×
$helper.renderConfluenceMacro('{bmc-global-announcement:$space.key}')
 
 

 

This documentation supports the 20.02 version of BMC Digital Workplace Basic.

To view an earlier version, select the version from the Product Version menu.

BMC Digital Workplace Advanced 20.02 ... Installing Installing BMC Digital Workplace Configuring after installation of BMC Digital Workplace

Configuring BMC Digital Workplace for Remedy Single Sign-On

This topic was edited by a BMC Contributor and has not been approved.  More information.

Remedy Single Sign-On (Remedy SSO) is an authentication system for a multi-software environment that enables users to present credentials for authentication only once. After Remedy Single Sign-On authenticates the users, they can gain access to any other application with automatic authentication without providing the credentials again.

Remedy Single Sign-On supports the following authentication methods:

  • AR
  • SAML 2.0
  • LDAP
  • Kerberos
  • Certificate-based
  • Remedy Single Sign-On authentication or Local authentication
  • OAuth 2.0
  • OpenID Connect

Related topics

Remedy Single Sign-On 20.02

Setting up end user authentication for information about authenticating with SAML, Kerberos, or LDAP

Installing BMC Digital Workplace


Troubleshooting

DOC-117139 Troubleshooting configuration for Remedy Single Sign-On integration

This topic describes how to configure the integration of Remedy Single Sign-On with BMC Digital Workplace .

Based on your organization’s requirement, you can configure any of the authentication methods to authenticate the users for various BMC applications.

As an administrator, you can integrate Remedy Single Sign-On with BMC Digital Workplace. After the integration, you can configure the required protocol for authentication. BMC does not support the Kerberos authentication for mobile apps, but you can configure the Kerberos authentication for web apps.

Remedy Single Sign-On authentication applies to browsers and mobile applications. When a user logs in on a mobile device, the user is prompted to enter the host name and port. If the server has SSO enabled, the mobile device opens a browser to the SSO login page. The SSO server sets the SSO cookies after authentication on the device browser. When the user relaunches the application, if the cookies are not expired, the mobile device displays the application. If the cookies are expired, the user is shown the login page again for authentication.

Before you begin

  • Install Remedy Single Sign-On and configure realms. For more information, see the Remedy Single Sign-On 20.02 documentation.
  • Install BMC Digital Workplace.
  • Verify that access to the Remedy Single Sign-On servers and the BMC Digital Workplace server requires the same domain. Otherwise, deploying the Remedy Single Sign-On agent will not work.

Creating the rsso-agent.properties file

Tip

If you are upgrading from a previous version of BMC Digital Workplace and you added custom configuration properties to the rsso-agent.properties file. you must copy the custom configuration properties to the new rsso-agent.properties file.

To integrate the BMC Digital Workplace with Remedy Single Sign-On , you need create the   rsso-agent.properties  file on the BMC Digital Workplace server.

Note

If the rsso-agent.properties file is missing, see KA 000372013 .


Mappings required between the BMC Digital Workplace domain and Remedy Single Sign-On server

Before you create the rsso-agent.properties  file, you should understand the mapping between the BMC Digital Workplace domain and Remedy Single Sign-On server ( <domain>:<url> ). Using this information, you will update the following properties in the rsso-agent.properties file.

PropertyDescription

sso-external-url

Remedy Single Sign-On agent redirects the browser (user’s request) to this URL when the Remedy Single Sign-On agent detects that one of the following happens:

  • The request needs to be authenticated.
  • The application logout is completed (that is, if the request refers to "logout-urls").
sso-service-url

Remedy Single Sign-On agent uses this the URL to call the Remedy Single Sign-On web app APIs to perform the following tasks:

  • Retrieve configuration details, such as cookie name, cookie domain, and realm-domain mappings.
  • Check whether the token cookie from the browser (user's request) is valid and if it is valid, retrieve .
  • Register the Remedy Single Sign-On server to track other application agents. The tracking helps the agent to know the login status of other application agents prior to logging out.


To support multiple Remedy Single Sign-On servers on an agent, set the different values of the domain-to-server mapping as comma-separated strings. For example, assume that the Remedy Single Sign-On server for the domain “firstcompany” is firstcompany-rsso.bmc.com and the Remedy Single Sign-On server for the domain “secondcompany” is secondcompany-rsso.bmc.com. Then, the properties definition will be the following:

sso-external-url=firstcompany:https://firstcompany-rsso.bmc.com:8443/rsso,secondcompany:https://secondcompany-rsso.bmc.com:8443/rsso
sso-service-url=firstcompany:http://firstcompany-rsso.bmc.com:8080/rsso,secondcompany:http://secondcompany-rsso.bmc.com:8080/rsso

To create the rsso-agent.properties file

  1. On the BMC Digital Workplace server, navigate to  /opt/apache/tomcat8.5/external-conf.
  2. Create the rsso-agent.properties file.

