Skip to Content

Complete SSO overview


The following document is intended to summarize the various SSO options available to users, from authenticating to the BI platform all the way down to the database.  The document does not cover the 'how to' as various white papers exist.

The first table summarizes the various ways the system can perform single sign-on to the web based appplications.

Front End SSOWeb Access PointAD Kerberos SSOSAPSSO2 ticketsTrusted AuthenticationSiteMinder (4.x agent)
BI PortalYesYesYesYes
CMC (4.1 SP6+)
DSWSBOBJEYesNoYes*,web only

-OpenDocument refers to the direct link to report functionality.

-BI Portal is the main portal used to access & view reports

-CMC = Central Management Console

-dswsbobje = web services. 

Note that to support Kerberos SSO, your CMS (Central Management Server) must be installed on a windows machine. 

Trusted Authentication can generally be used for any authentication method which is not natively supported by BI4, such as SAML, x509 etc. 

Thick Clients, such as Crystal Reports Designer, Web Intelligence and others can also be configured for SSO to logon to BI4.  

The following table summarizes this:

ClientAD kerberos
Crystal Reports 2011Yes
Crystal Reports for EnterpriseYes
Webi Rich ClientYes
Information Design ToolYes
Universe DesignerYes
Live OfficeYes
BI WidgetsYes
Dashboard Designer (Xcelsius)Yes

Note that for the Java based clients, you will need to perform some additional steps to support AD SSO, such and configuring a krb5.ini file.  This applies to clients such as Crystal Reports for Enterprise,  Information Design Tool, and Visual Intelligence.  Please refer to the Authentication chapter of the respective client tool for more information. 

The clients can also be further configured further to perform single sign-on to the database, which is elaborated further in tables below.

Once a user has been authenticated to the BI platform, their SSO ticket can in some cases be passed further down to the database for a seamless end to end SSO story.

SSO to database based on Kerberos can be configured for the following databases, note that the user must logon to the BI platform using Active Directory for the kerberos ticket to be passed down to the database.   Note however that this cannot be used for scheduling, as the kerberos ticket will not be available to the system when the user is not online.  For scheduled tasks, the database credentials must be stored.

HANA (not for Olap Analysis)
SQL Server (incl. Analysis Server)
Teradata via ODBC through UNX (4.1 only)

Yes, there are plans to expand this list in the future.

For SAP data access, the following methods can be configured.  You will need to configure the correct method depending on the client tool being used.  "SNC" is configured on the "SNC Settings" tab of the SAP authentication configuration area of the Central Management Console.   "STS (Security Token Service)" is configured on the "Options" tab of the SAP authentication configuration area, in the "SAP SSO Service" section. 


Webi .unv connectionsWebi .unx connections
Universe Design ToolWebi BICS connections
Crystal Reports 2011Crystal Reports for Enterprise
Analysis for Office also supports client side SNC for direct access to BW.Information Design Tool


Analysis for Office
Analysis Olap

In order to gain SSO access to SAP data, a user does NOT have to logon with their SAP credentials.   For an example of how users can authenticate using Active Directory and then single sign-on to SAP systems, please refer to this how to: How to map SAP users and LDAP users in SBO BI4.0 CMC - Business Intelligence (BusinessObjects) - SCN Wiki

The SAP authentication can also be leveraged from thick clients.  A user logging onto Webi Rich Client can leverage STS for example to access BW data. 

HANA SSO summary:

ToolUser/PasswordKerberosSAML (BI 4.1)



Y (1)




Y (1)


Web Intelligence


Y (1)


Crystal Reports 2011


Y (1)


Crystal Reports for Enterprise


Y (1)


Analysis, Edition for Office


Y (1)


Analysis, Edition for OLAP




Lumira in BI LaunchapdNNY

(1) * BI must be running on windows or linux.

SAML to HANA is based on a trust directly between BI4 and HANA.  This does not mean that you can use SAML to signon to BI4 and that same SAML assertion ticket gets passed down to HANA.  BI4 must be configured as a trusted identity provider in HANA. The same users must exist in HANA and BI4.

The Lumira integration into BI Launchpad relies on SAML.  See the Lumira Authentication Options for more details.

What other SSO options do I have?

The BI platform also supports storing database credentials to be used for accessing the database.   In some cases, as with kerberos & offline scheduling, this cannot be avoided.  Also, for database sources which are not currently listed, stored credentials are the best options available at this time.

Can I setup multiple SSO options on a single system?

Yes, with 4.1 SP6 and on, the sso.types.and.order option in your properties allows for setting up fallback SSO options in order.   If some users are configured for AD SSO and others for SAP SSO, you can try AD first and try SAP SSO as fallback.  See note for details.

Useful Links:

Configuring Active Directory Authentication:   Be sure the follow the excellent whitepaper attached to the note.

Configuring Active Directory SSO on unix:

Configuring SAP Authentication and SSO:

How to setup SSO against SAP BW with SAP BO BI4.0 Common Semantic Layer (UNX) or BICS - Business Intelligence (BusinessO…

Configuring OLAP SSO for MSAAS:

Setting up OLAP Microsoft Analysis Service through an XMLA connection with SSO - Business Intelligence (BusinessObjects)…

Setting up HANA and BI for SAML

Configuring SAML with SAP HANA and SAP BusinessObjects 4.1 - Part 1

Setting up Trusted Authentication:




Lumira Authentication Options Lumira Authentication Options

   Lumira Connectivity Matrix  SAP Lumira Connectivity Matrix - Business Intelligence (BusinessObjects) - SCN Wiki

Mobile Server SSO SAP BI Mobile Server Single Sign On Support