• Spaces
  • Collections
  • Help
    • ×
     
     
    •  
    BMC Helix Single Sign-On 22.1

    Page tree

     

    This documentation supports the 22.1 version of BMC Helix Single Sign-On, which is available only to BMC Helix customers (SaaS). 

    To view an earlier version, select the version from the Product version menu.

    Some BMC applications are designed to provide an additional security level to some business critical functionality available to end users. This protection mechanism invokes a reauthentication request, and end users are asked to provide their credentials when they perform some action in the system, for example, approving a service request.

    BMC Helix Single Sign-On handles authentication requests from applications integrated with them differently. Depending on how a realm is configured, BMC Helix Single Sign-On processes authentication requests in one of the following ways:

    • Enables automatic reauthentication—end users are not required to provide the user name and password at the time of reauthentication on the BMC Helix Single Sign-On login page. 
    • Enables manual reauthentication—end users are required to provide their credentials at the time of a reauthentication request.
    Related topics

    Single sign-on authentication methods

    Authentication fallback

    Realms

    Enabling authentication chaining mode

    Automatic reauthentication

    End users are automatically authenticated at the time of a reauthentication request, only if a single authentication method is configured for a realm, and if this method is one of the following:

    • Kerberos
    • Certificate-based
    • Preauthentication
    • SAML—when configured not to display the login page for end users.

    Manual reauthentication for a realm with a single authentication method

    If you have one of the following authentication methods configured for a realm, the reauthentication is manual, and end users are required to provide their credentials on the login page at the time of the reauthentication request:

    • AR
    • LDAP
    • Local
    • OpenID Connect
    • SAML configured to display the login page for end users

    For SAML and OpenID Connect IdPs, the login page of the IdP is displayed at the time of the reauthentication request.
    For AR, Local and LPAD IdPs, the BMC Helix Single Sign-On login page is displayed.

    Manual reauthentication for a realm with a chain of authentication methods

    If you have an authentication chain configured for a realm, you can enable manual reauthentication. The secondary authentication in the chain is invoked at the time of a reauthentication request, and end users are required to provide their credentials on the login page at the time of the reauthentication request.

    The following diagram shows how reauthentication works for a realm with several authentication methods:

    Reauthentication model

    To configure manual reauthentication for a realm with several authentication methods, chain them in accordance with the principles described in the following table:

    Authentication typeAuthentication methods supportedNotes
    Primary authentication
    • SAML
    • Kerberous
    • Certificate-based
    • Preauthentication

    SAML note:

    If SAML IdP is configured not to display the login page to end users, then you must enable the Bypass for reauth requests setting in SAML configuration of the realm. For information about this setting, see Importing configuration from an identity provider and configuring SAML.

    Preauthentication notes:

    • If the authentication request from application contains JWT, then end users are authenticated via Preauth, and the request is not redirected to the next IdP in the chain.
    • If the authentication request from application does not contain JWT, the request is redirected to the next IdP in the chain.
    Secondary authentication
    • LDAP
    • AR
    • Local
    • OpenID Connect
    		For OpenID Connect IdPs, the login page of the IdP is displayed at the time of the reauthentication request.


    © Copyright 2005-2023 BMC Software, Inc. Use of this site signifies your acceptance of BMC’s Terms of Use . BMC, the BMC logo, and other BMC marks are assets of BMC Software, Inc. These trademarks are registered and may be registered in the U.S. and in other countries.