Thursday 23 May 2013

Complete SSO overview

The following document is intended to summarize the various SSO options available to users, from authenticating to the BI platform all the way down to the database.  The document does not cover the 'how to' as various white papers exist.

The first table summarizes the ways the system can perform single sign-on to the web-based applications.

Front End SSO

Web Access Point | AD Kerberos SSO | SAPSSO2 tickets | Trusted Authentication | SiteMinder (4.x agent)
OpenDocument     | Yes             | Yes             | Yes                    | Yes
BI Portal        | Yes             | Yes             | Yes                    | Yes
CMC              | No              | No              | No                     | No
DSWSBOBJE        | Yes             | No              | Yes (*)                | No

(*) Trusted Authentication to DSWSBOBJE is not available for thick clients.

- OpenDocument refers to the direct link to report functionality.
- BI Portal is the main portal used to access and view reports.
- CMC = Central Management Console.
- DSWSBOBJE = web services.

Note that to support Kerberos SSO, your CMS (Central Management Server) must be installed on a Windows machine.
Trusted Authentication can generally be used for any authentication method which is not natively supported by BI4, such as SAML, X.509 etc.


Thick clients, such as Crystal Reports Designer, Web Intelligence Rich Client and others, can also be configured for SSO to log on to BI4.

The following table summarizes this:

Client                         | AD Kerberos
Crystal Reports 2011           | Yes
Crystal Reports for Enterprise | Yes
Webi Rich Client               | Yes
Information Design Tool        | Yes
Universe Designer              | Yes
Live Office                    | Yes
BI Widgets                     | Yes
QUAAWS                         | Yes
Dashboard Designer (Xcelsius)  | Yes
Visual Intelligence            | Yes


Note that for the Java-based clients, you will need to perform some additional steps to support AD SSO, such as configuring a krb5.ini file. This applies to clients such as Crystal Reports for Enterprise, Information Design Tool, and Visual Intelligence. Please refer to the Authentication chapter of the respective client tool's documentation for more information.
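As an added illustration of the krb5.ini step mentioned above (this is not configuration from the original post or from SAP documentation), the following is the shape of a minimal krb5.ini such as the Java Kerberos libraries read. The realm EXAMPLE.COM, the domain controller name dc01.example.com and the DNS domain example.com are placeholders and must be replaced with the values of your own Active Directory forest; the encryption types should match what your domain controllers and the service account actually support.

```ini
; Constructed example krb5.ini - realm, KDC and domain names are placeholders.
[libdefaults]
    ; The AD domain, in upper case, that the user logs on to.
    default_realm = EXAMPLE.COM
    ; Pin the KDC explicitly rather than relying on DNS SRV lookups.
    dns_lookup_kdc = false
    dns_lookup_realm = false
    ; Forwardable tickets let the platform act on the user's behalf towards a
    ; back-end service; plain logon to the client alone does not need this.
    forwardable = true
    ; Prefer AES; rc4-hmac is only listed for older domain functional levels.
    default_tkt_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 rc4-hmac
    default_tgs_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 rc4-hmac
    ; Force TCP so large tickets (many group memberships) are not truncated over UDP.
    udp_preference_limit = 1

[realms]
    EXAMPLE.COM = {
        ; One or more domain controllers acting as KDC for this realm.
        kdc = dc01.example.com
        default_domain = example.com
    }

[domain_realm]
    ; Map host names in the DNS domain to the Kerberos realm.
    .example.com = EXAMPLE.COM
    example.com = EXAMPLE.COM
```

Disabling DNS lookups and forcing TCP are choices that make failures easier to diagnose: a misconfiguration then shows up as a clear "cannot reach KDC" error rather than an intermittent UDP time-out, and the client cannot silently be pointed at a different KDC by a DNS answer. When the user's ticket must travel further than the client, for example down to a Kerberos-enabled database as described later on this page, the ticket has to be forwardable, which is why that flag is set here.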

The clients can also be configured to perform single sign-on to the database, which is elaborated in the tables below.

Once a user has been authenticated to the BI platform, their SSO ticket can in some cases be passed further down to the database for a seamless end to end SSO story.

SSO to the database based on Kerberos can be configured for the databases listed below. Note that the user must log on to the BI platform using Active Directory for the Kerberos ticket to be passed down to the database. Note also that this cannot be used for scheduling, because the Kerberos ticket is not available to the system when the user is not online; for scheduled tasks, the database credentials must be stored.

Kerberos
- HANA (not for OLAP Analysis)
- SQL Server (incl. Analysis Server)
- Oracle

Yes, there are plans to expand this list in the future.



For SAP data access, the following methods can be configured.  You will need to configure the correct method depending on the client tool being used.  "SNC" is configured on the "SNC Settings" tab of the SAP authentication configuration area of the Central Management Console.   "STS (Security Token Service)" is configured on the "Options" tab of the SAP authentication configuration area, in the "SAP SSO Service" section. 

SAP Data SSO

SNC                     | STS
Webi .unv connections   | Webi .unx connections
Universe Design Tool    | Webi BICS connections
Crystal Reports 2011    | Crystal Reports for Enterprise
                        | Information Design Tool
                        | Explorer
                        | Analysis for Office
                        | Analysis OLAP
                        | Dashboards


In order to gain SSO access to SAP data, a user does NOT have to log on with their SAP credentials. For an example of how users can authenticate using Active Directory and then single sign-on to SAP systems, please refer to this how-to: http://wiki.sdn.sap.com/wiki/display/BOBJ/How+to+map+SAP+users+and+AD+users+in+XI3.1+CMC . Although it refers to XI R3, this is still applicable to BI4.

The SAP authentication can also be leveraged from thick clients.  A user logging onto Webi Rich Client can leverage STS for example to access BW data. 

HANA SSO summary:

Tool                           | User/Password | Kerberos | SAML (BI 4.1)
Explorer                       | Y             | Y (1)    | Y
Dashboards                     | Y             | Y (1)    | Y
Web Intelligence               | Y             | Y (1)    | Y
Crystal Reports 2011           | Y             | Y (1)    | Y
Crystal Reports for Enterprise | Y             | Y (1)    | Y
Analysis, Edition for Office   | Y             | Y (1)    | Y
Analysis, Edition for OLAP     | Y             | N        | Y

(1) BI must be running on Windows or Linux.

SAML to HANA is based on a trust directly between BI4 and HANA. This does not mean that you can use SAML to sign on to BI4 and have that same SAML assertion passed down to HANA. BI4 must be configured as a trusted identity provider in HANA, and the same users must exist in both HANA and BI4.

What other SSO options do I have?
The BI platform also supports storing database credentials to be used for accessing the database. In some cases, as with Kerberos and offline scheduling, this cannot be avoided. Also, for database sources which are not currently listed, stored credentials are the best option available at this time.
