This document describes the steps needed to integrate Shibboleth (a SAML2 federated authentication/identity provider) with BI Platform using Trusted Authentication to achieve SSO (within the web browser, does not tie into Active Directory).
This document assumes you have already:
- Installed BIP 4.1 (used SP2 P2) with Tomcat. We used Windows 2008 R2, but nothing here is very OS-specific.
- Installed Apache 2.4.12+ (must use VC10 version) with SSL as a reverse proxy for Tomcat using the AJP connector (see below)
- Apache HTTPS/443 connects to Tomcat AJP/8009 (see below)
- Apache HTTPS/4443 (or other port number) connects to Tomcat HTTP/8080 (see below)
- Installed/configured Shibboleth 2.5.3+ (see below)
- Configured Apache with Shibboleth to protect a static folder, such as /secure, that does not exist in the BIP install
- The Apache-Shibboleth securing process is working properly (without Tomcat)
- Your Enterprise user IDs match some attribute that will be returned from Shibboleth (uid, eppn, etc.), or you plan to rename your Enterprise users to match one of the Shibboleth attributes
- We only use Webi and Crystal; you may need to tweak your setup if you use other tools
Example Tomcat server.xml (relevant pieces only)
    <Connector port="8080" protocol="HTTP/1.1" connectionTimeout="20000"
               redirectPort="443" compression="off" URIEncoding="UTF-8" />
    ...
    <Connector port="8009" protocol="org.apache.coyote.ajp.AjpNioProtocol"
               redirectPort="443" URIEncoding="UTF-8" enableLookups="false"
               tomcatAuthentication="false" address="127.0.0.1" scheme="https"
               connectionTimeout="20000" maxThreads="400" />
tomcatAuthentication="false" makes Tomcat accept the REMOTE_USER that Apache/Shibboleth forwards over AJP, which is what populates request.getRemoteUser() for the REMOTE_USER retrieval mode used later. Since Tomcat then trusts whatever the AJP client asserts, keep address="127.0.0.1" so that only the local Apache can reach port 8009.
Example Shibboleth2.xml (relevant pieces only)
    <ApplicationDefaults ... REMOTE_USER="uid" ... >
    (REMOTE_USER names whichever attribute your IdP returns that will match your Enterprise accounts)
Example httpd.conf (relevant sections only)
    ...
    Listen 80
    TimeOut 300
    AcceptFilter http none
    AcceptFilter https none
    EnableSendfile off
    EnableMMAP off

    <VirtualHost _default_:80>
        RewriteEngine on
        RewriteCond %{SERVER_PORT} !^443$
        RewriteRule ^/(.*) https://%{HTTP_HOST}/$1 [NC,R,L]
    </VirtualHost>

    ServerName yourserver.yourdomain.com
    UseCanonicalName On
    Include D:/opt/shibboleth-sp/etc/shibboleth/apache24.config
    ExtendedStatus On

    #==================== Configure mod_deflate ==============
    AddOutputFilterByType DEFLATE text/html text/plain text/xml text/css text/javascript application/javascript application/x-javascript text/json
    DeflateCompressionLevel 9
    SetEnvIfNoCase Request_URI \.(?:gif|jpe?g|png)$ no-gzip dont-vary
Example ssl.conf (relevant sections only)
    ...
    Listen 443
    <VirtualHost _default_:443>
        RewriteEngine on
        # Exclusions must come before the catch-all ProxyPass so shibd, not Tomcat, answers the SP handler
        ProxyPass /Shibboleth.sso !
        ProxyPassReverse /Shibboleth.sso !
        ProxyPass / ajp://127.0.0.1:8009/
        ProxyPassReverse / ajp://127.0.0.1:8009/
        ...
        <Location /BOE>
            AuthType shibboleth
            ShibRequestSetting requireSession 1
            require shib-session
        </Location>

        <Location /shib>
            AuthType shibboleth
            ShibRequestSetting requireSession 1
            require shib-session
        </Location>

        # The next 3 are required to use the Webi Java applet since it connects separately and Shibboleth gets confused
        <Location ~ "/BOE/portal/.*/AnalyticalReporting/webiApplet/.*">
            Satisfy Any
            Allow from all
            AuthType None
            Require all granted
        </Location>

        <Location ~ "/BOE/portal/.*/rebean3ws/services/.*">
            Satisfy Any
            Allow from all
            AuthType None
            Require all granted
        </Location>

        <Location ~ "/BOE/portal/.*/InfoViewAppActions/ajaxUre/.*">
            Satisfy Any
            Allow from all
            AuthType None
            Require all granted
        </Location>
    </VirtualHost>

    Listen 4443
    <VirtualHost _default_:4443>
        ...
        ProxyPass / http://127.0.0.1:8080/
        ProxyPassReverse / http://127.0.0.1:8080/
    </VirtualHost>
BIP Config
1. For reference, see the BI Admin Doc, starting on page 229, about Trusted Authentication. The essential steps are below.
2. Set the Trusted Authentication parameters, generate and download a new Shared Secret, then click Update
3. Put the shared secret file, TrustedPrincipal.conf, on the WEB SERVER in this directory
      D:\BI4\SAP BusinessObjects Enterprise XI 4.0\win32_x86\
4. Follow SAP doc 1593628 to test the SSO using QUERY_STRING
   a. Create the file global.properties in D:\BI4\tomcat\webapps\BOE\WEB-INF\config\custom with the following contents
      sso.enabled=true
      trusted.auth.user.param=user
      trusted.auth.user.retrieval=QUERY_STRING
   b. Save, then restart Tomcat
   c. You should be able to get into Launch Pad now using a URL such as
      https://myserver.mydomain.com:4443/BOE/BI?user=myuser
   d. This demonstrates that all the Trusted Authentication pieces are working, without Shibboleth. Because QUERY_STRING mode logs in whoever is named in the URL with no further check, treat it as a test setting only and move on to step 5.
5. To put it all together, update the global.properties file so it looks like this
      sso.enabled=true
      trusted.auth.user.retrieval=REMOTE_USER
   a. Save, then restart Tomcat
   b. Close and reopen your browser
   c. Go to the URL https://myserver.mydomain.com/BOE/BI
   d. You should be prompted to log in via Shibboleth
6. If you're having trouble, you can use a /shib directory (create it under Tomcat\webapps\) to see the values being passed from Apache/Shibboleth using a JSP, e.g.
      <%@ page import="java.util.*" %>
      <html>
      <head><title>Http Request Headers Example</title></head>
      <body>
      <h2>HTTP Request Headers Received</h2>
      <table>
      <%
          // Dump every request header that Apache forwarded over AJP
          Enumeration<String> names = request.getHeaderNames();
          while (names.hasMoreElements()) {
              String name = names.nextElement();
              String value = request.getHeader(name);
      %>
      <tr><td><%= name %></td><td><%= value %></td></tr>
      <%
          }
      %>
      </table>
      <%
          // REMOTE_USER arrives through the AJP connector (tomcatAuthentication="false"), not as a header
          out.print("request.getRemoteUser: " + request.getRemoteUser() + "<br/>");
          // getUserPrincipal() is null when no identity was forwarded, so guard it before calling getName()
          java.security.Principal principal = request.getUserPrincipal();
          out.print("request.getUserPrincipal.getName(): "
                    + (principal == null ? "null" : principal.getName()) + "<br/>");
      %>
      </body>
      </html>
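Once steps 4 and 5 are in place, the proxy layout from the Apache configuration above can be smoke-tested from any workstation. The script below is an added example, not part of the original write-up or of any SAP or Shibboleth tool; it assumes the hostname placeholder yourserver.yourdomain.com from the Apache config and the Shibboleth SP's default /Shibboleth.sso/Session handler. Without a session it checks that port 443 bounces Launch Pad to the SP login, that the SP handler is answered by shibd rather than proxied to Tomcat (which would return a 404), and that port 4443 reaches Tomcat directly for the Enterprise login.

```python
import ssl
import urllib.request
from urllib.error import HTTPError

HOST = "yourserver.yourdomain.com"  # placeholder from the Apache config; replace with yours

def shib_redirect(status, headers):
    """An anonymous request must be bounced to the SP's login handler."""
    return status in (302, 303) and "/Shibboleth.sso/Login" in headers.get("location", "")

def served_directly(status, headers):
    """Path must be answered (200) with no Shibboleth login redirect."""
    return status == 200 and "/Shibboleth.sso/" not in headers.get("location", "")

# (url, description, predicate over (status, headers)); URLs are constructed from HOST
CHECKS = [
    (f"https://{HOST}/BOE/BI", "443 Launch Pad requires Shibboleth session", shib_redirect),
    (f"https://{HOST}/Shibboleth.sso/Session", "443 SP handler excluded from ProxyPass", served_directly),
    (f"https://{HOST}:4443/BOE/BI", "4443 Enterprise login reaches Tomcat directly", served_directly),
]

class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Stop urllib from following redirects so the 302 itself can be inspected."""
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None

def fetch(url):
    """Return (status, lower-cased headers) for one anonymous GET with no cookies."""
    opener = urllib.request.build_opener(
        _NoRedirect, urllib.request.HTTPSHandler(context=ssl.create_default_context()))
    try:
        with opener.open(url, timeout=10) as resp:
            return resp.status, {k.lower(): v for k, v in resp.headers.items()}
    except HTTPError as err:  # 3xx/4xx land here because redirects are not followed
        return err.code, {k.lower(): v for k, v in err.headers.items()}

def run_checks(fetch=fetch, checks=CHECKS):
    """Run every check; return {description: passed} so callers can assert on it."""
    results = {}
    for url, description, predicate in checks:
        status, headers = fetch(url)
        results[description] = predicate(status, headers)
    return results

if __name__ == "__main__":
    for description, passed in run_checks().items():
        print("PASS" if passed else "FAIL", description)
```

A failing second check usually means the ProxyPass /Shibboleth.sso ! exclusion is missing or placed after the catch-all ProxyPass /, so Tomcat is answering the SP handler.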
Login page setup
1. We created a custom login page under /auth that presents links for both Shibboleth and Enterprise logins and directs users to log in via one of those methods
2. Set up a redirect from /index.jsp (Tomcat ROOT) to /auth/index.jsp, then present links to log on either via Shibboleth, or via Enterprise (port 4443)
3. In \BI4\tomcat\webapps\BOE\WEB-INF\config\custom\BILaunchpad.properties, set url.exit to e.g.
      https://yourserver.yourdomain.com/Shibboleth.sso/Logout?return=yourIDPlogoutURL
4. Stop/Restart Tomcat
5. Whichever way you logged in, logging out redirects you to the Shibboleth logout. This is done to handle address mismatches that otherwise occur when users log in and out via the two different methods.