After we discussed the various single sign-on options that you can use for secure integration of Business Objects with your landscape in our previous blog, we now delve deeper into each of those options. Trusted Authentication is native to Business Objects and is part of the “Enterprise” authentication plugin. As the name implies, Trusted Authentication is purely based on trust: it involves sharing confidential information (a secret) with third-party systems or with the web application servers. The SAML and X.509 single sign-on methods in Business Objects are extensions of “Trusted” authentication, and Trusted Authentication can be extended to work with various other methods. It also provides the foundation for integration with custom, homegrown single sign-on solutions.
Because the advanced single sign-on methods such as X.509 and SAML build on “Trusted” authentication, it is worth understanding it first. Trusted authentication supports multiple formats for retrieving user accounts and can be implemented in different ways.
In Business Objects, the “Enterprise” authentication plugin allows a shared secret to be generated. This secret is shared with the trusted third-party application or web application server. Authentication of the user is delegated to that third party; once the user is authenticated, the third party passes the user information to Business Objects along with the shared secret, and Business Objects then creates a session for that user.
The third-party application that performs the actual authentication updates the user's request, adding properties that carry the user information. Business Objects only provides session management for that user, and only if the shared secret is correct.
Business Objects supports the following methods for retrieving the user from a trusted server:
- HTTP Header
- Query String
- Web Session
- Remote User
- User Principal
The external trusted source sets the user information and sends it through one of these methods.
HTTP Header
HTTP headers are the fields in the header section of HTTP requests and responses. The external authentication server writes the user name into a custom HTTP header and forwards the request to Business Objects. Business Objects reads the user name from that custom header and grants the user a session.
Query String
As the name implies, a query parameter is added to the query string and forwarded to Business Objects, which takes the user name from the query parameter and grants the user a session. As an example, a request URL like https://biserver.bi.com/BOE/BI is rewritten to https://biserver.bi.com/BOE/BI/?user=User01, and Business Objects fetches the user name from the query parameter user.
Caution: Both the HTTP Header and Query String methods should be used with extreme caution, and users must not be allowed to reach Business Objects directly, because headers and query parameters can be manipulated by the user. When these methods are in use, every request should pass through the authentication server and never go straight to Business Objects.
Cookie
The trusted authentication server authenticates the user and issues a cookie for the user; Business Objects reads the user information from that cookie.
Web Session
An external authentication server authenticates the request and establishes a web session, from which Business Objects reads the user. SAML authentication is a typical example of Web Session trusted authentication.
Remote User & User Principal
The Remote User and User Principal methods obtain the user information from the servlet request (its remote user and its user principal, respectively). These methods are often used with X.509 certificates, Vintela authentication and similar mechanisms.
Trusted authentication gives the flexibility to reuse existing technologies and makes Business Objects interoperable with other tools. Trusted authentication does not require a user to have an Enterprise alias; it authenticates any user in the system irrespective of the user's source.
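To make the shared-secret delegation and the user retrieval methods concrete, here is a small simulation written for this post. It is added example code, not code from the blog, from SAP, or from the Business Objects SDK. The class names, the `X-BO-User` and `X-BO-Shared-Secret` headers, the `bo_user` cookie and session attribute, and the credential table are assumptions made for the illustration; the real BOE web application configures the secret and retrieval method differently, but the trust relationship is the same. The gateway plays the trusted third party: it authenticates the user itself, strips any user-identifying fields the client set, and only then stamps the verified name onto the forwarded request. The Business Objects side refuses any request that does not carry the secret, which is what makes the caution above matter: a request that reaches Business Objects directly with a forged header gets nothing.

```python
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Optional

# Constructed secret standing in for the one generated by the Enterprise plugin.
SHARED_SECRET = "constructed-secret-for-the-example-only"

# The user retrieval methods named in the blog (plus the cookie variant).
RETRIEVAL_METHODS = ("HTTP_HEADER", "QUERY_STRING", "COOKIE",
                     "WEB_SESSION", "REMOTE_USER", "USER_PRINCIPAL")

USER_HEADER = "X-BO-User"             # assumed custom header name
SECRET_HEADER = "X-BO-Shared-Secret"  # assumed carrier for the shared secret
USER_QUERY_PARAM = "user"             # matches the blog's ?user=User01 example
USER_COOKIE = "bo_user"               # assumed cookie name
SESSION_KEY = "bo_user"               # assumed web-session attribute


@dataclass
class Request:
    """Minimal stand-in for an HTTP request reaching the BOE web application."""
    path: str
    headers: dict = field(default_factory=dict)
    query: dict = field(default_factory=dict)
    cookies: dict = field(default_factory=dict)
    session: dict = field(default_factory=dict)  # servlet web-session attributes
    remote_user: Optional[str] = None             # what getRemoteUser() would return
    user_principal: Optional[str] = None          # what getUserPrincipal() would name


class TrustedPrincipalSim:
    """Business Objects side: verify the shared secret, then read the user
    name via the configured retrieval method and issue a session token."""

    def __init__(self, secret: str, method: str):
        if method not in RETRIEVAL_METHODS:
            raise ValueError(f"unknown retrieval method {method}")
        self.secret = secret
        self.method = method
        self.sessions = {}  # token -> user name

    def extract_user(self, req: Request) -> Optional[str]:
        return {
            "HTTP_HEADER": lambda: req.headers.get(USER_HEADER),
            "QUERY_STRING": lambda: req.query.get(USER_QUERY_PARAM),
            "COOKIE": lambda: req.cookies.get(USER_COOKIE),
            "WEB_SESSION": lambda: req.session.get(SESSION_KEY),
            "REMOTE_USER": lambda: req.remote_user,
            "USER_PRINCIPAL": lambda: req.user_principal,
        }[self.method]()

    def logon(self, req: Request) -> Optional[str]:
        presented = req.headers.get(SECRET_HEADER, "")
        # The shared secret is a bearer credential: compare it in constant time
        # and refuse any request that lacks it, whatever user name it carries.
        if not hmac.compare_digest(presented.encode(), self.secret.encode()):
            return None
        user = self.extract_user(req)
        if not user:
            return None
        token = secrets.token_hex(16)
        self.sessions[token] = user
        return token


class TrustedGateway:
    """The trusted third party: authenticates the user and only then forwards."""

    def __init__(self, bo: TrustedPrincipalSim, secret: str, users: dict):
        self.bo, self.secret, self.users = bo, secret, users  # users: constructed table

    def forward(self, req: Request, username: str, password: str) -> Optional[str]:
        # Drop every user-identifying field the client may have set itself; with
        # the header and query-string methods these are trivially forgeable.
        req.headers.pop(USER_HEADER, None)
        req.headers.pop(SECRET_HEADER, None)
        req.query.pop(USER_QUERY_PARAM, None)
        req.cookies.pop(USER_COOKIE, None)
        req.session.pop(SESSION_KEY, None)
        req.remote_user = req.user_principal = None
        if self.users.get(username) != password:
            return None  # authentication failed: nothing is forwarded
        m = self.bo.method
        if m == "HTTP_HEADER":
            req.headers[USER_HEADER] = username
        elif m == "QUERY_STRING":
            req.query[USER_QUERY_PARAM] = username
        elif m == "COOKIE":
            req.cookies[USER_COOKIE] = username
        elif m == "WEB_SESSION":
            req.session[SESSION_KEY] = username
        elif m == "REMOTE_USER":
            req.remote_user = username
        else:
            req.user_principal = username
        req.headers[SECRET_HEADER] = self.secret
        return self.bo.logon(req)


def run_scenarios(method: str = "HTTP_HEADER") -> dict:
    """Exercise one retrieval method and return the outcome of each scenario."""
    bo = TrustedPrincipalSim(SHARED_SECRET, method)
    gateway = TrustedGateway(bo, SHARED_SECRET, {"User01": "constructed-pw"})
    ok = gateway.forward(Request("/BOE/BI"), "User01", "constructed-pw")
    # A client that bypasses the gateway and fills in every user field itself.
    forged = Request("/BOE/BI", headers={USER_HEADER: "Administrator"},
                     query={USER_QUERY_PARAM: "Administrator"},
                     cookies={USER_COOKIE: "Administrator"},
                     session={SESSION_KEY: "Administrator"},
                     remote_user="Administrator", user_principal="Administrator")
    direct = bo.logon(forged)
    bad_pw = gateway.forward(forged, "User01", "wrong")
    relogon = gateway.forward(Request("/BOE/BI", headers={USER_HEADER: "Administrator"}),
                              "User01", "constructed-pw")
    return {"normal_user": bo.sessions.get(ok), "direct": direct,
            "bad_password": bad_pw, "forged_then_authenticated": bo.sessions.get(relogon)}


if __name__ == "__main__":
    for m in RETRIEVAL_METHODS:
        print(m, run_scenarios(m))
```

Running it shows the same picture for every retrieval method: the gateway-issued session belongs to User01, the direct request with forged fields gets no session, a wrong password stops the request at the gateway, and a forged user name sent through the gateway is overwritten by the authenticated one. The two properties a reviewer would look for in a real deployment are the ones the simulation makes explicit: the secret is checked before any user field is trusted, and only the trusted server can reach the Business Objects endpoint.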
Stay tuned for more blogs on Business objects SSO.