
7.2.5 Configuring Trusted Authentication for the web application


To configure Trusted Authentication for the client, you must access and modify global properties for the
BOE war file, and specific properties for the BI launch pad and OpenDocument applications.
You can use one of two methods to pass the shared secret to the client:
Web session
TrustedPrincipal.conf file
In addition to the shared secret, you need to pick one of the following methods for passing the user
name to the client:
Web Session
Cookies
212 2011-03-28
Authentication
HTTP Header
URL Query
Whichever method you pick, it must be set in the trusted.auth.user.retrieval global
property for the BOE war file.
7.2.5.1 Using Trusted Authentication for SAML single sign-on
Security Assertion Markup Language (SAML) is an XML-based standard for communicating identity
information. SAML provides a secure connection over which identity and trust are communicated, thereby
enabling a single sign-on mechanism that eliminates additional logins for trusted users seeking to
access the BI platform.
Enabling SAML authentication
If your application server can work as a SAML service provider, you can use Trusted Authentication to
provide SAML SSO to BI platform.
To do this, you must first configure the web application server for SAML authentication.
The example below contains a sample web.xml configured for SAML authentication:
<!-- Restrict the InfoView resources to the listed roles -->
<security-constraint>
    <web-resource-collection>
        <web-resource-name>InfoView</web-resource-name>
        <url-pattern>*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
        <role-name>j2ee-admin</role-name>
        <role-name>j2ee-guest</role-name>
        <role-name>j2ee-special</role-name>
    </auth-constraint>
    <user-data-constraint>
        <!-- NONE does not require TLS; CONFIDENTIAL makes the container require HTTPS -->
        <transport-guarantee>NONE</transport-guarantee>
    </user-data-constraint>
</security-constraint>
<!-- Form-based logon handled by the application server -->
<login-config>
    <auth-method>FORM</auth-method>
    <realm-name>InfoView</realm-name>
    <form-login-config>
        <form-login-page>/logon.jsp</form-login-page>
        <form-error-page>/logon.jsp</form-error-page>
    </form-login-config>
</login-config>
<!-- Every role named in the auth-constraint is declared below -->
<security-role>
    <description>Assigned to the SAP J2EE Engine System Administrators</description>
    <role-name>j2ee-admin</role-name>
</security-role>
<security-role>
    <description>Assigned to all users</description>
    <role-name>j2ee-guest</role-name>
</security-role>
<security-role>
    <description>Assigned to a special group of users</description>
    <role-name>j2ee-special</role-name>
</security-role>

Please refer to your application server documentation for further instructions on how to accomplish this,
as they will vary by application server.
Using Trusted Authentication
Once your web application server is configured to work as a SAML service provider, you can use Trusted
Authentication to provide SAML SSO.
Note:
Users must either be imported into BI platform or have Enterprise accounts.
Dynamic aliasing is used to enable the SSO. When a user first accesses the logon page through SAML,
they will be asked to manually log in using their existing BI platform account credentials. Once the user's
credentials are verified, the system will alias the user's SAML identity to their BI platform account.
Subsequent logon attempts for the user will be performed using SSO, as the system will have the user's
identity alias dynamically matched to an existing account.
Note:
A specific property for the BOE war file - trusted.auth.user.namespace.enabled - must be
enabled for this mechanism to work.