  3. Copy the following content to the rsso-agent.properties file, and adjust the configuration values as required.

    # For the Agent Identifier, representing an application integrated with BMC Helix Single Sign-On, set application URL as its value.
# The value should be the same on all nodes in same application cluster, but should be different for different applications.
# e.g. agent-id = http://midtier-hostname/arsys

agent-id=myit-agent

# Application URL to trigger BMC Helix SSO logout, usually is redirected after application logout is completed

logout-urls=/atssologout.html

# Application URL patterns NOT going through BMC Helix SSO web agent filter
excluded-url-pattern=.*\\.xml|.*\\.gif|.*\\.css|.*\\.ico|/shared/config/.*|/WSDL/.*|/shared/error.jsp|/shared/timer/.*|/shared/login_commn.jsp|/shared/view_form.jsp|
/shared/ar_url_encoder.jsp|/ThirdPartyJars/.*|/shared/logout.jsp|/shared/doc/.*|/shared/images/.*|/shared/login.jsp|/services/.*|/shared/file_not_found.jsp|/plugins/.*|
/shared/wait.jsp|/servlet/GoatConfigServlet|/servlet/ConfigServlet|/shared/HTTPPost.class|/shared/FileUpload.jar|/BackChannel.*|/servlet/LicenseReleaseServlet.*

# If this property is set to true, the application context name will not be excluded for checking excluded url pattern
# context-included=false
# RSSO webapp external url for redirection
# To support multiple RSSO webapps, set the value to a comma separated string: each represents a 'domain to server url' mapping, with the format of <domain>:<url>, 
# e.g. domain1:https://server1:8443/rsso,domain2:https://server2:8443/rsso

sso-external-url=http://testserver.bmc.com:8080/rsso

# RSSO webapp internal url for service call. Use HTTP instead of HTTPS protocol to avoid problems with handshake.
# To support multiple BMC Helix SSO webapps, set the value to a comma separated string, each represents a 'domain to server url' mapping, with the format of <domain>:<url>, 
# e.g. domain1:http://server1:8080/rsso,domain2:http://server2:8080/rsso

sso-service-url=http://testserver.bmc.com:8080/rsso

# Time during that cached token status will be used without verified at BMC Helix SSO server side. Default value is 3 min.
# token-status-cache-timeout=180

# MSP-related flags
# Flag to show realm-entry-page for the MSP deployments
# msp-deployment=true
# msp-always-show-domain-entry-page=true

# To disable BMC Helix SSO agent just set value to true. In this case all requests will not being processed by BMC Helix SSO.
# skip-filter=false

# That property is mandatory for preauthentication. Put one of the following possible values: GET or POST
# preauth-type=GET

# Action path mask. If agent detects /_rsso in servlet path. Default value is: /_rsso
# action-path-mask=/_rsso

use-in-memory-cache=true

  4. Save the changes.

  5. Restart the Tomcat server.

To integrate Remedy Single Sign-On with BMC Digital Workplace

For clusters, complete the following procedure for each BMC Digital Workplace server.

  1. Start the DWPTomcat service.
  2. Make sure single sign-on integration is enabled on BMC Digital Workplace database table.

  3. To enable the integration, complete the following steps:

a. For Windows, open the set_env.bat file by following the path: \DWP\tenant-config\scripts\win, and set SAML_authentication to True .

For Linux, open the set_env.sh file by following the path: /DWP/tenant-config/scripts/linux, and set SAML_authentication to True.

b. Run the following SQL query to update the value:

UPDATE DWP_System.TENANT SET SAML_AUTHENTICATION = 1 where SAML_AUTHENTICATION = 0

4. Stop the DWPTomcat service.

5. Restart the Tomcat service.


Was this page helpful? Yes No Submitting... Thank you
Last modified by Ravee Panjwani on May 04, 2021
task saml configuration installation contributor_unapproved

Comments

  1. Richard Cooke

    The 2nd link in the troubleshooting section is broken.

    Apr 15, 2021 10:36
    1. Ravee Panjwani

      Thanks for your comment, Richard Cooke. We will update the URL.

      Here's the topic that we meant to point to → Troubleshooting configuration for Remedy Single Sign-On integration.

      Thanks,
      Ravee

      Apr 15, 2021 03:16
Configuring SSL for the Tomcat server
Configuring multitenancy
© Copyright 2013 - 2020 BMC Software, Inc.
Legal notices

Powered by Atlassian Confluence and Scroll Viewport

© Copyright 2005-2021 BMC Software, Inc. Use of this site signifies your acceptance of BMC’s Terms of Use . BMC, the BMC logo, and other BMC marks are assets of BMC Software, Inc. These trademarks are registered and may be registered in the U.S. and in other countries.