Integrating with BMC Remedy Single Sign-On
If you use BMC Discovery 11.1 / 11.1 patch 1 / 11.1 patch 2, BMC Discovery integration with Remedy Single Sign-On does not support Remedy Single Sign-On 9.1.02. Upgrade BMC Discovery to 11.1 patch 3 where the integration problem has been fixed.
If you are using Remedy Single Sign-On 9.1.01 with BMC Discovery 11.1 / 11.1 patch 1 / 11.1 patch 2, you should not upgrade to Remedy Single Sign-On 9.1.02 until you upgrade BMC Discovery to 11.1 patch 3 where the integration problem has been fixed.
Remedy Single Sign-On (Remedy SSO) is an authentication system that supports various authentication protocols such as LDAP and provides single sign-on for users of BMC products. For more information about Remedy SSO, including installation and configuration, see Remedy SSO overview in the Remedy SSO online documentation.
Integration with BMC Atrium Single Sign-On was deprecated in the version 11 release of BMC Discovery and will be removed in a future release.
See this video (05:42) for an overview of how the integration between Remedy SSO and BMC Discovery takes place.
Before you begin
Before you begin integrating BMC Discovery with Remedy SSO, ensure that following considerations are in place:
Ensure that following settings are in place:
- The minimum supported version of Remedy SSO is 9.1.01 and later.
- BMC Discovery and the Remedy SSO server must use the same LDAP server. Otherwise, BMC Discovery is unable to check user permissions even if the user has successfully logged in through Remedy SSO.
- The BMC Discovery appliance and the Remedy SSO server must be in the same domain; for example, if your BMC Discovery domain name is discovery.calbro.com, your Remedy SSO domain name must be rsso.calbro.com, (not rsso.calbro-internal.com).
- The BMC Discovery appliance must have a reservation in DNS and must be accessed using that DNS name; otherwise, the integration fails and the following message is displayed: Forbidden request! Goto url is wrong.
- Contact your Remedy SSO administrator for the parameters required in the following procedure: RSSO Server URL, RSSO Realm ID, RSSO Agent ID, and RSSO Token revalidation period.
Considerations for configuring certificates
Communication between BMC Discovery and Remedy SSO can take place only over secured protocol (HTTPS). To enable communication by using HTTPS, you must obtain the HTTPS certificate from the Remedy SSO server.
You can supply a CA bundle that is trusted by your organization, pin the certificate downloaded from Remedy SSO, or use both.
A pinned certificate is more secure than a CA bundle; however, pinned certificates require more frequent renewal. BMC recommends that you use both a pinned certificate and a trusted CA bundle to verify the identity of the Remedy SSO server.
Configuring the connection to Remedy SSO server
Before you configure the connection to the Remedy SSO server, ensure that the LDAP settings are configured and you are able to log in to the BMC Discovery appliance as an LDAP user with administrative privileges. After you activate the Remedy SSO integration, as an administrator, you can log in again and change the configuration, if required.
To apply the Remedy SSO settings, you must perform following steps:
- On the main menu, click the Administration icon.
- In the Security section, click Single Sign On.
By default, the Remedy SSO tab opens.
On the Remedy SSO tab, enter the following parameters:
Parameter name Description RSSO Server URL Enter the URL for the Remedy SSO server. The Remedy SSO server URL must begin with https and have the same domain as the BMC Discovery appliance. For example, use discovery.calbro.com and rsso.calbro.com (not discovery.calbro.com and rsso.calbro-internal.com). RSSO Realm ID
A realm is a virtual identity provider used to authenticate a domain. Contact your Remedy SSO administrator for the Realm ID.
RSSO Agent ID Contact your Remedy SSO administrator for the Agent ID. RSSO Token revalidation period Enter the revalidation period in minutes. For more information, contact your Remedy SSO administrator. RSSO server timeout Enter the server timeout in seconds. BMC Discovery administrator needs to monitor this parameter and accordingly increase or decrease the number of seconds required for the RSSO server to respond.
Uploading a CA bundle
BMC recommends that you upload a trusted CA bundle. Trusted CA bundles enable you to validate the Remedy SSO server certificate.
- In the Trusted CA section, click Choose File and select the CA bundle file from your local file system.
- Click Upload CA Bundle.
The new certificate bundle is uploaded.
Pinning an HTTPS certificate
The following section explains how to pin an HTTPS certificate:
- Download the HTTPS certificate by clicking Get certificate from server.
After the certificate is downloaded, details such as Fingerprint, Validity dates, and certificate content are displayed.
- After the certificate is retrieved from the server and you have verified that it exactly matches the certificate on the Remedy SSO server, click the Pin certificate button.
Certificate pinning involves additional security measures of certificate checks. BMC Discovery administrator must check the channels through which the certificate is received.
If the server certificate and the uploaded certificate are not identical, click Unpin Certificate and upload a valid certificate.
After the configuration completes successfully, the Enable button becomes available. The HTTPS certificate validity is subject to a baseline check. A baseline alert is raised five days before the certificate expires.
For information about troubleshooting Remedy SSO configuration in BMC Discovery, see Troubleshooting.
Enabling Remedy SSO Integration
To enable the Remedy SSO integration, click Enable.
If you are unable to log in to BMC Discovery by using Remedy SSO, use the local login URL to access the BMC Discovery UI and log in as a local user.