
    The Authentication tab enables you to configure the Atrium Single Sign-On authentication mode for users. This authentication mode enables the external users to access TrueSight Capacity Optimization and TrueSight console. You can configure the Atrium Single Sign-On authentication mode for users after you install Atrium Single Sign-On and TrueSight Presentation Server.

    Alternatively, you can use any one of the following options to configure user authentication:

    Important

     If you configure the Local authentication only or LDAP authentication mode, users cannot access the capacity views that are available in the TrueSight console.

    • Local authentication only: Allows only local users to access TrueSight Capacity Optimization. In this mode, authentication of users is managed locally by TrueSight Capacity Optimization.
    • LDAP: Allows the external users (users defined on LDAP servers) to access TrueSight Capacity Optimization. You can configure one or multiple LDAP domains, to authenticate users using different contexts on the same LDAP server or on different servers.

    Access to the views and other options are managed according to the roles defined in TrueSight Capacity Optimization. For more details, see Adding and managing roles.

    To configure Atrium Single Sign-On user authentication

    The supported Atrium Single Sign-On version is 9.0.00.

    Before you begin

     Use the following resources to prepare for and install the authentication product:

    • Atrium Single Sign-On system requirements
    • BMC Atrium Single Sign-On 9.0 installation

    Info

    Applicable for all install or upgrade scenarios

    To configure Atrium Single Sign-On user authentication, complete the following steps:

    1. Select Administration > System > Global configuration > Authentication, and click Edit.
    2. Select BMC Atrium Single-Sign-On.

    3. (Optional): Click Advanced to configure and manage the advanced properties.

      By default, the basic properties are displayed.

    4. Enter the following details:

      Atrium Single-Sign-On

      Field Description
      Local authentication allowed (Advanced only)

      Select Yes to enable local authentication of users. If you allow local authentication, users can define their local password that is different from the password used for external authentication.

      Note

      By default, local authentication of external users is not allowed. If a user has defined a local password, that user cannot access the Presentation Server.

      Consider this scenario:

      BMC TrueSight Capacity Optimization is configured with the Presentation Server and BMC Atrium Single Sign-On. Two users, Olivia and Paul, have accounts in BMC Atrium Single Sign-On and both can access the Presentation Server. If local authentication in BMC TrueSight Capacity Optimization is allowed and Olivia defines a local password for her account, she will no longer have access to the Presentation Server. Her account is converted to a local account. As Paul did not define a local password, he still has access to the Presentation Server.

      Allow external user to log in (Advanced only)

      Select any one of the following options:

      • Only if at least one External Name matches for a Role or Access Group: Allows access to BMC TrueSight Capacity Optimization for external users that have matching external names and assigns them the roles or access groups that are defined for the external name. Roles or access groups are assigned to the external users on login to TrueSight Capacity Optimization. When you select this option, ensure that a role or access group that is mapped to the external name is created. For more details, see Adding and managing roles and Access Group.

      • Always allow authenticated users to log in: Allows access to BMC TrueSight Capacity Optimization for all externally authenticated users and assigns them default roles and groups on login. When you select this option, ensure that a role or access group is created with the option to assign it by default to all users. For more details, see Adding and managing roles and Access Group.
      Atrium SSO server host: Type the address of Atrium Single Sign-On server host.
      Atrium SSO server port: Type the Atrium Single Sign-On Server port number. The default value for the port number is 8443.
      Atrium SSO context path: Type the context path for Atrium Single Sign-On server.
      Default Realm (Advanced only): Type the default realm for the Atrium Single Sign-On server.
      Administrative username: Type the Atrium username of the required user.
      Administrative password: Type the Atrium password of the required user.
      Test Connection: Click to test whether the configuration defined for the authentication allows you to connect to Atrium Single Sign-On server or not.

    5. Click Save.

    To configure Local or LDAP user authentication

    1. Select Administration > System > Global configuration > Authentication, and click Edit.
    2. Select any one of the following options:

      • Local authentication only
      • LDAP
    3. (Optional): Click Advanced to configure and manage the advanced properties.

      By default, the basic properties are displayed.

    4. Based on the authentication mode selected, enter the following details:

       

      Note

      Click the required tab to view the options available for the selected authentication mode.

      Local authentication only

      This option allows only local users to access BMC TrueSight Capacity Optimization. By default, this option is selected.

      LDAP

      Property Description
      Local authentication allowed (Advanced only)

      Select Yes to enable local authentication of users. If you allow local authentication, users can define their local password that is different from the password used for external authentication.

      Note

      By default, local authentication of external users is not allowed. If a user has defined a local password, that user cannot access the Presentation Server.

      Consider a scenario where BMC TrueSight Capacity Optimization is configured with Presentation Server and BMC Atrium Single-Sign-On. Two users, Olivia and Paul, have accounts in BMC Atrium Single-Sign-On, and both can access the Presentation Server using their BMC Atrium Single-Sign-On credentials. If local authentication in BMC TrueSight Capacity Optimization is allowed and Olivia defines a local password for her account, her account is converted to a local account and she can no longer access the Presentation Server. Paul's account, however, is still not treated as a local account, and he can still access the Presentation Server.

      Allow external user to log in (Advanced only)

      Select any one of the following options:

      • Only if at least one External Name matches for a Role or Access Group: Allows access to BMC TrueSight Capacity Optimization for external users that have matching external names and assigns them the roles or access groups that are defined for the external name. Roles or access groups are assigned to the external users on login to BMC TrueSight Capacity Optimization. When you select this option, ensure that a role or access group that is mapped to the external name is created. For more details, see Roles and Access Group.

      • Always allow authenticated users to log in: Allows access to BMC TrueSight Capacity Optimization for all externally authenticated users and assigns them default roles and groups on login. When you select this option, ensure that a role or access group is created with the option to assign it by default to all users. For more information, see Roles and Access Group.
      LDAP Domain List

      Lists all existing LDAP configurations. If there are zero previously set LDAP configurations, the domain list is empty.

      To manage your LDAP configurations from this section:

      • Click Edit to begin adding new, or to modify existing LDAP configurations.
      • Click Add to add a new, or another LDAP configuration.
      • Click Apply to apply the new LDAP Domain names immediately to the properties below.
      • Click  to delete an LDAP configuration.
      Default

      Select the required domain from the list to set as the default domain.

      Note

      Users who log on to TrueSight Capacity Optimization through the default domain do not need to prefix their username with the domain name. Users who access any domain other than the default must specify their username as <domain>\<username>.

      default
      Accounts and Roles Managing

      Select any one of the following options:

      • Native: BMC TrueSight Capacity Optimization manages the user's password and authenticates the user on login.
      • LDAP managed: BMC TrueSight Capacity Optimization forwards the user's login request to an LDAP server for authentication.

      For more details, see User profile management using LDAP domain setting.

      LDAP Provider URL: Default LDAP server URL. For example, ldap://127.0.0.1:389.
      Bind method
      • (Default) Bind directly with BCO user account: Select this option if the LDAP implementation allows all users to bind and search against the LDAP server.
      • Search LDAP user through separate account: Select this option if the LDAP implementation allows only certain users to bind and search against the LDAP server. Selecting this option opens up the following sub-properties:
        • Search account DN: Domain name of the account to use in the search.
        • Search account password: Password of the account used in the search.
        • Search to retrieve user account: Enter a search string of type uid=%USERNAME%.

      For more details, see Bind method and LDAP authentication.

      LDAP Authentication Using userPrincipalName

      Select any one:

      • Disabled: Do not authenticate using User Principal Name (UPN).
      • Enabled, using the following domain: Users can log in using an email address-style name like jdoe@marketing.example.com. Click Apply when done entering the email ID.

      For more details, see Searching users in LDAP.

      LDAP Context: Start searching at this node. Example value, dc=bmc,dc=com.
      LDAP User Attribute: The attribute whose value should match the login name. Example value, cn.
      LDAP User Query: Syntax to guide the search. Example value, OU=Domain Users, OU=Security.
      Pattern to compose username: Type the required pattern between % symbol for composing the username. For example, %username%.

      User profile management using LDAP domain setting

      Each LDAP domain can be set up either as an "LDAP managed" domain or as a "native" domain. This setting determines how the user's BMC TrueSight Capacity Optimization profile is maintained and authorized:

      LDAP domain setting: Native

      • User profile: The BMC TrueSight Capacity Optimization administrator must have created a user profile (account) in BMC TrueSight Capacity Optimization, which will be maintained just as for a locally authenticated user. The LDAP server is used to authenticate the user, but the user's full name and email address are configured manually by the BMC TrueSight Capacity Optimization administrator.
      • User authorization: The BMC TrueSight Capacity Optimization account will already have been authorized by the administrator by assigning it roles and access groups; additional authorization may be performed using LDAP groups (see below).

      LDAP domain setting: LDAP managed

      • User profile: The BMC TrueSight Capacity Optimization administrator does not need to create a user profile in BMC TrueSight Capacity Optimization. On the first successful login authenticated with the LDAP server, BMC TrueSight Capacity Optimization will query the LDAP server for the user's attributes including full name and email address, and BMC TrueSight Capacity Optimization will automatically create a BMC TrueSight Capacity Optimization account with the login user name and these attributes.
      • User authorization: Authorization will be performed using LDAP groups (see below).

      Bind method and LDAP authentication

      Some LDAP implementations (for example, Microsoft Active Directory) can be set up to use User Principal Names (UPNs), where users can log in using an email address-style name like jdoe@marketing.example.com. For integrating with this type of LDAP implementation, there is no need to set the above options to control search. Instead, use the following options:

      • Bind method (value: bind directly with BMC TrueSight Capacity Optimization user account): The LDAP implementation allows all users to bind and search against the LDAP server.
      • LDAP Authentication Using userPrincipalName (UPN) (value: enabled): Use UPN to log in.
      • domain name to use (example: marketing.example.com): User does not need to type the portion after the @ sign.

       

      Searching users in LDAP

      LDAP directories have schemas that can be set up in a variety of ways. In order to find the user in the LDAP directory, BMC TrueSight Capacity Optimization needs to be told how to search the particular LDAP schema. The LDAP domain configuration in BMC TrueSight Capacity Optimization has three options that control how to search for the user:

      • LDAP context (example value: DC=adprod,DC=bmc,DC=com): Start searching at this node
      • LDAP user attribute (example value: cn): The attribute whose value should match the login name
      • LDAP user query (example value: OU=Domain Users,OU=Security): Syntax to guide the search

       

    5. Click Save.
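
How the default-domain rule, the userPrincipalName option and the uid=%USERNAME% search string from step 4 combine for a typed login name, as an added Python example (not BMC code). The domain names, the DOMAINS table and the function names are hypothetical, and escaping the username per RFC 4515 before substitution is an assumption about safe handling, not documented product behaviour.

```python
import re

# Constructed sample configuration; keys mirror fields on this page,
# values and domain names are hypothetical.
DOMAINS = {
    "corp": {"search": "uid=%USERNAME%", "upn_domain": None},
    "mkt": {"search": "cn=%USERNAME%", "upn_domain": "marketing.example.com"},
}
DEFAULT_DOMAIN = "corp"


def escape_filter_value(value):
    """Escape a value for use inside an LDAP search filter (RFC 4515)."""
    return "".join(
        "\\%02x" % ord(ch) if ch in "\\*()\x00" else ch for ch in value
    )


def split_login(login):
    """Split '<domain>\\<username>'; no prefix selects the default domain."""
    domain, sep, user = login.partition("\\")
    if not sep:
        return DEFAULT_DOMAIN, login
    if domain not in DOMAINS or not user:
        raise ValueError("unknown domain or empty username")
    return domain, user


def resolve(login):
    """Return (domain, bind name or search filter) for a typed login."""
    domain, user = split_login(login)
    cfg = DOMAINS[domain]
    if cfg["upn_domain"]:
        # UPN enabled: the user may omit the portion after the @ sign.
        if "@" not in user:
            user = "%s@%s" % (user, cfg["upn_domain"])
        if not re.fullmatch(r"[A-Za-z0-9._-]+@[A-Za-z0-9.-]+", user):
            raise ValueError("invalid UPN")
        return domain, user
    # Separate-account search: substitute the escaped name into the template
    # so filter metacharacters in the login stay literal.
    return domain, "(%s)" % cfg["search"].replace(
        "%USERNAME%", escape_filter_value(user)
    )
```

A login such as `j*` resolves to the filter `(uid=j\2a)`, so the wildcard is matched literally instead of selecting other accounts.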

    Workflow for updating user authentication after upgrade

    Upgrading user authentication

     

    To update the user authentication according to the authentication scenario for your deployment, refer to the following sections:

    To update user authentication of deployments with LDAP authentication

    To change the user authentication from LDAP to Atrium Single Sign-On after upgrade:

    1. For deployment with single LDAP domain, move the configuration from LDAP to Atrium Single Sign-On. For more details, see LDAP (Active Directory) Editor and LDAPv3 (Active Directory) User Store Editor.

    2. Configure TrueSight Capacity Optimization to use Atrium Single Sign-On as authentication mode instead of LDAP authentication. For more details, see To configure user authentication.

    3. Associate users with Capacity_View (for accessing Capacity Views in TrueSight Presentation Server) or Capacity_Administration (for accessing the Administration section of Capacity Views in TrueSight Presentation Server) group in the Atrium Single Sign-On. For more details, see Managing user groups in Atrium Single Sign-On.

     

    To update user authentication of deployments with local authentication

    To change the user authentication from local authentication to Atrium Single Sign-On after upgrade:

    1. Manually create users in Atrium Single Sign-On (internal LDAP) or migrate users in an external LDAP and then configure it to Atrium Single Sign-On.

      Tip

      If you are manually creating users, you can create IDs only for those users that require access to Capacity Pools view (without migrating the entire user catalog).

    2. Configure TrueSight Capacity Optimization to use Atrium Single Sign-On as authentication mode instead of local authentication. For more details, see To configure user authentication.

      Tip

      If you have migrated only some users, ensure that the Local authentication allowed option is enabled to allow local users to log in to TrueSight Capacity Optimization.

    3. Associate users with Capacity_View (for accessing Capacity Views in TrueSight Presentation Server) or Capacity_Administration (for accessing the Administration section of Capacity Views in TrueSight Presentation Server) group in the Atrium Single-Sign-On.

    To update user authentication of deployments with Atrium Single Sign-On

    Associate users with Capacity_View (for accessing Capacity Views in TrueSight Presentation Server) or Capacity_Administration (for accessing the Administration section of Capacity Views in TrueSight Presentation Server) group in the Atrium Single Sign-On.

     

    Note

    Ensure that TrueSight Capacity Optimization is configured to use Atrium Single Sign-On as authentication mode. For more details, see To configure user authentication.


    Where to go from here

    Complete one of the following tasks: