Federated Search Between SAP Netweaver® Enterprise Search 7.2 and Microsoft® Sharepoint® 2010 Using Open Search

Federated Search between SAP NetWeaver® Enterprise Search 7.2 and Microsoft® SharePoint® 2010 using Open Search

Applies to: SAP NetWeaver® Enterprise Search 7.2, Microsoft® SharePoint® 2010

Summary SAP NetWeaver Enterprise Search 7.2 provides an OpenSearch interface that lets you use results from SAP NetWeaver Enterprise Search within any OpenSearch Client. As a result SAP NetWeaver Enterprise Search can be configured as a federated search location within Microsoft SharePoint 2010 based on the Open Search standard. This is possible since SAP NetWeaver Enterprise Search can be configured to support Integrated Windows Authentication for its OpenSearch interface that has been described by us in a recent whitepaper.

Authors: André Fischer, Holger Bruchelt, Amir Naor Companies: SAP AG, SAP Labs Israel Created on: 31 May 2010

Author Bio André Fischer works at SAP AG in the Technology Solution Management. In addition Andre has lent his talents as an SAP technology consultant for eight years before joining SAP 2004.

Holger Bruchelt works at SAP AG in the Duet Regional Implementation Group in Germany. Before that he has been working as a technical NetWeaver consultant since 2002.

Amir Naor works at SAP Labs Israel in the development of the Information Worker Group.

SAP COMMUNITY NETWORK SDN - sdn.sap.com | BPX - bpx.sap.com | BOC - boc.sap.com | UAC - uac.sap.com © 2010 SAP AG 1 Federated Search between SAP NetWeaver® Enterprise Search 7.2 and Microsoft® SharePoint® 2010 using Open Search

Table of Contents Applies to: ...... 1 Summary ...... 1 Author Bio ...... 1 Table of Contents ...... 2 Introduction ...... 3 Configuration Steps in Microsoft SharePoint ...... 5 Configure SharePoint to use Kerberos ...... 5 Configure delegation for AppPool User ...... 6 Federated Locations in SharePoint Server 2010 ...... 6 How to create a federated location in SharePoint Server 2010...... 6 Add an Federated Results WebPart in the SearchCenter Site...... 8 Configure Proxy Settings ...... 9 Customize the Branding Icon for Federated Search Results ...... 10 Configuration Steps in Microsoft Active Directory...... 12 Configuration Steps in SAP NetWeaver Enterprise Search ...... 14 Configuring SAP NetWeaver Enterprise Search for Single Sign-On ...... 14 Retrieve the OpenSearch URL ...... 14 Outlook …………………………………………………………………………………………………………………17 Related Content ...... 18 Copyright ...... 19

SAP COMMUNITY NETWORK SDN - sdn.sap.com | BPX - bpx.sap.com | BOC - boc.sap.com | UAC - uac.sap.com © 2010 SAP AG 2 Federated Search between SAP NetWeaver® Enterprise Search 7.2 and Microsoft® SharePoint® 2010 using Open Search

Introduction In this whitepaper we would like to describe how search results from SAP NetWeaver Enterprise Search 7.2 can be consumed by Microsoft SharePoint 2010 using the OpenSearch interface of SAP NetWeaver Enterprise Search. As the OpenSearch standard (http://www.opensearch.org/) has evolved and became popular, SAP NetWeaver Enterprise Search provides an interface for its search functionality in accordance with the OpenSearch standard. Since the OpenSearch format is based on RSS 2.0 or ATOM 1.0 the search results can be displayed by any feed reader. This works fine with sources that are public available on the web and that do not require authentication. Access to SAP NetWeaver Enterprise Search however is only possible for users that are providing credentials. If an OpenSearch source requires authentication it can only be integrated into Microsoft SharePoint 2010 out of the box if it supports Kerberos based authentication. Fortunately Windows Integrated Authentication can be leveraged by SAP NetWeaver Enterprise Search as well. In a recent whitepaper we described how SAP NetWeaver Enterprise Search can be configured to support Integrated Windows Authentication especially for its OpenSearch interface. Using an SAP NetWeaver Enterprise Search installation that is configured as described in the whitepaper mentioned above allows for an out-of-the-box integration into Microsoft SharePoint 2010.

