This blog is focused on the SAML 2.0 support improvements with BI 4.2 SP05.
The support for SAML 2.0 is available today as well. Basically, application server needs to be configured as SAML service provider and BO application needs to be configured for trusted authentication. And there has to be glue code/config that picks up user information from SAML assertion response and provide that to BO in the defined format. Once that happens BO logs you in as a user.
This support is documented for SAP NetWeaver
(BOE SAML with Netweaver). However, customers have struggled to set this up for other application servers as this required third-party SAML libraries and some custom code/configuration.
Key Summary of the changes
- Support is available from BI 4.2 SP05
- Support is available for Apache Tomcat application server
- Tomcat application server now is bundled with spring SAML libraries, which makes the required configuration minimal for customers
- This addresses the front-end logon via SAML Usecase. However, the same SAML ticket is not used for authentication to databases (DB SSO to HANA via SAML, to SAP BW via STS and to DBs via stored credentials would still work).
To use Tomcat Application Server as SAML Service Provider for BOE Web Applications
Follow the steps below:
1)Adding SAML Tomcat service provider jars.( This step is only for SAML Authentication for BOE Web Applications )
a).The spring saml service provider jars exists inside <BOE Install Dir> \SAP BusinessObjects Enterprise XI 4.0\SAMLJARS. Stop Tomcat.
Copy these jars to <BOE Install Dir>\tomcat\webapps\BOE\WEB-INF\lib.
b).Delete work from <BOE Install Dir>\tomcat.
c).Restart tomcat.Wait for tomcat work to be populated.
2)Configure Trusted Authentication with WebSession
a)Add the global.properties file under the custom folder <INSTALLDIR>\SAPBusinessObjects\tomcat\webapps\BOE\WEB-INF\config\custom. In case global.properties file exists under custom folder, the trusted authentication configuration has to be appended to the existing file.
Following is the content for global.properties:
sso.enabled=true
trusted.auth.user.retrieval=WEB_SESSION
trusted.auth.user.param=UserName
b)Configures Trusted Auth in CMC
Go to
CMC Application, Authentication , Enterprise . Refer Screen below
- Enable Trusted Authentication.
- Set the Validity.
- Choose New Shared Secret.
- To download the generated shared secret, choose Download Shared Secret.
The TrustedPrincipal.conf file is downloaded.
- Paste the TrustedPrincipal.conf file in <INSTALLDIR>\SAP BusinessObjects Enterprise XI 4.0\win64_x64and <INSTALLDIR>\SAP BusinessObjects Enterprise XI 4.0\win64_x32
- Go to CMC Authentication Enterprise and choose Update.
- Restart Tomcat.
3)User Creation on BOE .
The IDP user has to created in BOE or imported through some SDK script or export using CSV option in CMC.The SAML based authentication relies on TrustedAuth from the web-server to the CMS. For this, the IDP users will have to be created in BOE as Enterprise users.
If you are using SAP Cloud Platform Identity Provider, export all the users and then import them to the BI platform. Refer
How to import users in bulk from Central Management Console
To export SAP Cloud Platform users to CSV, refer
Export Existing Users of a Tenant of SAP Cloud Platform Identity Authentication Service
4)Edit the securityContext.xml file to enable SAML Endpoints
The securityContext.xml is located at <INSTALLDIR>\tomcat\webapps\BOE\WEB-INF.
In the securityContext.xml file, locate the SAML entry point in the XML code as below. The SAML
Please see the section below
<security:http entry-point-ref="samlEntryPoint" use-expressions="false">
<!-- Comment/Uncomment for Launchpad-->
<security:intercept-url pattern="/BI" access="IS_AUTHENTICATED_FULLY"/>
<!-- Uncomment for Opendocument-->
<!--<security:intercept-url pattern="/OpenDocument/**" access="IS_AUTHENTICATED_FULLY"/>-->
<!-- Uncomment for Fiori Launchpad-->
<!--<security:intercept-url pattern="/BILaunchpad" access="IS_AUTHENTICATED_FULLY"/>-->
<security:custom-filter before="FIRST" ref="metadataGeneratorFilter"/>
<security:custom-filter after="BASIC_AUTH_FILTER" ref="samlFilter"/>
</security:http>
In general, the SAML authentication can be enabled
a) For BI Launchpad, by keeping this line uncommented <security:intercept-url pattern="/BI" access="IS_AUTHENTICATED_FULLY"/> under SAML entry point.
b) For OpenDocument,by keeping this line uncommented <security:intercept-url pattern="/OpenDocument/**" access="IS_AUTHENTICATED_FULLY"/> under saml entry point.
c)For Fiorified BI Launchpad, by keeping this line uncommented <security:intercept-url pattern="/BILaunchpad" access="IS_AUTHENTICATED_FULLY"/> under saml entry point.
