SAP #BOBJ #BI 4.1 Upgrade Webcast Series 6: User Authentication and SSO
Posted on 29-Nov-2014
© 2012 SAP AG. All rights reserved.
SAP BusinessObjects BI 4.1 Upgrade Webinar Series
BI 4.1 User Authentication and Single Sign-On
Presenter: Tim Ziemba, SAP Global Support Group
Brought to you by the Customer Experience Group
We bring to you all that you need to successfully upgrade to the SAP BusinessObjects BI Platform 4.1.
You can find a BI 4.1 Upgrade Overview page on SCN at: http://scn.sap.com/docs/DOC-56525
Webinars also complement these published resources: http://scn.sap.com/docs/DOC-56308
SAP BusinessObjects BI Platform 4.1 Upgrade Enablement
BI4 Authentication and SSO
Log on to the Web Tier
• The following major logon methods are supported, with various methods of SSO:
• Windows AD
  – SSO achieved through Kerberos, using the Dell Java SSO plug-in
  – The web application server can run on any platform; however, the Central Management Server MUST be on Windows for full AD integration (as of SP05, a CMS on Unix/Linux will support using the plug-in combined with trusted authentication to achieve SSO)
• LDAP
  – SSO is supported via trusted authentication to virtually any 3rd-party product
• SAP
  – SSO achieved by configuring SAP mySAPSSO2 tickets
• Enterprise
  – Native BI authentication; SSO can also be achieved through “Trusted Authentication.”
More About Kerberos SSO
• Active Directory (AD) SSO into the BI portal, or manually logging in with an AD username and password, allows for SSO to the database; however, there are a few limitations to keep in mind:
  – Scheduling a report will not carry forward the Kerberos ticket (no SSO), even if you choose to “schedule now”
  – It is not possible to set up Kerberos SSO for offline scheduling
  – The CMS and processing servers must be on Windows
• View-time refresh will perform AD SSO to some supported DBs
• http://service.sap.com/sap/support/notes/1631734
• http://service.sap.com/sap/support/notes/1869952
LDAP Front-End SSO
• LDAP SSO can be attained using Trusted Authentication
• Incoming trusted-auth users cannot be used for any further SSO to the database; front-door entry only
  – Use secondary credentials, or mix with SAP SSO methods, for data access
Web Services
• Setting up Web services SSO for Windows Active Directory is required to enable SSO for the following clients:
  – Live Office
  – Query as a Web Service
  – BI Widgets
  – Crystal Reports for Enterprise
  – Dashboard Designer
  – Analysis for Office
  – Design Studio
• Setup is similar to configuring BI Launchpad; see SAP Note 1646920
Trusted Authentication
With BI’s native Enterprise authentication, it is possible to enable trusted authentication
With “Trusted” authentication, BI is TRUSTING the underlying application server to perform the authentication
The application server passes a shared secret and a user ID to BI. If the user ID exists in the BI system, a logon session for that user is created
This allows most other external authentication methods to be used to log on to BI, such as X.509, SAML, SecurID, SAP NetWeaver SSO, etc.
Important Note: none of the desktop client tools support Trusted Authentication
Configuring Trusted Authentication
• There are a number of ways to pass user information in trusted authentication:
  – Web Session
  – HTTP Header
  – URL Query
  – User Principal (new method using JAAS authentication)
  – Remote User (new method using JAAS authentication)
  – Cookies: not recommended, supported for legacy
• It is possible to bind a different incoming user ID to an existing user in the BI system using trusted.auth.user.namespace.enabled
  – This requires the user to manually log on first, which binds their incoming assertion user ID to whatever BI account they log on as
• Remember, you are TRUSTING the application server, so you must secure the Web application on your app server
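The trusted-authentication flow from the two slides above (Trusted Authentication and Configuring Trusted Authentication), modelled in Python as an added example; this is not SAP's code. The secured web tier authenticates the user, discards any identity header the browser supplied, sets that header itself and forwards it with the shared secret to BI, which opens a session only for an account it knows. The names TrustedAuthGateway, BI_USERS and the X-BI-USER header are assumptions standing in for the product's own configuration, and the binding logic follows the slide's description of trusted.auth.user.namespace.enabled.

```python
"""Model of BI trusted authentication as the slides describe it: the web
application server authenticates the user, then passes a shared secret and a
user ID to BI, which opens a session only if the secret matches and that user
exists. Added example with constructed data, not SAP's implementation; the
names TrustedAuthGateway, BI_USERS and the X-BI-USER header are assumptions
standing in for the product's own configuration."""
import hmac
from typing import Optional

# Constructed BI (Enterprise) user directory: account name -> display name.
BI_USERS = {"jdoe": "Jane Doe", "tziemba": "Tim Ziemba"}

# Constructed shared secret. In a deployment it lives in server-side
# configuration on both sides and never travels in anything the browser shapes.
SHARED_SECRET = "constructed-shared-secret"


class TrustedAuthGateway:
    """BI side of trusted authentication, using the HTTP Header method."""

    def __init__(self, shared_secret: str, namespace_enabled: bool = False):
        self.shared_secret = shared_secret
        # Models trusted.auth.user.namespace.enabled: when on, an incoming
        # assertion ID is honoured only after a manual logon bound it to a
        # BI account. bindings maps incoming ID -> BI account.
        self.namespace_enabled = namespace_enabled
        self.bindings = {}

    def _secret_ok(self, presented: str) -> bool:
        # Constant-time comparison so a wrong secret cannot be probed by timing.
        return hmac.compare_digest(presented.encode(), self.shared_secret.encode())

    def logon_trusted(self, headers: dict, presented_secret: str) -> Optional[str]:
        """Return the BI account a session is created for, or None."""
        if not self._secret_ok(presented_secret):
            return None
        incoming = headers.get("X-BI-USER")
        if incoming is None:
            return None
        if self.namespace_enabled:
            incoming = self.bindings.get(incoming)
            if incoming is None:
                return None  # not bound yet: a manual logon is required first
        return incoming if incoming in BI_USERS else None

    def logon_manual(self, bi_user: str, password_ok: bool,
                     assertion_id: Optional[str] = None) -> Optional[str]:
        """Manual Enterprise logon. With namespace binding on, the assertion
        ID presented alongside is bound to the account the user logged on as."""
        if not password_ok or bi_user not in BI_USERS:
            return None
        if self.namespace_enabled and assertion_id:
            self.bindings[assertion_id] = bi_user
        return bi_user


def build_headers(client_headers: dict, authenticated_principal: Optional[str]) -> dict:
    """Edge of the secured web application: discard any identity header the
    client sent, then set it from the principal the app server itself
    authenticated. Without this step BI would trust whatever name a client
    wrote into the header."""
    headers = {k: v for k, v in client_headers.items() if k.upper() != "X-BI-USER"}
    if authenticated_principal is not None:
        headers["X-BI-USER"] = authenticated_principal
    return headers


if __name__ == "__main__":
    gw = TrustedAuthGateway(SHARED_SECRET)
    # Unauthenticated client naming another user: no session.
    print(gw.logon_trusted(build_headers({"X-BI-USER": "tziemba"}, None), SHARED_SECRET))
    # App server authenticated jdoe: session for jdoe.
    print(gw.logon_trusted(build_headers({"X-BI-USER": "tziemba"}, "jdoe"), SHARED_SECRET))
```

The design point is that the secret only proves the request came from the app server; the header value is trusted as-is, so the app server's own filtering of client-supplied headers is what keeps the "front door" honest.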
New Semantic Layer Connectivity (.unx)
• Kerberos SSO
  – MS SQL Server
  – Oracle DB
  – SAP HANA
• Security Token Service (STS, SNC)
  – SAP NetWeaver BW
• Applicable to the following clients:
  – Crystal Reports for Enterprise
  – Web Intelligence
  – Dashboards
  – Explorer
  – OLAP Analysis
Legacy Semantic Layer (.unv)
• Kerberos SSO
  – MS SQL Server
  – Oracle DB
• Server STS, SNC
  – SAP NetWeaver BW
• Stored user credentials
  – All other databases
• Applicable to the following clients:
  – Crystal Reports 2011
  – Web Intelligence
Propagating Additional Security
Leverage additional information from your IdP, such as region and department, and apply it in universe security.
Full overview on SCN: http://scn.sap.com/community/bi-platform/blog/2012/07/05/user-attribute-mapping-in-bi4
Mobile
• Mobile currently uses username and password only
• The username and password can be saved locally on the device
SAP HANA: What Are My Options?
• If you are running BI on any OS (Windows, Linux, Unix):
  – Log on to BI Launchpad in any way (SSO or manual)
    — SSO at view time or scheduling using SAML SSO to HANA
• If you are running BI on Windows:
  – Set up Windows SSO to the BI portal, or manually log on using AD credentials
    — SSO at view time using Exploration views, the Semantic Layer (Web Intelligence, Crystal Reports) and OLAP Analysis
    — Still no scheduling SSO using Kerberos
• If you are running BI on SUSE 11 Linux:
  – Configure LDAP connectivity for MS AD
  – Enable Kerberos authentication from your LDAP authentication plug-in
  – Manually log on; SSO to the database is then possible
• Any platform, all clients:
  – Set up user database credentials for direct DB authentication, exposed through the CMC
  – Can be scripted
Reporting on HANA: Client and Connectivity Options Using Kerberos SSO
[Diagram: Web Intelligence, Dashboards and Crystal Reports for Enterprise go through the Semantic Layer (relational universe UNX), and Explorer and Crystal Reports 2011 connect directly; all reach the SAP HANA Database over JDBC or ODBC.]
HANA SSO Summarized
Client / Authentication         Internal (Direct)   External (Kerberos Delegated)   SAML Trust (with BI 4.1)
Explorer                        Y                   Y (1)                           Y
Dashboards                      Y                   Y (1)                           Y
Web Intelligence                Y                   Y (1)                           Y
Crystal Reports 2011            Y                   Y (1)                           Y
Crystal Reports for Enterprise  Y                   Y (1)                           Y
Analysis, Edition for Office    Y                   Y (1)                           Y
Analysis, Edition for OLAP      Y                   N                               Y
(1) Support on Linux and Windows platforms only
New option to configure HANA SSO
• Accessible under Applications, “HANA Authentication”
• Based on trust configured between BI and HANA
• Less work to set up than Kerberos
• User IDs must match between the HANA and BI systems
• Works with any type of authentication to BOE (Enterprise, AD, LDAP, SAP) and supports all platforms
• Based on system trust: HANA trusts BI to do the authentication. Once a user is authenticated to BI, BI creates SAML assertions on behalf of the user to pass to HANA for SSO
• Supported with all BI clients except ZEN and A-Office; ETA SP1 (requires Web service SDK support)
Configuration in the CMC
Enter the HANA server details
Generate a certificate on the BI side to import into the HANA server (copy & paste)
Once both systems are set up, the user can test the connection from the CMC directly to validate the setup
HANA certificate import
Import Certificate into HANA (SPS5)
Summary of HANA authentication
[Diagram: individual end users -> BOE Server -> SAP HANA Database]
The user authenticates against the BOE server with one of the mechanisms supported by BOE
1. BOE securely forwards the user identity to SAP HANA with one of the following methods:
  – User name/password
    o SAP HANA database user name/password stored in the BOE server
    o Manual synchronization
  – Kerberos (as of SP4); see SAP Notes 1837331 & 1813724 (HANA)
    o Users must log on to the BOE server using Active Directory authentication
    o The BOE server must run on Linux or Microsoft Windows
  – SAML (NEW with 4.1)
    o The BOE server acts as identity provider
    o The BOE server generates a SAML ticket for the user and sends it to the SAP HANA database to validate -> if valid, a session will be established for this user
      • The protocol (SAML) is irrelevant here; just think of trust between systems
    o Using SSL transport security between BOE and HANA is highly recommended
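The SAML leg of the summary above, with both sides' messages, as an added Python example that is not SAP's code: BOE acts as identity provider and issues a short-lived assertion for the BI-authenticated user; HANA accepts it only if the issuer is in its trust store, the signature verifies, the audience and validity window fit, the assertion has not been seen before, and a HANA user with exactly that ID exists (the slides' "user IDs must match"). The signing key shared between the two classes is a stand-in for the certificate generated in the CMC and imported into HANA; a real deployment uses an XML signature with that certificate. BoeIdentityProvider, HanaSamlVerifier, HANA_USERS and the assertion field names are assumptions.

```python
"""Model of the BI 4.1 -> SAP HANA SAML trust flow. Added example with
constructed data, not SAP's code. An HMAC key shared by both sides stands in
for the BI certificate that HANA imports; the field names are assumptions."""
import hashlib
import hmac
import json
import time
import uuid
from typing import Optional

# Constructed HANA user catalogue. SAML SSO only works when the BI user ID
# matches a HANA user ID exactly.
HANA_USERS = {"jdoe", "tziemba"}
TRUST_KEY = b"constructed-trust-key"   # stand-in for the imported certificate


def _sign(body: dict, key: bytes) -> str:
    """Canonicalise the assertion body and MAC it (stand-in for XML-DSig)."""
    canonical = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, canonical, hashlib.sha256).hexdigest()


class BoeIdentityProvider:
    """BOE side: issues assertions for users it has already authenticated."""

    def __init__(self, issuer: str, key: bytes, ttl_seconds: int = 120):
        self.issuer, self.key, self.ttl = issuer, key, ttl_seconds

    def issue(self, bi_user: str, audience: str, now: Optional[float] = None) -> dict:
        now = time.time() if now is None else now
        body = {
            "id": uuid.uuid4().hex,       # unique per assertion, lets HANA reject replays
            "issuer": self.issuer,
            "subject": bi_user,           # BI user ID, passed through unchanged
            "audience": audience,         # the HANA system this is meant for
            "issue_instant": now,
            "not_on_or_after": now + self.ttl,
        }
        return {"body": body, "sig": _sign(body, self.key)}


class HanaSamlVerifier:
    """HANA side: opens a session only for assertions from a trusted issuer."""

    def __init__(self, audience: str, trusted_issuers: dict):
        self.audience = audience
        self.trusted_issuers = trusted_issuers   # issuer -> key (the trust store)
        self.seen_ids = set()

    def validate(self, assertion: dict, now: Optional[float] = None) -> str:
        """Return the HANA user to open a session for, or raise ValueError."""
        now = time.time() if now is None else now
        body, sig = assertion["body"], assertion["sig"]
        key = self.trusted_issuers.get(body.get("issuer"))
        if key is None:
            raise ValueError("issuer not trusted")
        if not hmac.compare_digest(sig, _sign(body, key)):
            raise ValueError("bad signature")
        if body["audience"] != self.audience:
            raise ValueError("assertion not meant for this HANA system")
        if not body["issue_instant"] <= now < body["not_on_or_after"]:
            raise ValueError("assertion expired or not yet valid")
        if body["id"] in self.seen_ids:
            raise ValueError("replayed assertion")
        if body["subject"] not in HANA_USERS:
            raise ValueError("no HANA user matches " + body["subject"])
        self.seen_ids.add(body["id"])
        return body["subject"]


def session_user(verifier: HanaSamlVerifier, assertion: dict,
                 now: Optional[float] = None) -> Optional[str]:
    """Convenience wrapper: the user to log in, or None when HANA rejects it."""
    try:
        return verifier.validate(assertion, now)
    except ValueError:
        return None


if __name__ == "__main__":
    idp = BoeIdentityProvider("BOE-SERVER", TRUST_KEY)
    hana = HanaSamlVerifier("HANA-DB", {"BOE-SERVER": TRUST_KEY})
    print(session_user(hana, idp.issue("jdoe", "HANA-DB")))      # jdoe
    print(session_user(hana, idp.issue("nobody", "HANA-DB")))    # None: no matching HANA user
```

The checks mirror what the slide calls "trust between systems": HANA never sees a password, so everything rests on the issuer key, the validity window and the replay cache; the SSL recommendation on the slide is what keeps the assertion from being captured in transit.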
Database Credentials
• It is possible to save database credentials to use for SSO using the database’s native authentication
• These can be automatically captured when the user manually logs on, through a configuration option in the authentication plug-in
Web Intelligence: Review Your Options
• Reporting from SQL Server, Oracle DB
  – Kerberos SSO (Windows only)
  – Saved credentials (all platforms)
  – Predefined credentials (shared user) – (all platforms)
• Reporting from SAP HANA
  – Kerberos SSO (Windows/Linux only)
  – SAML SSO (all platforms)
  – Saved credentials (all platforms)
  – Predefined credentials (shared user) – (all platforms)
• Reporting from SAP NetWeaver BW
  – STS (all platforms – .unx, CR4E, Analysis, Dashboards)
  – SNC (all platforms – .unv, CR 2011)
  – Saved credentials
    — If logging on to BI with SAP credentials, these can be used for view-time refresh (SSO)
OLAP Analysis: Review Your Options
• Reporting from Microsoft Analysis Services
  – Kerberos SSO (Windows only) – requires the user to log on manually using AD, or to have SSO set up
  – Saved credentials (all platforms)
  – Predefined credentials (shared user) – (all platforms)
  – https://websmp230.sap-ag.de/sap/support/notes/1688079 *
• Reporting from SAP NetWeaver BW
  – STS (all platforms)
* Requires login credentials to the SAP Service Marketplace
Java Desktop Client Tools – Kerberos SSO
The new Information Design Tool is written in Java
This means some Java-side configuration is needed to get AD SSO working
• Krb5.ini and bscLogin.conf on the client side
  – Referenced in “C:\Program Files (x86)\SAP BusinessObjects\SAP BusinessObjects Enterprise XI 4.0\win32_x86\InformationDesignTool.ini”:
    -Djava.security.auth.login.config=C:\WINNT\bscLogin.conf
    -Djava.security.krb5.conf=C:\WINNT\krb5.ini
• See SAP Note 1621106
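A preflight check for the client-side setup on this slide, added here as an example and not SAP's tooling: it reads the -D options from the tool's .ini, parses the krb5.ini they point at (sections, key = value pairs and the REALM = { ... } blocks under [realms]) and confirms that bscLogin.conf names a Krb5LoginModule entry, reporting the misconfigurations that most often stop the Java login module from obtaining a ticket. The three file contents are constructed samples; the realm EXAMPLE.COM, the KDC host, the com.sun.security.jgss.krb5.initiate entry name and the useTicketCache option are assumptions to be replaced with the values from SAP Note 1621106 and your own AD environment.

```python
"""Preflight check for the Java client-tool Kerberos configuration: the .ini
passes -Djava.security.krb5.conf and -Djava.security.auth.login.config, which
point at krb5.ini and bscLogin.conf. Added example, not SAP's tooling; the
file contents below are constructed and the realm, KDC and JAAS entry are
assumptions."""
import re

# Constructed contents of the three files named on the slide.
IDT_INI = """-Djava.security.auth.login.config=C:\\WINNT\\bscLogin.conf
-Djava.security.krb5.conf=C:\\WINNT\\krb5.ini
"""

KRB5_INI = """[libdefaults]
default_realm = EXAMPLE.COM
dns_lookup_kdc = true
udp_preference_limit = 1

[realms]
EXAMPLE.COM = {
  kdc = dc01.example.com
  default_domain = example.com
}

[domain_realm]
.example.com = EXAMPLE.COM
"""

BSCLOGIN_CONF = """com.sun.security.jgss.krb5.initiate {
  com.sun.security.auth.module.Krb5LoginModule required useTicketCache=true;
};
"""


def jvm_options(ini_text: str) -> dict:
    """Collect the -Dname=value lines from the client tool's .ini file."""
    opts = {}
    for line in ini_text.splitlines():
        m = re.match(r"-D([^=]+)=(.*)$", line.strip())
        if m:
            opts[m.group(1)] = m.group(2)
    return opts


def parse_krb5(text: str) -> dict:
    """Minimal parser for MIT-style krb5.ini: [section] headers, key = value
    lines, and one level of NAME = { ... } blocks (as used under [realms])."""
    conf, section, block = {}, None, None
    for raw in text.splitlines():
        line = raw.split("#")[0].strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
            conf[section] = {}
        elif line.endswith("{"):
            block = line[:-1].split("=")[0].strip()
            conf[section][block] = {}
        elif line == "}":
            block = None
        elif "=" in line:
            key, value = (s.strip() for s in line.split("=", 1))
            target = conf[section][block] if block else conf[section]
            target[key] = value
    return conf


def check_client_sso(idt_ini: str, krb5_text: str, jaas_text: str) -> list:
    """Return a list of findings; an empty list means the setup looks sane."""
    findings = []
    opts = jvm_options(idt_ini)
    for name in ("java.security.krb5.conf", "java.security.auth.login.config"):
        if name not in opts:
            findings.append("missing -D%s in the client .ini" % name)
    krb = parse_krb5(krb5_text)
    libdefaults = krb.get("libdefaults", {})
    realm = libdefaults.get("default_realm")
    if not realm:
        findings.append("krb5.ini has no default_realm")
    else:
        if realm != realm.upper():
            findings.append("default_realm %s is not upper case; realm names are case-sensitive" % realm)
        realm_block = krb.get("realms", {}).get(realm, {})
        # A kdc entry is only optional when the KDC is located through DNS SRV records.
        if "kdc" not in realm_block and libdefaults.get("dns_lookup_kdc", "").lower() != "true":
            findings.append("no kdc for realm %s and dns_lookup_kdc is not true" % realm)
    if "Krb5LoginModule" not in jaas_text:
        findings.append("bscLogin.conf does not reference Krb5LoginModule")
    return findings


if __name__ == "__main__":
    for finding in check_client_sso(IDT_INI, KRB5_INI, BSCLOGIN_CONF) or ["OK"]:
        print(finding)
```

Run it against the real files before chasing SSO failures in the tool itself; a lower-case realm or a missing -D option explains a large share of "no valid credentials" errors from the Java login module.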
SAP BusinessObjects BI 4.1 Upgrade Webinar Series
BI 4.1 User Authentication and Single Sign-On
Q & A
Brought to you by the Customer Experience Group
Thank you