Custom session timeout page for SSO?

Hi all,

We have SSO working using token passing, but as a number of people have said, this technique has some issues. The one I am particularly interested in is the CMS and Web Intelligence timeout redirects.

At the moment if a user is editing a report using the Web Intelligence applet under Tomcat and is ‘inactive’ for a period of time (i.e. does not save) they experience a Webi timeout and the right hand frame redirects to the standard login.do page. Has anyone found a way to redirect all session timeouts to a totally separate page outside the BO distribution - e.g. redirecting the parent window to something like http://server1/timeout.html

Thanks

Rod

(using XIr2 SP1 with PM and the Tomcat WCA.)


rodallen :uk: (BOB member since 2006-02-10)

Hello rodallen,

First thanks for all your prior posts regarding the SSO issues with Webi.

I have been struggling with getting our AD/SSO/Java environment to work correctly. I have been able to achieve integration of AD/SSO/Java using the token passing approach, but as you mentioned in your earlier posts it has several drawbacks; the biggest in my mind is the issue with the logon token appearing in the user's address bar. I also got the AD/Java approach working using Kerberos, but with this approach you don’t get SSO.

Just wondering if you had been able to find a solution that allowed AD/SSO/Java without doing the token passing.

Thanks for your time.


bbenishe (BOB member since 2002-09-03)

rodallen;

I am experiencing the same problem with the left frame timing out and redirecting to logon.do (after interaction from the user). I have opened a support case with BO but don't think there is going to be a fix for this anytime soon.

Gabo


gorthous :chile: (BOB member since 2004-11-10)

Hi,

If your concern is security then you could reduce the token timeout down to 1 minute in your initial ASP connection page. The session timeout on the CMS itself would still be 20 minutes (or whatever you have in web.xml). However, if it is more of a look and feel issue then you could look at opening a new window (without an address bar) using some JavaScript code in your ASP page. That is what I did on our system, and it also has the benefit of allowing you to use more of the screen (no IE toolbar, buttons etc).

Unfortunately I still have not come across a better way to get Single Sign On working with Tomcat and XI other than this token passing technique. I think that the ability to ‘Single Sign On’ to a Windows AD is really a feature of IIS which the .NET/COM code from Business Objects utilises.

Perhaps the question we should be asking is when is Business Objects going to port Performance Manager to .NET :wink: then we could all shift over to IIS and not have to worry about all this SSO hassle. As most people have come to realise - the SSO with IIS and the .NET Infoview works great with only a few edits to XML files.

Regards

Rod


rodallen :uk: (BOB member since 2006-02-10)

Hi Gabo,

Thanks for replying to this thread :smiley: . I would be very interested to hear what feedback you get on your case. I did try modifying a few promising looking parameters in the Infoview web.xml, but nothing seemed to work.

Regards

Rod


rodallen :uk: (BOB member since 2006-02-10)

I did get SSO with AD to work on Java InfoView without the token showing up in the address bar of the browser. I believe my approach was pretty much the same as what you outlined. I used an ASP page to create the token, then I used a JSP page to capture the token and pass it along to the regular Java login process. The ASP script I used is as follows:

<%@LANGUAGE=VBScript%>

<%

Dim CMS, UserID, Password, Report, Authorization, Viewer, oInfoObjects
CMS = "CMSName"
UserID = ""
Password = ""
Authorization = "secWinAD"

' Log on to the CMS through the COM SDK session manager.
Dim SessionManager
Set SessionManager = Server.CreateObject("CrystalEnterprise.SessionMgr")

Dim Sess
Set Sess = SessionManager.Logon(UserID, Password, CMS, Authorization)

Dim LogonTokenMgr
Set LogonTokenMgr = Sess.LogonTokenMgr

' Arguments: client machine name, minutes the token is valid, number of logons allowed.
logonToken = LogonTokenMgr.CreateLogonTokenEx("", 120, 10)

%>


The JSP Script that uses the token created in the above script is:


<%@ page language="java" contentType="text/html;charset=utf-8" %>
<%@ page import="com.crystaldecisions.sdk.framework.*,
com.crystaldecisions.sdk.exception.*" %>

<%
// Read the logon token handed over by the ASP page.
String token = request.getParameter("token");
%>
<%-- Server-side forward to the regular logon handler, passing the token as a parameter. --%>
<jsp:forward page="logon.object">
<jsp:param name="token" value="<%=token%>"/>
</jsp:forward>
<%
return;
%>


I totally agree that the ultimate solution is to get Business Objects to bring the same functionality to their ASP version as they have in the JSP version; that way we would not have to jump through these hoops.

At the International users conference in San Francisco they had a question and answer period in which the customers could ask the BO executives questions. I asked them if they were planning on putting the same features into the ASP version of Business Objects as the JSP version and they did say that was a goal that they are working toward. Of course he did not provide any time table for that goal so I probably should not hold my breath.

Thanks again for your help.


bbenishe (BOB member since 2002-09-03)

If the ASP code is already passing the token to the Java URL, why do you have additional JSP code to retrieve the token? I just used the ASP code and it logged me on to the Java version with the token appended. Seems like the JSP code is redundant and not necessary. Please advise. Thanks.

AJ


phidelt689 (BOB member since 2007-07-11)

Where exactly do you place the token script? Do you need to modify anything to make Business Objects aware of it?


doctortt (BOB member since 2007-08-03)

I put the following ASP page in the ‘Infoview’ folder and made it the default page in IIS. Then it successfully redirected me to the Java InfoView and logged me in with the token. I'm trying to find out why there is a need for the JSP code.

<%@ Language=VBScript %>
<%
Dim CMS, UserID, Password, Report, Authorization, Viewer, oInfoObjects
CMS = "EDRDEV"
UserID = ""
Password = ""
Authorization = "secWinAD"

' Log on to the CMS through the COM SDK session manager.
Dim SessionManager
Set SessionManager = Server.CreateObject("CrystalEnterprise.SessionMgr")

Dim Sess
Set Sess = SessionManager.Logon(UserID, Password, CMS, Authorization)

Dim LogonTokenMgr
Set LogonTokenMgr = Sess.LogonTokenMgr

' Arguments: client machine name, minutes the token is valid, number of logons allowed.
logonToken = LogonTokenMgr.CreateLogonTokenEx("", 10, 100)

Set LogonTokenMgr = Nothing
Set Sess = Nothing
Set SessionManager = Nothing

' Redirect to the Java InfoView logon page with the token in the query string.
response.redirect "http://EDRDEV:8085/businessobjects/enterprise115/desktoplaunch/InfoView/logon/logon.do?token=" & logonToken
%>


phidelt689 (BOB member since 2007-07-11)
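
Added example, not part of any post in this thread and not Business Objects code: a redirect that carries the logon token in the query string also writes it to web server access logs and Referer fields. This Python script redacts token values from log lines and flags any token presented by more than one client address; the log lines are constructed, and the combined log format with the client address first is an assumption.

```python
import hashlib
import re
from collections import defaultdict

# "token" query parameter in a request line or a Referer field.
TOKEN_PARAM = re.compile(r'([?&]token=)([^&\s"]+)', re.IGNORECASE)

LOGON = "/businessobjects/enterprise115/desktoplaunch/InfoView/logon/logon.do"

# Constructed sample lines (combined log format, client address first).
SAMPLE_LOG = [
    f'10.0.0.5 - - [12/Mar/2008:09:00:01 +0000] "GET {LOGON}?token=SAMPLETOKENAAA HTTP/1.1" 302 - "-" "Mozilla/4.0"',
    f'10.0.0.5 - - [12/Mar/2008:09:00:02 +0000] "GET /example/page HTTP/1.1" 200 512 "http://EDRDEV:8085{LOGON}?token=SAMPLETOKENAAA" "Mozilla/4.0"',
    f'10.0.0.9 - - [12/Mar/2008:09:00:40 +0000] "GET {LOGON}?token=SAMPLETOKENAAA HTTP/1.1" 302 - "-" "Mozilla/4.0"',
    f'10.0.0.7 - - [12/Mar/2008:09:05:00 +0000] "GET {LOGON}?token=SAMPLETOKENBBB HTTP/1.1" 302 - "-" "Mozilla/4.0"',
]


def fingerprint(token):
    """Short SHA-256 digest so the report never contains the raw token."""
    return hashlib.sha256(token.encode()).hexdigest()[:12]


def audit(lines):
    """Return (redacted_lines, reused).

    reused maps a token fingerprint to the sorted client addresses that
    presented it, for tokens seen from more than one address.
    """
    seen = defaultdict(set)
    redacted = []
    for line in lines:
        client = line.split(" ", 1)[0]
        for _prefix, token in TOKEN_PARAM.findall(line):
            seen[fingerprint(token)].add(client)
        redacted.append(TOKEN_PARAM.sub(r"\1[REDACTED]", line))
    reused = {fp: sorted(ips) for fp, ips in seen.items() if len(ips) > 1}
    return redacted, reused


if __name__ == "__main__":
    clean, reused = audit(SAMPLE_LOG)
    print("\n".join(clean))
    for fp, ips in reused.items():
        print(f"token {fp} presented by {len(ips)} clients: {', '.join(ips)}")
```
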

Does your single page re-direct script also hide the SSO user TOKEN?


dehuang83 :afghanistan: (BOB member since 2006-01-18)

Hi All,

I have a different issue and I was not able to find any topics in this forum that address it.

I added the custom ssoLogin.asp to the Web Content/InfoView folder. I then rebooted the IIS Server as well as the web pages. When I try to run that ssoLogin.asp page, it gives a default ‘The Page Cannot be Found’ error. It seems that Internet Explorer cannot even find that page in the Web Content folder.

Are there any additional settings in the IIS setup that can be causing this situation? I have the standard setting of allowing ‘Integrated Windows Authentication’ and disabled ‘anonymous login’.

Please let me know thanks!


dehuang83 :afghanistan: (BOB member since 2006-01-18)

Hi all,

My question gets back to the original subject of this post.

Session timeout. Having read throughout this post, I see that in those example files there are different values at

logonToken = LogonTokenMgr.CreateLogonTokenEx("", 120, 10)

logonToken = LogonTokenMgr.CreateLogonTokenEx("", 10, 100)

My users get logged out after 10 min. of idle time when creating/editing Webi reports.

My ASP file shows as follows:

logonToken = LogonTokenMgr.CreateLogonTokenEx("",1, 100)

What do those numbers mean? How do I amend those numbers to allow a session longer than 10 min.?

Thank you in advance


lmaestro :uk: (BOB member since 2008-01-21)

I’ve found half of the answer on another post.

However, I would also like to know: what does this second number do?

thanks,


lmaestro :uk: (BOB member since 2008-01-21)

The second parameter is for the maximum number of logons allowed using the token.


fermisoft (BOB member since 2007-08-22)
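
Added example, not part of any post in this thread and not Business Objects code: a small Python model of the two numbers discussed above, showing how each pair used in the thread bounds later reuse of a token left in a URL, and that the session it opens times out separately. It assumes the first number is the token's validity in minutes and the second the maximum number of logons, and takes the 20-minute session timeout from the earlier reply; the class names and timeline are constructed.

```python
from dataclasses import dataclass

SESSION_IDLE_MINUTES = 20   # assumed session timeout (the web.xml value quoted in the thread)


@dataclass
class Session:
    last_activity: float

    def alive(self, now: float) -> bool:
        # A session ends on inactivity, independent of the token's own lifetime.
        return now - self.last_activity <= SESSION_IDLE_MINUTES


@dataclass
class LogonToken:
    issued_at: float      # minutes on the model's clock
    valid_minutes: int    # first number in the thread's CreateLogonTokenEx calls
    max_logons: int       # second number: maximum logons with this token
    used: int = 0

    def redeem(self, now: float):
        """Return a new Session if the token is still acceptable, else None."""
        if now - self.issued_at > self.valid_minutes or self.used >= self.max_logons:
            return None
        self.used += 1
        return Session(last_activity=now)


def reuse_outcomes(valid_minutes, max_logons, times):
    """Issue a token at t=0 and report which logon attempts (minutes) succeed."""
    token = LogonToken(0.0, valid_minutes, max_logons)
    return [token.redeem(t) is not None for t in times]


# Constructed timeline: the legitimate logon at 0.1 min, then the same URL
# (still in the address bar or history) requested again at 0.5, 5 and 30 min.
ATTEMPTS = [0.1, 0.5, 5, 30]


def compare():
    pairs = [(120, 10), (10, 100), (1, 100), (1, 1)]
    return {p: reuse_outcomes(*p, ATTEMPTS) for p in pairs}


if __name__ == "__main__":
    for pair, outcome in compare().items():
        print(pair, outcome)
    s = LogonToken(0.0, 1, 1).redeem(0.1)
    print("session alive at 15 min:", s.alive(15), "at 25 min:", s.alive(25))
```
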