Realms

Role of realms in the authentication process in BMC Helix SSO

In BMC Helix SSO, a realm associates application domains of the integrated BMC Helix SSO applications with an identity provider, and a realm also defines an authentication method to be used to protect integrated applications. End users accessing applications integrated with BMC Helix SSO are authenticated based on domains they can access.

The following diagram shows the role of realms in an authentication flow:

1. In a browser window, an end user enters an application URL to access an application integrated with BMC Helix SSO.
2. The BMC Helix SSO agent intercepts the login request, validates it, and then sends it to the BMC Helix SSO server.
3. Based on information extracted from the application URL, the BMC Helix SSO server defines a correct realm for the authentication flow. For more information about this process, see Identifying a realm by application domains.
4. BMC Helix SSO server allows authentication according to the authentication method specified for the realm. 
5. Depending on the authentication method, the user is redirected to the login page or is automatically authenticated by BMC Helix SSO. For information about the login options, see Login and logout experience for end users.
6. When the end user is successfully authenticated on the BMC Helix SSO login page, the end user is automatically redirected to the application.

Identifying a realm by application domains

Realm identification is based on the application URL used for accessing an end user application.

For example, an end user uses the application.domain.com URL to access an application. To authenticate the user, BMC Helix SSO needs to identify the realm by checking the following mappings in all realms available on the BMC Helix SSO server: 

• application
• application.domain
• application.domain.com

When a realm with a matching application domain is found, this realm is used for authentication.

If you have several realms with the same matching application domain parts, realm selection becomes unpredictable. To avoid authentication errors, application domain mapping must be unique across all realms on the BMC Helix SSO.

Usage example: Configuring realms for application domains

Suppose an organization has the following applications:

• Helpdesk—accessed by all users through the URL http://helpdesk.yourcompany.com
• ITSM—accessed only by the IT team through the URL http://itsm.yourcompany.com
• BMC Helix Digital Workplace—accessed only by the IT team through the URL http://dwp.yourcompany.com 
  

You can create helpdesk and itsm realms and map the application domains and authentication methods to these realms described in the following table:

When an end user accesses the Helpdesk application belonging to the helpdesk.yourcompany.com application domain (Domain 1 in the diagram), the end user gets authenticated through BMC Helix SSO, via helpdesk realm (see Realm 1 in the diagram) which is configured for SAML authentication method (Authentication 1 in the diagram), and allows authentication via helpdesk.yourcompany.com (Domain 1 in the diagram).

This end user can access the ITSM application belonging to the itsm.yourcompany.com application domain (Domain 2 in the diagram). The end user gets authenticated through BMC Helix SSO, via itsm realm (see Realm 2 in the diagram) which is configured for Kerberos authentication method (Authentication 2 in the diagram), and allows authentication via itsm.yourcompany.com (Domain 2 in the diagram).