Implementing single sign-on

To implement the BMC Server Automation single sign-on system, you need the following services:

  • Authentication Service — Used for authenticating user identities and issuing session credentials to authenticated users. The Authentication Service processes all user authentication requests — that is, all requests from the BMC Server Automation Console or the blcred utility. All communication with the Authentication Service occurs over TLS. A standard installation of the Application Server includes an Authentication Service. A standard installation of BMC BladeLogic Decision Support for Server Automation sets up a stand-alone Authentication Server for reports users. SRP authentication is supported by default for all BMC Server Automation applications.
  • Application Service — Used for accessing the functionality of the BMC Server Automation Application Server. After a client user authenticates, the client application is issued a session credential. A client application (the BMC Server Automation Console or the BLCLI) presents the session credential to the Application Service to establish a secure session with one of the targeted services listed within the session credential. All communication with the Application Service occurs over TLS. A standard installation of the Application Server sets up the Application Service.
  • Network Shell Proxy Service — Used for accessing the functionality of a Network Shell proxy server. After a client user authenticates, the client application is issued a session credential. A Network Shell client presents the session credential to the Network Shell Proxy Service to establish a secure session with the Network Shell proxy server. All communication with the Network Shell Proxy Service occurs over TLS. Some configuration is necessary to set up a Network Shell Proxy Service.

To implement single sign-on

Use the following master procedure to implement the single sign-on system. Each of the steps in this procedure references a topic that describes another procedure.

  1. To modify the default behavior of an Authentication Service, see Configuring the Authentication Service.
    A default installation of a BMC Server Automation Application Server sets up an Authentication Service to support single sign-on for BMC Server Automation client applications.
  2. To modify the default behavior of the Application Service, see Configuring the Application Service.
    A default installation of a BMC Server Automation Application Server sets up an Application Service to support single sign-on.
  3. To use a Network Shell proxy server, see Setting up a Network Shell proxy server.
  4. To modify the location of any SSO files used by any BMC Server Automation client application, see Setting override locations for client SSO files.
    The files used by the SSO system reside at default locations. If necessary, you can instruct a client application to use different files.
  5. To set up OCSP verification of certificates, see Setting up certificate verification using OCSP.
    Currently, OCSP verification is enabled by default only for PKI authentication. You can optionally use OCSP verification for Application Servers provisioned with custom certificates.
  6. To set up the SSO system to support any authentication protocol other than SRP, see any of the following: