Configuring Remedy Single Sign-On for BMC Cloud Lifecycle Management
After the installation of Remedy Single Sign-On (Remedy SSO), you must set the general configurations and add realms for BMC Cloud Lifecycle Management.
Before you begin
- You must have installed Remedy SSO.
- To validate the Remedy SSO authentication token against the Remedy SSO server after each trust period, configure the trust period in the Platform Manager cloudservices.json file.
- For LDAP authentication, ensure the following prerequisites:
- Ensure that an LDAP server is configured.
- If you want to use a TLS/SSL connection to the LDAP server, import the certificates for the LDAP server into the truststore of the Apache Tomcat used by Remedy SSO. For example, JavaHome\jre\lib\security\cacerts, where cacerts is the truststore file. You can use third-party utilities such as KeyStore Explorer to import the certificates.
- Obtain the following information from the LDAP administrator:
- Host name of the LDAP server
- Port number of the LDAP server
- Distinguished name of the bind LDAP user
- Password of the bind LDAP user
- Starting location within the LDAP directory for performing user searches
- User attribute on which search is performed
- Note that Remedy SSO does not follow referrals.
- For SAMLv2 authentication, do the following:
- Ensure that the Remedy user name and the SAML user name do not differ in letter case (mixed case between the two is not supported).
- Obtain the following information from the identity provider administrator:
- Identity provider entity ID
- Login URL of the identity provider
- Add the attribute mappings in SAML. Do the following:
- Open the ADFS console.
- Click Trust Relationships > Relying Party Trusts.
- Select rsso-sp, and click Edit Claim Rules from the Actions menu.
- To add a claim rule, click Add Rule.
- In the Claim Rule Template list, select Send LDAP Attribute as Claims.
- In the Claim rule name field, enter a valid claim rule name. For example, SamAccountName.
- In the Attribute Store list, select Active Directory.
- Add the following attribute mappings (LDAP Attribute column):
- SAM Account Name
- Given Name
- Name
- Click Save.
- Restart ADFS service.
- Verify that the additional attributes are present in the SAML response body.
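The last prerequisite above, checking that the claim-rule attributes actually arrive in the SAML response and that the subject name does not differ from the Remedy user name only in case, can be scripted. This is an added example, not BMC's code; the attribute names (SamAccountName, GivenName, Name) and the sample response are assumptions, so substitute the outgoing claim names your ADFS rules emit.

```python
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}

# Constructed sample response, not a capture from a real IdP. The attribute
# names are assumed; use the outgoing claim names your ADFS claim rules emit.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0">
  <saml:Assertion ID="_a1" Version="2.0">
    <saml:Subject><saml:NameID>JSmith</saml:NameID></saml:Subject>
    <saml:AttributeStatement>
      <saml:Attribute Name="SamAccountName">
        <saml:AttributeValue>JSmith</saml:AttributeValue>
      </saml:Attribute>
      <saml:Attribute Name="GivenName">
        <saml:AttributeValue>John</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""

# Attributes the claim rules in the procedure are expected to add (assumed names).
REQUIRED_ATTRIBUTES = ("SamAccountName", "GivenName", "Name")

def saml_attributes(response_xml):
    """Return {attribute name: [values]} from every AttributeStatement in the response."""
    root = ET.fromstring(response_xml)
    attrs = {}
    for attr in root.iterfind(".//saml:AttributeStatement/saml:Attribute", NS):
        values = [v.text or "" for v in attr.findall("saml:AttributeValue", NS)]
        attrs.setdefault(attr.get("Name"), []).extend(values)
    return attrs

def missing_attributes(response_xml, required=REQUIRED_ATTRIBUTES):
    """Names from `required` that are absent or carry no value in the response."""
    present = saml_attributes(response_xml)
    return [name for name in required if not present.get(name)]

def name_id(response_xml):
    """The subject NameID, which Remedy SSO matches against the Remedy user name."""
    el = ET.fromstring(response_xml).find(".//saml:Subject/saml:NameID", NS)
    return el.text if el is not None else None

def case_mismatch(remedy_user, saml_user):
    """True when the two names differ only in letter case (the mixed-case pitfall above)."""
    return remedy_user != saml_user and remedy_user.lower() == saml_user.lower()
```

Run it against a decoded SAMLResponse captured from your own browser session (for example from the ADFS debug trace) rather than the constructed sample to confirm the mapping on your IdP.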
To set the general configurations
- Log in to the Remedy SSO console as an Admin user.
- Click General.
- On the Basic tab, enter the basic server details.
- Cookie Domain - The value that controls the cookie visibility between servers within the domain. The default cookie domain value is the network domain of the computer on which you are installing the Remedy SSO server. The default cookie domain specifies the most restrictive access. Set the value as bmc.com.
- Max Session Time - The time after which the user session expires. When this value is selected, time constraints are automatically enforced. The default and recommended value is 24 hours.
- Server Log Level - The level or severity of logging messages. Set the value as INFO.
- On the left navigation panel, click the Advanced tab and enter the advanced details. Enter the SAML service provider details only if you are configuring Remedy SSO for SAML authentication.
- Cookie Name - The cookie name is automatically created at installation and is based on the timestamp. The timestamp is the time of creation of the database during Remedy SSO installation. For example, sso-1552988303725.
- Enable Secured Cookie - Do not select this option. If it is selected, all applications must also run on HTTPS, and the application servers must be accessed through HTTPS only.
- Service URL - Remedy SSO generates a token and inserts this URL into the token to provide information about the location of the Remedy SSO server.
- SP Entity ID - The entity ID of the service provider (SP). You can specify any value for SP Entity ID, for example rsso_sp_hostname. The Remedy SSO server name is used as the SP identifier in the Relying Party Trust configured on the IdP side.
- External URL - The external URL of the service provider, that is, the URL for Remedy SSO server. The URL must be HTTPS only. For example, https://clmxxxx-x-bmc.com:8443/rsso.
- Keystore File - The keystore file path on the Remedy SSO server file system, including the keystore file name. The keystore file contains all the required certificates. If you are using a PKCS12 keystore file, the file extension must be .p12. If the keystore file is located in the tomcat/rsso/webapp/WEB-INF/classes folder, where tomcat is the Tomcat path, the value of this field can be just the name of the keystore file. Otherwise, use the absolute file path. For example, C:\keys\keystore.jks.
- Keystore Password - The keystore file password. The keypair and keystore passwords must be the same.
- Signing Key Alias - The alias name of the signing key in the keystore file.
- Encryption Key Alias - The alias name of the encryption key used to decrypt the SAML assertions from the identity provider. The metadata of this encryption key is imported into the IdP.
- Click Save.
To add a Realm
- Log in to the Remedy SSO console as an Admin user.
- Click the Realm tab.
- Click Add Realm.
- On the General tab, enter the realm details.
- Realm ID - Unique realm identifier. Realm ID must not be more than 80 characters and can only include alphanumeric characters and the following special symbols: *, ., _, and -.
- Application Domain(s) - Comma-separated domain names of applications that are integrated with Remedy SSO. Domain names must start from the left side of the server name on which the applications are hosted. Ensure that you do not add a domain to more than one realm. Examples: myit or myit.yourcompany. Note that the Application Domain field does not accept uppercase input, so any value you enter is automatically converted to lowercase. If this value is not specified, the BMC Cloud Lifecycle Management login URI is not redirected to the RSSO or IdP login page for authentication.
- After Logout URL - URL to which a user is redirected after the user logs out from Remedy SSO.
- (For SAMLv2 authentication) On the Authentication tab, enter the details:
- In the Authentication Type field, click SAML.
- Do not select the Enable AR authentication for bypass option. This option enables a bypass URL for authenticating against AR System.
- Enter the SAML details. After you import the identity provider metadata and the federation metadata URL, the remaining fields are populated automatically from the imported values.
- Click Save.
- (For LDAP authentication) On the Authentication tab, enter the details:
- In the Authentication Type field, click LDAP.
- Do not select the Enable AR authentication for bypass option. This option enables a bypass URL for authenticating against AR System.
- Enter the LDAP details.
- Select None in the User ID Transformation option.
- Click Save.
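The realm rules stated in the General tab step (Realm ID length and character set, lowercase comma-separated Application Domain(s), no domain in more than one realm, and the redirect that is lost when the field is empty) are easy to get wrong across several realms. The following added example, not BMC's code, checks a set of planned realms against those rules before you enter them in the console; the label-boundary reading of "start from the left side of the server name" in host_in_domain is an assumption.

```python
import re

# Characters the console permits in a Realm ID: alphanumerics plus * . _ and -
REALM_ID_CHARS = re.compile(r"[A-Za-z0-9*._-]+")

def validate_realm_id(realm_id):
    """Return a list of problems; empty when the ID meets the documented rules."""
    problems = []
    if not REALM_ID_CHARS.fullmatch(realm_id):
        problems.append("Realm ID may contain only letters, digits, '*', '.', '_' and '-'")
    if len(realm_id) > 80:
        problems.append("Realm ID longer than 80 characters")
    return problems

def normalize_domains(field):
    """Split the Application Domain(s) field on commas and lowercase it, as the console does."""
    return [d.strip().lower() for d in field.split(",") if d.strip()]

def host_in_domain(hostname, domain):
    """Domain must match from the left of the server name: 'myit' covers
    myit.yourcompany.com but not mymyit.yourcompany.com (assumed label-boundary reading)."""
    host = hostname.lower()
    return host == domain or host.startswith(domain + ".")

def domain_conflicts(realms):
    """realms: {realm id: Application Domain(s) string}. Return {domain: [realm ids]}
    for every domain that is listed in more than one realm, which is not allowed."""
    seen = {}
    for realm_id, field in realms.items():
        for domain in normalize_domains(field):
            seen.setdefault(domain, []).append(realm_id)
    return {d: ids for d, ids in seen.items() if len(ids) > 1}

def check_realms(realms):
    """All findings for a set of realms as {realm id: [problem strings]}."""
    findings = {}
    for realm_id, field in realms.items():
        issues = validate_realm_id(realm_id)
        if not normalize_domains(field):
            issues.append("no Application Domain: CLM login URI is not redirected to RSSO/IdP")
        findings[realm_id] = issues
    for domain, ids in domain_conflicts(realms).items():
        for realm_id in ids:
            others = ", ".join(i for i in ids if i != realm_id)
            findings[realm_id].append("domain %r also in realm %s" % (domain, others))
    return findings
```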