This documentation supports the 19.02 version of BMC Digital Workplace Advanced.

Configuring BMC Digital Workplace for Remedy Single Sign-On

Remedy Single Sign-On (Remedy SSO) is an authentication system for a multi-software environment that enables users to present credentials for authentication only once. After Remedy SSO authenticates the users, they can gain access to any other application with automatic authentication without providing the credentials again.

Remedy SSO supports the following authentication methods:

  • BMC Remedy AR System Server
  • SAMLv2
  • LDAP
  • Kerberos (Starting from version 9.1.01)
  • Certificate-based (Starting from version 9.1.01)
  • Remedy SSO authentication or Local authentication (Starting from version 9.1.02)
  • OAuth 2.0 (Starting from version 9.1.04)
  • OpenID Connect (Starting from version 9.1.04)

This topic describes how to configure the integration of Remedy Single Sign-On with BMC Digital Workplace.

Related topics

Remedy Single Sign-On

Configuring Remedy SSO for authentication for information about authenticating with SAML, Kerberos, or LDAP

Based on your organization’s requirement, you can configure any of the authentication methods to authenticate the users for various BMC applications.

As an administrator, you can integrate Remedy SSO with BMC Digital Workplace. After the integration, you can configure the required protocol for authentication. BMC does not support the Kerberos authentication for mobile apps, but you can configure the Kerberos authentication for web apps.

Remedy Single Sign-On authentication applies to browsers and mobile applications. When a user logs in on a mobile device, the user is prompted to enter the host name and port. If the server has SSO enabled, the mobile client opens a browser to the SSO login page. The SSO server sets the SSO cookies after authentication on the device browser. When the user relaunches the application, if the cookies are not expired, the mobile client displays the application. If the cookies are expired, the user is shown the login page again for authentication.

Before you begin

  • Install Remedy Single Sign-On and configure realms. For more information, see the Remedy Single Sign-On documentation.

  • Install BMC Digital Workplace.
  • Verify that access to the Remedy SSO servers and the BMC Digital Workplace server requires the same domain. Otherwise, deploying the Remedy Single Sign-On agent will not work.
  • Create the rsso-agent.properties file.

To integrate Remedy SSO with BMC Digital Workplace

For clusters, complete the following procedure for each BMC Digital Workplace server.

  1. Start the DWPTomcat service.
  2. Make sure that single sign-on integration is enabled in the BMC Digital Workplace database table.
  3. To enable the integration, complete one of the following steps:

    • Edit the set_env.bat (Windows) or set_env.sh (Linux) and set SAML_authentication to True.

    • Run this SQL query to update the value:

      UPDATE DWP_System.TENANT SET SAML_AUTHENTICATION = 1 where SAML_AUTHENTICATION = 0

  4. Stop the DWPTomcat service.
  5. Copy the following JARs from the installer/Disk1/files/rsso-agent/ folder into the tomcat/external-conf/lib folder:
    • rsso-agent-all.jar

    • rsso-sdk-atsso.jar

    • rsso-client-impl.jar

  6. Copy the following properties files from the installer/Disk1/files/rsso-agent/ folder into the tomcat/external-conf folder:
    • rsso-agent.properties—Modify this file manually to point to the correct and new RSSO server that is compatible with the SSO SDK.

      Note

      The configuration in rsso-agent.properties is similar to that of the Mid Tier integration, except that rsso-agent.properties contains logout-urls=/atssologout.html.
      The value of the agent-id property in the rsso-agent.properties file should be a unique identifier, but it should be the same on all nodes in a BMC Digital Workplace cluster. Set its value to a simple identifier instead of an HTTP URL (for example, agent-id=dwp_agent).

      For more information, see Configuring Remedy SSO for authentication in the Remedy SSO online documentation.

    • sso-sdk.properties

  7. Restart the Tomcat service.
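
The note in step 6 can be checked before the restart. The following script is an added example, not part of the BMC procedure or tooling: it reads a copy of rsso-agent.properties from each cluster node and reports an agent-id that is missing, looks like a URL, or differs between nodes, and a logout-urls value other than /atssologout.html. The function names, file names, and sample host name are assumptions made for the example.

```sh
#!/bin/sh
# Added example: lint the rsso-agent.properties copy taken from each DWP node.

# prop_value FILE KEY: print the value of KEY (last definition wins).
prop_value() {
    awk -v key="$2" '
        /^[ \t]*[#!]/ { next }                      # skip comment lines
        { line = $0; sub(/\r$/, "", line)           # tolerate CRLF files
          sep = index(line, "="); if (sep == 0) next
          k = substr(line, 1, sep - 1); v = substr(line, sep + 1)
          gsub(/^[ \t]+|[ \t]+$/, "", k); gsub(/^[ \t]+|[ \t]+$/, "", v)
          if (k == key) val = v }
        END { print val }' "$1"
}

# check_agent_props FILE: return 0 when FILE follows the note in step 6.
check_agent_props() {
    props_rc=0
    agent_id=$(prop_value "$1" agent-id)
    case "$agent_id" in
        "") echo "$1: agent-id is not set"; props_rc=1 ;;
        *://*) echo "$1: agent-id looks like a URL, use a simple identifier"; props_rc=1 ;;
    esac
    if [ "$(prop_value "$1" logout-urls)" != "/atssologout.html" ]; then
        echo "$1: logout-urls is not /atssologout.html"; props_rc=1
    fi
    return $props_rc
}

# check_cluster FILE...: every file must pass and all must share one agent-id.
check_cluster() {
    cluster_rc=0; first_id=""
    for f in "$@"; do
        check_agent_props "$f" || cluster_rc=1
        if [ -z "$first_id" ]; then first_id=$agent_id; fi
        if [ "$agent_id" != "$first_id" ]; then
            echo "$f: agent-id differs from the first node"; cluster_rc=1
        fi
    done
    return $cluster_rc
}

# Constructed sample files standing in for two cluster nodes (not real configuration).
demo_dir=$(mktemp -d)
printf 'agent-id=dwp_agent\nlogout-urls=/atssologout.html\n' > "$demo_dir/node1.properties"
printf 'agent-id=http://dwp2.example.com/dwp\nlogout-urls=/atssologout.html\n' > "$demo_dir/node2.properties"
check_cluster "$demo_dir/node1.properties" "$demo_dir/node2.properties" || echo "cluster check failed"
```
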


Comments

  1. Martin Penev

    Hello,

    Since the Remedy SSO installer no longer has an option for integrating with DWP, we need to set up the agent manually. This is generally fine but I do not like the part where we should make a manual modification in the database in order to set the value in the SAML_AUTHENTICATION column to True.

    In some cases people that administer and configure DWP do not have access to the database and they need to submit a request to the DBAs in order for this modification to be done. I think it will be easier if an option for enabling/disabling SSO is present in the DWP Admin panel or if there is some kind of .bat/.sh script placed on the DWP machine that can change this option without users having to go to the database and perform any actions in it.

    Best Regards,

    Martin

    Nov 05, 2018 06:39
    1. Daniel Soto

      I think you can do as follows:


      java -jar <DigitalWorkplace_path>/tenant-config/tenant-config-3.1.00.000-jar-with-dependencies.jar updateTenant -server http://<DigitalWorkplaceServer>:<PortNumber>/dwp -username <DigitalWorkplace_Super_Admin_username> -password <DigitalWorkplace_Super_Admin_password> -tenantName 000000000000001 -hostname localhost -samlAuthentication true

      Nov 06, 2018 11:28
      1. Martin Penev

        Hi Daniel,

        Thanks for sharing this command. It is definitely a better option than performing the modification in the database.

        Unfortunately, when I run the command I get the following error: You are not authorized to perform this operation.

        I tried executing the command on two different 18.08 environments and I got the same result on both of them. I am sure that the users I provided in both cases have the MyIT Super Admin permission.

        Best Regards,

        Martin

        Nov 09, 2018 05:35
        1. Daniel Soto

          Hello Martin,

          Not a problem. Please check you have both MyIT Admin and MyIT Super Admin under User Form. I noticed that you raised a case for this, too. Let me check further.


          Thanks,

          Daniel

          Nov 09, 2018 08:24
          1. Achim Hilker

            Hi Martin,

            I think it's too late for you now, but maybe someone could use this. As always BMC is able to deliver world class Documentation and error handling :-) ... anyway, you have to change ./tenant-config/scripts/linux/set_env.sh according to your environment. Then you should be able to execute the scripts in that folder, because the API key is used there. edit_tenant.sh sets the samlAuthentication true param.

            Best Regards, Achim

            Dec 11, 2018 05:32
            1. Ravee Panjwani

              Thanks for your comment, Achim. I am adding the information to the procedure above, and it is currently available here → Configuring multitenancy.

              Thanks,
              Ravee

              Mar 13, 2019 04:04