Implementing SAML SSO for SAP BI 4.3 / BI 2025 with Microsoft Entra ID – A Real Customer Story

We recently implemented browser-based SAML SSO for a customer running SAP BusinessObjects BI 4.3, using Microsoft Entra ID (Azure AD) as the Identity Provider (IdP) and Tomcat (Spring SAML) as the Service Provider (SP). This post documents the exact, working steps—so you can reproduce the deployment quickly.

What You’ll Achieve

  • Seamless SSO into BI Launchpad, CMC, and OpenDocument via Entra ID (Azure AD).
  • Standards-based SAML 2.0 integration using Spring SAML on Tomcat.
  • Trusted session creation in BI—no username/password prompts for web entry points.

Note: This approach is for web flows. Client tools and dswsbobje do not SSO via this method.

High-Level Architecture

Browser → Entra ID login → SAML Response posted to /BOE/saml/SSO on Tomcat → Spring SAML validates → BOE creates a trusted session → User lands authenticated in BI Launchpad.

Part A — Microsoft Entra ID (Azure AD) Configuration

  1. Create Enterprise Application: Entra ID → Enterprise applications → New application → Create your own (Non‑gallery).
  2. Enable SAML SSO: Open the app → Single sign‑on → choose SAML.
  3. Upload SP Metadata (from BOE): After completing the BOE steps in Part B (the SP metadata is generated in step 4), upload the file fetched from https://<FQDN>:<PORT>/BOE/saml/metadata. It should populate:
    • Identifier (Entity ID): https://<FQDN>:<PORT>/BOE
    • Reply URL (ACS): https://<FQDN>:<PORT>/BOE/saml/SSO
  4. Configure NameID: User Attributes & Claims → set NameID to match BI usernames:
    • AD sAMAccountName → user.onpremisesamaccountname
    • UPN/email → user.userprincipalname
    NameID Format: urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified (or emailAddress if matching on email).
  5. Download IdP Metadata: Save the Federation Metadata XML; we’ll place it in BOE.
  6. Assign Users/Groups: Enterprise application → Users and groups → Assign target users/groups.
  7. Align Session Lifetimes (Optional): If sessions expire too soon, increase BI’s maxAuthenticationAge and ensure Entra session policies align.

Part B — SAP BOE / Tomcat (Service Provider) Configuration

1) Enable Trusted Auth + SAML in BOE Properties

Edit files under <BOE_INSTALL>/tomcat/webapps/BOE/WEB-INF/config/custom/.

FioriBI.properties

# FioriBI.properties
saml.enabled=true
sso.types.and.order=trustedSession
logon.webssoauthentication.framework=SAML
# Optional if matching on email:
# saml.isUseEmailAddress=true
# saml.authType=secEnterprise | secLDAP | secWinAD | secSAPR3

CmcApp.properties

# CmcApp.properties
saml.enabled=true
sso.types.and.order=trustedSession
sso.supported.types=trustedSession
logon.webssoauthentication.framework=SAML

OpenDocument.properties

# OpenDocument.properties
saml.enabled=true
sso.types.and.order=trustedSession
logon.webssoauthentication.framework=SAML

global.properties

# global.properties
sso.enabled=true
trusted.auth.user.retrieval=WEB_SESSION
trusted.auth.user.param=MyUser

2) Keystore & IdP Metadata Placement

  1. Create a keystore via SAPJVM keytool (SHA256withRSA recommended) and copy the .jks to:
    <BOE>/tomcat/webapps/BOE/WEB-INF/
  2. Copy the Entra Federation Metadata XML to the same folder and name it:
    idp-meta-downloaded.xml
  3. If needed, import IdP signing/decryption certs into the keystore using keytool -importcert.

3) Update securitycontext.xml

Keystore configuration

<!-- JKSKeyManager bean: the four constructor-args are the keystore path, the store password,
     a map of key alias -> key password, and the alias of the default signing/decryption key. -->
<bean id="keyManager" class="org.springframework.security.saml.key.JKSKeyManager">
  <constructor-arg value="/WEB-INF/<keystore-filename.jks>"/>
  <constructor-arg type="java.lang.String" value="<Password>"/>
  <constructor-arg>
    <map>
      <entry key="<aliasname>" value="<Password>"/>
    </map>
  </constructor-arg>
  <constructor-arg type="java.lang.String" value="<aliasname>"/>
</bean>

Extend authentication age (optional)

<bean id="webSSOprofileConsumer" class="org.springframework.security.saml.websso.WebSSOProfileConsumerImpl">
  <property name="maxAuthenticationAge" value="7200"/>
</bean>

Behind Load Balancer / Reverse Proxy (force external host in metadata)

<bean id="contextProvider" class="org.springframework.security.saml.context.SAMLContextProviderLB">
  <property name="scheme" value="https"/>
  <property name="serverName" value="reports.example.com"/>
  <property name="serverPort" value="443"/>
  <property name="includeServerPortInRequestURL" value="false"/>
  <property name="contextPath" value="/BOE"/>
</bean>

Ensure SP metadata uses your public URL

<bean id="metadataGeneratorFilter" class="org.springframework.security.saml.metadata.MetadataGeneratorFilter">
  <constructor-arg>
    <bean class="org.springframework.security.saml.metadata.MetadataGenerator">
      <property name="extendedMetadata">
        <bean class="org.springframework.security.saml.metadata.ExtendedMetadata">
          <property name="idpDiscoveryEnabled" value="false"/>
        </bean>
      </property>
      <property name="entityBaseURL" value="https://reports.example.com/BOE" />
    </bean>
  </constructor-arg>
</bean>

4) Restart Tomcat & Generate SP Metadata

Restart Tomcat, then open:
https://<FQDN>:<PORT>/BOE/saml/metadata
Save the XML and upload it in Entra SAML settings (Part A, step 3).
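Before uploading the generated SP metadata, it pays to check offline that it carries the public URL (the load-balancer fix in step 3) and that the Entra Federation Metadata contains a signing certificate and an SSO endpoint. The script below is an added example, not code from the original post, SAP or Spring; it assumes the SP metadata was saved from /BOE/saml/metadata and the IdP metadata is Entra's Federation Metadata XML, and both documents embedded in it are constructed samples with placeholder tenant id and certificate.

```python
"""Offline consistency check of the BOE SP metadata against the public URL and the Entra IdP metadata.

Added example, not part of the original post and not SAP or Spring code. Both XML documents below
are constructed samples (placeholder tenant id and certificate).
"""
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
HTTP_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
HTTP_REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"

# Constructed SP metadata in the shape Spring SAML's MetadataGenerator emits.
SP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://reports.example.com/BOE">
  <md:SPSSODescriptor AuthnRequestsSigned="true" WantAssertionsSigned="true"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</md:NameIDFormat>
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://reports.example.com/BOE/saml/SSO" index="0" isDefault="true"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""

# Constructed IdP metadata in the shape of Entra's Federation Metadata XML (trimmed; placeholder values).
IDP_METADATA = """<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://sts.windows.net/TENANT-ID-PLACEHOLDER/">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor use="signing">
      <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
        <X509Data><X509Certificate>BASE64-CERT-PLACEHOLDER</X509Certificate></X509Data>
      </KeyInfo>
    </KeyDescriptor>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://login.microsoftonline.com/TENANT-ID-PLACEHOLDER/saml2"/>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://login.microsoftonline.com/TENANT-ID-PLACEHOLDER/saml2"/>
  </IDPSSODescriptor>
</EntityDescriptor>"""


def check_sp_metadata(xml_text, public_base_url):
    """Return findings for an SP metadata document; an empty list means it matches the public URL."""
    root = ET.fromstring(xml_text)
    findings = []
    entity_id = root.get("entityID", "")
    if entity_id != public_base_url:
        findings.append(f"entityID {entity_id!r} != expected {public_base_url!r}")
    sp = root.find("md:SPSSODescriptor", NS)
    if sp is None:
        return findings + ["no SPSSODescriptor in SP metadata"]
    if sp.get("WantAssertionsSigned") != "true":
        findings.append("WantAssertionsSigned is not true")
    acs = [a for a in sp.findall("md:AssertionConsumerService", NS) if a.get("Binding") == HTTP_POST]
    if not acs:
        findings.append("no HTTP-POST AssertionConsumerService (Entra posts the response)")
    for svc in acs:
        # An internal hostname or port here is the 'wrong host/port in metadata' symptom.
        if svc.get("Location") != public_base_url + "/saml/SSO":
            findings.append(f"ACS Location {svc.get('Location')!r} does not use the public URL")
    return findings


def extract_idp_settings(xml_text):
    """Pull entityID, SSO endpoints and signing certificates out of IdP metadata."""
    root = ET.fromstring(xml_text)
    idp = root.find("md:IDPSSODescriptor", NS)
    sso = {s.get("Binding"): s.get("Location") for s in idp.findall("md:SingleSignOnService", NS)}
    certs = [
        c.text.strip()
        for kd in idp.findall("md:KeyDescriptor", NS)
        if kd.get("use", "signing") == "signing"  # no 'use' attribute means the key serves both
        for c in kd.findall(".//ds:X509Certificate", NS)
    ]
    return {"entity_id": root.get("entityID"), "sso": sso, "signing_certs": certs}


def cross_check(sp_xml, idp_xml, public_base_url):
    """Combine both checks into the list of problems to fix before uploading to Entra."""
    findings = check_sp_metadata(sp_xml, public_base_url)
    idp = extract_idp_settings(idp_xml)
    if not idp["signing_certs"]:
        findings.append("IdP metadata carries no signing certificate; responses cannot be verified")
    if not (set(idp["sso"]) & {HTTP_REDIRECT, HTTP_POST}):
        findings.append("IdP metadata has no usable SingleSignOnService binding")
    return findings


if __name__ == "__main__":
    problems = cross_check(SP_METADATA, IDP_METADATA, "https://reports.example.com/BOE")
    print("OK" if not problems else "\n".join(problems))
```

Run it against the real files by reading them into SP_METADATA and IDP_METADATA; any finding about entityID or ACS Location means SAMLContextProviderLB or entityBaseURL in securitycontext.xml still points at the internal host, which is the same mismatch Entra would later reject.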

5) Validate Trusted Authentication Prerequisite

Ensure Trusted Authentication via Query_String works (shared secret configured). This is the hand‑off used after Spring SAML validates the assertion.

6) Enable Spring SAML Logging (Optional)

Turn on SAML tracing to quickly identify configuration issues during setup.

Testing the End‑to‑End Flow

  1. Navigate to https://<FQDN>/BOE/BI.
  2. You should be redirected to Entra ID to authenticate.
  3. After authentication, Entra posts the SAML response to /BOE/saml/SSO.
  4. BI Launchpad opens already logged in as the matched BI user.

Troubleshooting (Quick)

  • Session Expired / HTTP 500 / 404 on SAML URLs: Increase maxAuthenticationAge and align Entra session lifetimes; review Spring SAML logs.
  • Wrong host/port in metadata: Use SAMLContextProviderLB and set entityBaseURL to your public URL.
  • User not found: Ensure NameID mapping matches BI usernames or enable saml.isUseEmailAddress=true with correct saml.authType; ensure the email attribute exists for that alias type.
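The three troubleshooting items above all come down to fields in the SAML assertion: AuthnInstant against maxAuthenticationAge, Audience and Recipient against the SP's public URL, and the NameID value and format against the BI username mapping. The script below is an added example, not code from the original post, SAP or Spring; it parses a constructed, unsigned sample response (placeholder tenant id), assumes the entityID https://reports.example.com/BOE and maxAuthenticationAge=7200 from the configuration above, and reports which check a logon would fail. Signature verification stays with Spring SAML and is not re-implemented.

```python
"""Diagnose a SAML Response the way Spring SAML's consumer would, for the Troubleshooting checks.

Added example, not from the original post or from SAP/Spring. SAMPLE_RESPONSE is a constructed,
unsigned sample with a placeholder tenant id.
"""
from datetime import datetime, timezone
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
FMT_EMAIL = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
FMT_UNSPECIFIED = "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"

# Constructed response: authenticated at 06:00 UTC, presented at 09:00 UTC (three hours later).
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_resp1" Version="2.0"
    IssueInstant="2024-05-06T09:00:00Z" Destination="https://reports.example.com/BOE/saml/SSO">
  <saml:Issuer>https://sts.windows.net/TENANT-ID-PLACEHOLDER/</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2024-05-06T09:00:00Z">
    <saml:Issuer>https://sts.windows.net/TENANT-ID-PLACEHOLDER/</saml:Issuer>
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">jdoe</saml:NameID>
      <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml:SubjectConfirmationData NotOnOrAfter="2024-05-06T09:05:00Z"
            Recipient="https://reports.example.com/BOE/saml/SSO"/>
      </saml:SubjectConfirmation>
    </saml:Subject>
    <saml:Conditions NotBefore="2024-05-06T08:55:00Z" NotOnOrAfter="2024-05-06T10:00:00Z">
      <saml:AudienceRestriction><saml:Audience>https://reports.example.com/BOE</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
    <saml:AuthnStatement AuthnInstant="2024-05-06T06:00:00.000Z" SessionIndex="_s1"/>
  </saml:Assertion>
</samlp:Response>"""


def parse_saml_time(value):
    """Parse a SAML UTC timestamp, with or without fractional seconds."""
    base = value.rstrip("Z").split(".")[0]
    return datetime.strptime(base, "%Y-%m-%dT%H:%M:%S").replace(tzinfo=timezone.utc)


def parse_assertion(xml_text):
    """Extract the fields the SP validates from the first Assertion in a Response."""
    root = ET.fromstring(xml_text)
    assertion = root.find("saml:Assertion", NS)
    name_id = assertion.find("saml:Subject/saml:NameID", NS)
    scd = assertion.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    cond = assertion.find("saml:Conditions", NS)
    authn = assertion.find("saml:AuthnStatement", NS)
    return {
        "name_id": name_id.text.strip(),
        "name_id_format": name_id.get("Format", FMT_UNSPECIFIED),
        "recipient": scd.get("Recipient"),
        "subject_not_on_or_after": parse_saml_time(scd.get("NotOnOrAfter")),
        "not_before": parse_saml_time(cond.get("NotBefore")),
        "not_on_or_after": parse_saml_time(cond.get("NotOnOrAfter")),
        "audiences": [a.text.strip() for a in cond.findall("saml:AudienceRestriction/saml:Audience", NS)],
        "authn_instant": parse_saml_time(authn.get("AuthnInstant")),
    }


def diagnose(parsed, now, sp_entity_id, acs_url, max_authentication_age=7200, use_email_address=False):
    """Return the findings a failing logon is most likely caused by (empty list = looks good)."""
    findings = []
    age = (now - parsed["authn_instant"]).total_seconds()
    if age > max_authentication_age:
        findings.append(f"AuthnInstant is {age:.0f}s old, over maxAuthenticationAge={max_authentication_age}s")
    if not (parsed["not_before"] <= now < parsed["not_on_or_after"]):
        findings.append("Conditions window does not contain the current time (check clock skew)")
    if now >= parsed["subject_not_on_or_after"]:
        findings.append("SubjectConfirmationData NotOnOrAfter has passed")
    if sp_entity_id not in parsed["audiences"]:
        findings.append(f"Audience {parsed['audiences']} does not include SP entityID {sp_entity_id}")
    if parsed["recipient"] != acs_url:
        findings.append(f"Recipient {parsed['recipient']} != ACS {acs_url} (wrong host/port in metadata?)")
    is_email = parsed["name_id_format"] == FMT_EMAIL or "@" in parsed["name_id"]
    if use_email_address and not is_email:
        findings.append("saml.isUseEmailAddress=true but NameID is not an email address")
    if not use_email_address and parsed["name_id_format"] == FMT_EMAIL:
        findings.append("NameID is emailAddress but saml.isUseEmailAddress is not set; BI matches on the user name")
    return findings


if __name__ == "__main__":
    now = datetime(2024, 5, 6, 9, 0, 0, tzinfo=timezone.utc)
    for line in diagnose(parse_assertion(SAMPLE_RESPONSE), now,
                         "https://reports.example.com/BOE", "https://reports.example.com/BOE/saml/SSO"):
        print(line)
```

With the sample as written, the only finding is the AuthnInstant age (10800 s against 7200 s), which is exactly the "Session Expired" case: the user already had an Entra session from earlier in the morning and was silently reissued an assertion whose authentication instant is older than Spring SAML accepts. Raising maxAuthenticationAge, or shortening the Entra session, removes that finding; the Audience and Recipient checks flag the wrong-host metadata case, and the NameID checks the "User not found" case.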

Limitations

This method enables SSO for web applications (BI Launchpad, CMC, OpenDocument). Client tools and dswsbobje do not support SSO via this Spring SAML Trusted Session approach.

Conclusion

Using Microsoft Entra ID with Spring SAML on Tomcat, we delivered reliable, browser-based SSO for SAP BI 4.3 / BI 2025. Follow the steps above to reproduce the deployment. Need a pre-edited securitycontext.xml template and a tested Entra claims mapping? Contact us—we can provide a deployment-ready package.