Examples
1) Incase SAML authentication has to be enabled only for Opendocument alone and not BI LaunchPad and Firoufied BILaunchpad the line <security:intercept-url pattern="/OpenDocument/**" access="IS_AUTHENTICATED_FULLY"/> has to be uncommented , comment the entry points for BI Launchpad and FioriBI Launchpad. In that case SAML entry point looks like below
<security:http entry-point-ref="samlEntryPoint" use-expressions="false">
<!-- Comment/Uncomment for Launchpad-->
<!--<security:intercept-url pattern="/BI" access="IS_AUTHENTICATED_FULLY"/>-->
<!-- Uncomment for Opendocument-->
<security:intercept-url pattern="/OpenDocument/**" access="IS_AUTHENTICATED_FULLY"/>
<!-- Uncomment for Fiori Launchpad-->
<!--<security:intercept-url pattern="/BILaunchpad" access="IS_AUTHENTICATED_FULLY"/>-->
<security:custom-filter before="FIRST" ref="metadataGeneratorFilter"/>
<security:custom-filter after="BASIC_AUTH_FILTER" ref="samlFilter"/>
</security:http>
2)Incase SAML authentication has to be enabled for FioriLaunchPad and Opendocument the line <security:intercept-url pattern="/BILaunchpad" access="IS_AUTHENTICATED_FULLY"/>,<security:intercept-url pattern="/OpenDocument/**" access="IS_AUTHENTICATED_FULLY"/> has to be uncommented , comment the entry points for BI Launchpad . In that case SAML entry point looks like below
<security:http entry-point-ref="samlEntryPoint" use-expressions="false">
<!-- Comment/Uncomment for Launchpad-->
<!--<security:intercept-url pattern="/BI" access="IS_AUTHENTICATED_FULLY"/>-->
<!-- Uncomment for Opendocument-->
<security:intercept-url pattern="/OpenDocument/**" access="IS_AUTHENTICATED_FULLY"/>
<!-- Uncomment for Fiori Launchpad-->
<security:intercept-url pattern="/BILaunchpad" access="IS_AUTHENTICATED_FULLY"/>
<security:custom-filter before="FIRST" ref="metadataGeneratorFilter"/>
<security:custom-filter after="BASIC_AUTH_FILTER" ref="samlFilter"/>
</security:http>
NOTE :The XML tag for Classical BI Launch Pad is enabled by default..
5)Changes in properties for WebApplications
The property is
saml.enabled =true
As in any other properties’ setting, it is recommended to put this property in the /config/custom/<application>.properties file.
If you do not already have any custom property file here, please create an empty <application>.property. To be sure, refer to the exact name in the /config/default directory
For example:
(Assuming custom properties file does not exist. If it already does, only need to append the property
saml.enabled=true)
For Classic BI LaunchPad, create BIlaunchpad.properties under <BOE Install Dir>\tomcat\webapps\BOE\WEB-INF\config\custom
For Fiorified BI LaunchPad create fioriBI.properties under under <BOE Install Dir>\tomcat\webapps\BOE\WEB-INF\config\custom
For Opendocument create OpenDocument.properties under under <BOE Install Dir>\tomcat\webapps\BOE\WEB-INF\config\custom
Add
saml.enabled =true.
NOTE: It is mandatory to uncomment the specific endpoint and also add saml.enabled =true properties in custom properties file for the respective webapp to enable SAML Authentication
6)Configurations in the deployment descriptor – web.xml
A new filter has been introduced for SAML. The relevant section in the web.xml will be kept commented by default.
Enable filters in web.xml of BOE webapp by uncommenting the SAML section(s).
Web.xml file path: <BOE Install Dir>\tomcat\webapps\BOE\WEB-INF web.xml .
Uncomment the sections which have SAML Comment as Shown in the Images below.
1. Uncomment the listener and context param
Commented listener and context param
After uncommenting the listener and context param web.xml looks as below
2.Uncomment the SAML filters and mapping
Commented SAML filters and mapping
After Uncommenting the SAML filters and mapping
3.Save the web.xml with these changes.
5.Update IDP Metadata
To update the IDP metadata in SP, download the IDP metadata from the respective IDP service providers. Copy the metadata file to <BOE Install Dir>\tomcat\webapps\BOE\WEB-INF and rename it to
idp-meta-downloaded.xml . For more details on downloading the IDP metadata, refer
Tenant SAML 2.0 Configuration
If BOE is deployed on any Non -Windows machine, the path seperators in filepath to the IDP metadata under the bean FilesystemMetadataProvider should be changed in securityContext.xml under <BOE Install Dir>\tomcat\webapps\BOE\WEB-INF.
i.e <value type="java.io.File">/WEB-INF/idp-meta-downloaded.xml</value> has to be changed to <value type="java.io.File">\WEB-INF\idp-meta-downloaded.xml</value> .
6).KeyStore Generation
This step is optional applicable only if you want to use your own keystore file.
SAML exchanges involve usage of cryptography for signing and encryption of data. A sample self-signed keystore sampletestKeystore.jks is packaged with the product and is valid till October 18, 2019.sampletestKeystore.jks has an alias name Testkey and password Password1. You can now generate a self-signed keystore file using the JAVA utility keytool. Follow the steps below to generate a keystore file:
- Navigate to <INSTALLDIR>\SAP BusinessObjects Enterprise XI 4.0\win64_x64\sapjvm\bin.
Example
keytool -genkeypair -alias TestAlias -keypass AliasPassword -keystore sampleKeystore.jks -validity 735 .
b.Run the command:
keytool -genkeypair -alias aliasname -keypass password -keystore samplekeystore.jks -validity numberofdays
- The following questions are prompted after executing the command:
- Enter keystore password: *****(Password1)
- Re-enter new password: *****(Password1)
- What is your first and last name? : Rohit Prasad
- What is the name of your organizational unit? : BusinessObjects
- What is the name of your organization? : SAP
- What is the name of your city and locality? : BLR
- What is the name of your State and Province? : KA
- What is the two-letter country code for this unit? : IN
- Stop the Tomcat application server.
The keystore file is generated at <INSTALLDIR>\SAP BusinessObjects Enterprise XI 4.0\win64_x64\sapjvm\bin.
- Move the keystore file to <INSTALLDIR>\tomcat\webapps\BOE\WEB-INF
- Edit the xmlfile located at <INSTALLDIR>\tomcat\webapps\BOE\WEB-INF with the new alias name, password, and keystore file name. Refer the XML code below:
<bean id="keyManager" class="org.springframework.security.saml.key.JKSKeyManager"> <constructor-arg value="/WEB-INF/sampleKeystore.jks"/><constructor-arg type="java.lang.String" value="Password1"/><constructor-arg><map><entry key=" TestAlias " value="AliasPassword"/></map></constructor-arg><constructor-arg type="java.lang.String" value=" TestAlias "/></bean>
Note: SP metadata has to be generated everytime this keystore file is changed.Our sample sp metadata will be working only with our sample keystore certificate.
7)Restart the Tomcat application server.
8)Generate and upload the service provider metadata.
Go to
http://host:port/BOE/BI/saml/metadata. The XML file gets downloaded automatically after navigating to the above URL.Upload the XML file to the identity provider. Upload this in IDP using the relevant IDP’s feature support.
Note
You can use the default service provider metadata file spring_saml_metadata.xml located at<INSTALLDIR>\tomcat\webapps\BOE\WEB-INF instead of generating it manually. You must replace the XML tag <replace_withip> with the IP address of the machine and <replace_withport> with port number of the Tomcat application server. Replace HTTP with HTTPS if you have enabled HTTPS in Tomcat.
For example for HCP as IDP , Please follow following steps
SP metadata should be uploaded on creation of a SAML application in HCP.
1.Create a new app underapplications
App Creation
2. Upload SP metadata as shown in screenshot.
- If you are using SAP Cloud Identity, to create a SAML application in IDP and upload the SP xmlin the IDP for configuring the SAML SSO to BIPlatform, refer Configure a Trusted Service Provider.
- Restart the Tomcat application server.
Tip:To check if SAML integration is successful, once you launch the SAML configured application (BI launch pad, Fiorified BI launch pad or OpenDocument), you are redirected to the IDP.