on 2010 Apr 30 10:31 AM
Hi,
A BOBJ XI 3.1 system have been setup using Microsoft-AD authentication
and SSO using Kerberos. In the backend, it is linked to a BW 7.01 system(BW1) where SNC is enabled.This allows for SSO using Microsoft Active
Directory into BOBJ InfoView for User Group A.
We have a SAP CRM project coming in to implement BOBJ reporting on a
separate BW 7.01 system (BW2). Users will be logging into BOBJ InfoView
using a link from SAP Portal, and customization will be performed in SAPCRM to use the standard OpenDocument function to call on reports in BOBJ.
This setup will require Portal to use another LDAP directory as the UME
and implement SAPLogon tickets to achieve SSO for User Group B.
Can BOBJ Enterprise XI 3.1 support 2 SSO authentication mechanisms at the
same time, with 2 separate BW installations? (seamlessly, without the
user having to choose the authentication mechanism or system).
In addition, we have the following queries:
1) Parameters in web.xml files are required to change to use SAPLogon
tickets. eg: authentication.default & opendoc.authentication.default =
secSAPR3. Will this conflict with the Kerberos settings as the defaults
are now changed to SAPLogon tickets?
2) With 2 backend BW systems, will the SSO mechanism identify the correct
BW user ID to use in the respective universes? (Universe Designer ->
Connection Parameters -> "Use SSO when refreshing reports at view time").
3) In BOBJ Enterprise CMC, there is an authentication option for
"default" system. How will this setting affect which BW system is used to
authenticate? Can BOBJ know that the Kerberos token is for BW1 and
SAPLogon ticket is for BW2 and identify the respective system correctly?Do note that there might be overlaps between users in User Group A and Bie. a user can exist in both user groups.
Regards,
Medy
Hi Stratos,
Thank you for your reply.
We would like to link the user to their InfoView Homepage instead of a particular document hence we do not use OpenDocument. Is there a way to work around this?
Regards,
Medy
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.
Ingo,
Could you explain a little bit more on that concept. We have a similar problem when looking at the following scenario:
We have 2 groups of users that have a seperate SAP environment incl. BW and a NetWeaver portal. Currently Group A logs on to the Portal using SSO between SAP and the Portal and opens up the InfoView link via the browser session. This results in a SSO towards InfoView via the SAP logon cookie and the fact that SNC is configured. If Group B tries the same workflow but with a different SAP, BW and Portal. When Group B logs on, they receive an error message because in the CMC the BW backend of Group A has been defined as the default.
Is it possible to open the InfoView URL and add the parameters mentioned above in the topic to 'guide' the request to be validated against the SAP backend where the user resides?
Thanks for your response!
With kind regards,
Martijn van Foeken
Hi,
We have 2 groups of users that have a seperate SAP environment incl. BW and a NetWeaver portal. Currently Group A logs on to the Portal using SSO between SAP and the Portal and opens up the InfoView link via the browser session. This results in a SSO towards InfoView via the SAP logon cookie and the fact that SNC is configured.
>> The SSO to InfoView is based on the token from the portal - not related to SNC.
If Group B tries the same workflow but with a different SAP, BW and Portal. When Group B logs on, they receive an error message because in the CMC the BW backend of Group A has been defined as the default.
>> I assume in this case Group A and Group B are for systems and not real user groups
Is it possible to open the InfoView URL and add the parameters mentioned above in the topic to 'guide' the request to be validated against the SAP backend where the user resides?
>> don't think so and it won't help much as - I assume - you want SSO to all the SAP systems - or ? If so you need to configure SNC and User Aliases.
Ingo
Ingo,
Indeed the SSO is based on the Portal token and the groups are different BW systems. We also want SSO for all SAP systems.
Could you explain me a little bit more on user aliases? Is their no way to 'guide' which BW system to use to verify the SAP user name which is inside the SAP Logon Cookie?
Appriciate your help!
With kind regards,
Martijn van Foeken
Hi,
this then leads to SNC in the background (see Server Side trust in the Installation Guide) and then you create user aliases for th e users.
here is an example for actual client side SNC:
SNC Part 1
/people/ingo.hilgefort/blog/2009/07/03/businessobjects-enterprise-and-client-side-snc-part-1-of-2
SNC Part 2
/people/ingo.hilgefort/blog/2009/07/03/businessobjects-enterprise-and-client-side-snc-part-2-of-2
Ingo
Hi Ingo,
We are having BOBJ XI 3.1, BI 7.0 EHp1 and ECC 6.0.
We enabled SSO between BOBJ & BI using SNC and LDAP as our default authentication for CMC & Infoview and it works fine.
Now we are having scenario that we need to setup SSO between our ECC system & BOBJ as we are going to call opendocument urls from ecc.
So I followed the steps in your BLOG & imported roles from ECC system.
/people/ingo.hilgefort/blog/2008/09/19/businessobjects-and-sap--configure-sap-authentication
After importing roles I am able to see my ECC alias has been attached to BOBJ account in User properties screen.
And I made BI system as my default in SAP authentication Option screen.
I made secSAPR3 as my default authentication in Opendocument web.xml file
But when I access Opendocument url from ECC system its prompting me for login.
Please advice whether its possible to have this kind of dual SSO ?
Thanks
Sai
User | Count |
---|---|
70 | |
11 | |
10 | |
10 | |
9 | |
9 | |
6 | |
6 | |
5 | |
4 |
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.