• Spaces
  • Collections
  • Help
    • ×
     
     
    •  
    BMC Helix Single Sign-On 22.1

    Page tree

     

    This documentation supports the 22.1 version of BMC Helix Single Sign-On, which is available only to BMC Helix customers (SaaS). 

    To view an earlier version, select the version from the Product version menu.

    As a BMC Helix Single Sign-On administrator, you might need to configure an authentication fallback for a realm to invoke an alternate authentication method in any of the following cases:

    • When the primary authentication fails due to some reason, such as user credentials are not accepted by the identity provider (IdP), or the IdP is unavailable due to some reason
    • If a user logs in to a system from one domain and then tries accessing the system from another domain.

    To enable authentication fallback for a realm, you must configure several authentication methods for a realm and chain them according to the authentication fallback chaining principles.  

    Related topics

    Reauthentication

    Single sign-on authentication methods

    Realms

    Enabling authentication chaining mode

    How authentication fallback works

    When authentication fallback is configured, BMC Helix SSO invokes a secondary authentication method configured in the authentication chain, and end users are not prompted to log in to applications again.  

    The following diagram shows a model for enabling authentication fallback in BMC Helix SSO:

    Authentication fallback

    If authentication fails at one IdP in the chain, then the request is redirected to the next IdP in the chain. If authentication fails at all IdPs configured in the chain, the system shows an authentication failure message. 

    Authentication fallback chaining principles

    To enable authentication fallback, add authentication methods into an authentication chain taking into account the following principles:

    • If you are using a certificate-based authentication or Kerberos authentication, do not set them as the last authentication method in a chain.

    • If you are using a SAML or OIDC authentication method, do not set them as the first authentication method in the chain.

    © Copyright 2005-2023 BMC Software, Inc. Use of this site signifies your acceptance of BMC’s Terms of Use . BMC, the BMC logo, and other BMC marks are assets of BMC Software, Inc. These trademarks are registered and may be registered in the U.S. and in other countries.