Configuring user authentication

The Authentication tab enables you to configure the Atrium Single Sign-On authentication mode for users. This authentication mode enables the external users to access TrueSight Capacity Optimization and TrueSight console. You can configure the Atrium Single Sign-On authentication mode for users after you install Atrium Single Sign-On and TrueSight Presentation Server.

Alternately, you can use the any one of the following options to configure the user authentication:

Important

If you configure the Local authentication only or LDAP authentication mode, users cannot access the capacity views that are available in the TrueSight console.

Local authentication only: Allows only local users to access TrueSight Capacity Optimization. In this mode, authentication of users is managed locally by TrueSight Capacity Optimization.
LDAP: Allows the external users (users defined on LDAP servers) to access TrueSight Capacity Optimization. You can configure one or multiple LDAP domains, to authenticate users using different contexts on the same LDAP server or on different servers.

Related topics

Managing users and access control

Adding and managing roles

Security considerations for TrueSight Capacity Optimization

Installation process overview

Access to the views and other options are managed according to the roles defined in TrueSight Capacity Optimization. For more details, see Adding and managing roles.

To configure Atrium Single Sign-On user authentication

The supported Atrium Single Sign-On version is 9.0.00.

Before you begin

Use the following resources to prepare for and install the authentication product:

Info

Applicable for all install or upgrade scenarios

To configure Atrium Single Sign-On user authentication, complete the following steps:

Select Administration > System > Global configuration > Authentication, click Edit.
Select BMC Atrium Single-Sign-On.
(Optional): Click Advanced to configure and manage the advanced properties.
By default, the basic properties are displayed.

Enter the following details:

Atrium Single-Sign-On

Field	Description
Local authentication allowed (Advanced only)	Select Yes to enable local authentication of users. If you allow local authentication, users can define their local password that is different from the password used for external authentication. Note By default, local authentication of external users is not allowed. If a user has defined local password, that user cannot access the Presentation Server. Consider this scenario: BMC TrueSight Capacity Optimization is configured with the Presentation Server and BMC Atrium Single Sign-On. Two users, Olivia and Paul, have accounts in BMC Atrium Single Sign-On and both can access the Presentation Server. If local authentication in BMC TrueSight Capacity Optimization is allowed and Olivia defines a local password for her account, she will no longer have access to the Presentation Server. Her account is converted to a local account. As Paul did not define a local password, he still has access to the Presentation Server.
Allow external user to log in (Advanced only)	Select any one of the following option: Only if at least one External Name matches for a Role or Access Group: Allows access of BMC TrueSight Capacity Optimization to external users that have matching external names and assigns them role or access group that are defined for the external name. Roles or access groups are assigned to the external users on login to TrueSight Capacity Optimization. When you select this option, ensure that a role or access group that is mapped to the external name is created. For more details, see Adding and managing roles and Access Group. Always allow authenticated users to log in: Allows access of BMC TrueSight Capacity Optimization to all externally authenticated users and assigns them default roles and groups on login. When you select this option, ensure that a role or access group is created with option to assign it by default to all users. For more details, see Adding and managing roles and Access Group.
Atrium SSO server host	Type the address of Atrium Single Sign-On server host.
Atrium SSO server port	Type the Atrium Single Sign-On Server port number. The default value for the port number is 8443.
Atrium SSO context path	Type the context path for Atrium Single Sign-On server.
Default Realm (Advanced only)	Type the default realm for the Atrium Single Sign-On server.
Administrative username	Type the Atrium username of the required user.
Administrative password	Type the Atrium password of the required user.
Test Connection	Click to test whether the configuration defined for the authentication allows you to connect to Atrium Single Sign-On server or not.

Click Save.

To configure Local or LDAP user authentication

Click here to view the steps to configure Local authentication only or LDAP user authentication...

Select Administration > System > Global configuration > Authentication, click Edit.
Select any one of the following option:
- Local authentication only
- LDAP
(Optional): Click Advanced to configure and manage the advanced properties.
By default, the basic properties are displayed.

Based on the authentication mode selected, enter the following details:

Note

Click the required tab to view the options available for the selected authentication mode.

Local authentication only

This option allows only local users to access BMC TrueSight Capacity Optimization. By default, this option is selected.

