/metadata. The XML file gets downloaded automatically after navigating to the above URL.
- Upload the XML file to the identity provider.
Note:
You can use the default service provider metadata file spring_saml_metadata.xml located at<INSTALLDIR>\WebSphere\webapps\biprws\WEB-INF instead of generating it manually. You must replace the XML tag <replace_withip> with the IP address or hostname of the machine based on your network, and <replace_withport> with port number of the WebSphere application server. Replace HTTP with HTTPS if you have enabled HTTPS in WebSphere.
10. If you are using SAP Cloud Identity, to create a SAML application in IDP and upload the SP xmlin the IDP for configuring the SAML SSO to BIPlatform, refer Configure a Trusted Service Provider.
11. Restart the WebSphere application server.
Note:
The latest service provider metadata must be generated after the keystore file is modified.
Tip:
To check if SAML integration is successful, once you launch the SAML configured application (BI launch pad, Fiori BI launch pad or OpenDocument), you are redirected to the IDP.
2.4 SAML 2.0 integration in BIPlatform with SHA-2 support:
SAML integration to BIPlatform delivered in BI 4.2 SP05 release works only with SHA-1 certificate.
From BI 4.2 SP06 onwards, SHA-2 certificate is supported for SAML 2.0 integration to BIPlatform using ADFS/SAP cloud Identity providers.
2.5 Simplify the SAML authentication configurations in BI Platform:
As part of BI 4.2 SP05 release, SAML integration into BI platform is supported using Open SAML 2.0 for tomcat application server.
In one of the confirmation steps, SAML related Jars has to be manually copied into the BOE/WEBI-INF/lib folder.
Copying all Jars manually will increase the Configuration process and time.
For BI 4.2 SP06 above steps are simplified and all the SAML related Jars are copied automatically during the BOE default installation with Tomcat application server.
2.6 logonNoSso.jsp is now supported for SAML 2.0 SSO:
From BI 4.2 SP06 onwards, logonNoSso.jsp is supported for BIP thin clients (BILaunchpad, Fiori BILaunchpad and CMC) using SAML 2.0 SSO. This is mainly used to login to BIPlatform without SSO and by entering the credentials manually.
3. Lumira documents are now supported in BIworkspace:
Till BI 4.2 SP05 release, BI workspace doesn't support Lumira documents.
Most ask from the customers is to have a support of Lumira documents in BIworkspace.
From BI 4.2 SP06 release, Modules and BIworkspace can be created and be viewed in BILaunchpad successfully for Lumira documents.
4. Support of BIPlatform Personal folders and Inbox in NW Fiori Launchpad Enterprise portal:
BI platform key user creates new BI reports for the end users on Fiori LaunchPad (FLP) on SAP NetWeaver Enterprise Portal (EP). The reports are visible on FLP on EP without a delay and an additional effort EP administrator side.
In BI 4.2 SP04 release, BIPlatform public folders content in Fiori Launchpad is integrated to SAP NetWeaver Enterprise Portal by exposing Odata services.
Refer below links for more details :
https://blogs.sap.com/2017/05/15/bi-platform-odata-service-for-sap-fiori-launchpad/
https://blogs.sap.com/2017/05/14/business-objects-enterprise-integration-with-sap-fiori-launchpad-on...
From BI 4.2 SP06 onwards, Odata services implemented to support BIPlatform Personal folders and Inbox contents.
5. BI Platform now supports OData Services in NetWeaver application server:
Currently OData Services can only be deployed in Tomcat Application server.
From BI 4.2 Sp06 onwards, OData war file can be deployed in SAP NetWeaver application server.
6. Disabling the GDPR Popup Message:
In BI 4.2 SP05 GDPR Data protection Pop up message is mandated for all users as part of GDPR regulations for Data protection when logging to BILaunchpad, CMC, Fiori BILaunchpad and Open Document.
The Data Protection pop-up should not, and cannot be disabled proactively. To ensure compliance with EU GDPR, all users of these applications must actively accept this message before proceeding.