SAP COMMUNITY NETWORK SDN - sdn.sap.com | BPX - bpx.sap.com | BOC - boc.sap.com | UAC - uac.sap.com © 2010 SAP AG 3 Federated Search between SAP NetWeaver® Enterprise Search 7.2 and Microsoft® SharePoint® 2010 using Open Search

Results If the configuration steps described in this whitepaper are performed you will see a search result screen in Microsoft SharePoint 2010 that looks similar like the screen shot below. On the right hand side of the search results window the search results from two federated search locations are included. One is SAP NetWeaver Enterprise Search , the other is a search in the internet performed using BING®. Please note that the federated search results from SAP NetWeaver Enterprise Search are retrieved based on an authentication using Single Sign On since the OpenSearch Interface accepts the Kerberos tokens that are sent from Microsoft SharePoint 2010 on behalf of the currently logged on user. This however only works if 1. Microsoft SharePoint 2010 is configured to support Kerberos 2. The Application Pool user of Microsoft SharePoint 2010 is configured for delegation 3. Kerberos has been used as the initial authentication method when logging on to Microsoft SharePoint 2010

SAP COMMUNITY NETWORK SDN - sdn.sap.com | BPX - bpx.sap.com | BOC - boc.sap.com | UAC - uac.sap.com © 2010 SAP AG 4 Federated Search between SAP NetWeaver® Enterprise Search 7.2 and Microsoft® SharePoint® 2010 using Open Search

Configuration Steps in Microsoft SharePoint 2010

Configure Microsoft SharePoint 2010 to use Kerberos The Microsoft SharePoint 2010 has to be configured to use Kerberos as described in the Microsoft TechNet article Configure Kerberos authentication (SharePoint Server 2010).

SharePoint Web Site Settings in IIS:

In our demo landscape we used a simplified setup where all Application Pools were running using the same domain user sp3137.

SAP COMMUNITY NETWORK SDN - sdn.sap.com | BPX - bpx.sap.com | BOC - boc.sap.com | UAC - uac.sap.com © 2010 SAP AG 5 Federated Search between SAP NetWeaver® Enterprise Search 7.2 and Microsoft® SharePoint® 2010 using Open Search

Configure delegation for the Application Pool User The domain user that is used to run the SharePoint Application Pools must be configured for delegation in Active Directory as described later in this whitepaper (see section

SAP COMMUNITY NETWORK SDN - sdn.sap.com | BPX - bpx.sap.com | BOC - boc.sap.com | UAC - uac.sap.com © 2010 SAP AG 6 Federated Search between SAP NetWeaver® Enterprise Search 7.2 and Microsoft® SharePoint® 2010 using Open Search

Configuration Steps in Microsoft Active Directory).

Federated Locations in SharePoint Server 2010 Microsoft SharePoint 2010 supports a lightweight integration for repositories that support the OpenSearch standard. Repositories that support the OpenSearch standard can be connected through an OpenSearch 1.0/1.1 location type. To leverage the role based access offered by SAP NetWeaver Enterprise Search User- level Authentication has to be chosen when configuring the federated location. This way federated search results in the associated location are displayed based on the authentication using individual user credentials. If an OpenSearch source requires authentication it can only be integrated out of the box into Microsoft SharePoint 2010 if it supports Kerberos based authentication. This authentication option is supported by SAP NetWeaver Enterprise Search as described by us in a recent whitepaper

How to create a federated location in SharePoint Server 2010 Please replace the following place holders with the appropriate technical information of your infrastructure: Hostname of the SAP NetWeaver Enterprise Search Server Portnumber that has to be used to access the SAP Enterprise Search Host

Access the SharePoint 2010 Central Administration page, for example by logging on locally to the Microsoft SharePoint 2010 and click Start  Programs  Microsoft SharePoint 2010 Products  SharePoint 2010 Central Administration. There select General Application Settings  General Application Settings  Farm Search Administration  Search Service Application. Here it is possible to create a new Federated Search Location

To create the federated location the following steps have to be performed: 1. On the Manage Federated Locations page, click New Location. 2. In the Location Name field type SAPNWES.