LDAP

Property	Description
Local authentication allowed (Advanced only)	Select Yes to enable local authentication of users. If you allow local authentication, users can define their local password that is different from the password used for external authentication. Note By default, local authentication of external users is not allowed. If a user has defined local password, that user cannot access the Presentation Server. Consider a scenario where BMC TrueSight Capacity Optimization is configured with Presentation Server and BMC Atrium Single-Sign-On. There are two users Olivia and Paul with their accounts in BMC Atrium Single-Sign-On, they both can access the Presentation Server using their BMC Atrium Single-Sign-On credentials. If local authentication in BMC TrueSight Capacity Optimization is allowed and Olivia defines a local password for her account, account will be converted to a local account and she will not be able to access the Presentation Server. However, Paul's account will still not be treated as local account and he will be able to access the Presentation Server.
Allow external user to log in (Advanced only)	Select any one of the following option: Only if at least one External Name matches for a Role or Access Group: Allows access of BMC TrueSight Capacity Optimization to external users that have matching external names and assigns them role or access group that are defined for the external name. Roles or access groups are assigned to the external users on login to BMC TrueSight Capacity Optimization. When you select this option, ensure that a role or access group that is mapped to the external name is created. For more details, see Roles and Access Group. Always allow authenticated users to log in: Allows access of BMC TrueSight Capacity Optimization to all externally authenticated users and assigns them default roles and groups on login. When you select this option, ensure that a role or access group is created with option to assign it by default to all users. For more information, see Roles and Access Group.
LDAP Domain List	Lists all existing LDAP configurations. If there are zero previously set LDAP configurations, the domain list is empty. To manage your LDAP configurations from this section: Click Edit to begin adding new, or to modify existing LDAP configurations. Click Add to add a new, or another LDAP configuration. Click Apply to apply the new LDAP Domain names immediately to the properties below. Click to delete an LDAP configuration.
Default	Select the required domain from the list to set as the default domain. Note For users accessing default domain to log on to TrueSight Capacity Optimization do not need to enter the domain name in prefix of their username. If the users are accessing any domain other than the default, have to specify their username as `<domain>\<username>`.
default
Accounts and Roles Managing	Select any one of the following option: Native: BMC TrueSight Capacity Optimization manages the user's password and authenticates the user on login. LDAP managed: BMC TrueSight Capacity Optimization forwards the user's login request to an LDAP server for authentication. For more details, see User profile management using LDAP domain setting.
LDAP Provider URL	Default LDAP server URL. For example, ldap://127.0.0.1:389.
Bind method	(Default) Bind directly with BCO user account: Select this option if the LDAP implementation allows all users to bind and search against the LDAP server. Search LDAP user through separate account: Select this option if the LDAP implementation allows only certain users to bind and search against the LDAP server. Selecting this option opens up the following sub-properties: Search account DN: Domain name of the account to use in the search. Search account password: Password of the account used in the search. Search to retrieve user account: Enter a search string of type `uid=%USERNAME%.` For more details, see Bind method and LDAP authentication.
LDAP Authentication Using userPrincipalName	Select any one: Disabled: Do not authenticate using User Principal Name (UPN). Enabled, using the following domain: Users can log in using an email address-style name like `jdoe@marketing.example.com.` Click Apply when done entering the email ID. For more details, see Searching users in LDAP.
LDAP Context	Start searching at this node. Example value, `dc=bmc,dc=com.`
LDAP User Attribute	The attribute whose value should match the login name. Example value, `cn.`
LDAP User Query	Syntax to guide the search. Example value, OU=Domain Users, OU=Security.
Pattern to compose username	Type the required pattern between % symbol for composing the username. For example, %username%.

User profile management using LDAP domain setting

Each LDAP domain can be set up either as an "LDAP managed" domain or as a "native" domain. This setting determines how the user's BMC TrueSight Capacity Optimization profile is maintained and authorized:

LDAP domain setting	User profile	User authorization
Native	The BMC TrueSight Capacity Optimization administrator must have created a user profile (account) in BMC TrueSight Capacity Optimization, which will be maintained just as for a locally authenticated user. The LDAP server is used to authenticate the user, but the user's full name and email address are configured manually by the BMC TrueSight Capacity Optimization administrator.	The BMC TrueSight Capacity Optimization account will already have been authorized by the administrator by assigning it roles and access groups; additional authorization may be performed using LDAP groups (see below).
LDAP managed	The BMC TrueSight Capacity Optimization administrator does not need to create a user profile in BMC TrueSight Capacity Optimization. On the first successful login authenticated with the LDAP server, BMC TrueSight Capacity Optimization will query the LDAP server for the user's attributes including full name and email address, and BMC TrueSight Capacity Optimization will automatically create a BMC TrueSight Capacity Optimization account with the login user name and these attributes.	Authorization will be performed using LDAP groups (see below).

Bind method and LDAP authentication

Some LDAP implementations (for example, Microsoft Active Directory) can be set up to use User Principal Names (UPNs), where users can log in using an email address-style name like jdoe@marketing.example.com. For integrating with this type of LDAP implementation, there is no need to set the above options to control search. Instead, use the following options:

Option	value or example	Meaning
Bind method	bind directly with BMC TrueSight Capacity Optimization user account	The LDAP implementation allows all users to bind and search against the LDAP server.
LDAP Authentication Using userPrincipalName (UPN)	enabled	Use UPN to log in.
domain name to use	(example) marketing.example.com	User does not need to type the portion after the `@` sign.

Searching users in LDAP

LDAP directories have schemas that can be set up in a variety of ways. In order to find the user in the LDAP directory, BMC TrueSight Capacity Optimization needs to be told how to search the particular LDAP schema. The LDAP domain configuration in BMC TrueSight Capacity Optimization has three options that control how to search for the user:

Option	Example value	Meaning
LDAP context	DC=adprod,DC=bmc,DC=com	Start searching at this node
LDAP user attribute	cn	The attribute whose value should match the login name
LDAP user query	OU=Domain Users,OU=Security	Syntax to guide the search

Click Save.

Workflow for updating user authentication after upgrade

Upgrading user authentication

To update the user authentication according to the authentication scenario for your deployment, refer to the following sections:

Updating user authentication of deployments with LDAP authentication
Updating user authentication of deployments with local authentication
Updating user authentication of deployments with Atrium Single Sign-On authentication

To update user authentication of deployments with LDAP authentication

To change the user authentication from LDAP to Atrium Single Sign-On after upgrade:

For deployment with single LDAP domain, move the configuration from LDAP to Atrium Single Sign-On. For more details, see LDAP (Active Directory) Editor and LDAPv3 (Active Directory) User Store Editor .
Configure TrueSight Capacity Optimization to use Atrium Single Sign-On as authentication mode instead of LDAP authentication. For more details, see To configure user authentication.
Associate users with Capacity_View (for accessing Capacity Views in TrueSight Presentation Server) or Capacity_Administration (for accessing the Administration section of Capacity Views in TrueSight Presentation Server) group in the Atrium Single Sign-On. For more details, see Managing user groups in Atrium Single Sign-On .

To update user authentication of deployments with local authentication

To change the user authentication from local authentication to Atrium Single Sign-On after upgrade:

Manually create users in Atrium Single Sign-On (internal LDAP) or migrate users in an external LDAP and then configure it to Atrium Single Sign-On.
Tip

If you are manually creating users, you can create IDs only for those users that require access to Capacity Pools view (without migrating the entire user catalog).
Configure TrueSight Capacity Optimization to use Atrium Single Sign-On as authentication mode instead of local authentication. For more details, see To configure user authentication.
Tip

In case you have migrated only some users, ensure that Local Authentication Allowed option is enabled to allow local users to login to TrueSight Capacity Optimization.
Associate users with Capacity_View (for accessing Capacity Views in TrueSight Presentation Server) or Capacity_Administration (for accessing the Administration section of Capacity Views in TrueSight Presentation Server) group in the Atrium Single-Sign-On.

To update user authentication of deployments with Atrium Single Sign-On

Associate users with Capacity_View (for accessing Capacity Views in TrueSight Presentation Server) or Capacity_Administration (for accessing the Administration section of Capacity Views in TrueSight Presentation Server) group in the Atrium Single Sign-On.