Unsupported content

 

This version of the documentation is no longer supported. However, the documentation is available for your convenience. You will not be able to leave comments.

This topic describes how to configure BMC Mobility for Remedy ITSM to support the Security Assertion Markup Language (SAML) on BMC Remedy Mid Tier.

Limitations

  • The mobile applications do not support pop-up windows for logon. The SAML IdP must provide a logon page that is compatible with the embedded WebKit browser.
  • The BMC Mobility server must be configured with Secure Sockets Layer (SSL) for SAML authentication. The mobile applications require a trusted SSL certificate and do not work with self-signed or untrusted certificates.
  • The following identity providers are supported:
    • Atrium SSO
    • ADFS
    • Okta

To configure BMC Mobility to support SAML

  1. Stop the BMC Mobility server.
  2. Copy the JAR files from the Webagent folder in your BMC Atrium Single Sign-On installation (webagent>dist>jee>WEB-INF>lib) and place them in the lib directory under WEB-INF on the BMC Mobility server.

  3. Uncomment the BMC Atrium Single Sign-On filter in the web.xml file on the BMC Mobility server.

    <!-- Atrium SSO webagent filter. Un-comment when needed -->
    <filter>
      <filter-name>Agent</filter-name>
      <filter-class>com.bmc.atrium.sso.agents.web.SSOFilter</filter-class>
    </filter>
    <!-- Atrium SSO webagent filter. Un-comment when needed -->
    <filter-mapping>
      <filter-name>Agent</filter-name>
      <url-pattern>/restapi/SSOLogin/*</url-pattern>
      <dispatcher>REQUEST</dispatcher>
      <dispatcher>INCLUDE</dispatcher>
      <dispatcher>FORWARD</dispatcher>
      <dispatcher>ERROR</dispatcher>
    </filter-mapping>
    
  4. Copy the cacerts file from JDKInstallationDirectory\jre\lib\security to the Tomcat conf folder (for example, C:\Program Files\Apache Software Foundation\Tomcat6.0\conf).
  5. To deploy the web agent that the BMC Mobility server will use to perform single sign-on using SAML, run the following script in the command line from the deployer directory (change directory to webagent > deployer):

    java -jar deployer.jar --install --container-type tomcatv7 --atrium-sso-url https://<FQDN-of-Atrium-SSO-Server>:<port>/atriumsso --web-app-url https://<FQDN-of-loadbalancer>:<port>/MobilityServer --notify-url https://<FQDN-of-Mobility-Server>:<port>/MobilityServer --container-base-dir "C:\Program Files\Apache Software Foundation\Tomcat6.0" --admin-name [SSO Admin Username] --admin-pwd [SSO Admin Password] --jvm-truststore "C:\Program Files\Java\jdk1.6.0_18\jre\lib\security\cacerts" --jvm-truststore-password changeit --truststore "C:\Program Files\Apache Software Foundation\Tomcat6.0\conf\cacerts" --truststore-password changeit --web-app-logout-uri /restapi/SSOLogin/Logout

    Note

    Ensure that the paths in the script are replaced by the actual paths on your server.

  6. Configure the Login URI and Logout URI for the BMC Atrium Single Sign-On server as follows:

    For Atrium SSO 8.1, 8.1SP1, 8.1SP2, 8.1SP3:


    a. Log on to the BMC Atrium SSO Admin Console, and click Agent Details.

    b. Select the /MobilityServer@FQDN:portNumber agent, and click Edit.

    c. In the Agent Editor, change the Login URI to be the same as the Mid Tier Agent Login URI (for example, https://serverName:portNumber/atriumsso/spssoinit?metaAlias=/realmName/sp&idpEntityID=idp).

    d. In the Agent Editor, change the Logout URI to be the same as the Mid Tier Agent Logout URI (for example, https://serverName:portNumber/atriumsso/saml2/jsp/spSingleLogoutInit.jsp?idpEntityID=idp).

    For Atrium SSO 8.8:

    a. Log on to the BMC Atrium SSO Admin Console, and click Agent Details.

    b. Select the /MobilityServer@FQDN:portNumber agent, and click Edit.

    c. Click the Realms tab.

    d. Select and add the required tenants.

    e. Select the tenant, and click Edit.

    f. Add the Login URI and Logout URI.

        Login URL example: https://serverName:portNumber/atriumsso/spssoinit?metaAlias=/realmName/sp&idpEntityID=idp

        Logout URL example: https://serverName:portNumber/atriumsso/saml2/jsp/spSingleLogoutInit.jsp?idpEntityID=idp

    i. Go to Realms.

    j. Individually select the realms that were added.

    k. Click Edit for Tenant Domain.

    l. Add the URL through which the realm will be reached from the mobile devices (use semicolons between the domain URLs).

  7. To enable SAML logon for tenants:
    1. Open the Mobility Administration: Tenant form in a browser.
    2. Search for the record with the tenant name or tenant ID.
    3. Change the SAML Authentication setting to Yes.
    4. Save your changes.
  8. Start the BMC Mobility server.
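
Before starting the server, it is worth confirming that the edit from step 3 took effect. If the filter is still inside a comment, or the mapping is incomplete, requests to /restapi/SSOLogin/* never pass through the SSO agent. The following check is an added example, not part of the BMC documentation or product. The filter class, URL pattern, and dispatcher list come from step 3. The function names and the sample web.xml text are constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET

FILTER_CLASS = "com.bmc.atrium.sso.agents.web.SSOFilter"  # from step 3
URL_PATTERN = "/restapi/SSOLogin/*"                       # from step 3
DISPATCHERS = {"REQUEST", "INCLUDE", "FORWARD", "ERROR"}  # from step 3

def _local(tag):
    """Strip an XML namespace so web.xml files with xmlns also match."""
    return tag.rsplit("}", 1)[-1]

def _texts(elem, name):
    return [(c.text or "").strip() for c in elem if _local(c.tag) == name]

def check_sso_filter(web_xml_text):
    """Return a list of problems; an empty list means the filter is active."""
    root = ET.fromstring(web_xml_text)  # the parser discards XML comments
    names = [n for f in root if _local(f.tag) == "filter"
             and FILTER_CLASS in _texts(f, "filter-class")
             for n in _texts(f, "filter-name")]
    if not names:
        # Tell "still commented out" apart from "never declared".
        commented = any(FILTER_CLASS in c
                        for c in re.findall(r"<!--(.*?)-->", web_xml_text, re.S))
        return ["SSOFilter is still commented out" if commented
                else "SSOFilter is not declared"]
    covering = [m for m in root if _local(m.tag) == "filter-mapping"
                and set(_texts(m, "filter-name")) & set(names)
                and URL_PATTERN in _texts(m, "url-pattern")]
    if not covering:
        return ["no filter-mapping for " + URL_PATTERN]
    problems = []
    for m in covering:
        missing = DISPATCHERS - set(_texts(m, "dispatcher"))
        if missing:
            problems.append("mapping lacks dispatchers: " + ", ".join(sorted(missing)))
    return problems

def sample(dispatchers, commented=False):
    """Constructed web.xml text for demonstration, not a real deployment file."""
    body = ("<filter><filter-name>Agent</filter-name><filter-class>" + FILTER_CLASS
            + "</filter-class></filter><filter-mapping><filter-name>Agent"
            + "</filter-name><url-pattern>" + URL_PATTERN + "</url-pattern>"
            + "".join("<dispatcher>%s</dispatcher>" % d for d in dispatchers)
            + "</filter-mapping>")
    return "<web-app>%s</web-app>" % ("<!-- " + body + " -->" if commented else body)

if __name__ == "__main__":
    print(check_sso_filter(sample(["REQUEST"], commented=True)))
```

To check a real deployment, read the web.xml file from WEB-INF on the BMC Mobility server and pass its text to `check_sso_filter`.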

Related topic

Agent manager