Complete SSO overview
The following document is intended to summarize the various SSO options available to users, from authenticating to the BI platform all the way down to the database. The document does not cover the 'how to' as various white papers exist.
The first table summarizes the various ways the system can perform single sign-on to the web-based applications.
|Front End SSO||Web Access Point||AD Kerberos SSO||SAPSSO2 tickets||Trusted Authentication||SiteMinder (4.x agent) |
|CMC (4.1 SP6+)||Yes||Yes||Yes||Yes|
-OpenDocument refers to the direct link to report functionality.
-BI Portal is the main portal used to access & view reports
-CMC = Central Management Console
-dswsbobje = web services.
Note that to support Kerberos SSO, your CMS (Central Management Server) must be installed on a Windows machine.
Trusted Authentication can generally be used for any authentication method which is not natively supported by BI4, such as SAML, X.509, etc.
Thick clients, such as Crystal Reports Designer, Web Intelligence and others, can also be configured for SSO to log on to BI4.
The following table summarizes this:
|Crystal Reports 2011||Yes|
|Crystal Reports for Enterprise||Yes|
|Webi Rich Client||Yes|
|Information Design Tool||Yes|
|Dashboard Designer (Xcelsius)||Yes|
Note that for the Java-based clients, you will need to perform some additional steps to support AD SSO, such as configuring a krb5.ini file. This applies to clients such as Crystal Reports for Enterprise, Information Design Tool, and Visual Intelligence. Please refer to the Authentication chapter of the respective client tool for more information.
The clients can also be configured further to perform single sign-on to the database, which is elaborated in the tables below.
Once a user has been authenticated to the BI platform, their SSO ticket can in some cases be passed further down to the database for a seamless end-to-end SSO story.
SSO to the database based on Kerberos can be configured for the following databases. Note that the user must log on to the BI platform using Active Directory for the Kerberos ticket to be passed down to the database. This cannot be used for scheduling, however, as the Kerberos ticket will not be available to the system when the user is not online. For scheduled tasks, the database credentials must be stored.
|HANA (not for Olap Analysis)|
|SQL Server (incl. Analysis Server)|
|Teradata via ODBC through UNX (4.1 only)|
Yes, there are plans to expand this list in the future.
For SAP data access, the following methods can be configured. You will need to configure the correct method depending on the client tool being used. "SNC" is configured on the "SNC Settings" tab of the SAP authentication configuration area of the Central Management Console. "STS (Security Token Service)" is configured on the "Options" tab of the SAP authentication configuration area, in the "SAP SSO Service" section.
SAP Data SSO
|Webi .unv connections||Webi .unx connections|
|Universe Design Tool||Webi BICS connections|
|Crystal Reports 2011||Crystal Reports for Enterprise|
|Analysis for Office also supports client side SNC for direct access to BW.||Information Design Tool|
|Analysis for Office|
In order to gain SSO access to SAP data, a user does NOT have to log on with their SAP credentials. For an example of how users can authenticate using Active Directory and then single sign-on to SAP systems, please refer to this how-to: How to map SAP users and LDAP users in SBO BI4.0 CMC - Business Intelligence (BusinessObjects) - SCN Wiki
The SAP authentication can also be leveraged from thick clients. A user logging on to Webi Rich Client can leverage STS, for example, to access BW data.
HANA SSO summary:
|Tool||User/Password||Kerberos||SAML (BI 4.1)|
Crystal Reports 2011
Crystal Reports for Enterprise
Analysis, Edition for Office
Analysis, Edition for OLAP
|Lumira in BI Launchpad||N||N||Y|
(1) * BI must be running on Windows or Linux.
SAML to HANA is based on a trust directly between BI4 and HANA. This does not mean that you can use SAML to sign on to BI4 and that same SAML assertion ticket gets passed down to HANA. BI4 must be configured as a trusted identity provider in HANA. The same users must exist in HANA and BI4.
The Lumira integration into BI Launchpad relies on SAML. See the Lumira Authentication Options for more details.
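The HANA side of the BI4-to-HANA SAML trust described above, as an added example that is not part of the original document or of SAP's own instructions. The provider name BI4_IDP, the user JDOE and the certificate subject and issuer strings are placeholders, and the sketch assumes the BI platform's signing certificate has already been added to the HANA trust store.

```sql
-- Added example with placeholder names; none of these values come from the page.
--   BI4_IDP : hypothetical name for the BI4 identity provider entry in HANA
--   JDOE    : hypothetical user that exists in both BI4 and HANA
--   subject / issuer : placeholders for the DNs of the BI4 signing certificate

-- 1. Register BI4 as a trusted SAML identity provider in HANA.
--    HANA accepts only assertions signed by a certificate whose
--    subject and issuer match this entry.
CREATE SAML PROVIDER BI4_IDP
  WITH SUBJECT 'CN=<bi4-certificate-subject>'
  ISSUER 'CN=<bi4-certificate-issuer>';

-- 2. Enable SAML logon for the matching HANA user and map the identity
--    that BI4 asserts to it. Without this mapping the assertion is
--    rejected even though the provider is trusted.
ALTER USER JDOE ENABLE SAML;
ALTER USER JDOE ADD IDENTITY 'JDOE' FOR SAML PROVIDER BI4_IDP;

-- 3. Review the result: which providers HANA trusts, and which HANA
--    users can be reached through each of them.
SELECT * FROM SYS.SAML_PROVIDERS;
SELECT * FROM SYS.SAML_USER_MAPPINGS;
```

The two SELECT statements are worth running periodically: every row in the mapping view is a HANA account that the BI platform can log on as without a password, so privileged HANA users should appear there only when intended.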
What other SSO options do I have?
The BI platform also supports storing database credentials to be used for accessing the database. In some cases, as with Kerberos and offline scheduling, this cannot be avoided. Also, for database sources which are not currently listed, stored credentials are the best option available at this time.
Can I set up multiple SSO options on a single system?
Yes, with 4.1 SP6 and on, the sso.types.and.order option in your properties allows for setting up fallback SSO options in order. If some users are configured for AD SSO and others for SAP SSO, you can try AD first and try SAP SSO as fallback. See note http://service.sap.com/sap/support/notes/2041379 for details.
Configuring Active Directory Authentication: Be sure to follow the excellent whitepaper attached to the note.
Configuring Active Directory SSO on unix:
Configuring SAP Authentication and SSO:
Configuring OLAP SSO for MSAAS:
Setting up HANA and BI for SAML
Setting up Trusted Authentication:
Using QUERY_STRING: http://service.sap.com/sap/support/notes/1593628
Using HTTP_HEADER: http://service.sap.com/sap/support/notes/1603002
Lumira Authentication Options
Lumira Connectivity Matrix SAP Lumira Connectivity Matrix - Business Intelligence (BusinessObjects) - SCN Wiki
Mobile Server SSO SAP BI Mobile Server Single Sign On Support