Configuring Double Authentication
The process of double authentication is as follows:
- After the first level of authentication, the user's browser sends a reauthentication request to the BMC Remedy Mid Tier URL.
- The BMC Remedy Single Sign-On (BMC Remedy SSO) agent redirects the user to the BMC Remedy SSO server URL for reauthentication. For SAML authentication, BMC Remedy SSO redirects the user to the SAML IdP for reauthentication. If the SAML IdP supports the ForceAuthn feature on an authentication request, the IdP prompts the user to reauthenticate.
- BMC Remedy SSO agent identifies a reauthentication request by the query parameter reauth, which is set to true by default.
- For a reauthentication request, the agent identifies the BMC Remedy SSO server and the application realm the same way that the agent identifies these for any other authentication request.
- For BMC Remedy AR System authentication, the BMC Remedy SSO server prompts the user to confirm the password. For SAML authentication, the IdP prompts the user for both user name and password. If the authentication is successful, the IdP redirects the user back to the BMC Remedy SSO server with a SAML response. The BMC Remedy SSO server checks whether the user in the SAML response is the same user who is currently logged in to BMC Remedy SSO. If they are not the same user, the reauthentication fails.
- If the reauthentication process is successful, the BMC Remedy SSO server generates a reauthentication token and redirects the user to the BMC Remedy Mid Tier URL. Note that the reauthentication token is valid only for a short period and is specific only to the reauthentication process. It cannot be used for the usual authentication process.
- The BMC Remedy SSO agent retrieves the reauthentication token and passes it on to the BMC Remedy Mid Tier servlet.
- The BMC Remedy Mid Tier servlet retrieves the reauthentication token and passes it on to the BMC Remedy AR System as an authentication string.
- BMC Remedy AR System verifies the user's credentials (the user name and the reauthentication token) through the BMC Remedy SSO AREA plugin.
- The BMC Remedy SSO AREA plugin verifies the reauthentication token through an API call to the BMC Remedy SSO server.
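The flow above, condensed into an added Python model (not BMC's code) of the security checks it relies on: the agent's `reauth=true` detection, the same-user comparison before a token is issued, and a token that is short-lived, single-use and rejected by the normal login path. The 60-second lifetime, the `SsoServer`/`area_plugin_verify` names and the user store are assumptions for the example.

```python
"""Constructed model of the BMC Remedy SSO reauthentication flow (not BMC code)."""
import secrets
from urllib.parse import parse_qs, urlparse

REAUTH_PARAM = "reauth"      # query parameter the agent looks for (from the page)
REAUTH_TOKEN_TTL = 60        # assumed lifetime in seconds; the page only says "short"


def is_reauth_request(url: str) -> bool:
    """Agent side: a request is a reauthentication request when reauth=true."""
    qs = parse_qs(urlparse(url).query)
    return qs.get(REAUTH_PARAM, ["false"])[0].lower() == "true"


class SsoServer:
    """Stand-in (hypothetical) for the SSO server's token issuing and verification."""

    def __init__(self, passwords: dict):
        self._passwords = passwords     # constructed user store for normal login
        self._reauth_tokens = {}        # token -> (user, expiry); single use

    def login(self, user: str, secret: str) -> bool:
        """Usual authentication: only the password is accepted, never a reauth token."""
        return self._passwords.get(user) == secret

    def complete_reauth(self, logged_in_user: str, verified_user: str, now: float):
        """Issue a reauth token only if the freshly verified identity is the session user."""
        if verified_user != logged_in_user:
            return None                 # different user: reauthentication fails
        token = secrets.token_urlsafe(24)
        self._reauth_tokens[token] = (logged_in_user, now + REAUTH_TOKEN_TTL)
        return token

    def verify_reauth_token(self, user: str, token: str, now: float) -> bool:
        """API the AREA plugin calls: token must exist, match the user and be unexpired.
        The token is removed on every attempt, so it can be used exactly once."""
        record = self._reauth_tokens.pop(token, None)
        if record is None:
            return False
        token_user, expiry = record
        return token_user == user and now <= expiry


def area_plugin_verify(server: SsoServer, user: str, auth_string: str, now: float) -> bool:
    """AREA plugin: AR System hands over user name + auth string; verify via the SSO server."""
    return server.verify_reauth_token(user, auth_string, now)
```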