SAML integration between Microsoft Azure portal and SAP Business Intelligence Platform

What is Azure Portal?

Microsoft Azure is a cloud computing platform and infrastructure created by Microsoft for building, deploying, and managing applications and services through a global network of Microsoft-managed data centers. Users can manage Azure services using the Web-based Azure portal (sometimes referred to as the Azure Resource Manager (ARM) portal). The portal allows users to browse active resources, modify settings, launch new resources, and view basic monitoring data from active virtual machines and services.

Prerequisites

Before accessing the portal, you must first have a valid email address and Microsoft Azure password.

SAP BusinessObjects Business Intelligence Platform 4.2 SP05 or above.

What is Azure AD Connect?

The Azure Active Directory Connect synchronization service (Azure AD Connect sync) is the main component of Azure AD Connect. It takes care of all operations related to synchronizing identity data between your on-premises environment and Azure AD. Azure AD Connect sync is the successor of DirSync, Azure AD Sync, and Forefront Identity Manager with the Azure Active Directory Connector configured.

Microsoft Azure Portal Configuration

https://portal.azure.com/#

Provide the application name and click Add.

Click Single sign-on to enable SAML for this application.

Select SAML-based Sign-on from the Single Sign-on Mode list, as shown below.

Provide the required parameters, e.g. Identifier and Reply URL, as shown above, and save.

Click Show advanced URL settings and, in Sign on URL, provide the URL where users log in and access the application.

Download the IDP metadata from the SAML Signing Certificate section of the Azure portal.

Save this file; we need it when configuring SAP BI.

These are the steps required from Azure portal for SAML configuration with SAP BI.

SAP BI Configuration

Unlike other web application servers such as WebSphere and NetWeaver, Tomcat does not come with a built-in Service Provider, so we have to implement our own Service Provider for Tomcat.

We will be using the Spring SAML Security Assertion Service Provider for Tomcat.

Adding Tomcat Service Provider Jars

Configure Tomcat for HTTPS SSL

keytool -genkey -alias  -keyalg RSA -keystore  -keysize 2048

Before Tomcat can accept secure connections, you need to configure an SSL Connector.

a. In a text editor, open the Tomcat server.xml file.

The server.xml file is usually located in the conf folder of your Tomcat’s home directory.

b. Locate the connector that you want to secure with the new keystore.

Usually, a connector with port 443 or 8443 is used, as shown in step 4.

c. If necessary, uncomment the connector.

To uncomment a connector, remove the comment tags (<!-- and -->) around it.

d. Specify the correct keystore filename and password in your connector configuration.

4. When you are done, your connector should look something like this:
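An added example, not a screenshot from the original post, of what the secured connector in server.xml looks like with Tomcat 8.0-style attributes (still accepted by Tomcat 8.5 and 9 with a deprecation warning); the keystore path, alias and password are placeholders for the values you used with keytool:

```xml
<!-- server.xml: HTTPS connector for the BOE web application (added example).
     Keystore path, alias and password are placeholders; replace them with the
     values you passed to keytool -genkey above. -->
<Connector port="8443"
           protocol="org.apache.coyote.http11.Http11NioProtocol"
           maxThreads="150"
           SSLEnabled="true" scheme="https" secure="true"
           clientAuth="false"
           sslProtocol="TLS"
           sslEnabledProtocols="TLSv1.2"
           keystoreFile="C:\keystores\tomcat.jks"
           keystorePass="CHANGE_ME"
           keyAlias="tomcat" />
```

keystorePass is stored in clear text, so restrict read access on server.xml to the Tomcat service account; sslEnabledProtocols pins the connector to TLS 1.2 so that older protocol versions are not offered.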

Enabling SAML for the required web applications

SAML authentication has to be enabled for each web application. This is done by uncommenting the respective endpoint in securityContext.xml and by editing saml.enabled in the custom properties file of the respective application.

In this example we will enable SAML for the old BI Launchpad (BOE/BI).

In securityContext.xml under \tomcat\webapps\BOE\WEB-INF, there is a section for the SAML entry endpoints.

By default, only the SAML entry endpoint for Classic BI Launchpad is enabled.

SAML authentication can also be enabled for other applications (OpenDocument, Fiori Launchpad) by uncommenting their endpoints.

A new filter has been introduced for SAML; the relevant section in web.xml is kept commented by default.

Enable the filters in web.xml of the BOE web application by uncommenting the SAML sections.

web.xml file path – \tomcat\webapps\BOE\WEB-INF\web.xml

Note: SAML authentication is enabled at the web application level, i.e. BOE itself, and not in individual web path bundles.

Update IDP metadata in SP

The IDP metadata has to be downloaded from the respective IDP (in our case, the Azure portal).

Rename the file to idp-meta-downloaded.xml.

Copy the Azure portal IDP metadata file idp-meta-downloaded.xml, which we downloaded in step 7 above, to \tomcat\webapps\BOE\WEB-INF.

If BOE is deployed on a Linux (non-Windows) machine, the path separators in the file path to the IDP metadata under the FilesystemMetadataProvider bean should be changed in securityContext.xml under \tomcat\webapps\BOE\WEB-INF.

i.e. /WEB-INF/idp-meta-downloaded.xml has to be changed to \WEB-INF\idp-meta-downloaded.xml for Linux.

For Windows, it looks like this:
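Added example of the FilesystemMetadataProvider bean in its Windows form, modelled on the Spring SAML sample configuration rather than taken from the original post; the SAP-shipped securityContext.xml is assumed to wire the bean the same way, and the bean id and the parserPool reference are assumptions:

```xml
<!-- securityContext.xml (added example based on the Spring SAML sample;
     bean id and parserPool reference are assumed to match SAP's file). -->
<bean id="metadata" class="org.springframework.security.saml.metadata.CachingMetadataManager">
    <constructor-arg>
        <list>
            <bean class="org.springframework.security.saml.metadata.ExtendedMetadataDelegate">
                <constructor-arg>
                    <bean class="org.opensaml.saml2.metadata.provider.FilesystemMetadataProvider">
                        <!-- Path to the IDP metadata copied into WEB-INF above.
                             Adjust the separators for the host OS as described in the text. -->
                        <constructor-arg>
                            <value type="java.io.File">/WEB-INF/idp-meta-downloaded.xml</value>
                        </constructor-arg>
                        <property name="parserPool" ref="parserPool"/>
                    </bean>
                </constructor-arg>
                <constructor-arg>
                    <bean class="org.springframework.security.saml.metadata.ExtendedMetadata"/>
                </constructor-arg>
            </bean>
        </list>
    </constructor-arg>
</bean>
```

The SP trusts whatever signing certificate this file contains, so treat idp-meta-downloaded.xml as a trust anchor: restrict write access to it and re-import it when the Azure signing certificate is rotated.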

SAML keystore generation

SAML exchanges involve the use of cryptography for signing and encrypting data.

You can generate your own self-signed key pair using the Java utility keytool by following these steps.

Navigate to \SAP BusinessObjects Enterprise XI 4.0\win64_x64\sapjvm\bin and run the following command to generate the certificate.

keytool -genkey -alias -keypass -keystore -keyalg RSA      -validity