SAP COMMUNITY NETWORK SDN - sdn.sap.com | BPX - bpx.sap.com | BOC - boc.sap.com | UAC - uac.sap.com © 2010 SAP AG 7 Federated Search between SAP NetWeaver® Enterprise Search 7.2 and Microsoft® SharePoint® 2010 using Open Search

3. In the Display Name field, type SAP NetWeaver Enterprise Search. 4. In the Description field, type text to describe the location, such as OpenSearch interface of SAP NetWeaver Enterprise Search. 5. In the Version field, type 1.0. 6. For the Location type field, click OpenSearch 1.0/1.1. 7. In the Query Template field, type

http://:/ /zes/opensearch/search?sap- client=001&q={searchTerms}

Hint: The search can be limited to a certain scope. This can be done if the OpenSearch URL from a fine grained search is used as the query template as described at the end of this whitepaper. 8. In the "More Results" Link Template field, type

http://:/zes/search?sap-client=001&query={searchTerms}

This will open the HTML interface of SAP NetWeaver Enterprise Search that will offer the user the option to leverage related actions and the option to drill down into the search results of SAP NetWeaver Enterprise Search 7.2. Since the SAP NetWeaver Enterprise Search UI can also be configured for Single Sign-On using Integrated Windows Authentication the end user will get a seamless integration of both search platforms 9. In Specify Credentials, select the authentication type User and the authentication protocol Kerberos - User credentials passed automatically. In this case the credentials of the user who submitted the search query are used to connect to the federated location.

10. Click OK.

SAP COMMUNITY NETWORK SDN - sdn.sap.com | BPX - bpx.sap.com | BOC - boc.sap.com | UAC - uac.sap.com © 2010 SAP AG 8 Federated Search between SAP NetWeaver® Enterprise Search 7.2 and Microsoft® SharePoint® 2010 using Open Search

Add an Federated Results WebPart in the SearchCenter Site The Federated Results Web Part displays the results from a specified federated location. You can specify only one location in a Federated Results Web Part. We will now describe how to create a Federated Results Web Part that will display the results found by SAP NetWeaver Enterprise Search 7.2. Open the SearchCenter site on and enter an arbitrary query to enter the search results page. On the search results page, on the Site Actions menu, click Edit Page. In the right zone select the Add a Web Part and select a Federated Results Web Part.

Select the Edit Web Part dialogue from the context menu.

1. In Location Properties, click SAP NetWeaver Enterprise Search fron the Location list. 2. In Appearance, click enter SAP NetWeaver Enterprise Search for the title. 3. Expand the More Results Link Options node. 4. Check the option Show More Results Link. 5. Then click OK. 6. Click Save & Close to close the Edit page.

SAP COMMUNITY NETWORK SDN - sdn.sap.com | BPX - bpx.sap.com | BOC - boc.sap.com | UAC - uac.sap.com © 2010 SAP AG 9 Federated Search between SAP NetWeaver® Enterprise Search 7.2 and Microsoft® SharePoint® 2010 using Open Search

Configure Proxy Settings Since the federated searches are performed in internal as well as external federated locations one usually has to configure Proxy Server Settings. On the Search Administration page maintain the Search Proxy Settings.

In the Proxy Server Settings section, click Use the proxy server specified, and then do the following steps: In the Address box, type the URL of the proxy server, for example http://proxy.mycompany.corp. In the Port box, type the port number that is used by the proxy server. Select the Bypass proxy server for local (intranet) addresses check box. In the Do not use proxy server for addresses beginning with text box enter the same strings that you find in your browser settings, for example: *.mycompany.corp Select the Use these proxy settings for access to federated sites check box.

Result: The federated location that points to BING will use the proxy while the federated location that points to SAP NetWeaver Enterprise Search will not use the proxy.

