Integrating with Remedy Single Sign-On
Remedy Single Sign-On (Remedy SSO) is an authentication system that supports various authentication protocols such as LDAP and provides single sign-on for users of BMC products. Remedy SSO is used in BMC Helix solutions (BMC Helix SSO) to support seamless authentication for users. For more information about Remedy SSO including installation and configuration, and BMC Helix SSO, see Remedy SSO overview.
Integration with BMC Atrium Single Sign-On was deprecated in BMC Discovery 11.0 and was removed in BMC Discovery 11.3. If you previously used BMC Atrium Single Sign-On, you can change to Remedy Single Sign-On by following the procedures in Migrating from BMC Atrium Single Sign-On to Remedy Single Sign-On and then following the procedures in this topic.
To integrate with Remedy SSO
To integrate BMC Discovery with Remedy SSO, you must first configure the Remedy SSO server and then enable the integration.
See this video (04:38) for an overview of how the integration between Remedy SSO and BMC Discovery takes place.
OpenID Connect support
BMC Discovery supports connections to BMC Helix SSO, and Remedy SSO version 20.02 with OpenID Connect.
Remedy Single Sign-On relies on cookies to enable your users to seamlessly access all integrated applications. As browsers implement changes to their default
SameSite attributes, cross-site cookies will not be sent by default. As a result, your users will be prevented from accessing your applications.
To continue to use Remedy SSO with newer browser versions, you must do the following:
- Use the secure HTTPS protocol for all of your applications.
- Upgrade to Remedy SSO 20.02.
- Set the following configuration options in Remedy SSO:
- Enable Secured Cookie
- Use Cross Site Cookie
For instructions, see Configuring settings for Remedy SSO server .
Note: If you subscribe to Remedy SSO 20.08 and later releases (SaaS), no action is required. BMC will update your configuration.
To obtain the OpenID Connect Client ID and Secret
To obtain the OpenID Connect Client ID and Secret from BMC Helix SSO or Remedy SSO version 20.02 with OpenID Connect:
- From the menu, select OAuth2.
- On the Clients tab, enter the client name into the Client Name field.
- Click Add Redirect URI.
- Enter the redirect URI into the edit field. The URI is of the following form, where
is the resolvable (from your browser, not from SSO) hostname or IP address of your appliance:
- Click Add.
- A registration successful banner is displayed. Ensure that you save the Client ID and Client Secret. You can find the Client ID from the BMC Helix SSO or Remedy SSO system again, but there is no way to access the Client Secret. If you lose this, you must perform the procedure again.
Before you begin
Before you begin integrating BMC Discovery with Remedy SSO, ensure that following considerations are in place:
Ensure that following settings are in place:
The minimum supported version of Remedy SSO is 9.1.01 and later, fully tested up to 20.02.00.
- The users to authenticate must be defined in an LDAP server. This is required to assign permissions to the user, based on the LDAP group that is mapped into a BMC Discovery group. This implies that the non-LDAP authentication methods that may use Remedy SSO are not supported by BMC Discovery. For example, a user locally defined in Remedy SSO cannot login into Discovery.
- BMC Discovery and the Remedy SSO server must use the same LDAP server.
- (Not applicable if you use OpenID Connect) The BMC Discovery appliance and the Remedy SSO server must be in the same domain; for example, if your BMC Discovery domain name is discovery.calbro.com, your Remedy SSO domain name must be rsso.calbro.com, (not rsso.calbro-internal.com).
- The BMC Discovery appliance must have a reservation in DNS and must be accessed using that DNS name; otherwise, the integration fails and the following message is displayed:
Forbidden request! Goto url is wrong.
- Contact your Remedy SSO administrator for the parameters required in the following procedure: RSSO Server URL, RSSO Realm ID, RSSO Agent ID, and RSSO Token revalidation period.
Considerations for configuring certificates
Communication between BMC Discovery and Remedy SSO can take place only over secured protocol (HTTPS). To enable communication by using HTTPS, you must obtain the HTTPS certificate from the Remedy SSO server. For more information, see Pinning an HTTPS certificate.
You can supply a CA bundle that is trusted by your organization, pin the certificate downloaded from Remedy SSO, or use both.
A pinned certificate is more secure than a CA bundle; however, pinned certificates require more frequent renewal.
We recommend that you use both a pinned certificate and a trusted CA bundle to verify the identity of the Remedy SSO server.
