This documentation supports the 9.0 version of Remedy Action Request System.


BMC Remedy Single Sign-On Authentication


Authentication settings allow BMC Remedy Single Sign-On administrators to configure the integration of BMC Remedy Single Sign-On with authentication providers. BMC Remedy Single Sign-On supports the SAML V2.0 and BMC Remedy AR System authentication processes. To configure SAML V2.0 authentication, you need a Service Provider (SP) and an Identity Provider (IdP); the SAML settings let you define the connectivity between the SPs and the IdP, the certificates, the attributes, and so on. To configure BMC Remedy AR System authentication, you integrate BMC Remedy Single Sign-On by providing the AR System host name and port number. The BMC Remedy Single Sign-On AREA plug-in then handles the authentication requests.

BMC Remedy Single Sign-On common authentication workflow

The common authentication logon workflow for BMC Remedy Single Sign-On is as follows:

  1. A user tries to access a protected application by using the application-specific client (usually from a mobile device) or a web browser.
  2. The BMC Remedy Single Sign-On component (web filter or application-specific agent) intercepts the request and, based on information about the user domain, identifies the realm to which the user belongs.
    If the configuration contains no specific domain-to-realm mappings (or no mapping corresponds to the user domain), the default realm is used for further processing.
  3. The web filter or agent forms an authentication request and sends it to the BMC Remedy Single Sign-On server. 
  4. The BMC Remedy Single Sign-On server parses the request attributes and identifies the IdP to use to authenticate the user, based on the user realm information and authentication configuration.

    Note

    The authentication subprocess depends on the IdP type (SAML or BMC Remedy AR System). The workflows for these authentication processes are described in SAML authentication workflow and BMC Remedy AR System authentication workflow.

  5. After the user is successfully authenticated, a corresponding record of user sessions is created in the underlying database.
    This record includes information about user ID, the token that was issued to the user, the session index, and the time frame for token validity. 
  6. The BMC Remedy Single Sign-On server redirects the request back to the web filter or agent for further processing. 
  7. Based on the settings of the specific target application, the token issued for the user might be additionally validated.
    For example, the BMC Remedy Mid Tier might be integrated with the BMC Remedy Single Sign-On Authenticator, and the AR System server might be integrated with the BMC Remedy Single Sign-On AREA plug-in to perform this activity. During this validation, two conditions are checked: the token is not outdated, and it is issued for the current user.

The common authentication logoff workflow for BMC Remedy Single Sign-On is as follows:

  1. The user logs off from the application.
  2. BMC Remedy Single Sign-On removes the application agent from the agent list associated with the user session.
  3. One of the following steps occurs:
    • If any other application agent is associated with the user session, BMC Remedy Single Sign-On displays a message indicating that the user is logged off from the application.
    • If no other application agent is associated with the user session, BMC Remedy Single Sign-On invalidates the user session and displays a message indicating that the user is logged off from BMC Remedy Single Sign-On. If the Final Logout URL specific to the user’s realm is configured, the user is automatically redirected to the specified URL.
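Steps 5 and 7 of the logon workflow and the logoff workflow above describe three rules: a session record holding the user ID, token, session index and validity window; a token check with two conditions (not outdated, issued to the current user); and per-agent logoff that invalidates the session only when the last agent is gone. The following Python is an added example, not BMC Remedy Single Sign-On code: it models those rules in a hypothetical in-memory store (UserSession, SessionStore and their field names are assumptions; the product keeps this record in its underlying database).

```python
import hmac
import secrets
import time
from dataclasses import dataclass, field


@dataclass
class UserSession:
    """Constructed model of the step 5 record: user ID, issued token, session
    index and token validity window, plus the agents attached to the session."""
    user_id: str
    token: str
    session_index: str
    not_before: float
    not_after: float
    agents: set = field(default_factory=set)


class SessionStore:
    """In-memory stand-in for the session database (hypothetical)."""

    def __init__(self):
        self._by_token = {}

    def create(self, user_id, agent, ttl_seconds=3600, now=None):
        """Step 5: record the session once the IdP has authenticated the user."""
        now = time.time() if now is None else now
        session = UserSession(
            user_id=user_id,
            token=secrets.token_urlsafe(32),   # unguessable bearer token
            session_index=secrets.token_hex(8),
            not_before=now,
            not_after=now + ttl_seconds,
            agents={agent},
        )
        self._by_token[session.token] = session
        return session

    def register_agent(self, token, agent):
        """Another application agent joins the same user session."""
        session = self._by_token.get(token)
        if session is not None:
            session.agents.add(agent)

    def validate(self, token, user_id, now=None):
        """Step 7: the token must be known, inside its validity window, and
        issued to the user making the request. Returns (ok, reason)."""
        now = time.time() if now is None else now
        session = self._by_token.get(token)
        if session is None:
            return False, "unknown token"
        if not (session.not_before <= now < session.not_after):
            return False, "token outdated"
        # Constant-time comparison so the check does not leak how much of the ID matched.
        if not hmac.compare_digest(session.user_id.encode(), user_id.encode()):
            return False, "token issued for a different user"
        return True, "ok"

    def logoff(self, token, agent):
        """Logoff workflow: drop the agent from the session; when no agent
        remains, the session itself is invalidated."""
        session = self._by_token.get(token)
        if session is None:
            return "no active session"
        session.agents.discard(agent)
        if session.agents:
            return f"logged off from {agent}"
        del self._by_token[token]
        return "logged off from BMC Remedy Single Sign-On"
```

Passing `now` explicitly keeps the validity check testable; in production the store would take the clock from the server, and a token that fails either condition should be rejected without telling the caller which condition failed.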

SAML authentication workflow

Security Assertion Markup Language (SAML) is an XML-based OASIS standard for exchanging user identity and security attribute information. SAML uses security tokens containing assertions to pass information about a principal (usually an end user) between an IdP and a requester. SAML V2.0 is implemented by grouping a collection of entities to form a Circle of Trust. The Circle of Trust is composed of an SP and an IdP. The IdP authenticates users and provides the authenticated information to the SP, which hosts the services that the user accesses. BMC Atrium Single Sign-On provides support for SP-initiated single sign-on.

The SAML authentication logon workflow is as follows:

  1. The user accesses the protected application from a mobile device or through a web browser.
  2. The Web Agent redirects the user to the BMC Remedy Single Sign-On console.
  3. BMC Remedy Single Sign-On sends a request to the IdP to authenticate the user.
  4. The IdP presents a login form to the user for authentication.
  5. The user enters valid credentials.

    Note

    The IdP authenticates the user according to its own configuration (Kerberos, RSA, LDAP, or another mechanism). In the case of form-based authentication, the IdP presents a logon page to the user, and the user enters valid credentials.

  6. The IdP performs the user authentication.
  7. The IdP forms an authentication response and sends it back to the BMC Remedy Single Sign-On server.
  8. The BMC Remedy Single Sign-On server processes the authentication response, validates it, and extracts the authentication token.
  9. The IdP then confirms the user authentication.
  10. BMC Remedy Single Sign-On creates a session for the user.
  11. The user is allowed to access the application.

BMC Remedy AR System authentication workflow

The Action Request (AR) authentication module allows BMC Remedy Single Sign-On to use the user accounts within a BMC Remedy AR System server for authentication. You need to provide only the host name and the port number to get BMC Remedy AR System authentication running.

The BMC Remedy AR System authentication logon workflow is as follows:

  1. The BMC Remedy Single Sign-On server determines that AR-based authentication should be used. 
  2. The BMC Remedy Single Sign-On web application redirects the user to the BMC Remedy Single Sign-On console logon page. 
  3. The user enters valid credentials.
  4. BMC Remedy Single Sign-On communicates with AR System to authenticate the user through the BMC Remedy Single Sign-On AREA plug-in.
  5. AR System confirms the user authentication.

Kerberos authentication workflow

Kerberos is a network authentication protocol. It is designed to provide strong authentication for client/server applications by using secret-key cryptography.

The Kerberos architecture is designed around messages exchanged between clients that use Kerberos services, servers that provide services, and servers that manage the Kerberos protocol itself. The servers that manage the Kerberos protocol are often called KDCs (Key Distribution Centers) and comprise several modular services.

The Kerberos authentication logon workflow is as follows:

  1. User accesses the protected application from a mobile device or through a web browser.
  2. Web Agent redirects the user to the BMC Atrium Single Sign-On console.
  3. BMC Atrium Single Sign-On sends the web browser or mobile device a 401 Unauthorized response with the header WWW-Authenticate: Negotiate.
  4. The web browser or mobile device requests a session ticket from the Key Distribution Center (KDC).
  5. The KDC provides the web browser or mobile device with the necessary Kerberos ticket (assuming the web browser or mobile device is authorized), wrapped in a SPNEGO (Simple and Protected GSS-API Negotiation Mechanism) token.
  6. The web browser or mobile device sends BMC Atrium Single Sign-On the user’s access request together with the SPNEGO token in an Authorization: Negotiate base64(token) header.
  7. BMC Atrium Single Sign-On validates the token with KDC.
  8. KDC validates the token.
  9. BMC Atrium Single Sign-On creates a session for the user’s access request.
  10. The user accesses the protected application.
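Steps 3 and 6 above are an HTTP Negotiate exchange. The Python below is an added example, not BMC Atrium Single Sign-On code: it issues the 401 challenge, parses the Authorization: Negotiate header, base64-decodes the token, and checks that what arrived is a SPNEGO or raw Kerberos GSS-API token before handing it to KDC validation. `kdc_validate` is a caller-supplied callback standing in for steps 7 and 8 (a real server would call a GSS-API library here); the sample token bytes are constructed.

```python
import base64
import binascii

# DER-encoded OBJECT IDENTIFIERs that open a GSS-API InitialContextToken (tag 0x60).
SPNEGO_OID_DER = bytes.fromhex("06062b0601050502")      # 1.3.6.1.5.5.2  (SPNEGO)
KRB5_OID_DER = bytes.fromhex("06092a864886f712010202")  # 1.2.840.113554.1.2.2 (Kerberos V5)
NTLM_SIGNATURE = b"NTLMSSP\x00"                         # NTLM messages start with this

# Constructed sample: a minimal SPNEGO-shaped token (not a real ticket).
SAMPLE_SPNEGO_TOKEN = b"\x60\x0a" + SPNEGO_OID_DER + b"\xa0\x00"


def challenge(reason=None):
    """Step 3: no usable credential, so answer 401 with the Negotiate challenge."""
    headers = {"WWW-Authenticate": "Negotiate"}
    if reason:
        headers["reason"] = reason
    return 401, headers


def encode_negotiate(token):
    """Build the header value a client sends in step 6."""
    return "Negotiate " + base64.b64encode(token).decode("ascii")


def classify_token(token):
    """Coarse classification from the leading bytes; this is not a full GSS-API parser."""
    if token.startswith(NTLM_SIGNATURE):
        return "ntlm"
    if token[:1] == b"\x60" and SPNEGO_OID_DER in token[:16]:
        return "spnego"
    if token[:1] == b"\x60" and KRB5_OID_DER in token[:16]:
        return "krb5"
    return "unknown"


def handle_request(headers, kdc_validate):
    """Server side of the exchange. Returns (status_code, headers_or_result)."""
    auth = headers.get("Authorization")
    if auth is None:
        return challenge()
    scheme, _, b64 = auth.partition(" ")
    if scheme != "Negotiate" or not b64:
        return challenge()
    try:
        token = base64.b64decode(b64, validate=True)
    except (binascii.Error, ValueError):
        return 400, {"reason": "malformed Negotiate token"}
    kind = classify_token(token)
    if kind == "ntlm":
        # Browsers fall back to NTLM inside Negotiate when no Kerberos ticket is available.
        # The KDC cannot validate that, so refuse it instead of accepting a weaker mechanism.
        return challenge("NTLM fallback refused")
    if kind not in ("spnego", "krb5"):
        return 400, {"reason": "unrecognised token"}
    principal = kdc_validate(token)   # steps 7 and 8: validation against the KDC
    if principal is None:
        return challenge("ticket rejected")
    return 200, {"principal": principal}   # step 9 would create the session here


def demo_kdc_validate(token):
    """Stand-in for the KDC check, accepting only the constructed sample token."""
    return "alice@EXAMPLE.TEST" if token == SAMPLE_SPNEGO_TOKEN else None
```

Logging the `reason` values (malformed token, NTLM fallback, ticket rejected) gives a useful signal for detecting misconfigured clients and credential probing, while the client only ever sees the bare 401 challenge.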
