
SAP #BOBJ #BI 4.1 Upgrade Webcast Series 6: User Authentication and SSO

Obtain details about the authentication methods that are supported by SAP BusinessObjects BI 4.1 platform and how SSO can be achieved for the available BI clients. Also learn about new options to configure SSO for SAP HANA.

• Learn about the major authentication methods that are supported in BI 4.1
• Learn how to achieve SSO using various SSO mechanisms (e.g. Kerberos, CA Siteminder, SAP SSO tickets, etc.)
• Understand the authentication and SSO options available between BI 4.1 and SAP HANA
• Review authentication options available for BI client tools

Published in: Technology


  1. ©2012 SAP AG. All rights reserved. SAP BusinessObjects BI 4.1 Upgrade Webinar Series: BI 4.1 User Authentication and Single Sign-On. Presenter: Tim Ziemba, SAP Global Support Group. Brought to you by the Customer Experience Group
  2. SAP BusinessObjects BI Platform 4.1 Upgrade Enablement
     • We bring to you all that you need to successfully upgrade to the SAP BusinessObjects BI Platform 4.1.
     • You can find a BI 4.1 Upgrade Overview page on SCN at: http://scn.sap.com/docs/DOC-56525
     • Webinars also complement these published resources: http://scn.sap.com/docs/DOC-56308
  3. BI4 Authentication and SSO
  4. Log on to the Web Tier
     • The following major logon methods are supported, with various methods of SSO:
     • Windows AD
       • SSO achieved through Kerberos, using the Dell Java SSO plug-in
       • Web application server can run on any platform; however, the Central Management Server MUST be on Windows for full AD integration (as of SP05, CMS on Unix/Linux will support using the plug-in combined with trusted authentication to achieve SSO)
     • LDAP
       • SSO is supported via trusted authentication to virtually any 3rd party products
     • SAP
       • SSO achieved by configuring SAP mySAPSSO2 tickets
     • Enterprise
       • Native BI authentication
       • SSO can also be achieved through “Trusted Authentication.”
  5. More About Kerberos SSO
     • Active Directory (AD) SSO into the BI portal or manually logging in with AD username and password allows for SSO to the database; however, there are a few limitations to keep in mind:
       • Scheduling a report will not carry forward the Kerberos ticket (no SSO), even if you choose to “schedule now”
       • It is not possible to set up Kerberos SSO for offline scheduling
       • The CMS and processing servers must be on Windows
     • View time refresh will perform AD SSO to some supported DBs
     • http://service.sap.com/sap/support/notes/1631734
     • http://service.sap.com/sap/support/notes/1869952
  6. LDAP Front-End SSO
     • LDAP SSO can be attained using Trusted Authentication
     • Incoming trusted auth users cannot be used for any further SSO to database; front door entry only
       • Secondary credentials or mix with SAP SSO methods for data access
  7. Web Services
     • Setting up Web services SSO for Windows Active Directory is required to enable SSO for the following clients:
       • LiveOffice
       • Query as a Web Service
       • BI Widgets
       • Crystal Reports for Enterprise
       • Dashboard Designer
       • Analysis for Office
       • Design Studio
     • Setup is similar to configuring BI Launchpad, see SAP Note 1646920
  8. Trusted Authentication
     • With BI’s native Enterprise authentication, it is possible to enable trusted authentication
     • With “Trusted” authentication, BI is TRUSTING the underlying application server to perform the authentication
     • The application server passes a shared secret and a user ID to BI. If the user ID exists in the BI system, a logon session for that user is created
     • This allows most other external authentication methods to be used to log on to BI, such as X.509, SAML, SecurID, SAP NetWeaver SSO, etc.
     • Important note: none of the desktop client tools support Trusted Authentication
  9. Configuring Trusted Authentication
     • There are a number of ways to pass user information in trusted authentication:
       • Web Session
       • HTTP Header
       • URL Query
       • User Principal (new method using JAAS authentication)
       • Remote User (new method using JAAS authentication)
       • Cookies (not recommended, supported for legacy)
     • It is possible to bind a different incoming user ID to an existing user in the BI system using trusted.auth.user.namespace.enabled
       • Will require the user to manually log on first, which will bind their incoming assertion user ID with whatever BI account they log on as
     • Remember, you are TRUSTING the application server, so you must secure the Web application on your app server
  10. New Semantic Layer Connectivity (.unx)
      • Kerberos SSO
        • MS SQL Server
        • Oracle DB
        • SAP HANA
      • Security Token Service (STS, SNC)
        • SAP NetWeaver BW
      • Applicable to the following clients:
        • Crystal Reports for Enterprise
        • Web Intelligence
        • Dashboards
        • Explorer
        • OLAP Analysis
  11. Legacy Semantic Layer (.unv)
      • Kerberos SSO
        • MS SQL Server
        • Oracle DB
      • Server STS, SNC
        • SAP NetWeaver BW
      • Stored user credentials
        • All other databases
      • Applicable to the following clients:
        • Crystal Reports 2011
        • Web Intelligence
  12. Propagating Additional Security
      • Leverage additional information from your IDP like region, department and apply in universe security.
      • Full overview on SCN: http://scn.sap.com/community/bi-platform/blog/2012/07/05/user-attribute-mapping-in-bi4
  13. Mobile
      • Mobile currently uses username and password only
      • The username and password can be saved locally on the device
  14. SAP HANA: What Are My Options?
      • If you are running BI on any OS (Windows, Linux, Unix):
        • Log on to BI Launchpad in any way (SSO or manual)
          • SSO at view time or scheduling using SAML SSO to HANA
      • If you are running BI on Windows:
        • Set up Windows SSO to BI Portal, or manually log on using AD credentials
          • SSO at view time using Exploration view, Semantic Layer (Web Intelligence, Crystal Reports), OLAP Analysis
          • Still no scheduling SSO using Kerberos
      • If you are running BI on SUSE 11 Linux:
        • Configure LDAP connectivity for MS AD
        • Enable Kerberos authentication from your LDAP authentication plug-in
        • Manually log on, then SSO to database possible
      • Any platform, all clients:
        • Set up user database credentials for Direct DB authentication, exposed through CMC
        • Can be scripted
  15. Reporting on HANA: Client and Connectivity Options Using Kerberos SSO
      [Diagram: Web Intelligence, Dashboards, Crystal Reports for Enterprise, Semantic Layer (relational universe UNX), Explorer and CR 2011 connecting to the SAP HANA database over JDBC or ODBC]
  16. HANA SSO Summarized
      Authentication                 | Internal (Direct) | External (Kerberos Delegated) | SAML Trust (with BI 4.1)
      Explorer                       | Y                 | Y (1)                         | Y
      Dashboards                     | Y                 | Y (1)                         | Y
      Web Intelligence               | Y                 | Y (1)                         | Y
      Crystal Reports 2011           | Y                 | Y (1)                         | Y
      Crystal Reports for Enterprise | Y                 | Y (1)                         | Y
      Analysis, Edition for Office   | Y                 | Y (1)                         | Y
      Analysis, Edition for OLAP     | Y                 | N                             | Y
      (1) Support on Linux and Windows platforms only
  17. New option to configure HANA SSO
      • Accessible under Applications, “HANA Authentication”
      • Based on trust configured between BI and HANA
      • Less work to set up than Kerberos
      • User IDs must match between HANA and BI system
      • Works with any type of authentication to BOE: Enterprise, AD, LDAP, SAP, and supports all platforms
      • Based on system trust. HANA trusts BI to do the authentication. Once a user is authenticated to BI, BI creates SAML assertions on behalf of users to pass to HANA for SSO
      • Supported with all BI clients except ZEN and A-Office. ETA SP1 (requires Web service SDK support).
  18. Configuration in the CMC
      • Enter HANA server details
      • Generate a certificate on the BI side to import into the HANA server (copy & paste)
      • Once both systems are set up, the user can test the connection from the CMC directly to validate the setup
  19. HANA certificate import
      • Import certificate into HANA (SPS5)
  20. Summary of HANA authentication
      [Diagram: Individual end users -> BOE Server -> SAP HANA Database]
      • User authenticates against BOE server with one of the mechanisms supported by BOE
      • BOE securely forwards the user identity to SAP HANA with one of the following methods:
        • User name/password
          • SAP HANA database user name/password stored in BOE server
          • Manual synchronization
        • Kerberos (As of SP4), SAP Note 1837331 & 1813724 HANA
          • Users must log on to BOE server using Active Directory authentication
          • BOE server must run on Linux or Microsoft Windows
        • SAML (NEW with 4.1)
          • BOE server acts as identity provider
          • BOE server generates SAML ticket for the user, sends it to the SAP HANA database to validate -> if valid, session will be established for this user
          • Protocol (SAML) is irrelevant here. Just think of trust between systems.
          • Using SSL transport security between BOE and HANA is highly recommended
  21. Database Credentials
      • It is possible to save database credentials to use for SSO using the database’s native authentication
      • These can be automatically captured if the user manually logs on through a configuration option in the authentication plug-in
  22. Web Intelligence: Review Your Options
      • Reporting from SQL Server, Oracle DB
        • Kerberos SSO (Windows only)
        • Saved credentials (all platforms)
        • Predefined credentials (shared user) (all platforms)
      • Reporting from SAP HANA
        • Kerberos SSO (Windows/Linux only)
        • SAML SSO (all platforms)
        • Saved credentials (all platforms)
        • Predefined credentials (shared user) (all platforms)
      • Reporting from SAP NetWeaver BW
        • STS (all platforms: .unx, CR4E, analysis, dashboards)
        • SNC (all platforms: .unv, CR 2011)
        • Saved credentials
          • If logging on to BI with SAP credentials, these can be used for view time refresh (SSO)
  23. OLAP Analysis: Review Your Options
      • Reporting from Microsoft Analysis Services
        • Kerberos SSO (Windows only): requires user to log on manually using AD or to have SSO set up
        • Saved credentials (all platforms)
        • Predefined credentials (shared user) (all platforms)
        • https://websmp230.sap-ag.de/sap/support/notes/1688079 *
      • Reporting from SAP NetWeaver BW
        • STS (all platforms)
      * Requires login credentials to the SAP Service Marketplace
  24. Java Desktop Client Tools: Kerberos SSO
      • The new Information design tool is written in Java
      • This means we need some Java magic to get AD SSO working
      • krb5.ini, bscLogin.conf on the client side
        • Referenced in “C:\Program Files (x86)\SAP BusinessObjects\SAP BusinessObjects Enterprise XI 4.0\win32_x86\InformationDesignTool.ini”
          -Djava.security.auth.login.config=C:\WINNT\bscLogin.conf
          -Djava.security.krb5.conf=C:\WINNT\krb5.ini
      • See SAP Note 1621106
  25. SAP BusinessObjects BI 4.1 Upgrade Webinar Series: BI 4.1 User Authentication and Single Sign-On. Q & A. Brought to you by the Customer Experience Group
  26. Thank you
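
Slides 8 and 9 say that with trusted authentication BI accepts whatever user ID the application server hands over (by HTTP header, URL query or cookie, among others), so the web application has to be secured. The following is an added example, not part of the presentation or of SAP's code: it shows a front-end gateway removing every client-supplied copy of the identity parameter from all three carriers before setting it from its own authentication result. The parameter name `X-BI-User`, the host name, the sample request and the function names are assumptions.

```python
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Hypothetical name: whatever parameter the BI web application is configured
# to read the trusted user ID from. Not taken from the presentation.
TRUSTED_PARAM = "X-BI-User"


def _same_name(name, param):
    # Compare case-insensitively and treat "_" and "-" alike, since some
    # servers fold the two when exposing headers to the application.
    norm = lambda s: s.lower().replace("_", "-")
    return norm(name) == norm(param)


def strip_client_identity(url, headers, cookies, param=TRUSTED_PARAM):
    """Drop every client-supplied copy of the trusted parameter."""
    parts = urlsplit(url)
    query = [(k, v) for k, v in parse_qsl(parts.query, keep_blank_values=True)
             if not _same_name(k, param)]
    clean_url = urlunsplit(parts._replace(query=urlencode(query)))
    clean_headers = {k: v for k, v in headers.items() if not _same_name(k, param)}
    clean_cookies = {k: v for k, v in cookies.items() if not _same_name(k, param)}
    return clean_url, clean_headers, clean_cookies


def forward_as(url, headers, cookies, authenticated_user, param=TRUSTED_PARAM):
    """Build the request the gateway forwards to the BI web application."""
    if not authenticated_user:
        raise PermissionError("no authenticated identity, refusing to forward")
    url, headers, cookies = strip_client_identity(url, headers, cookies, param)
    headers[param] = authenticated_user  # the only copy the app server sees
    return url, headers, cookies


# Constructed sample request in which the client asserts its own identity.
SAMPLE = {
    "url": "https://bi.example.internal/BOE/BI?x-bi-user=Administrator&id=5",
    "headers": {"x_bi_user": "Administrator", "Accept": "text/html"},
    "cookies": {"X-BI-User": "Administrator", "JSESSIONID": "constructed"},
}

if __name__ == "__main__":
    print(forward_as(authenticated_user="jdoe", **SAMPLE))
```

The same rule applies whichever retrieval method is configured: the application server should only be reachable through the component that performs the authentication, and that component overwrites rather than passes through the identity value.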
