Configuring the SSO provider settings


(SPE2310)

(This topic applies to BMC Defender Server administrators only)

Before you begin

Make sure to perform the following steps:

  • Create a BMC Defender Server user on the System > Logins > Users tab. For more information, see System-logins-Users-screen.
  • Either obtain the discovery endpoint URL from your SSO provider, or obtain the following information from it:
    • SSO provider URL
    • SSO provider logon endpoint
    • SSO provider token endpoint
    • SSO provider logout endpoint
  • Obtain your client ID and client secret from your SSO provider.

To configure the SSO provider settings

  1. Navigate to the System > Logins > SSO tab.
    The SSO tab displays your current SSO configuration.
  2. Click Wizard.
  3. In the Discovery Endpoint URL field, enter the discovery endpoint URL that you receive from your SSO provider. Examples of discovery endpoint URLs follow:

    Example
    • https://userName.okta.com/oauth2/default/.well-known/openid-configuration
    • https://serverName:portNumber/realms/master/.well-known/openid-configuration
  4. Click Next.
    • If you enter a valid discovery endpoint URL, BMC Defender Server generates the endpoint values in the following fields:
      • SSO Provider URL
      • SSO Provider Logon Endpoint
      • SSO Provider Token Endpoint
      • SSO Provider Logout Endpoint
      • BMC Client Server URL
    • If you enter an invalid discovery endpoint URL (for example, one without the https:// prefix), the following error message is displayed:
      ERROR: Invalid Discovery Document URL Specified.
      Expected ‘https://’ prefix.

      If you enter an incorrect discovery endpoint URL (one that does not return a discovery document), the following error message is displayed:
      Unexpected WGET1-18 Text Output.
      Check URL to Discovery Endpoint.

      Click Back, enter the correct discovery endpoint URL, and click Next again.
  5. Verify the values and click Finish.

    Important

    If the values are correct, do not modify the fields. If any value is incorrect, enter the correct value.

  6. Click Edit.
  7. Modify the following fields and lists. For more information, see the table in step 3 of the To update the SSO provider settings section.
    • Enable SSO Functions
    • Client ID
    • Client Secret
    • Logon Screen Type
    • Require Valid SSO Provider Certificate
  8. Click Commit.

To update the SSO provider settings

  1. Navigate to the System > Logins > SSO tab.
  2. Click Edit.
  3. Modify the following fields and lists. Each field or list name is followed by its description:

    Enable SSO Functions

    To allow users to use your SSO provider to authenticate their logon to BMC Defender Server, select Enabled.

    The default is Disabled.

    Client ID

    Alphanumeric code that your SSO provider uses to identify your BMC Defender Server instance.

    Enter the client ID that you received from your SSO provider.

    Client Secret

    Alphanumeric password for your client ID that your SSO provider uses to authenticate BMC Defender Server users

    To enter your client secret, click Clear Text. In the Client Secret field, enter the password that you received from your SSO provider.

    If you enter your client secret without entering your client ID, the following error message is displayed:

    ERROR: No Client ID Specified.
    Specify the client ID, obtained from SSO Provider.

    Important

    Because your client secret is your password for SSO authentication, every character entered in the Client Secret field is displayed as *. You cannot view or recover your client secret in BMC Defender Server.

    SSO Provider URL

    Server URL of your SSO provider to which BMC Defender Server sends authorization requests.

    Enter the URL received from your SSO provider. An example for an SSO provider URL follows:

    Example

    https://userName.okta.com

    SSO Provider Logon Endpoint

    Enter the endpoint that BMC Defender Server must use to send the authorization request to your SSO provider and receive the access code.

    An example for a logon endpoint follows:

    Example

    /oauth2/default/v1/authorize

    SSO Provider Token Endpoint

    Enter the endpoint that BMC Defender Server must use to send the access code to your SSO provider and receive an access token.

    An example for a token endpoint follows:

    Example

    /oauth2/default/v1/token

    SSO Provider Logout Endpoint

    Enter the endpoint that BMC Defender Server must use to end the session for an access token.

    An example for a logout endpoint follows:

    Example

    /oauth2/default/v1/logout

    BMC Server URL

    Enter the URL to access the BMC Defender Server web user interface.

    Valid value is https://bmcServer:portNumber.

    Logon Screen Type

    When users attempt to log on to BMC Defender Server, to automatically redirect them to the SSO provider's logon page, select Auto-Redirect to SSO Provider.

    The default is Normal / Link to SSO Provider, which displays the Sign In Via SSO link on the BMC Defender Server logon window. Users must click the Sign In Via SSO link to authenticate by using the SSO.

    Require Valid SSO Provider Certificate

    To make the SSO provider certificate mandatory, select Yes.

    The default is No.

  4. Click Commit.
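As an added illustration (not BMC's code), the following Python script does what the wizard in steps 3 and 4 of the configuration procedure does with a discovery document, and produces the values for the SSO Provider fields described in the table above: it checks the discovery URL for the https:// prefix, splits the document into the provider URL and the relative logon, token and logout endpoints, and rejects any endpoint that is not on the issuer's host over https. The discovery document is a constructed sample; fetch_discovery_doc is a hypothetical helper for downloading a real one with certificate verification on.

```python
import json
import ssl
import urllib.request
from urllib.parse import urlsplit

# Constructed sample discovery document (made-up values on the page's placeholder host).
SAMPLE_DISCOVERY_DOC = json.dumps({
    "issuer": "https://userName.okta.com/oauth2/default",
    "authorization_endpoint": "https://userName.okta.com/oauth2/default/v1/authorize",
    "token_endpoint": "https://userName.okta.com/oauth2/default/v1/token",
    "end_session_endpoint": "https://userName.okta.com/oauth2/default/v1/logout",
})

def validate_discovery_url(url: str) -> None:
    """Mirror the wizard's first check: the discovery URL must use https."""
    if not url.startswith("https://"):
        raise ValueError("Invalid Discovery Document URL Specified. Expected 'https://' prefix.")

def fetch_discovery_doc(url: str) -> str:
    """Hypothetical helper: download the document, verifying the provider certificate."""
    validate_discovery_url(url)
    with urllib.request.urlopen(url, context=ssl.create_default_context(), timeout=10) as resp:
        return resp.read().decode("utf-8")

def derive_sso_settings(discovery_url: str, discovery_doc: str) -> dict:
    """Split the discovery document into the values of the SSO tab's provider fields."""
    validate_discovery_url(discovery_url)
    doc = json.loads(discovery_doc)
    required = ("issuer", "authorization_endpoint", "token_endpoint", "end_session_endpoint")
    missing = [key for key in required if key not in doc]
    if missing:
        raise ValueError(f"discovery document lacks {missing}")
    issuer = urlsplit(doc["issuer"])

    def path_on_issuer(key: str) -> str:
        # Every endpoint must stay on the issuer's host over https; a document that
        # points elsewhere would send users and access codes to a different site.
        parts = urlsplit(doc[key])
        if parts.scheme != "https" or parts.netloc != issuer.netloc:
            raise ValueError(f"{key} is not on the issuer host over https: {doc[key]}")
        return parts.path

    return {
        "SSO Provider URL": f"https://{issuer.netloc}",
        "SSO Provider Logon Endpoint": path_on_issuer("authorization_endpoint"),
        "SSO Provider Token Endpoint": path_on_issuer("token_endpoint"),
        "SSO Provider Logout Endpoint": path_on_issuer("end_session_endpoint"),
    }
```

The derived values match the examples given in the table (https://userName.okta.com and /oauth2/default/v1/authorize, /token, /logout), so they can be compared against what the wizard fills in before you click Finish.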

Where to go from here

To log in to the BMC Defender Server user interface, see Logging-in-to-the-web-interface.
