Setting up SAMLv2 authentication in Remedy SSO

You can configure the Remedy Single Sign-On server to authenticate TrueSight Operations Management users through a SAML authentication.

Related topics

Configuring the general settings in Remedy SSO

Configuring tenants in Remedy SSO

To enable multi-tenancy in Presentation Server

Managing authorization profiles

Role-based access

Before you begin

  • You must have installed and configured Remedy SSO to work with the TrueSight Presentation Server and its component products. For details, see Planning to deploy Remedy SSO and Installing Remedy Single Sign-On.
  • You must have created an equivalent local user (and its associated local user group) for every SAML user that needs to log in to the TrueSight Presentation Server. This is required because the Remedy SSO server cannot obtain user group information from the SAML IdP for a successfully logged in SAML user. Therefore, you need to create an equivalent local user with exactly the same name as the SAML user and associate that local user with the desired local user group. For details on creating local users and user groups in Remedy SSO using the import utility, perform the Migrating internal user data from Atrium SSO to Remedy SSO procedure.
  • You must have added a non-default tenant (realm) in addition to the default * tenant (realm). For details, see Configuring tenants for the Presentation Server in Remedy SSO.
  • You must have configured a multi-tenant environment by enabling the msp parameter. For enabling multi-tenancy, see To enable multi-tenancy in Presentation Server.

    Notes

    - SAML cannot be configured using the * (default realm) tenant. This is because the Presentation Server default users and user groups are present in the LOCAL IdP in the * realm, and SAML IdP cannot be added in an authentication chain below the LOCAL IdP in the * or any other realm.

    - The Infrastructure Management administrator console and the TrueOps mobile app do not support the SAMLv2 authentication type.

Configuring SAMLv2 authentication in Remedy SSO

Before you begin  

  • Ensure that you have performed the Remedy SSO server configuration. For more information on server configuration, see Remedy SSO server general configuration.
  • Configure a realm for the authentication. For more information on realm configuration, see Configuring Realms.
  • Obtain the following information from the IdP admin:
    • IdP entity ID 
    • Login URL of the IdP

To configure the SAMLv2 authentication in Remedy SSO for the TrueSight Presentation Server

  1. Enter the SAML details. For more information on parameters, see SAMLv2 authentication parameters.

    Important

    When you configure the SAML authentication parameters for the Presentation Server, you must set the User ID Transformation field to RemoveEmailDomain and enable the Force Authentication check box.

  2. Click Add Authentication.
  3. In the Authentication Type field, click LOCAL.
  4. Enter the LOCAL details. For more information on parameters, see LOCAL authentication parameters.
  5. Create users and user groups for the LOCAL authentication. 
    The users in LOCAL must be exactly the same as the users in SAML.
    Alternatively, the users can also be created using the import script under the migration utility.
  6. Associate users to the user groups.
  7. Click Save.

Important

 Add the LOCAL authentication entry below the SAML authentication entry, and do not promote or move the LOCAL entry above the SAML entry.

SAMLv2 authentication parameters

The fields are listed by the section of the Authentication tab in which they appear. A field applies to all versions unless a version is noted after its name.

Identity Provider

  • Import: Opens a dialog box to import the IdP metadata. You can provide a URL or specify a local file to import the data.
  • IdP Entity ID: IdP entity ID that is obtained from an external IdP provider such as AD FS or Okta. Examples: http://adfs.local/adfs/services/trust, http://www.okta.com/exk4mi22tbfhiAnIn0h7
  • Login URL: Login URL of the IdP that is obtained from an external IdP provider such as AD FS or Okta. Examples: https://adfs.local/adfs/ls, https://dev-726770.oktapreview.com/app/bmcdev726770_oktaidp_1/exk4mi22tbfhiAnIn0h7/sso/saml
  • Logout URL (9.1.02 and later): URL provided by the IdP to which the user is redirected for SP initiated logout. If you do not provide any value in this parameter, the value in the Login URL field is used for both the login and logout endpoints.
  • Logout Response URL (9.1.02 and later): URL provided by the IdP to which the user is redirected for IdP initiated logout.
  • HTTP Binding Type (9.1.02 and later): HTTP binding for the SP initiated logout URL.
  • IdP Signing Certificate: Signing certificate that is used by Remedy SSO to sign requests that are sent to the IdP.
  • User ID Attribute: Attribute in the SAML response from which the user ID is retrieved. If it is not specified, the NameID is used as the user ID.
  • NameID Format: Defines the name identifier formats supported by the service provider. Name identifiers are a way for providers to communicate with each other regarding a user.
    The NameID format list is an ordered list; the first NameID format has the highest priority in determining the NameID format to use. If the user does not specify a NameID format when initiating single sign-on, the first one in this list is chosen and must be supported by the remote identity provider.
    A persistent identifier is saved to a particular user's data store entry as the value of two attributes. A transient identifier is temporary and no data is written to the user's persistent data store.
    Note: For linking user accounts from the SP and the IdP (remote identity provider) together after logging in, the persistent NameID format must be at the top of the list.
  • Auth Context Compare: Select an option (exact, minimum, maximum, better) from the list.
  • Auth Context: Authentication context that maps the SAMLv2-defined authentication context classes to the authentication level set for the user session for the service provider.
  • Auth Issuer: Issuer details that are used in the SAML authentication request XML to inform the IdP about the entity ID of the service provider for this request. If the value is not specified, the SP entity ID of the current realm is used by default as the Issuer in the SAML authentication request.
  • Assertion Time Skew (9.1.02 and later): Time offset between Remedy SSO and the IdP. The value is specified in minutes.
  • Assertion Time Format (9.1.02 and later): Time format used by assertions.
  • Sign Request: Specifies whether the IdP requires the authentication request to be signed.
  • Force Authentication: Select this option to enforce authentication.
  • Enable Single Logout (9.1.02 and later): Enables SP initiated single logout, that is, if the user logs out from one application, the user is logged out from all applications that share the same session.
  • Sign Response: Specifies whether Remedy SSO requires a signed response from the IdP. Remedy SSO validates the signature of the authentication response.
  • Compress Request: Specifies whether to compress the SAML message to save space in the URL.

Service Provider

  • View Metadata: Displays the Remedy SSO metadata that is configured in the SP Metadata Template field. If any required parameter is not entered, the system shows an error message for that parameter.

Template

  • Authentication Request Template: Template used for the SAML authentication request. You can select Default or Custom and also edit the template if required.
  • SP Metadata Template: Service provider metadata template. You can select Default or Custom and also edit the template if required.
    If you are enabling the IdP initiated single logout feature, include the following element in the SP metadata template after the <AssertionConsumerService> tag and then update the settings of the IdP with the new metadata:

    <SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="%%LOGOUT_REQUEST%%" ResponseLocation="%%LOGOUT_RESPONSE%%"/>

    where
      • Location: Endpoint to which the IdP sends the logout request. For example, https://access.bmc.com:8443/rsso/receiver/Saml.
      • ResponseLocation: Endpoint to which the IdP sends the logout response after receiving the logout request from Remedy SSO. For example, https://access.xyz.com:8443/rsso/receiver/Saml.


Configuring AD FS as a SAML IdP

After you configure Remedy SSO as an SP and AD FS as the remote identity provider in the Remedy SSO Admin Console, perform the following steps to configure AD FS to handle the SAML protocol:

  1. Import certificates
  2. Configure Relying Party Trust
  3. Modify the secure hash algorithm
  4. Configure claim rule
  5. Export AD FS certificates

Importing certificates 

Perform the following steps to import certificates: 

  1. Export the SSL certificate of the Tomcat on which the Remedy SSO is deployed.

    1. When you open the Remedy SSO URL, click on the padlock symbol in the address line of the browser.
    2. In the Certificate window, click on the Details tab.
    3. Click Copy to File.
    4. In the Certificate Export Wizard, click Next.
    5. In the displayed page, select "DER encoded binary X.509 (.CER)".
    6. Click Next.
    7. Provide a name for the file and include the path in the file name.

    Note

    The Common Name (CN) attribute of this certificate must be the same as the FQDN of the Remedy SSO server.

  2. Go to the AD FS server.
  3. Import the following certificates through the mmc console to the Trusted Root Certificate Authorities folder.

    • SSL certificate of the Tomcat on which Remedy SSO is deployed. You must establish an HTTPS connection between Remedy SSO and AD FS.

      1. From the Run dialog box, type mmc to open Microsoft Management Console (MMC).
      2. Open the File menu and click Add/Remove Snap-in…
      3. Select Certificates from the list of available snap-ins and click Add.
        The Certificates snap-in dialog box is displayed.
      4. Select My User Account, and click Finish and OK.
      5. Open Personal>Certificates from the explorer panel.
      6. On the Action menu, point to All Tasks, and then click Import to start the Certificate Import Wizard.
      7. Import the SSL certificate of the Tomcat on which the Remedy SSO is deployed and the Signing certificate.
      8. Open Trusted Root Certification Authorities>Certificates from the explorer panel.
      9. Import the SSL certificate of the Tomcat on which the Remedy SSO is deployed.
    • Signing certificate (optional) - Remedy SSO may sign SAML messages. In such a case, the certificate for verifying such signature must be provided. This certificate must be stored in a *.jks file and path to it should be specified in the Remedy SSO Admin UI (General>Advanced>SAML Service Provider>Keystore File).

Configuring Relying Party Trust 

  1. On the AD FS server, open the AD FS 2.0 Management application.
  2. On Trust Relationships tab, click Relying Party Trusts.

  3. Click Add Relying Party Trust. A wizard appears.

  4. Configure the following parameters:
    1. Select Import data about the relying party published online or on a local network.

    2. Copy the metadata web link that you received from the Remedy SSO. For example, https://rssoexample.bmc.com:8443/rsso/getmetadata.jsp?tenantName= <name of the corresponding tenant>.

      Note

      If you see a warning, you can ignore it. However, if you are unable to proceed with the configuration, the certificates were not exchanged correctly. Contact the Remedy SSO administrator for more information.

      In case of specific network settings when AD FS and Remedy SSO servers are not able to connect using SSL protocol, this error message may be normal and can be ignored. In this case, you can import the SP metadata into AD FS offline using an XML file.

    3. Click Next.

    4. Type rsso-sp for the display name, and click Next.

    5. Select AD FS 2.0 profile, and click Next.

    6. Select Permit all users to access this relying party, and click Next.

    7. Clear the Open the Claims when this finishes check box.

    8. Click Close.

After closing the Add Relying Party Trust Wizard window, rsso-sp appears in the Relying Party Trusts list.

Modifying the secure hash algorithm 

  1. Right-click rsso-sp, and select Properties.
    The rsso-sp Properties dialog box appears.
  2. Click the Advanced tab, and select the secure hash algorithm, SHA-1.
  3. Click OK.

Configuring claim rule 

Configure the claim rules for the relying party.

  1. On AD FS 2.0, select rsso-sp, and click Edit Claim Rules from the Actions menu.
  2. To add the claim rule, click Add Rule.
    1. Select the claim-rule template Send Claims Using Custom Rule.
    2. Enter the claim-rule name Send Claims Using UPN. In this case, use the following script:

c:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn"]
  => issue(
       Type = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier",
       Issuer = c.Issuer,
       OriginalIssuer = c.OriginalIssuer,
       Value = c.Value,
       ValueType = c.ValueType,
       Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/format"] = "urn:oasis:names:tc:SAML:2.0:nameid-format:transient",
       Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/namequalifier"] = "<idp-entity-id>",
       Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/spnamequalifier"] = "<sp-entity-id>/<realm-id>"
     );

Note

  • The SP name qualifier is required only when you want to implement SP initiated single logout.
  • The property "http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/format" must be the same as the NameID Format value in the Authentication tab of Remedy SSO. For example, a transient identifier such as urn:oasis:names:tc:SAML:2.0:nameid-format:transient.
  • The FQDN specified in the property "http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/namequalifier" must be the FQDN of the AD FS server.
  • The property "http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/spnamequalifier" must be the same as the SP Entity ID value specified in Remedy SSO (General > Advanced > SAML Service Provider > SP Entity ID).
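As an added example (not from BMC's documentation or from Remedy SSO itself), the following Python checks a constructed AD FS assertion against the NameID requirements in the notes above and against the RemoveEmailDomain / matching-LOCAL-user rule given earlier on this page. The SP entity ID, realm ID and LOCAL user list are assumed sample values; the AD FS entity ID is the page's own example.

```python
import xml.etree.ElementTree as ET  # adequate for a constructed sample; use defusedxml on real input

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Values the Remedy SSO admin configures (Authentication tab and
# General > Advanced > SAML Service Provider). Sample values are assumed,
# except the AD FS entity ID, which is the page's own example.
SP_ENTITY_ID = "https://rssoexample.bmc.com:8443/rsso"        # assumed
REALM_ID = "bmc-tenant"                                        # assumed
IDP_ENTITY_ID = "http://adfs.local/adfs/services/trust"
NAMEID_FORMAT = "urn:oasis:names:tc:SAML:2.0:nameid-format:transient"
LOCAL_USERS = {"jsmith", "admin"}                              # constructed LOCAL users

# Constructed assertion fragment of the shape the claim rule above produces.
# Signature validation (Sign Response) is assumed to have happened already.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient"
        NameQualifier="http://adfs.local/adfs/services/trust"
        SPNameQualifier="https://rssoexample.bmc.com:8443/rsso/bmc-tenant">jsmith@adfs.local</saml:NameID>
  </saml:Subject>
</saml:Assertion>"""


def remove_email_domain(user_id):
    """The RemoveEmailDomain transformation: drop everything from the first '@' on."""
    return user_id.split("@", 1)[0]


def check_nameid(assertion_xml, sp_entity_id=SP_ENTITY_ID, realm_id=REALM_ID,
                 idp_entity_id=IDP_ENTITY_ID, nameid_format=NAMEID_FORMAT,
                 local_users=LOCAL_USERS):
    """Return (local_user, problems): the LOCAL user the assertion maps to and
    every NameID property that disagrees with the Remedy SSO configuration."""
    nameid = ET.fromstring(assertion_xml).find("saml:Subject/saml:NameID", NS)
    if nameid is None or not (nameid.text or "").strip():
        return None, ["assertion carries no NameID"]
    problems = []
    if nameid.get("Format") != nameid_format:
        problems.append(f"Format {nameid.get('Format')!r} != configured {nameid_format!r}")
    if nameid.get("NameQualifier") != idp_entity_id:
        problems.append(f"NameQualifier {nameid.get('NameQualifier')!r} != IdP entity ID")
    expected_spq = f"{sp_entity_id}/{realm_id}"   # <sp-entity-id>/<realm-id>
    if nameid.get("SPNameQualifier") != expected_spq:
        problems.append(f"SPNameQualifier {nameid.get('SPNameQualifier')!r} != {expected_spq!r}")
    local_user = remove_email_domain(nameid.text.strip())
    if local_user not in local_users:
        problems.append(f"no LOCAL user {local_user!r}; group membership cannot be resolved")
    return local_user, problems
```

An empty problems list means the assertion would map to an existing LOCAL user and carry the qualifiers single logout needs.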

Exporting AD FS certificates 

  1. Export the AD FS certificates as files:
    1. Open the AD FS 2.0 Management console.
    2. From the explorer panel, go to Service > Certificates.
    3. Double-click the certificate name.
    4. Select the Details tab.
    5. Click Copy to File and then click Next.
    6. Select Do not export the private key and then click Next.
    7. Select DER and then select the file to save it.
    8. Click Finish.
  2. Import the AD FS certificates into the Remedy SSO *.jks file with the KeyStore Explorer tool:
    1. Open the truststore file using KeyStore Explorer.
    2. Select Tools and click Import Trusted Certificate.
    3. Select the file and import it.
  3. Restart the Remedy SSO server.

To add SAMLv2 referrer host to the Presentation Server

Run the following commands from the Presentation Server command prompt to configure the SAMLv2 referrer host name:

  1. tssh properties set tspsProxyHosts <SAMLv2_referrer_FQDN_host_name>,<remedy_sso_FQDN_host_name>
  2. tssh properties reload

To add SAMLv2 referrer host to the Infrastructure Management Server

Log in to the Infrastructure Management server as an Administrator and perform the following steps:

  1. Open the pronet.conf file located at the installationDirectory\pw\custom\conf directory.
  2. Add the SAML referrer host name (in FQDN format) to the pronet.tsim.proxy.hosts property in pronet.conf: pronet.tsim.proxy.hosts=<SAMLv2 referrer FQDN host name>,<Remedy_SSO_FQDN_host_name>
  3. Save the file changes.
  4. Run the following command to reload the properties:
    pw jproperties reload

To create or edit an authorization profile with SAML users in the Presentation Server

  1. Log in to the TrueSight console as a Super Admin.
  2. Navigate to Administration>Authorization Profiles.
  3. Create a new authorization profile or edit an existing authorization profile to associate the user groups.
  4. Select a tenant other than the * (asterisk) tenant that you configured in Remedy Single Sign-On for SAML users, and select Edit under User Groups.

    Note

    Do not select the * (asterisk) tenant for the SAML users.

  5. Click Add and select the SAML user group from the list of user groups.
  6. Select the required roles from the list of roles.
  7. (Optional) Select the required objects from the list of objects.
  8. Select OK and then Save.
  9. Select Yes to confirm changes to the authorization profile.
  10. Log out of the TrueSight console.
  11. Log in to the TrueSight console as a SAML user.
    A two-step authentication screen is displayed.

  12. Type the SAML realm Application Domain name and click Submit.
    The SAML login screen is displayed.

  13. Type the SAML login credentials and click Login.
    The TrueSight console is displayed.