SAP COMMUNITY NETWORK SDN - sdn.sap.com | BPX - bpx.sap.com | BOC - boc.sap.com | UAC - uac.sap.com © 2010 SAP AG 10 Federated Search between SAP NetWeaver® Enterprise Search 7.2 and Microsoft® SharePoint® 2010 using Open Search

Customize the Branding Icon for Federated Search Results Results from BING are highlighted with an Icon. We want to achieve the same for the results that are retrieved from SAP NetWeaver Enterprise Search. The result set shown in the Federated Search Results Web Part should contain an SAP Icon to show the source of the data. Access the Search Administration page. To add the SAP Logo to the title of a federated search results set proceed as follows: 1. On the Search Administration page, click Federated Locations. 2. Under Location Display Name, click the name of your location SAP NetWeaver Enterprise Search. 3. Expand the Display Information node. 4. Under Federated Search Results Display Metadata, clear the Use Default Formatting check box. 5. Click the ellipsis (…) button to open the Text Entry window for the location's XSL property. 6. Locate the following tag in the XSLT:

7. Add the URL to the image you want to use to the xsl parameter tag for the BrandingIcon parameter.

/Shared%20Documents/SAPLogo.gif

8. Click OK to close the Text Entry window. 9. Click OK to save the changes to the federated location. 10. Execute a query that returns results from the location. Verify that the new title appears as you expect. The customized branding image appears in the title bar of the Federated Results Web Part. Tipp: Instead of loading the SAP logo from the SDN you would rather upload the image to the Microsoft Search Server to access it locally.

SAP COMMUNITY NETWORK SDN - sdn.sap.com | BPX - bpx.sap.com | BOC - boc.sap.com | UAC - uac.sap.com © 2010 SAP AG 11 Federated Search between SAP NetWeaver® Enterprise Search 7.2 and Microsoft® SharePoint® 2010 using Open Search

Troubleshooting: If you update the federated location's XSL property, you must ensure that the Federated Results Web Part is configured to use the location's display information.

SAP COMMUNITY NETWORK SDN - sdn.sap.com | BPX - bpx.sap.com | BOC - boc.sap.com | UAC - uac.sap.com © 2010 SAP AG 12 Federated Search between SAP NetWeaver® Enterprise Search 7.2 and Microsoft® SharePoint® 2010 using Open Search

Configuration Steps in Microsoft Active Directory Single-Sign On to SAP NetWeaver Enterprise Search configured as a federated location using Integrated Windows Authentication does not work out the box. It is necessary to configure delegation in Microsoft Active Directory so that Microsoft SharePoint 2010 can acquire Kerberos Tickets on behalf of the logged on user to access the OpenSearch interface of SAP NetWeaver Enterprise Search. In addition it is necessary to configure Microsoft SharePoint 2010 to support Kerberos based login. We have to distinguish two cases: 1. The SharePoint Servers application pool is using the Local System account 2. The SharePoint Servers application pool is running under a domain user account. The first configuration is frequently used for demo or test systems while the second one is the preferred configuration for productive environments. While for option 1 the computer account the server is running on has to be configured for delegation for option 2 we have to configure the domain user account that is used to run the application pool of the SharePoint server. In our demo environment the domain user sp3137 was used. a. Open Active directory Users and Computers. b. Locate the domain user account that is used to run the Application Pool of the SharePoint Server 2010 c. Right-click and choose Properties. d. Select Delegation and Trust this computer for delegation to any service (Kerberos only) e. Press OK

SAP COMMUNITY NETWORK SDN - sdn.sap.com | BPX - bpx.sap.com | BOC - boc.sap.com | UAC - uac.sap.com © 2010 SAP AG 13 Federated Search between SAP NetWeaver® Enterprise Search 7.2 and Microsoft® SharePoint® 2010 using Open Search

SAP COMMUNITY NETWORK SDN - sdn.sap.com | BPX - bpx.sap.com | BOC - boc.sap.com | UAC - uac.sap.com © 2010 SAP AG 14 Federated Search between SAP NetWeaver® Enterprise Search 7.2 and Microsoft® SharePoint® 2010 using Open Search

Configuration Steps in SAP NetWeaver Enterprise Search

Configuring SAP NetWeaver Enterprise Search for Single Sign-On To have this integration scenario work seamlessly for your end-users it is necessary to configure the SAP Enterprise Search server such that is supports Integrated Windows Authentication as described in our recent whitepaper . If no Single Sign-On is configured a federated search would only work with fixed credentials used by the federated search location. In such a case all SharePoint users would search within SAP NetWeaver Enterprise Search using the same user which would be problematic from a governance point of view.

Retrieve the OpenSearch URL When configuring the federated search location in SharePoint Server 2010(see above) we have to specify the Query template. We would like to show how it is possible to retrieve a more fine grained Query template that could for example be used to limit the federated search results to purchase orders that contain a certain product as a line item. To do so we log on the HTML based UI of SAP NetWeaver Enterprise Search and perform a search for purchase orders that contain a certain product HT-1000 as a line item:

Figure 1 Searching in Enterprise Search for specific purchase orders On the bottom of the search result screen there is a link Subscribe that can be used to subscribe the search result as an RSS Feed as described in our whitepaper about the integration between Outlook 2007 and SAP NetWeaver Enterprise Search. This will open a new browser window with using the OpenSearch URL using the same query parameters that have been selected in the SAP NetWeaver Enterprise Search UI that point to the OpenSearch UI http://ivml2087.wdf.sap.corp:50000/zes/opensearch/search?sap- client=001&q=connector%3aES2001%7eEPM_PO_AUTO%7e%20ht-1000

SAP COMMUNITY NETWORK SDN - sdn.sap.com | BPX - bpx.sap.com | BOC - boc.sap.com | UAC - uac.sap.com © 2010 SAP AG 15 Federated Search between SAP NetWeaver® Enterprise Search 7.2 and Microsoft® SharePoint® 2010 using Open Search

Figure 2 OpenSearch interface of SAP NetWeaver Enterprise Search If we now change the Query template in the federated search location in Microsoft SharePoint 2010 we will see that only purchase orders containing the product HT-1000 as a line item will be shown. In this example the query template would have to be changed to

http://ivml2087.wdf.sap.corp:50000/zes/opensearch/search?sap-client=001&q= connector%3aES2001%7eEPM_PO_AUTO%7e%20{searchTerms}

In this case the search result in Microsoft SharePoint 2010 would look like this

SAP COMMUNITY NETWORK SDN - sdn.sap.com | BPX - bpx.sap.com | BOC - boc.sap.com | UAC - uac.sap.com © 2010 SAP AG 16 Federated Search between SAP NetWeaver® Enterprise Search 7.2 and Microsoft® SharePoint® 2010 using Open Search

SAP COMMUNITY NETWORK SDN - sdn.sap.com | BPX - bpx.sap.com | BOC - boc.sap.com | UAC - uac.sap.com © 2010 SAP AG 17 Federated Search between SAP NetWeaver® Enterprise Search 7.2 and Microsoft® SharePoint® 2010 using Open Search

Outlook Instead of using a Java stack to perform the authentication and using a custom code jsp-page to perform a redirect it is planned to support a standard based approach with the next major release of SAP NetWeaver Enterprise Search based on SAML. In such a scenario one would use SAP NetWeaver Identity Management or Microsoft Active Directory Federation Services 2.0 as a ticket issuing system (IdP) that is issuing SAML tokens on an authentication using a Kerberos ticket. The SAML tokens would in the end be used to perform SSO to the OpenSearch interface of SAP NetWeaver Enterprise Search.

SAP COMMUNITY NETWORK SDN - sdn.sap.com | BPX - bpx.sap.com | BOC - boc.sap.com | UAC - uac.sap.com © 2010 SAP AG 18 Federated Search between SAP NetWeaver® Enterprise Search 7.2 and Microsoft® SharePoint® 2010 using Open Search

Related Content 1. Single Sign On to SAP NetWeaver Enterprise SearchUsing Integrated Windows http://www.sdn.sap.com/irj/scn/index?rid=/library/uuid/00007511-5c0e-2d10-26bd-f30b7f433b9a 2. Consuming Search Results from SAP NetWeaver Enterprise Searchin Microsoft Outlook 2007 http://www.sdn.sap.com/irj/scn/index?rid=/library/uuid/309034b0-1234-2d10-9ab0-996ac4cff292 3. SAP Developer NetWork – Search Technologies http://www.sdn.sap.com/irj/sdn/nw-search 4. Microsoft TechNet : Configure Kerberos authentication (SharePoint Server 2010) http://technet.microsoft.com/en-us/library/ee806870.aspx

SAP COMMUNITY NETWORK SDN - sdn.sap.com | BPX - bpx.sap.com | BOC - boc.sap.com | UAC - uac.sap.com © 2010 SAP AG 19 Federated Search between SAP NetWeaver® Enterprise Search 7.2 and Microsoft® SharePoint® 2010 using Open Search

Copyright © Copyright 2010 SAP AG. All rights reserved. No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of SAP AG. The information contained herein may be changed without prior notice. Some software products marketed by SAP AG and its distributors contain proprietary software components of other software vendors. Microsoft, Windows, Excel, Outlook, and PowerPoint are registered trademarks of Microsoft Corporation. IBM, DB2, DB2 Universal Database, System i, System i5, System p, System p5, System x, System z, System z10, System z9, z10, z9, iSeries, pSeries, xSeries, zSeries, eServer, z/VM, z/OS, i5/OS, S/390, OS/390, OS/400, AS/400, S/390 Parallel Enterprise Serv er, PowerVM, Power Architecture, POWER6+, POWER6, POWER5+, POWER5, POWER, OpenPower, PowerPC, BatchPipes, BladeCenter, System Storage, GPFS, HACMP, RETAIN, DB2 Connect, RACF, Redbooks, OS/2, Parallel Sysplex, MVS/ESA, AIX, Intelligent Miner, WebSphere, Netfinity, Tivoli and Informix are trademarks or registered trademarks of IBM Corporation. Linux is the registered trademark of Linus Torvalds in the U.S. and other countries. Adobe, the Adobe logo, Acrobat, PostScript, and Reader are either trademarks or registered trademarks of Adobe Systems Incorporated in the United States and/or other countries. Oracle is a registered trademark of Oracle Corporation. UNIX, X/Open, OSF/1, and Motif are registered trademarks of the Open Group. Citrix, ICA, Program Neighborhood, MetaFrame, WinFrame, VideoFrame, and MultiWin are trademarks or registered trademarks of Citrix Systems, Inc. HTML, XML, XHTML and W3C are trademarks or registered trademarks of W3C®, World Wide Web Consortium, Massachusetts Institute of Technology. Java is a registered trademark of Sun Microsystems, Inc. JavaScript is a registered trademark of Sun Microsystems, Inc., used under license for technology invented and implemented by Netscape. SAP, R/3, SAP NetWeaver, Duet, PartnerEdge, ByDesign, SAP Business ByDesign, and other SAP products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of SAP AG in Germany and other countries. Business Objects and the Business Objects logo, BusinessObjects, Crystal Reports, Crystal Decisions, Web Intelligence, Xcelsius, and other Business Objects products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of Business Objects S.A. in the United States and in other countries. Business Objects is an SAP company. All other product and service names mentioned are the trademarks of their respective companies. Data contained in this document serves informational purposes only. National product specifications may vary. These materials are subject to change without notice. These materials are provided by SAP AG and its affiliated companies ("SAP Group") for informational purposes only, without representation or warranty of any kind, and SAP Group shall not be liable for errors or omissions with respect to the materials. The only warranties for SAP Group products and services are those that are set forth in the express warranty statements accompanying such products and services, if any. Nothing herein should be construed as constituti ng an additional warranty.