BMC Remedy Single Sign-On Realms
Multitenancy in Remedy Single Sign On is provided through Realms. A realm is a virtual Identity Provider (IdP) used to authenticate a domain. Each realm is mapped to a domain or list of domains. Multitenancy is a default functionality of Remedy Single Sign On. You do not need any specific steps to configure it; you simply add additional realms for different domains.
You can add multiple realms by using the Realms tab in the Administrator console. These realms can use different authentication types; for example, realm 1 can use AR System authentication and realm 2 can use SAML authentication. Usually a realm has one authentication provider (SAML or AR-based) configured, except in the specific case of bypassing SAML authentication. By enabling this flag, you always allow SAML authentication except when the SAML-based IdP is not available or when you are accessing the AR-based applications by using the local administrative accounts. For more information about using this type of authentication, see Enabling bypass SAML authentication.
When multiple realms exist, the Realms tab displays a list of realm names along with domains and realm IDs. Each realm has the same capability and helps you manage realm authentication, users, and user groups.
Authentication process in realms
Remedy Single Sign On does not manage users or user groups in the application. To authenticate BMC Remedy Mid Tier users in a realm, the BMC Remedy Single Sign-On web application identifies and processes logon requests from various domains. The BMC Remedy Single Sign-On web agent deployed on the protected web applications intercepts a request and, based on configuration data stored in the database, redirects the user through the necessary Remedy Single Sign On server to the logon page for the realm to which the user belongs.
The web application creates a record in the session data storage and checks the Identity Provider (IdP) configuration to define the exact IdP instance. For example, if the IdP used is an Active Directory Federation Services (ADFS) IdP, the ADFS logon page is displayed. If you are using BMC Remedy Single Sign-On authentication, the BMC Remedy Single Sign-On logon page is displayed.
The web agent maps the server host name (used by the user to access a protected application) to the full logon and logoff URLs. The logon URLs contain the information (for example, domain name and IdP ID) required to separate different domains from one another.
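The host-to-realm mapping described above, sketched as an added example that is not BMC code. The realm table, the `/logon` and `/logoff` paths, the query parameter names, and the exact-match rule are assumptions made for the illustration, not Remedy Single Sign On's actual configuration or URL format.

```python
from urllib.parse import urlencode

# Constructed sample realm table (hypothetical names and URLs).
REALMS = {
    "realm1": {"domains": ["apps.example.com"], "idp_id": "ar-local",
               "server": "https://rsso.example.com"},
    "realm2": {"domains": ["example.org", "portal.example.org"],
               "idp_id": "saml-adfs", "server": "https://rsso.example.org"},
}

def normalize_host(host_header):
    """Lower-case the host and drop a port and trailing dot, so that
    'APPS.Example.COM:8443' and 'apps.example.com.' compare equal."""
    host = host_header.strip().lower().rstrip(".")
    name, sep, port = host.rpartition(":")
    if sep and port.isdigit():
        host = name
    return host.rstrip(".")

def build_index(realms):
    """Map each domain to one realm; a domain claimed by two realms
    would make tenant separation ambiguous, so it is rejected."""
    index = {}
    for realm_id, cfg in realms.items():
        for domain in cfg["domains"]:
            key = normalize_host(domain)
            if index.get(key, realm_id) != realm_id:
                raise ValueError(f"domain {key!r} is mapped to two realms")
            index[key] = realm_id
    return index

def resolve(host_header, realms=REALMS):
    """Return the realm and logon/logoff URLs for a host, or None."""
    host = normalize_host(host_header)
    # Exact match only: suffix or substring matching would let a
    # look-alike host such as 'example.org.evil.test' select a realm.
    realm_id = build_index(realms).get(host)
    if realm_id is None:
        return None  # unknown host: no realm, no redirect
    cfg = realms[realm_id]
    query = urlencode({"domain": host, "idp": cfg["idp_id"]})
    return {"realm": realm_id,
            "logon_url": f"{cfg['server']}/logon?{query}",
            "logoff_url": f"{cfg['server']}/logoff?{query}"}
```

When reviewing a real deployment, the equivalent checks are that every domain appears in exactly one realm and that hosts not listed in any realm are never redirected to a logon page.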
BMC Remedy Single Sign-On realm architecture