By knowing GDPR Data protection message is mandate and still if customers want to disable this message then they will have an option to disable this Data protection Pop up from BI 4.2 SP05 Patch 3 and BI 4.2 SP06 onwards.
Please refer the below blog for more details :
7. What's New in Fiori BI Launch Pad:
7.1 Customize the list view Would like to « unfavorite » a document by clicking on the star:
From BI 4.2 SP06 onwards, Fiori BILaunchpad now has an option to remove favorites by clicking on the star for the tile view and list view in Home page.
7.2 Option to delete the custom images added in the category Tile view:
In BI 4.2 SP05 release, Adding custom images for categories are supported. But there is no option to delete these custom images.
From BI 4.2 SP06 onwards, FBILP categories supports deleting the custom images in Tile view. Default category images are applied once the custom images are deleted.
7.3 Destination rights in Fiori BILP:
From BI 4.2 SP06 release, Fiori BILP supports additional rights for scheduling destinations. Ie., we can now control the rights of scheduling destination individually i.e. for
FTP,
SFTP,
SMTP,
File system
BI Inbox
Today if administrator has enabled any destination in job server, then for any user having the right to schedule, can select any of the destinations.
8. Microsoft SharePoint 2016 Support in BI Platform:
SharePoint 2013 is in end of life mode and IOMS is now supports SharePoint 2016.
From BI 4.2 SP06 release, IOMS is certified and supports Microsoft SharePoint 2016.
All existing supported BOE web parts in IOMS with SharePoint 2013 is now can be deployed successfully in SharePoint 2016.
9. Introduction of Date placeholder :
When Scheduling a report, there are multiple placeholders allows the scheduler to append a piece of metadata to the name of the report being exported.
Currently we have Datetime placeholder which is translated as: %SI_STARTTIME%.
When Date Time is added as a placeholder, it will add data and time like "2018-19-03-27-21".
There is no option if user wants only Date but not time.
In BI 4.2 SP06 release, A new placeholder for Date, %SI_DATE% has been introduced.
When this placeholder is used, it translates to Date in the runtime
For Ex:
%SI_DATE% - 2018-05-30
10. Licensing enhancement - Number of core information on servers:
A new property has been added to get the number of cores per CPU.
11. TLS 1.2 Support for LDAP:
In BI 4.2 SP06 release, Started supporting TLS 1.2 communication from BOE to LDAP servers.
It supports all platforms except Linux this will work out of the box.
Note :
For Linux, customer needs to manually replace the ldap binaries from collateral folder. Please refer Note 2623529
Wireshark traces for BI 4.2 SP06:
12. Audit DB Changes:
12.1 SQL Anywhere:
- Event_Detail_Value column in the Audit BD was previously set as NVarchar, data beyond 32K Character gets truncated
- In BI4.2 SP6 the Event_Detail_Value column was changed to long NVarchar which can accommodate 2gb. This is for GDPR compliance.
12.2 Sybase ASE and Oracle CMS DB:
- Some concerns on performance degradation and CMS DB deadlocks reported on Sybase ASE and Oracle reported.
- In BI4.2 SP6, added primary keys in Oracle and Sybase ASE which internally supports unique index to the corresponding tables (CMS_INFOOBJECT7, CMS_SESSIONS7,CMS_LOCKS7 and CMS_RELATIONS7)
Important Links:
- SAP Notes (2552129 - BI performance degradation, slowness and CMS DB deadlocks reported)
Learn More:
https://blogs.sap.com/2017/11/07/sap-bi-4.2-sp05-decoupling-of-bi-platform-restful-web-services-from...
https://blogs.sap.com/2017/11/06/sap-bi-4.2-sp05-whats-new-in-fiori-bi-launchpad/
https://blogs.sap.com/2017/05/18/fiori-bi-launchpad-administrator-configurations-and-settings/
https://blogs.sap.com/2017/12/19/sap-analytics-hub-saml-sso-to-biplatform-content/
https://blogs.sap.com/2018/05/16/how-to-disable-gdpr-data-protection-pop-up-message-in-cmc-bilaunchp...
28 Comments
