Integrating IBM Security Access Manager with SAP BusinessObjects for Single Sign On

Updated 10/24/14, 2:24 AM by sandrews


Summary: This article will provide details for integrating IBM Security Access Manager with SAP BusinessObjects Enterprise XI for the purpose of Single Sign On.



This article provides details on how to configure an IBM Security Access Manager installation to integrate with SAP BusinessObjects Enterprise XI.

In this integration a WebSEAL junction is created and connected to the web server where BusinessObjects is installed. Client requests for BusinessObjects consoles are intercepted, prompting the client to provide sign-on credentials for authentication to WebSEAL. Once authenticated, WebSEAL forwards the request.

This article assumes that IBM Security Access Manager (or an IBM Security Web Gateway appliance) and BusinessObjects are both installed, configured and running on your network. It does not provide details on the installation and administration of these products, except where necessary to achieve integration. For installation, configuration and administration of IBM Security Access Manager, see the IBM Security Access Manager for Web Version 7.0 Information Center.


BusinessObjects Enterprise XI Configuration

To configure BusinessObjects Enterprise XI, you must:

  1. Configure BusinessObjects to use Trusted Authentication.
  2. Create a file.

See the following sections for the detailed configuration steps.


Configuring BusinessObjects to use Trusted Authentication

BusinessObjects Trusted Authentication provides a transparent single sign-on solution for integrating your BusinessObjects Enterprise installation with third-party authentication solutions. To configure the BusinessObjects server to use Trusted Authentication:

  1. Log on to the Central Management Console with administrative rights via the Administration Launchpad.
  2. Navigate to Management > Authentication.
  3. Click the Enterprise tab.
  4. Select Trusted Authentication.
  5. Click New Shared Secret. The shared secret is used by the client and the CMS to create a trusted authentication password. This password is used to establish trust.
  6. Click Download Shared Secret.
  7. Click Save.
  8. Accept the default location and filename to save the TrustedPrincipal.conf file. Default directories are:

     Windows:

       • <INSTALLDIR>\SAP BusinessObjects Enterprise XI 4.0\win64_x64\
       • <INSTALLDIR>\SAP BusinessObjects Enterprise XI 4.0\win32_x86\

     Unix:

       • <INSTALLDIR>/sap_bobj/enterprise_xi40/<PLATFORM64>/
       • <INSTALLDIR>/sap_bobj/enterprise_xi40/<PLATFORM32>/

  9. Verify that the TrustedPrincipal.conf file is in the directory specified in step 8.
  10. Ensure that anonymous access is granted to the BusinessObjects Web site and its directories through the web server. Alternatively, you can deploy and configure the appropriate authentication plugin or adapter for single sign-on with WebSEAL.



Creating a file

  1. Create a file called and populate it with the following information:






  2. Save the file and copy it into the appropriate directory:

For Windows:

<INSTALLDIR>\SAP BusinessObjects Enterprise XI 4.0\warfiles\webapps\BOE\WEB-INF\config\custom\

For Tomcat installed on Windows:

<INSTALLDIR>\SAP BusinessObjects\Tomcat6\webapps\BOE\WEB-INF\config\custom

For Unix:



Configuring IBM Security Access Manager

To configure IBM Security Access Manager for single sign on to BusinessObjects, you must create a WebSEAL junction, create user accounts, and test the junction.

Creating a WebSEAL Junction

Create a WebSEAL junction to connect WebSEAL with BusinessObjects.

For this integration, you must specify the -c iv_user option in the junction creation command. This option configures WebSEAL to send the authenticated username in the iv-user HTTP header.

There are three types of WebSEAL junction that can be created to achieve this integration:

  • Virtual host junction
  • Transparent path junction
  • Standard junction


The suggested way to achieve this integration is to use a virtual host junction. See Creating a virtual host junction for the procedure. For information on transparent path junction and standard junction, see Configuring Web Reverse Proxy.


Creating a virtual host junction

Virtual host junctions eliminate the limitations of URL filtering. With virtual host junctions, WebSEAL can communicate with local or remote virtual hosts. WebSEAL uses the HTTP Host header in client requests to direct those requests to the appropriate document spaces located on junctioned servers or on the local machine.

To create the virtual host junction by using the pdadmin command line:

pdadmin> server task instance-webseald-server_name virtualhost create -t tcp -h business_objects_fqdn -p port_no -c iv_user junction_name


To create the virtual host junction on an IBM Security Web Gateway Appliance:

  1. Select Secure Reverse Proxy Settings > Reverse Proxy.
  2. Select the reverse proxy instance option.
  3. Select Manage > Junction Management.
  4. Select New > Virtual Junction.
  5. Click the Junction tab.
  6. Enter the junction name in the Junction Label.
  7. Select the required Junction Type.
  8. Click the Servers tab.
  9. Click New to create a new target server.
  10. Specify the details of the target server as shown in Figure 1.

Figure 1:


  11. Click Save to save the backend server configuration for this reverse proxy.
  12. After saving the backend server configuration, click the Identity tab.
  13. Select IV-USER from HTTP Header Identity Information to configure the IBM Security Web Gateway Appliance to send the authenticated username in the iv-user HTTP header.

Note: Virtual host junctions require that WebSEAL be configured to listen for HTTP or HTTPS requests on the same ports as the BusinessObjects web server. If the appropriate listening ports were not selected when the reverse proxy instance was created, set them in the [server] stanza of the WebSEAL configuration file (webseald-instance.conf) so that WebSEAL listens on the same port(s) as BusinessObjects:

[server]

# Allow HTTPS access
https = yes

# Port to use for HTTPS requests
# This matches the BusinessObjects HTTPS port
https-port = 443

# Allow (unsecure) TCP HTTP access
http = yes

# Port to use for unsecure HTTP requests
# This matches the BusinessObjects HTTP port (if in use)
http-port = 8080



You must restart WebSEAL after making any changes to the webseald-instance.conf file for changes to take effect.
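The port-matching requirement for virtual host junctions can be checked against the configuration file before WebSEAL is restarted. The following Python code is an added example, not part of the original article or of any IBM tooling; the function names read_stanza and check_listeners, the sample configuration text, and the handling of duplicate or missing keys are assumptions made for illustration.

```python
# Added example (not from the article): compare a WebSEAL [server] stanza
# with the ports the BusinessObjects web server listens on.

# Constructed sample; the http-port is deliberately wrong, and [other-stanza]
# is a made-up stanza that shows keys outside [server] are ignored.
SAMPLE_CONF = """\
[server]
# Allow HTTPS access
https = yes
https-port = 443
# Allow (unsecure) TCP HTTP access
http = yes
http-port = 80

[other-stanza]
http-port = 9999
"""


def read_stanza(text, stanza):
    """Return the key/value pairs of one stanza (assumption: last duplicate wins)."""
    values, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip()
        elif current == stanza and "=" in line:
            key, _, value = line.partition("=")
            values[key.strip()] = value.strip()
    return values


def check_listeners(conf_text, bo_ports):
    """bo_ports maps 'http'/'https' to the BusinessObjects port for that scheme.
    Returns a list of mismatches; an empty list means the stanza lines up."""
    server = read_stanza(conf_text, "server")
    problems = []
    for scheme, wanted in bo_ports.items():
        port = server.get(f"{scheme}-port")
        # Assumption: a missing key is treated as "not enabled".
        if server.get(scheme, "no").lower() != "yes":
            problems.append(f"{scheme} is not enabled, BusinessObjects uses port {wanted}")
        elif port != str(wanted):
            problems.append(f"{scheme}-port is {port}, BusinessObjects listens on {wanted}")
    return problems


if __name__ == "__main__":
    for problem in check_listeners(SAMPLE_CONF, {"https": 443, "http": 8080}):
        print("MISMATCH:", problem)
```

To use it on a real instance, pass the text of webseald-instance.conf and the ports your BusinessObjects web server actually uses.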

See Configuring Web Reverse Proxy for more information on configuring WebSEAL junctions.


User Accounts

For this configuration, you must create IBM Security Access Manager WebSEAL user accounts for each user who requires access to the BusinessObjects Enterprise system through WebSEAL. User names must be synchronized in the WebSEAL and BusinessObjects Enterprise user registries. This integration applies ONLY to users of Enterprise Authentication.

Testing the integration

To test the virtual host junction integration described in this article:

1. Open the BusinessObjects URL (which represents the location of the WebSEAL reverse proxy) from your browser. For example:

2. Tivoli Access Manager requires authentication. Log on using the Tivoli Access Manager user ID and password.

3. Upon successful authentication the BusinessObjects homepage is loaded.



IBM Security Access Manager for Web Version 7.0 Information Center

Configuring Web Reverse Proxy

SAP BusinessObjects Enterprise Administrator's Guide

BusinessObjects Servers monitoring and their executables path