After we discussed the various single sign-on options that you can use for secure integration of Business Objects with your landscape in our previous blog, we now delve deeper into each one of those options.
X.509 is a standard defining the format of public key certificates and is widely used in internet protocols. It also underpins an authentication mechanism in which each user holds their own X.509 certificate, signed by a certificate authority, which can be used as the basis for validating their identity. Business Objects supports X.509 single sign-on out of the box. X.509 authentication and single sign-on in Business Objects is an extension of “Trusted” authentication, offered as part of the “Enterprise” authentication plugin. The method is fairly generic, and the implementation may vary with the certificate provider and the web application server used. Business Objects has built-in options to read user information from the certificate and authenticate the user.
As the name implies, this authentication is purely based on trust. The “Enterprise” authentication plugin available within Business Objects allows the generation of a secret key. This secret key is shared with the trusted third-party application or web application server. Authentication of the user is delegated to that third party; once the user is authenticated, it passes the user information to Business Objects along with the shared secret, and Business Objects then provides a session for that user. Refer to this blog for more on Trusted Authentication.
X.509 authentication on Business Objects is set up on top of “Trusted” authentication. The job of verifying the certificates can be delegated either to the Tomcat instance that ships with Business Objects or to an external system. Since this is a generic method, it can be achieved in multiple ways. At a high level, the following are the requirements for X.509 certificate authentication and single sign-on:
- Certificate authority – Signing and revoking user certificates
- Trusted authentication enabled in Business Objects
- Tomcat (or) webapp server should be configured for HTTPS with the certificate authority root certificate in the trust store of the web app server
When an external authentication server is not used, Tomcat performs both tasks: verifying the certificate and passing the user information to the Business Objects system. When a user tries to log in, Tomcat challenges the browser for an X.509 certificate, which the user holds in a certificate store accessible to the browser. Once the certificate is presented, Tomcat verifies that it was issued by a trusted authority. Once verified, it extracts the username from the CN of the certificate's subject and sends it to Business Objects along with the shared secret. Once Business Objects verifies the information, the user is granted a session. This is seamless for the user: there is no login page, and the browser presents the certificate to the server on the user's behalf.
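The step that turns a verified certificate into a login name deserves a closer look. The following is an added example (not code from this blog or from SAP Business Objects) showing how the CN can be pulled out of a subject DN in its string form ("CN=...,OU=...,DC=..."): escaped commas inside values are honoured, a subject with no CN or more than one CN is refused rather than guessed at, and a final mapping step turns the CN into the name handed to Trusted Authentication. The DN parsing, the character set accepted for a login name and the lower-casing are assumptions for this demonstration; certificate verification itself is assumed to have already been done by Tomcat.

```python
"""Extracting a Business Objects login name from an X.509 subject DN.

Added example, not code from the blog or from SAP Business Objects.
Assumes Tomcat has already verified the certificate chain and hands over
the subject DN as an RFC 4514 style string.
"""
import re
from typing import List, Tuple


def parse_dn(dn: str) -> List[Tuple[str, str]]:
    """Split a DN string into (attribute, value) pairs.

    A backslash escapes the next character, so 'CN=Doe\\, John' is read as
    one RDN whose value contains a comma, not as two RDNs.
    Multi-valued RDNs joined with '+' are not handled here.
    """
    pairs: List[Tuple[str, str]] = []
    pieces: List[str] = []
    buf: List[str] = []
    i = 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):
            buf.append(dn[i + 1])  # keep the escaped character literally
            i += 2
            continue
        if ch == ",":
            pieces.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
        i += 1
    pieces.append("".join(buf))
    for piece in pieces:
        if "=" not in piece:
            raise ValueError(f"malformed RDN: {piece!r}")
        attr, value = piece.split("=", 1)
        pairs.append((attr.strip().upper(), value.strip()))
    return pairs


def common_name(dn: str) -> str:
    """Return the single CN of a subject DN, or raise.

    A certificate with no CN, or with more than one, cannot be mapped to a
    login name unambiguously; refusing it is safer than picking one.
    """
    cns = [value for attr, value in parse_dn(dn) if attr == "CN"]
    if len(cns) != 1:
        raise ValueError(f"expected exactly one CN, found {len(cns)}")
    if not cns[0]:
        raise ValueError("empty CN")
    return cns[0]


# Assumption: login names are lower-case and limited to a conservative
# character set. Sites that key users on an e-mail local part or an AD
# account name instead should adapt this mapping to their user store.
LOGIN_NAME = re.compile(r"[a-z0-9._-]+")


def bo_login_name(dn: str) -> str:
    """Map the CN to the user name passed to Trusted Authentication."""
    cn = common_name(dn)
    name = cn.lower()
    if not LOGIN_NAME.fullmatch(name):
        raise ValueError(f"CN {cn!r} is not an acceptable login name")
    return name


if __name__ == "__main__":
    # Constructed sample subjects
    print(bo_login_name("CN=JDoe,OU=Users,DC=example,DC=com"))
    print(common_name("CN=Doe\\, John,OU=Users"))
```

The rejection of multiple or missing CNs is the part worth keeping whatever the mapping rule: an attribute that is merely "usually" unique is not a safe key for granting a session.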
Workflow with External Authentication Server
In this method, the task of verifying the certificate is delegated to an external system, and once verified, the request is forwarded to Tomcat. The external system could be a reverse proxy, another web application server, or a homegrown custom authentication method; this is often done to maintain compatibility with other applications. Since the certificate verification options natively available in Tomcat are limited and lack more advanced features, it is advisable to delegate the verification to the external system. Once the certificate is verified, the request is annotated with an HTTP header, a query string, or a web session and sent on to Tomcat. Tomcat then reads that header or query string and takes the user information from it. Once the user information is obtained, it is sent to Business Objects along with the shared secret, and a session is obtained.
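When the identity travels from the external system to Tomcat in an HTTP header, the header is only as trustworthy as the path it arrived on. The following added example (not code from this blog or from SAP Business Objects) models both ends of that exchange: the proxy drops any copy of the identity header that the client itself supplied and sets it only after its own verification succeeded, and the Tomcat side believes the header only when the connection actually came from a proxy address. The header name, the proxy address range and the shape of the payload handed to Trusted Authentication are assumptions for the demonstration.

```python
"""Passing a pre-authenticated identity from a reverse proxy to Tomcat.

Added example, not code from the blog or from SAP Business Objects.
Assumed: the proxy forwards the verified user name in X-Authenticated-User,
and the proxies live in 10.0.0.0/24 (constructed addresses).
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, Optional

USER_HEADER = "X-Authenticated-User"                      # assumed header name
TRUSTED_PROXIES = [ipaddress.ip_network("10.0.0.0/24")]   # constructed range


@dataclass
class Request:
    remote_addr: str           # peer that opened the connection to Tomcat
    headers: Dict[str, str]


def proxy_forward(client_headers: Dict[str, str],
                  verified_cn: Optional[str]) -> Dict[str, str]:
    """Proxy side: headers sent on to Tomcat.

    Any client-supplied copy of the identity header is removed so it cannot
    be smuggled through, and the header is set only when the proxy itself
    verified a certificate (verified_cn is the CN it extracted).
    """
    forwarded = {k: v for k, v in client_headers.items()
                 if k.lower() != USER_HEADER.lower()}
    if verified_cn:
        forwarded[USER_HEADER] = verified_cn
    return forwarded


def from_trusted_proxy(remote_addr: str) -> bool:
    addr = ipaddress.ip_address(remote_addr)
    return any(addr in net for net in TRUSTED_PROXIES)


def authenticated_user(req: Request) -> Optional[str]:
    """Tomcat side: user asserted by the proxy, or None if not trustworthy.

    A request that did not come from a proxy address may carry the header
    too, but then it was set by whoever connected, so it is ignored.
    """
    if not from_trusted_proxy(req.remote_addr):
        return None
    for name, value in req.headers.items():     # header names are case-insensitive
        if name.lower() == USER_HEADER.lower():
            return value.strip() or None
    return None


def trusted_auth_payload(req: Request,
                         shared_secret: str) -> Optional[Dict[str, str]]:
    """What the web tier hands to Business Objects: user name plus the
    shared secret it holds from the Trusted Authentication setup. The
    secret never comes from the request."""
    user = authenticated_user(req)
    if user is None:
        return None
    return {"user": user, "secret": shared_secret}


if __name__ == "__main__":
    # Constructed request: client tried to inject the header, proxy verified "jdoe"
    fwd = proxy_forward({"X-Authenticated-User": "Administrator", "Accept": "*/*"}, "jdoe")
    print(trusted_auth_payload(Request("10.0.0.5", fwd), "example-shared-secret"))
    # Same header arriving directly, not via a proxy: rejected
    print(trusted_auth_payload(Request("192.168.1.9", fwd), "example-shared-secret"))
```

In a real deployment the second check is usually enforced by network layout (Tomcat reachable only from the proxy) or by mutual TLS between proxy and Tomcat rather than by an address list; the point is that some check of this kind must exist, because the header alone proves nothing.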
Advantages of X509 authentication and SSO
- X.509 certificates are generic and platform independent
- Re-use of existing infrastructure which is configured for other systems
- Easy to set up for users who are out of the network
- SSO can be configured for BOE systems in a different domain (hosted systems)
Stay tuned for more information about alternate Single Sign-on methods available for Business Objects.