Configuring the connection to the BMC Helix SSO or Remedy SSO server
The connection parameter types required are the same for BMC Helix SSO, and Remedy SSO. You should obtain the values required from your SSO administrator. For:
- BMC Helix SSO—contact BMC Customer Support.
- Remedy SSO—contact your Remedy SSO administrator.
Before you configure the connection to the SSO server, ensure that the LDAP settings are configured and you are able to log in to the BMC Discovery appliance as an LDAP user with administrative privileges. After you activate the SSO integration, as an administrator, you can log in again and change the configuration, if required.
To apply the SSO settings, perform the following steps:
- On the main menu, click the Administration icon.
In the Security section, click Single Sign On.
By default, the Remedy SSO tab opens.
On the Remedy SSO tab, enter the following parameters:
Parameter name Description RSSO Server URL
When connecting to the Remedy SSO server (or BMC Helix SSO server) using OpenID Connect, the "same domain" restriction is removed.
For Remedy SSO:
Enter the URL for the Remedy SSO server. The Remedy SSO server URL must begin with https and have the same domain as the BMC Discovery appliance. For example, use discovery.calbro.com and rsso.calbro.com (not discovery.calbro.com and rsso.calbro-internal.com).
For BMC Helix SSO:
Enter the URL for the BMC Helix SSO server.
OpenID Connect Client ID To use OpenID Connect, enter the OpenID Connect Client ID. See To obtain the OpenID Connect Client ID and Secret for information on obtaining the OpenID Connect Client ID and Secret. OpenID Connect Client Secret To use OpenID Connect, enter the OpenID Connect Client Secret. RSSO Realm IDRealms are used to support multitenancy for integrated applications and split application availability. Each realm is identified by a unique identifier and contains one or more application domains.
Enter the Realm ID.
RSSO Agent ID
The RSSO Agent ID identifies the application integrated with Remedy SSO.
Enter the RSSO Agent ID.
RSSO Token revalidation period
Enter the revalidation period in minutes. Contact your Remedy SSO administrator for more information.
RSSO server timeout Enter the server timeout in seconds. You need to monitor this parameter and accordingly increase or decrease the number of seconds required for the RSSO server to respond.
Uploading a CA bundle
We recommend that you upload a trusted CA bundle. Trusted CA bundles enable you to validate the Remedy SSO server certificate.
To upload a CA bundle, perform the following steps:
- In the Trusted CA section, click Choose File and select the CA bundle file from your local file system.
- Click Upload CA Bundle.
The new certificate bundle is uploaded.
Pinning an HTTPS certificate
The following section explains how to pin an HTTPS certificate:
- Download the HTTPS certificate by clicking Get certificate from server.
After the certificate is downloaded, details such as Fingerprint, Validity dates, and certificate content are displayed.
- After the certificate is retrieved from the server and you have verified that it exactly matches the certificate on the Remedy SSO server, click the Pin certificate button.
Certificate pinning involves additional security measures of certificate checks. BMC Discovery administrator must check the channels through which the certificate is received. If the server certificate and the uploaded certificate are not identical, click Unpin Certificate and upload a valid certificate.
After the configuration completes successfully, the Enable button becomes available. The HTTPS certificate validity is subject to a baseline check. A baseline alert is raised five days before the certificate expires.
For information about troubleshooting Remedy SSO configuration in BMC Discovery, see troubleshooting.
Enabling Remedy SSO Integration
To enable the Remedy SSO integration, click Enable.
If you are unable to log in to BMC Discovery using Remedy SSO, use the local login URL to access the BMC Discovery UI and log in as a local user.
How do I fix this error: RSSO support will not work because the appliance is not in domain "abc.123"
From the Mandatory settings section:
So, the BMC Discovery appliance and the Remedy SSO server must be in the same domain. You cannot make the integration work if they are in different domains.
After completing all the steps, the status is ok, I've enabled rsso support. login redirects to rsso but authentication faild. but I'm using the correct credentials. is there any other things what is need to do?
If the status is reported as OK, then everything should work. Are all of the statuses OK, for example, are you connected to LDAP?
Are you successfully logging into other systems using SSO with the credentials that are failing for BMC Discovery?
I'm not sure what else I can suggest at the moment.
I hope this helps,
I hope it is all sorted now. I'm closing the comment.
Log in or register to comment.