on 04-08-2016 8:44 AM
Hi experts,
We are currently facing a strange behavior in our BI environments.
We have set up SAP authentication and SSO from BW to BO according to this documentation "How to setup SSO against SAP BW with SAP BO BI4.0"
And it worked fine according to KBA 1767629.
However, since a few days, all the new users for which we have created an Enterprise account aliased with an SAP account fail to leverage the SSO connection to BW data through BICS.
Strangely, we are still able to leverage SSO with all the accounts created a few months ago.
So far, we've checked roles in BW and permissions in BO (all users have the exact same profile) and almost all the steps from note 1976414 seem to be fine.
Any lead on what could be wrong?
Thanks in advance for your expertise.
Regards,
Elodie
Last update on this post before closing it.
I used the BIsupportTool to reconfigure SSO from scratch and it did trick.
So thanks all for your support.
Regards,
Elodie
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.
Hi Sateesh,
I think it is a fairly recent feature of the tool (version 2.0.3).
All you need to do log on to your CMS, and perform an analysis on authentication ("create report" tab). This will tell you if a certificate or a keystore is found. (however, there are records on the SNC saying that the analysis can be bugged).
Then, go to "Authentication wizards" tab and choose SAP. Then select the appropriate wizard and just follow the instructions and spam the "next" button
For the STRUST part, the wizard generates an email and a word tutorial telling your basis team what to do.
I could however find one little negative point to the tool, you cannot set a custom validity for your certificate. But, I am okay with it being a 10-year validity.
Regards,
Elodie
Hi again,
I checked STRUSTSSO2 in BW just to make sure that it wasn't the certificate expiring or something alike.
I noticed that for QA and DEV, there is an error message when I try to switch from Display to Edit mode : "PSE missing on database".
For Production, I can switch mode.
Could that be a new lead?
Thanks for your help.
Elodie
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.
Hi Elodie,
You can follow the link below to configure SSO.
~Swapnil
Hi Elodie,
can you check whether BW sso is working for sap users without assigning / before assigning alias to enterprise user.
if sso is working then there is a problem in assigning alias.
else if sso is not working for sap users then it a problem with configuration.
can you also try assigning alias after updating the entitlement and roles section in sap authentication.
Thanks
Ashraf
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.
HI Elodie ,
Can you try log in using SAP authentication with the user ?
Check connection type using for the OLAP connection ? it could be other than SSO!
I wonder why enterprise alias not getting created for SAP users ? It should work .
any updates happened to your BW systems recently ? If yes , try re configuring SSO as suggested by team .
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.
Hi Sateesh,
OLAP connection works perfectly fine when using SAP authentication.
As for the second point you mentionned, we actually had maintenance on the BO server recently as we installed add-ons (analysis, lumira). However, the issue is only happening on Dev and QA environment, Prod works fine.
I've asked the admin to reconfigure SSO from scratch and will keep you posted.
Regards
Elodie
Hi Elodie,
On top of all the suggestion made by others can you check once for the Timestamp between your BO and BW systems and make sure both are in sync.
Rgds,
Sethu.
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.
Does the new user has "initail" password set at BW.?
Are these user able to login in sap gui and then SSO failing for them in BO?
What is the password policy for these user on BW?
Update the SAP Authentication tab and then try SSO
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.
Hi Raunak kumar,
Please find the answers to your questions:
Does the new user has "initail" password set at BW.?
No, users have been using BW for a while so their passwords have already been changed via SAP LOGON.
Are these user able to login in sap gui and then SSO failing for them in BO?
Actually, connection to BO via SAP authentication works fine. But SSO fails when using AOLAP after a connection via Enterprise authentication.
What is the password policy for these user on BW?
Password never expires
Update the SAP Authentication tab and then try SSO
Pushed "update" button in SAP authentication tab, then updated roles in last tab (though this task is scheduled every hour on our servers).
Hope it helps!
Thanks
Elodie
Hi Elodie,
I would sugegst to try the following steps.
Note: Follow the steps below for only one enterprise user at first.
- Delete the SAP alias of a single problematic user.
- Go to SAP Roles tab and update it.
- Check the same user's properties whether the update of SAP plugin has added an SAP alias to that user or not.
- If added then test the report and connection with SSO.
If you still face the same issue then go with what Rauni has suggested.
~Swapnil
Hi again,
I'm not quite sure I understand the 3rd step.
Check the same user's properties whether the update of SAP plugin has added an SAP alias to that user or not.
Does it mean that the alias should be automatically added to the Enterprise User?
Currently, updating the SAP roles re-creates the BW user with sec:SAP. I have to assign it manually to the Enterprise user.
What am I missing here?
Elodie
Hi Elodie,
Could you please share the screenshots for the below workflows? Also please ensure that you have assigned SAP aliases to the problematic enterprise users.
~Swapnil
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.
User | Count |
---|---|
87 | |
10 | |
10 | |
10 | |
7 | |
6 | |
6 | |
5 | |
5 | |
4 |
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.