BusinessObjects Enterprise Administrator's Guide
About single sign-on
The term single sign-on is used to describe different scenarios. At its most basic level, it refers to a situation where a user can access two or more applications or systems while providing their logon credentials only once, thus making it easier for users to interact with the system.
Single sign-on to BusinessObjects Enterprise can be provided by BusinessObjects Enterprise, or by different authentication tools such as Windows NT, Windows AD, or LDAP with SiteMinder.
Within the context of BusinessObjects Enterprise, we distinguish the following levels of single sign-on:
Single sign-on to BusinessObjects Enterprise
Single sign-on to BusinessObjects Enterprise means that once users have logged on to the operating system they can access BusinessObjects Enterprise without having to provide their logon credentials again. When they log on to the operating system, a logon token is created. The system uses this token to authenticate the users and grant them access to BusinessObjects Enterprise and its components.
The term "anonymous single sign-on" also refers to single sign-on to BusinessObjects Enterprise, but it specifically refers to the single sign-on functionality for the Guest user account. When the Guest user account is enabled, which it is by default, anyone can log on to BusinessObjects Enterprise as Guest and will have single sign-on access to BusinessObjects Enterprise. For more information, see "Disabling a user account" on page 37.
Single sign-on to BusinessObjects Enterprise was already supported in previous versions of Crystal Enterprise and continues to exist in BusinessObjects Enterprise XI. For information on configuring single sign-on to BusinessObjects Enterprise, see:
Single sign-on to database
Once users are logged on to BusinessObjects Enterprise, single sign-on to the database enables them to perform actions that require database access, in particular, viewing reports and Web Intelligence documents, without having to provide their logon credentials again. Single sign-on to the database can be combined with single sign-on to BusinessObjects Enterprise, to provide users with even easier access to the resources they need. See End-to-end single sign-on.
In BusinessObjects Enterprise XI, single sign-on to the database is supported through Windows AD using Kerberos. You may want to use single sign-on to the database rather than end-to-end single sign-on if you don't want the LocalSystem account used by IIS to be trusted for delegation.
For more information, see "Configuring Kerberos single sign-on" on page 290, in particular "Configuring IIS for single sign-on to databases only" on page 302, and "Configuring web applications for single sign-on to the databases" on page 306.
End-to-end single sign-on
End-to-end single sign-on refers to a configuration where users have both single sign-on access to BusinessObjects Enterprise at the front-end, and single sign-on access to the databases at the back-end. Thus, users need to provide their logon credentials only once, when they log on to the operating system, to have access to BusinessObjects Enterprise and to be able to perform actions that require database access, such as viewing reports.
In BusinessObjects Enterprise XI, end-to-end single sign-on is supported through Windows AD and Kerberos. For more information, see "Configuring Kerberos single sign-on" on page 290.