Dear all,
we want to establish an SSO to a single BO system (BI Launchpad and OpenDocument) from both(!) a single Portal system and a single Fiori system. We also only have one BW system. Preferably I wanna do this via logon tickets.
I admit, that I don't fully understand the possibilities but in this area, I think SAP's architectural design is near madness... 🙂
Anyways, here's what I understood so far (might be wrong, please correct me)
- To setup SSO between Portal and BO you have a menage a trois between BW, Portal and BO
- You will configure the BW System as entitlement system
- (?) You will configure the BW System as default system (?)
- You will establish a trust between Portal and BO using a shared secret
- You will establish trust between BO and BW using a certificate (private key in BO, import public key in BW)
- You will establish trust between BW and Portal using a certificate (private key in Portal, import public key in BW)
- You will configure BO as special system in Portal using "SAP BusinessObject" Template
- You will need special iView Templates in Portal for BO "SAP BusinessObjects Document Viewer" / "SAP BusinessObjects Document List"
- (?) You generate iViews from that templates and need to enter some Alias (?)
- (?) You can only have SSO to BO via Logon Tickets from ONE calling system (?)
- (?) You cannot have (at least frictionless?) support for both SAML SSO and other SSO methods like AD (Kerberos) or Logon Tickets (?)
My Questions:
- (See Figure 3) Which system will you configure as a default system assuming that the main entry point should be enterprise portal
- (See Figure 😎 Which Alias would I need to enter in the BP iView "SAP BusinessObjects Document Viewer" assuming I want to have Logon Ticket SSO from Portal to BO. And where to put that Alias in BO (CMC)
- (See Figure 10) This is a main concern:
In https://launchpad.support.sap.com/#/notes/1495354 SAP states "The BI system will append the default system information to the front of the MYSAPSSO2 token received, so SSO will only work for users coming in from the same SAP system defined as the default. If you are using iViews for Enterprise Portal, then there is a solution available in KBA 1507252 with Multiple BW SAP Systems via the SAP Portals [...] Currently, there is no similar workaround or solution for the Fiori Portal. SSO will only function for the default SAP system defined.
--> I only have one BW system and one Portal system (and one BO system), where the note speaks of Systems.
In https://launchpad.support.sap.com/#/notes/1701240 SAP states "mysapsso2 tokens can be used to authenticate to BI from various SAP applications (CRM, fiori, EP, KM), they all require a similar configuration but the front end application steps may vary".
--> Now who is right? Will I be able to have a SSO via logon tickets for both clients reaching BO via Portal and clients reaching BO via Fiori?
- (See figure 11) In https://launchpad.support.sap.com/#/notes/2760952 SAP states that there's no simultaneous SSO possible when SAML is configured. This is nonsense from a integration point of view but at least clearly stated.
-->What would be the consequences to have that double BOE web application directory in terms of user management, deployment of content, ...?
Many(!) thanks for input to any of the 4 questions. I really like to get my head around this topic 🙂
Cheers
Jens
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.