SAP #BOBJ #BI 4.1 Upgrade Webcast Series 6: User Authentication and SSO
©2012 SAP AG. All rights reserved.
SAP BusinessObjects BI 4.1 Upgrade Webinar Series BI 4.1 User Authentication and Single Sign-On Presenter: Tim Ziemba SAP Global Support Group
Brought to you by the Customer Experience Group
SAP BusinessObjects BI Platform 4.1 Upgrade Enablement
We bring to you all that you need to successfully upgrade to the SAP BusinessObjects BI Platform 4.1.
You can find a BI 4.1 Upgrade Overview page on SCN at: http://scn.sap.com/docs/DOC-56525
Webinars also complement these published resources: http://scn.sap.com/docs/DOC-56308
Log on to the Web Tier
•The following major logon methods are supported, with various methods of SSO:
•Windows AD
SSO achieved through Kerberos, using the Dell Java SSO plug-in
Web application server can run on any platform; however, the Central Management Server MUST be on Windows for full AD integration (as of SP05, a CMS on Unix/Linux supports SSO by combining the plug-in with trusted authentication)
•LDAP
SSO is supported via trusted authentication to virtually any 3rd party products
•SAP
SSO achieved by configuring SAP mySAPSSO2 tickets
•Enterprise
Native BI authentication SSO can also be achieved through “Trusted Authentication.”
More About Kerberos SSO
•Active Directory (AD) SSO into the BI portal or manually logging in with AD username and password allows for SSO to the database; however, there are a few limitations to keep in mind:
Scheduling a report will not carry forward the Kerberos ticket (no SSO), even if you choose to “schedule now”
It is not possible to set up Kerberos SSO for offline scheduling
The CMS and processing servers must be on Windows
•View time refresh will perform AD SSO to some supported DB’s
•http://service.sap.com/sap/support/notes/1631734
•http://service.sap.com/sap/support/notes/1869952
LDAP Front-End SSO
•LDAP SSO can be attained using Trusted Authentication
•Incoming trusted auth users cannot be used for any further SSO to database; front door entry only
Use secondary (stored) credentials, or combine with the SAP SSO methods, for data access
Web Services
•Setting up Web services SSO for Windows Active Directory is required to enable SSO for the following clients:
LiveOffice
Query as a Web Services
BI Widgets
Crystal Reports for Enterprise
Dashboard Designer
Analysis for Office
Design Studio
•Setup is similar to configuring BI Launchpad; see SAP Note 1646920
Trusted Authentication
With BI’s native Enterprise authentication, it is possible to enable trusted authentication
With “Trusted” authentication, BI is TRUSTING underlying application server to perform the authentication
The application server passes a shared secret and a user ID to BI. If the user ID exists in the BI system, a logon session for that user is created
This allows most other external authentication methods to be used to log on to BI, such as X.509, SAML, SecurID, SAP NetWeaver SSO, etc.
Important Note: none of the desktop client tools support Trusted Authentication
Configuring Trusted Authentication
•There are a number of ways to pass user information in trusted authentication
Web Session
HTTP Header
URL Query
User Principal (new method using JAAS authentication)
Remote User (new method using JAAS authentication)
Cookies not recommended, supported for legacy
•It is possible to bind a different incoming user ID to an existing user in the BI system using trusted.auth.user.namespace.enabled
•This requires the user to log on manually first, which binds their incoming assertion user ID to whichever BI account they log on as
•Remember, you are TRUSTING the application server, so you must secure the Web application on your app server
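The trusted-authentication exchange described on the two slides above (the application server presents a shared secret plus a user ID taken from a web session attribute, HTTP header or URL query; BI opens a session only if that user exists; with namespace binding the incoming ID is first tied to a BI account by a manual logon), modelled as an added Python illustration. This is not SAP code and does not use the BI SDK: the receiver class, the retrieval-method constants, the header name X-Asserted-User and the shared-secret value are all constructed for the example.

```python
"""Conceptual model of BI trusted authentication (added illustration, not SAP code).

The application server has already authenticated the user and forwards a
shared secret plus the asserted user ID. The BI side checks the secret,
resolves the user (optionally through a namespace binding) and opens a session.
"""
import hmac
import secrets
from dataclasses import dataclass, field

# Constructed placeholder standing in for the secret configured on the BI side.
SHARED_SECRET = "constructed-demo-shared-secret"


def extract_user_id(request: dict, method: str, name: str):
    """Read the asserted user ID from the one place BI is configured to look.

    method: "WEB_SESSION", "HTTP_HEADER" or "URL_QUERY" (the retrieval options
            named on the slide; these constant names are this model's own).
    name:   the attribute, header or parameter carrying the user ID.
    """
    source = {"WEB_SESSION": "session", "HTTP_HEADER": "headers", "URL_QUERY": "query"}[method]
    return request.get(source, {}).get(name)


@dataclass
class TrustedAuthReceiver:
    shared_secret: str
    users: set                              # Enterprise accounts that exist in BI
    method: str = "HTTP_HEADER"
    name: str = "X-Asserted-User"           # constructed header name
    namespace_binding: bool = False         # models trusted.auth.user.namespace.enabled
    bindings: dict = field(default_factory=dict)   # incoming ID -> BI account
    sessions: dict = field(default_factory=dict)   # session token -> BI account

    def manual_logon(self, bi_user: str, incoming_id: str):
        """A manual Enterprise logon; with namespace binding on it records which
        incoming assertion ID maps to this BI account (password check omitted)."""
        if bi_user not in self.users:
            return None, "user does not exist in BI"
        if self.namespace_binding:
            self.bindings[incoming_id] = bi_user
        return self._open_session(bi_user), "ok"

    def trusted_logon(self, request: dict):
        """Trusted logon: secret check, user-ID retrieval, optional binding, existence check."""
        presented = request.get("secret", "")
        # Constant-time comparison: the shared secret is the entire trust boundary.
        if not hmac.compare_digest(presented.encode(), self.shared_secret.encode()):
            return None, "shared secret mismatch"
        incoming = extract_user_id(request, self.method, self.name)
        if not incoming:
            return None, "no user ID in configured location"
        account = incoming
        if self.namespace_binding:
            account = self.bindings.get(incoming)
            if account is None:
                return None, "no binding yet: user must log on manually first"
        if account not in self.users:
            return None, "user does not exist in BI"
        return self._open_session(account), "ok"

    def _open_session(self, account: str) -> str:
        token = secrets.token_hex(16)
        self.sessions[token] = account
        return token


if __name__ == "__main__":
    bi = TrustedAuthReceiver(SHARED_SECRET, {"jdoe", "asmith"})
    print(bi.trusted_logon({"secret": SHARED_SECRET, "headers": {"X-Asserted-User": "jdoe"}}))
    print(bi.trusted_logon({"secret": "guess", "headers": {"X-Asserted-User": "jdoe"}}))
```

The model makes the slide's warning concrete: every check after the secret comparison assumes the asserting side is honest, so anyone who can send requests to the BI web application with the secret can obtain a session for any existing user. That is why the secret must stay server-side and the web application itself must be locked down.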
New Semantic Layer Connectivity (.unx)
•Kerberos SSO
MS SQL Server
Oracle DB
SAP HANA
•Security Token Service (STS, SNC)
SAP NetWeaver BW
•Applicable to the following clients:
Crystal Reports for Enterprise
Web Intelligence
Dashboards
Explorer
OLAP Analysis
Legacy Semantic Layer (.unv)
•Kerberos SSO
MS SQL Server
Oracle DB
•Server STS, SNC
SAP NetWeaver BW
•Stored user credentials
All other databases
•Applicable to the following clients:
Crystal Reports 2011
Web Intelligence
Propagating Additional Security
Leverage additional information from your IDP like region, department and apply in universe security.
Full overview on SCN: http://scn.sap.com/community/bi-platform/blog/2012/07/05/user-attribute-mapping-in-bi4
Mobile
•Mobile currently uses username and password only
•The username and password can be saved locally on the device
SAP HANA: What Are My Options?
•If you are running BI on any OS (Windows, Linux, Unix)
Log on to BI Launchpad in any way (SSO or manual)
—SSO at view time or scheduling using SAML SSO to HANA
•If you are running BI on Windows:
Set up Windows SSO to BI Portal, or manually log on using AD credentials
—SSO at view time using Exploration view, Semantic Layer (Web Intelligence, Crystal Reports), OLAP Analysis
—Still no scheduling SSO using Kerberos
•If you are running BI on SUSE 11 Linux:
Configure LDAP connectivity for MS AD
Enable Kerberos authentication from your LDAP authentication plug-in
Manually log on, then SSO to database possible
•Any platform, all clients:
Set up user database credentials for Direct DB authentication, exposed through CMC
Can be scripted
Reporting on HANA: Client and Connectivity Options Using Kerberos SSO
[Diagram: the clients Web Intelligence, Dashboards, Crystal Reports for Enterprise, Explorer and CR 2011, the Semantic Layer (relational universe UNX) and the SAP HANA Database, linked by JDBC and ODBC connections]
HANA SSO Summarized
Client                          Internal (Direct)   External (Kerberos Delegated)   SAML Trust (with BI 4.1)
Explorer                        Y                   Y (1)                           Y
Dashboards                      Y                   Y (1)                           Y
Web Intelligence                Y                   Y (1)                           Y
Crystal Reports 2011            Y                   Y (1)                           Y
Crystal Reports for Enterprise  Y                   Y (1)                           Y
Analysis, Edition for Office    Y                   Y (1)                           Y
Analysis, Edition for OLAP      Y                   N                               Y
(1) Support on Linux and Windows platforms only
New option to configure HANA SSO
•Accessible under Applications, “HANA Authentication”
•Based on trust configured between BI and HANA
•Less work to set up than Kerberos
•User IDs must match between the HANA and BI systems
•Works with any type of authentication to BOE (Enterprise, AD, LDAP, SAP) and supports all platforms
•Based on system trust: HANA trusts BI to do the authentication. Once a user is authenticated to BI, BI creates SAML assertions on behalf of users to pass to HANA for SSO
•Supported with all BI clients except ZEN and A-Office. ETA SP1 (requires Web service SDK support).
Configuration in the CMC
Enter HANA server details
Generate a certificate on the BI side to import into the HANA server. (copy & paste)
Once both systems are set up, the user can test the connection from the CMC directly to validate the setup.
HANA certificate import
Import Certificate into HANA (SPS5)
Summary of HANA authentication
[Diagram: individual end users, the BOE server and the SAP HANA Database]
1. User authenticates against the BOE server with one of the mechanisms supported by BOE
2. BOE securely forwards the user identity to SAP HANA with one of the following methods
–User name/password
oSAP HANA database user name/password stored in the BOE server
oManual synchronization
–Kerberos (as of SP4; see SAP Notes 1837331 and 1813724)
oUsers must log on to the BOE server using Active Directory authentication
oBOE server must run on Linux or Microsoft Windows
–SAML (NEW with 4.1)
oBOE server acts as identity provider
oBOE server generates a SAML ticket for the user and sends it to the SAP HANA database to validate; if valid, a session is established for this user
•The protocol (SAML) is irrelevant here; just think of trust between systems.
oUsing SSL transport security between BOE and HANA is highly recommended
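The SAML trust between BI and HANA summarized above (BI acts as identity provider for an already-authenticated user; HANA validates the assertion against the BI certificate imported earlier and requires a HANA user of the same name, as the "New option to configure HANA SSO" slide states), modelled as an added Python illustration. It is not SAP or HANA code: the real exchange uses an XML-signed SAML assertion verified with the imported X.509 certificate, and this model stands in a key shared out of band and an HMAC for that signature, so the sequence of checks is faithful but the cryptography is a substitute. Issuer names, user names and the key are constructed.

```python
"""Model of the BI 4.1 -> SAP HANA SAML trust (added illustration, not SAP code).

The imported BI certificate is modelled by a key that HANA holds per trusted
issuer, and the XML signature by an HMAC over a canonical form of the assertion.
"""
import hashlib
import hmac
import json
import time


def _canonical(body: dict) -> bytes:
    # Deterministic serialisation so issuer and verifier hash identical bytes.
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


class BIIdentityProvider:
    """The BOE side: issues an assertion for a user who already logged on to BI."""

    def __init__(self, issuer_id: str, signing_key: bytes):
        self.issuer_id = issuer_id
        self.signing_key = signing_key

    def issue_assertion(self, bi_user: str, now=None, lifetime_s: int = 60) -> dict:
        now = time.time() if now is None else now
        body = {
            "issuer": self.issuer_id,
            "subject": bi_user,              # must equal the HANA user name
            "not_before": now,
            "not_on_or_after": now + lifetime_s,
        }
        signature = hmac.new(self.signing_key, _canonical(body), hashlib.sha256).hexdigest()
        return {"body": body, "signature": signature}


class HanaSamlValidator:
    """The HANA side: trusts only issuers whose key material was imported."""

    def __init__(self, trusted_issuers: dict, db_users: set):
        self.trusted_issuers = trusted_issuers   # issuer id -> verification key
        self.db_users = db_users                 # HANA database users

    def validate(self, assertion: dict, now=None):
        """Return (user, "ok") for a valid assertion, else (None, reason)."""
        now = time.time() if now is None else now
        body = assertion.get("body", {})
        key = self.trusted_issuers.get(body.get("issuer"))
        if key is None:
            return None, "issuer not trusted"
        expected = hmac.new(key, _canonical(body), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, assertion.get("signature", "")):
            return None, "signature invalid"
        if not (body["not_before"] <= now < body["not_on_or_after"]):
            return None, "assertion outside validity window"
        user = body["subject"]
        if user not in self.db_users:
            return None, "no matching HANA user"
        return user, "ok"


if __name__ == "__main__":
    key = b"constructed-trust-key"
    idp = BIIdentityProvider("BI-PLATFORM-01", key)
    hana = HanaSamlValidator({"BI-PLATFORM-01": key}, {"jdoe"})
    print(hana.validate(idp.issue_assertion("jdoe")))
    print(hana.validate(idp.issue_assertion("ghost")))
```

Two consequences of the slide's "trust between systems" follow directly from the model: the signature binds the subject, so a relayed assertion cannot be retargeted to another user, but the check for a matching HANA user is the only thing tying the BI identity to database privileges, which is why user IDs must match between the two systems and why the BI server that holds the signing key must be protected as carefully as the HANA credentials it replaces.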
Database Credentials
•It is possible to save database credentials to use for SSO using the database’s native authentication
•These can be captured automatically when the user logs on manually, through a configuration option in the authentication plug-in
Web Intelligence: Review Your Options
•Reporting from SQL Server, Oracle DB
Kerberos SSO (Windows only)
Saved credentials (all platforms)
Predefined credentials (shared user) – (all platforms)
•Reporting from SAP HANA
Kerberos SSO (Windows/Linux only)
SAML SSO (all platforms)
Saved credentials (all platforms)
Predefined credentials (shared user) – (all platforms)
•Reporting from SAP NetWeaver BW
STS (all platforms – .unx, CR4E, Analysis, Dashboards)
SNC (all platforms – .unv, CR 2011)
Saved credentials
—If logging on to BI with SAP credentials, these can be used for view time refresh (SSO)
OLAP ANALYSIS: Review Your Options
•Reporting from Microsoft Analysis Services
Kerberos SSO (Windows only) – Requires user to log on manually using AD or to have SSO setup
Saved credentials (all platforms)
Predefined credentials (shared user) – (all platforms)
•https://websmp230.sap-ag.de/sap/support/notes/1688079 *
•Reporting from SAP NetWeaver BW
STS (all platforms)
* Requires login credentials to the SAP Service Marketplace
Java Desktop Client Tools – Kerberos SSO
The new Information design tool is written in Java
This means we need some Java magic to get AD SSO working
•krb5.ini and bscLogin.conf on the client side
Referenced in “C:\Program Files (x86)\SAP BusinessObjects\SAP BusinessObjects Enterprise XI 4.0\win32_x86\InformationDesignTool.ini”:
-Djava.security.auth.login.config=C:\WINNT\bscLogin.conf
-Djava.security.krb5.conf=C:\WINNT\krb5.ini
•See SAP Note 1621106
SAP BusinessObjects BI 4.1 Upgrade Webinar Series
BI 4.1 User Authentication and Single Sign-On
Q & A
Brought to you by the Customer Experience Group