Access to the views and other options is managed according to the roles defined in TrueSight Capacity Optimization. For more details, see Adding and managing roles.
The supported Atrium Single Sign-On version is 9.0.00.
Before you begin
Use the following resources to prepare for and install the authentication product:
To configure Atrium Single Sign-On user authentication, complete the following steps:
- Select Administration > System > Global configuration > Authentication, and click Edit.
- Select BMC Atrium Single-Sign-On.
- (Optional) Click Advanced to configure and manage the advanced properties. By default, the basic properties are displayed.
- Enter the following details:
Atrium Single-Sign-On
Field | Description |
---|---|
Local authentication allowed (Advanced only) | Select Yes to enable local authentication of users. If you allow local authentication, users can define a local password that is different from the password used for external authentication. |
Allow external user to log in (Advanced only) | Select one of the following options: - Only if at least one External Name matches for a Role or Access Group: Allows external users that have matching external names to access BMC TrueSight Capacity Optimization and assigns them the role or access group that is defined for the external name. Roles or access groups are assigned to the external users on login to TrueSight Capacity Optimization. When you select this option, ensure that a role or access group that is mapped to the external name is created. For more details, see Adding and managing roles and Access Group. - Always allow authenticated users to log in: Allows all externally authenticated users to access BMC TrueSight Capacity Optimization and assigns them default roles and groups on login. When you select this option, ensure that a role or access group is created with the option to assign it by default to all users. For more details, see Adding and managing roles and Access Group. |
Atrium SSO server host | Type the address of Atrium Single Sign-On server host. |
Atrium SSO server port | Type the Atrium Single Sign-On Server port number. The default value for the port number is 8443. |
Atrium SSO context path | Type the context path for Atrium Single Sign-On server. |
Default Realm (Advanced only) | Type the default realm for the Atrium Single Sign-On server. |
Administrative username | Type the Atrium username of the required user. |
Administrative password | Type the Atrium password of the required user. |
Test Connection | Click to test whether the configuration defined for the authentication allows you to connect to Atrium Single Sign-On server or not. |
- Click Save.
To configure Local authentication only or LDAP user authentication, complete the following steps:
- Select Administration > System > Global configuration > Authentication, and click Edit.
- Select one of the following options:
  - Local authentication only
  - LDAP
- (Optional) Click Advanced to configure and manage the advanced properties. By default, the basic properties are displayed.
- Based on the authentication mode selected, enter the following details:
Local authentication only
This option allows only local users to access BMC TrueSight Capacity Optimization. By default, this option is selected.
LDAP
Property | Description |
---|---|
Local authentication allowed (Advanced only) | Select Yes to enable local authentication of users. If you allow local authentication, users can define a local password that is different from the password used for external authentication. |
Allow external user to log in (Advanced only) | Select one of the following options: - Only if at least one External Name matches for a Role or Access Group: Allows external users that have matching external names to access BMC TrueSight Capacity Optimization and assigns them the role or access group that is defined for the external name. Roles or access groups are assigned to the external users on login to BMC TrueSight Capacity Optimization. When you select this option, ensure that a role or access group that is mapped to the external name is created. For more details, see Roles and Access Group. - Always allow authenticated users to log in: Allows all externally authenticated users to access BMC TrueSight Capacity Optimization and assigns them default roles and groups on login. When you select this option, ensure that a role or access group is created with the option to assign it by default to all users. For more information, see Roles and Access Group. |
LDAP Domain List | Lists all existing LDAP configurations. If no LDAP configurations have been set previously, the domain list is empty. To manage your LDAP configurations from this section: - Click Edit to begin adding new LDAP configurations or to modify existing ones. - Click Add to add a new, or another, LDAP configuration. - Click Apply to apply the new LDAP Domain names immediately to the properties below. - Click the delete icon to delete an LDAP configuration. |
Default | Select the required domain from the list to set as the default domain. |
default |
Accounts and Roles Managing | Select one of the following options: - Native: BMC TrueSight Capacity Optimization manages the user's password and authenticates the user on login. - LDAP managed: BMC TrueSight Capacity Optimization forwards the user's login request to an LDAP server for authentication. For more details, see User profile management using LDAP domain setting. |
LDAP Provider URL | Default LDAP server URL. For example, ldap://127.0.0.1:389. |
Bind method | - (Default) Bind directly with BCO user account: Select this option if the LDAP implementation allows all users to bind and search against the LDAP server. - Search LDAP user through separate account: Select this option if the LDAP implementation allows only certain users to bind and search against the LDAP server. Selecting this option opens up the following sub-properties: - Search account DN: Domain name of the account to use in the search. - Search account password: Password of the account used in the search. - Search to retrieve user account: Enter a search string of type uid=%USERNAME%. For more details, see Bind method and LDAP authentication. |
LDAP Authentication Using userPrincipalName | Select one of the following options: - Disabled: Do not authenticate using User Principal Name (UPN). - Enabled, using the following domain: Users can log in using an email address-style name like jdoe@marketing.example.com. Click Apply when done entering the email ID. For more details, see Searching users in LDAP. |
LDAP Context | Start searching at this node. Example value, dc=bmc,dc=com. |
LDAP User Attribute | The attribute whose value should match the login name. Example value, cn. |
LDAP User Query | Syntax to guide the search. Example value, OU=Domain Users, OU=Security. |
Pattern to compose username | Type the required pattern between % symbols for composing the username. For example, %username%. |
User profile management using LDAP domain setting
Each LDAP domain can be set up either as an "LDAP managed" domain or as a "native" domain. This setting determines how the user's BMC TrueSight Capacity Optimization profile is maintained and authorized:
LDAP domain setting | User profile | User authorization |
---|---|---|
Native | The BMC TrueSight Capacity Optimization administrator must have created a user profile (account) in BMC TrueSight Capacity Optimization, which will be maintained just as for a locally authenticated user. The LDAP server is used to authenticate the user, but the user's full name and email address are configured manually by the BMC TrueSight Capacity Optimization administrator. | The BMC TrueSight Capacity Optimization account will already have been authorized by the administrator by assigning it roles and access groups; additional authorization may be performed using LDAP groups (see below). |
LDAP managed | The BMC TrueSight Capacity Optimization administrator does not need to create a user profile in BMC TrueSight Capacity Optimization. On the first successful login authenticated with the LDAP server, BMC TrueSight Capacity Optimization will query the LDAP server for the user's attributes including full name and email address, and BMC TrueSight Capacity Optimization will automatically create a BMC TrueSight Capacity Optimization account with the login user name and these attributes. | Authorization will be performed using LDAP groups (see below). |
Bind method and LDAP authentication
Some LDAP implementations (for example, Microsoft Active Directory) can be set up to use User Principal Names (UPNs), where users can log in using an email address-style name like jdoe@marketing.example.com. For integrating with this type of LDAP implementation, there is no need to set the above options to control search. Instead, use the following options:
Option | Value or example | Meaning |
---|---|---|
Bind method | bind directly with BMC TrueSight Capacity Optimization user account | The LDAP implementation allows all users to bind and search against the LDAP server. |
LDAP Authentication Using userPrincipalName (UPN) | enabled | Use UPN to log in. |
domain name to use | (example) marketing.example.com | User does not need to type the portion after the @ sign. |
Searching users in LDAP
LDAP directories have schemas that can be set up in a variety of ways. In order to find the user in the LDAP directory, BMC TrueSight Capacity Optimization needs to be told how to search the particular LDAP schema. The LDAP domain configuration in BMC TrueSight Capacity Optimization has three options that control how to search for the user:
Option | Example value | Meaning |
---|---|---|
LDAP context | DC=adprod,DC=bmc,DC=com | Start searching at this node |
LDAP user attribute | cn | The attribute whose value should match the login name |
LDAP user query | OU=Domain Users,OU=Security | Syntax to guide the search |
- Click Save.
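As an added illustration (not BMC code, and not a description of the product's internals), the following Python example shows how settings such as the search string uid=%USERNAME%, the LDAP context and the UPN domain translate into an LDAP search request and a bind name, with the login name escaped per RFC 4515 so that it cannot change the filter. The LdapDomain class, the function names and the rejection of a mismatched login domain are assumptions made for the example.

```python
# Added illustration, not BMC code: maps the LDAP domain settings described on
# this page onto a search request and a UPN bind name.
from dataclasses import dataclass
from typing import Optional, Tuple

# RFC 4515: characters that must be escaped inside a search filter value.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_filter_value(value: str) -> str:
    """Escape a login name so it cannot alter the structure of the filter."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


@dataclass
class LdapDomain:                     # hypothetical container for the settings
    context: str                      # "LDAP Context"
    search_template: str              # "Search to retrieve user account"
    upn_domain: Optional[str] = None  # domain for UPN authentication, if enabled


def search_request(domain: LdapDomain, login: str) -> Tuple[str, str]:
    """Return (search base, filter) with %USERNAME% replaced by the escaped login."""
    if not login:
        raise ValueError("empty login name")
    body = domain.search_template.replace("%USERNAME%", escape_filter_value(login))
    return domain.context, f"({body})"


def upn_bind_name(domain: LdapDomain, login: str) -> str:
    """Build the userPrincipalName for a direct bind; the '@' part is optional."""
    if domain.upn_domain is None:
        raise ValueError("UPN authentication is disabled for this domain")
    local, sep, typed = login.partition("@")
    if not local or "@" in typed:
        raise ValueError("malformed login name")
    # Assumption: a login that names a different domain is rejected outright.
    if sep and typed.lower() != domain.upn_domain.lower():
        raise ValueError("login domain does not match the configured UPN domain")
    return f"{local}@{domain.upn_domain}"


# Constructed sample built from the example values shown on this page.
SAMPLE = LdapDomain("dc=bmc,dc=com", "uid=%USERNAME%", "marketing.example.com")

if __name__ == "__main__":
    print(search_request(SAMPLE, "jdoe"))         # ordinary login name
    print(search_request(SAMPLE, "j*)(uid=adm"))  # metacharacters are neutralised
    print(upn_bind_name(SAMPLE, "jdoe"))
```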
Workflow for updating user authentication after upgrade
To update the user authentication according to the authentication scenario for your deployment, refer to the following sections:
To update user authentication of deployments with LDAP authentication
To change the user authentication from LDAP to Atrium Single Sign-On after upgrade:
- For a deployment with a single LDAP domain, move the configuration from LDAP to Atrium Single Sign-On. For more details, see LDAP (Active Directory) Editor and LDAPv3 (Active Directory) User Store Editor.
- Configure TrueSight Capacity Optimization to use Atrium Single Sign-On as authentication mode instead of LDAP authentication. For more details, see To configure user authentication.
- Associate users with Capacity_View (for accessing Capacity Views in TrueSight Presentation Server) or Capacity_Administration (for accessing the Administration section of Capacity Views in TrueSight Presentation Server) group in the Atrium Single Sign-On. For more details, see Managing user groups in Atrium Single Sign-On.
To update user authentication of deployments with local authentication
To change the user authentication from local authentication to Atrium Single Sign-On after upgrade:
- Manually create users in Atrium Single Sign-On (internal LDAP) or migrate users in an external LDAP and then configure it to Atrium Single Sign-On.
- Configure TrueSight Capacity Optimization to use Atrium Single Sign-On as authentication mode instead of local authentication. For more details, see To configure user authentication.
- Associate users with Capacity_View (for accessing Capacity Views in TrueSight Presentation Server) or Capacity_Administration (for accessing the Administration section of Capacity Views in TrueSight Presentation Server) group in the Atrium Single-Sign-On.
To update user authentication of deployments with Atrium Single Sign-On
Associate users with Capacity_View (for accessing Capacity Views in TrueSight Presentation Server) or Capacity_Administration (for accessing the Administration section of Capacity Views in TrueSight Presentation Server) group in the Atrium Single Sign-On.
Where to go from here
Complete one of the following tasks: