FAQs
Frequently asked questions about BMC Helix SSO
Frequently asked questions about multi-factor authentication
Here are some answers to the most frequently asked questions about the BMC Helix Single Sign-On product.
Identity providers do not automatically notify BMC Helix SSO about a password change. Hence, an end user's BMC Helix SSO session remains active until it expires and is not revoked after a password change on the identity provider (IdP). To force the logoff and be prompted to enter the new password, the end user must ask a BMC Helix SSO administrator to delete all active sessions/OAuth of this end user.
You can change your password in the BMC Helix SSO Admin Console, in the Admin User Management. To change your password, select your user account name, and then edit your password as required. See Setting up Remedy SSO administrator accounts for more details about how to change the password of an administrator.
You can obtain the BMC Helix SSO server version information through the <RSSO Server>/config/server-status URL. You must be authenticated as a BMC Helix SSO administrator before you can access this URL.
Yes, you can do this.
If the OpenID Issuer URL is configured for OAuth 2.0, developers of third-party applications can retrieve the OAuth metadata from the BMC Helix SSO server by using the following autodiscovery URL: RSSO_host:RSSO_port/rsso/.well-known/openid-configuration.
Running this request in the browser window returns details about the OpenID Connect (OIDC) provider's configuration, including the URIs of the authorization, token, revocation, userinfo, and public-keys endpoints.
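A client-side check of the discovery document described above, as an added example that is not BMC code: it confirms that the issuer matches the autodiscovery URL that was queried and that every endpoint the page lists is present and served over HTTPS. The host name, port, endpoint paths and sample response are constructed placeholders, the field names are the standard OIDC Discovery ones, and the same-host rule is an assumption you can relax.

```python
import json
from urllib.parse import urlsplit

# Standard OIDC Discovery / RFC 8414 metadata names for the endpoints the
# page lists (authorization, token, revocation, userinfo, public keys).
ENDPOINT_KEYS = ("authorization_endpoint", "token_endpoint", "revocation_endpoint",
                 "userinfo_endpoint", "jwks_uri")
WELL_KNOWN = "/.well-known/openid-configuration"


def check_discovery(discovery_url, document):
    """Return a list of problems found in an OIDC discovery document."""
    problems = []
    issuer = document.get("issuer", "")
    # OIDC Discovery: issuer + well-known suffix must equal the URL queried,
    # otherwise the metadata may describe a different provider.
    if issuer.rstrip("/") + WELL_KNOWN != discovery_url:
        problems.append(f"issuer mismatch: {issuer!r}")
    expected_host = urlsplit(discovery_url).netloc
    for key in ENDPOINT_KEYS:
        value = document.get(key)
        if not value:
            problems.append(f"missing {key}")
            continue
        parts = urlsplit(value)
        if parts.scheme != "https":
            problems.append(f"{key} is not HTTPS: {value}")
        # Assumption: all endpoints live on the RSSO host; relax if yours differ.
        if parts.netloc != expected_host:
            problems.append(f"{key} points to another host: {parts.netloc}")
    return problems


# Constructed sample response; host, port and endpoint paths are placeholders.
URL = "https://rsso.example.com:8443/rsso/.well-known/openid-configuration"
SAMPLE = json.loads("""{
  "issuer": "https://rsso.example.com:8443/rsso",
  "authorization_endpoint": "https://rsso.example.com:8443/rsso/example/authorize",
  "token_endpoint": "https://rsso.example.com:8443/rsso/example/token",
  "revocation_endpoint": "https://rsso.example.com:8443/rsso/example/revoke",
  "userinfo_endpoint": "http://rsso.example.com:8443/rsso/example/userinfo",
  "jwks_uri": "https://idp.example.net/keys"
}""")

if __name__ == "__main__":
    for line in check_discovery(URL, SAMPLE) or ["no problems found"]:
        print(line)
```

The constructed sample deliberately contains a plain-HTTP userinfo endpoint and a key set hosted elsewhere, so the check reports two problems.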
Yes.
To enable audit records for end-user events, in the BMC Helix SSO Admin Console, go to General > Advanced and select the End-user events check box.
Multi-factor authentication (MFA) is not directly implemented in BMC Helix SSO. However, the product supports MFA-enabled IdPs configured for authentication.
For example, if your application integrates with the BMC Helix SSO server by using the SAML protocol, then MFA must be enabled and configured on the SAML IdP for end users to complete the authentication flow.
Important
MFA is not considered state-of-the-art, but it is effective in providing strong and phishing-resistant authentication.
If your application integrates with BMC Helix SSO by using protocols such as OIDC or SAML 2.0, MFA must be configured on the external IdP (for example, Okta Verify and Azure Active Directory). BMC Helix SSO redirects users to the IdP that manages the MFA process.
BMC recommends using OIDC or SAML 2.0 for federated authentication in on-premises deployments of BMC Helix SSO and in SaaS environments. For more details, see the following documentation:
For SaaS deployments, BMC recommends using federated authentication through OIDC 1.0 or SAML 2.0. MFA must be configured on the IdP side.
For on-premises environments, you must also use federated authentication with an external IdP that supports MFA. BMC Helix SSO redirects users to the IdP that manages the MFA process. For more details, see Authentication options.