cancel
Showing results for 
Search instead for 
Did you mean: 

Dual SSO and BW for BOBJ

Former Member
0 Kudos
149

Hi,

A BOBJ XI 3.1 system have been setup using Microsoft-AD authentication

and SSO using Kerberos. In the backend, it is linked to a BW 7.01 system(BW1) where SNC is enabled.This allows for SSO using Microsoft Active

Directory into BOBJ InfoView for User Group A.

We have a SAP CRM project coming in to implement BOBJ reporting on a

separate BW 7.01 system (BW2). Users will be logging into BOBJ InfoView

using a link from SAP Portal, and customization will be performed in SAPCRM to use the standard OpenDocument function to call on reports in BOBJ.

This setup will require Portal to use another LDAP directory as the UME

and implement SAPLogon tickets to achieve SSO for User Group B.

Can BOBJ Enterprise XI 3.1 support 2 SSO authentication mechanisms at the

same time, with 2 separate BW installations? (seamlessly, without the

user having to choose the authentication mechanism or system).

In addition, we have the following queries:

1) Parameters in web.xml files are required to change to use SAPLogon

tickets. eg: authentication.default & opendoc.authentication.default =

secSAPR3. Will this conflict with the Kerberos settings as the defaults

are now changed to SAPLogon tickets?

2) With 2 backend BW systems, will the SSO mechanism identify the correct

BW user ID to use in the respective universes? (Universe Designer ->

Connection Parameters -> "Use SSO when refreshing reports at view time").

3) In BOBJ Enterprise CMC, there is an authentication option for

"default" system. How will this setting affect which BW system is used to

authenticate? Can BOBJ know that the Kerberos token is for BW1 and

SAPLogon ticket is for BW2 and identify the respective system correctly?Do note that there might be overlaps between users in User Group A and Bie. a user can exist in both user groups.

Regards,

Medy

View Entire Topic
Former Member
0 Kudos

Hi Stratos,

Thank you for your reply.

We would like to link the user to their InfoView Homepage instead of a particular document hence we do not use OpenDocument. Is there a way to work around this?

Regards,

Medy

IngoH
Active Contributor
0 Kudos

hi,

then you would have to use SNC and create user aliases between the credentials of the different SAP BW systems.

ingo

Former Member
0 Kudos

Ingo,

Could you explain a little bit more on that concept. We have a similar problem when looking at the following scenario:

We have 2 groups of users that have a seperate SAP environment incl. BW and a NetWeaver portal. Currently Group A logs on to the Portal using SSO between SAP and the Portal and opens up the InfoView link via the browser session. This results in a SSO towards InfoView via the SAP logon cookie and the fact that SNC is configured. If Group B tries the same workflow but with a different SAP, BW and Portal. When Group B logs on, they receive an error message because in the CMC the BW backend of Group A has been defined as the default.

Is it possible to open the InfoView URL and add the parameters mentioned above in the topic to 'guide' the request to be validated against the SAP backend where the user resides?

Thanks for your response!

With kind regards,

Martijn van Foeken

IngoH
Active Contributor
0 Kudos

Hi,

We have 2 groups of users that have a seperate SAP environment incl. BW and a NetWeaver portal. Currently Group A logs on to the Portal using SSO between SAP and the Portal and opens up the InfoView link via the browser session. This results in a SSO towards InfoView via the SAP logon cookie and the fact that SNC is configured.

>> The SSO to InfoView is based on the token from the portal - not related to SNC.

If Group B tries the same workflow but with a different SAP, BW and Portal. When Group B logs on, they receive an error message because in the CMC the BW backend of Group A has been defined as the default.

>> I assume in this case Group A and Group B are for systems and not real user groups

Is it possible to open the InfoView URL and add the parameters mentioned above in the topic to 'guide' the request to be validated against the SAP backend where the user resides?

>> don't think so and it won't help much as - I assume - you want SSO to all the SAP systems - or ? If so you need to configure SNC and User Aliases.

Ingo

Former Member
0 Kudos

Ingo,

Indeed the SSO is based on the Portal token and the groups are different BW systems. We also want SSO for all SAP systems.

Could you explain me a little bit more on user aliases? Is their no way to 'guide' which BW system to use to verify the SAP user name which is inside the SAP Logon Cookie?

Appriciate your help!

With kind regards,

Martijn van Foeken

IngoH
Active Contributor
0 Kudos

Hi,

this then leads to SNC in the background (see Server Side trust in the Installation Guide) and then you create user aliases for th e users.

here is an example for actual client side SNC:

SNC Part 1

/people/ingo.hilgefort/blog/2009/07/03/businessobjects-enterprise-and-client-side-snc-part-1-of-2

SNC Part 2

/people/ingo.hilgefort/blog/2009/07/03/businessobjects-enterprise-and-client-side-snc-part-2-of-2

Ingo

SaiKondapaneni
Explorer
0 Kudos

Hi Ingo,

We are having BOBJ XI 3.1, BI 7.0 EHp1 and ECC 6.0.

We enabled SSO between BOBJ & BI using SNC and LDAP as our default authentication for CMC & Infoview and it works fine.

Now we are having scenario that we need to setup SSO between our ECC system & BOBJ as we are going to call opendocument urls from ecc.

So I followed the steps in your BLOG & imported roles from ECC system.

/people/ingo.hilgefort/blog/2008/09/19/businessobjects-and-sap--configure-sap-authentication

After importing roles I am able to see my ECC alias has been attached to BOBJ account in User properties screen.

And I made BI system as my default in SAP authentication Option screen.

I made secSAPR3 as my default authentication in Opendocument web.xml file

But when I access Opendocument url from ECC system its prompting me for login.

Please advice whether its possible to have this kind of dual SSO ?

Thanks

Sai

IngoH
Active Contributor
0 Kudos

Hi,

what is the initial authentication for the user ? Portal ? token ?

is it the BW user or the ECC user ?

Ingo

SaiKondapaneni
Explorer
0 Kudos

Initially user logs in into ECC, from there opendocument URL will be called using cl_gui_frontend_services->execute.

Thanks for yur help

Sai

IngoH
Active Contributor
0 Kudos

Hi,

ECC is not providing you a token. ECC is a THICK Client and can't give you a token for a browser session.

Ingo

SaiKondapaneni
Explorer
0 Kudos

Can you please advice any other alternative approach for this scenario ?

We are having EP 7.0, can we make use of portal and setup SSO ?

Thanks

Sai

IngoH
Active Contributor
0 Kudos

Hi,

I would suggest you talk to the SAP admin looking after the landscape. Yes - the portal is one option.

ingo

SaiKondapaneni
Explorer
0 Kudos

You mentioned to add login/create_sso2_ticket parameter in the blog "BusinessObjects and SAP - Configure SAP Authentication

"

Can you please advice the purpose login/create_sso2_ticket, when its not possible to create token from sapgui.

Thanks

Sai

IngoH
Active Contributor
0 Kudos

Hi,

the blog is not focusing on SSO from the SAP GUI. The blog talks about SSO in general and those parameters are there to accept logon tokens from a portal for example.

regards

Ingo