single sign-on

We are trying to implement SSO on Sun Solaris 8 with E6.1b but that can be achieved with basic authentication mode.

However, we don’t know how to implement SSO for full client BO? Maybe with NT authentication mode?

Since now BO e6.1b stores authentication mode in repository, we can’t have basic authentication for webi and NT authentication for Full client.

Can anyone guide us about our approach on SSO?

Thanks,
Mayank


Mayank123 (BOB member since 2004-06-21)

Please, take a look at this post.

Also, remember that a simple search on BOB, restrict search to forum WebI v6, keyword: Authentication
might yield more results.


Steve Krandel :us: (BOB member since 2002-06-25)

Thanks for your response. I have seen E6.1b authentication topics.
But they are not of much help with respect to SSO.

We are planning to use Basic Authentication for webi with SSO
and NT Authentication for full client. This can be done if BusinessObjects stores authentication separately for webi and full client. In both the cases, BusinessObjects does not store the password in the repository.

This is just an idea. Has any user used this approach for full client SSO?

Thanks,


Mayank123 (BOB member since 2004-06-21)

Mayank,
Here’s how we tricked a webi cluster into using a different security setting in Oracle 8.1 by adding 1 user, 1 table, 1 row, 1 view, 1 trigger and a bunch of synonyms:

  1. We created a new Oracle user in the repository schema. If your current userID is bosys, let’s call this one bosys2.

  2. We created synonyms for every table in the security domain so that bosys2 does not need to specify the table owner in its SQL, EXCEPT for the OBJ_M_GENPAR table. The OBJ_M_GENPAR table in the repository contains a row that determines the security setting: ID = 123. The VALUE column has either 0 (BO Standard), 256 (NT Authentication), or 512 (Basic Authentication).

  3. We created a new table under bosys2 called SSO_CLUSTER with the same structure as OBJ_M_GENPAR.

  4. We inserted 1 row, ID 123 with the alternate security number, 512 for us.

  5. Next we created a VIEW under bosys2 called OBJ_M_GENPAR which is a UNION of: Select * from bosys.OBJ_M_GENPAR where ID <> 123 AND Select * from bosys2.SSO_CLUSTER where ID = 123.

  6. All that’s left is to handle INSERT, UPDATE, and DELETE SQL sent to the view by creating a special TRIGGER on the view called an INSTEAD OF trigger. This trigger needs to be programmed to send SQL to the correct base table depending on whether the ID = 123.

Run a safe recovery on the cluster using the bosys2 UserID and keep that bomain.key separate from the original.

We have this only in development so far, but everything looks very stable. It feels elegantly simple compared to everything else we tried. I’d love to hear opinions from all the experts out there before we push this into testing and production. . . other than ‘business objects doesn’t support modifying the repository tables directly.’ :wink:


rogue (BOB member since 2004-06-21)
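
The six steps in the post above, sketched as Oracle SQL. This is an added example, not the poster's code: it assumes OBJ_M_GENPAR has just the two columns the post names (ID, VALUE), so adjust the column lists to the real repository structure; the synonyms from step 2 are omitted and the trigger name is made up.

```sql
-- Run as bosys: bosys2 needs direct grants (not via a role) to build a view on this table.
GRANT SELECT, INSERT, UPDATE, DELETE ON bosys.OBJ_M_GENPAR TO bosys2;

-- Everything below runs as bosys2.
-- Step 3: empty table with the same structure as the repository table.
CREATE TABLE SSO_CLUSTER AS SELECT * FROM bosys.OBJ_M_GENPAR WHERE 1 = 0;

-- Step 4: the override row (0 = BO Standard, 256 = NT, 512 = Basic Authentication).
INSERT INTO SSO_CLUSTER (ID, VALUE) VALUES (123, 512);
COMMIT;

-- Step 5: every row comes from bosys except ID 123, which comes from the override table.
-- The two branches are disjoint, so UNION ALL returns the same rows as UNION.
CREATE OR REPLACE VIEW OBJ_M_GENPAR AS
  SELECT * FROM bosys.OBJ_M_GENPAR WHERE ID <> 123
  UNION ALL
  SELECT * FROM SSO_CLUSTER WHERE ID = 123;

-- Step 6: route DML against the view to the correct base table.
-- An UPDATE that changes ID itself is not handled in this sketch.
CREATE OR REPLACE TRIGGER OBJ_M_GENPAR_ROUTE   -- hypothetical name
INSTEAD OF INSERT OR UPDATE OR DELETE ON OBJ_M_GENPAR
FOR EACH ROW
BEGIN
  IF INSERTING THEN
    IF :NEW.ID = 123 THEN
      INSERT INTO SSO_CLUSTER (ID, VALUE) VALUES (:NEW.ID, :NEW.VALUE);
    ELSE
      INSERT INTO bosys.OBJ_M_GENPAR (ID, VALUE) VALUES (:NEW.ID, :NEW.VALUE);
    END IF;
  ELSIF UPDATING THEN
    IF :OLD.ID = 123 THEN
      UPDATE SSO_CLUSTER SET VALUE = :NEW.VALUE WHERE ID = 123;
    ELSE
      UPDATE bosys.OBJ_M_GENPAR SET VALUE = :NEW.VALUE WHERE ID = :OLD.ID;
    END IF;
  ELSE  -- DELETING
    IF :OLD.ID = 123 THEN
      DELETE FROM SSO_CLUSTER WHERE ID = 123;
    ELSE
      DELETE FROM bosys.OBJ_M_GENPAR WHERE ID = :OLD.ID;
    END IF;
  END IF;
END;
/

-- Check what each account sees: bosys2 should read 512, bosys keeps its own value.
SELECT ID, VALUE FROM OBJ_M_GENPAR WHERE ID = 123;
```

Because the single row in SSO_CLUSTER decides how every cluster connecting as bosys2 authenticates users, write access to that table and to the bosys2 account should be restricted as tightly as the repository itself.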

Actually Steve was right on the money. You use the dll switch, such that as you were planning, you can use Basic Authentication (or LDAP) for Webi and NT for Full Client.

Without the hotfix, you cannot run two different authentication schemes (the hotfix brings back functionality we had with version 5).

Lots of people do this, which is why there was such an outcry when the functionality was left out.

Another way around it is just to modify the login.asp/jsp page to use whichever method you choose.


Hayden_Gill :australia: (BOB member since 2002-08-15)