This documentation supports the 22.3 version of BMC Helix Single Sign-On, which is available only to BMC Helix customers (SaaS). 

To view an earlier version, select the version from the Product version menu.

As a BMC Helix Single Sign-On administrator, you can create users stored locally on the BMC Helix Single Sign-On server for any realm with Local authentication type. Local users can access applications belonging to their realm. You can also add local groups, and then add users to these groups. Groups represent roles in your organization and can be used to control access to applications for which the single sign-on experience is enabled. For the difference between user, end user, and local user, see Glossary.


Creating and managing local users in the BMC Helix SSO Admin Console

If you have a realm configured for Local authentication on BMC Helix SSO, perform the following tasks in the BMC Helix SSO Admin Console:

  1. Create local users for a realm.
  2. (Optional) Create groups needed by your organization, and then add users to the appropriate groups.

Before you begin

Configure a realm for Local authentication.

To add a local user

  1. Log in to the BMC Helix SSO Admin Console.
  2. Select Local User > Users.

  3. From the Realm list, select a realm.

    Important

    To authenticate a user in all realms available on your BMC Helix SSO server, add the user to the default _empty_ realm. This is a technical realm, and it is not shown on the Realms page.

    Users added to the _empty_ realm can access applications from any realm available on the BMC Helix SSO server.

  4. Click Add User, and complete the following fields:

    | Field | Description |
    | --- | --- |
    | Login Name | Enter the user's login name, which must meet the login name requirements. Note: You cannot modify the login name after it is created. |
    | User Name | Enter the user's full name. |
    | Password | Enter the user's password. The password must be different from the login and email, be between 8 and 128 characters long, and contain uppercase letters, lowercase letters, digits, and special characters. Do not use a space as the first or the last character of the password. Spaces are allowed between the first and the last character. |
    | Confirm Password | Reenter the user's password. |
    | Description (Optional) | Provide a description of the user. |
    | Enabled (Optional) | Select this option to enable or disable a user in the BMC application. If you disable a user who is currently logged in to a BMC application, ensure that you invalidate the old sessions or OAuth2 tokens (if any) of the user. For more information, see Invalidating and configuring end user sessions. |
    | Force user to reset password (Optional) | Select this option to force a local user to reset the password. For more information, see To force a local user to reset password. |

  5. Click Add.

Login name requirements for a local user account

Example of a valid login name: user 123

  • The login name is case insensitive.
  • The login name length must be between 1 and 255 characters.
  • The login name cannot contain any of these characters: "+,:;<=>?[]|
  • The login name cannot contain any of the following Unicode special characters:

| Decimal | Hexadecimal | UTF-8 Hex | Unicode description |
| --- | --- | --- | --- |
| 0 | U+0000 | 00 | Control character: Null |
| 1 | U+0001 | 01 | Control character: Start Of Heading |
| 2 | U+0002 | 02 | Control character: Start Of Text |
| 3 | U+0003 | 03 | Control character: End Of Text |
| 4 | U+0004 | 04 | Control character: End Of Transmission |
| 5 | U+0005 | 05 | Control character: Enquiry |
| 6 | U+0006 | 06 | Control character: Acknowledge |
| 7 | U+0007 | 07 | Control character: Bell |
| 8 | U+0008 | 08 | Control character: Backspace |
| 9 | U+0009 | 09 | Control character: Character Tabulation |
| 10 | U+000A | 0A | Control character: Line Feed (lf) |
| 11 | U+000B | 0B | Control character: Line Tabulation |
| 12 | U+000C | 0C | Control character: Form Feed (ff) |
| 13 | U+000D | 0D | Control character: Carriage Return (cr) |
| 14 | U+000E | 0E | Control character: Shift Out |
| 15 | U+000F | 0F | Control character: Shift In |
| 16 | U+0010 | 10 | Control character: Data Link Escape |
| 17 | U+0011 | 11 | Control character: Device Control One |
| 18 | U+0012 | 12 | Control character: Device Control Two |
| 19 | U+0013 | 13 | Control character: Device Control Three |
| 20 | U+0014 | 14 | Control character: Device Control Four |
| 21 | U+0015 | 15 | Control character: Negative Acknowledge |
| 22 | U+0016 | 16 | Control character: Synchronous Idle |
| 23 | U+0017 | 17 | Control character: End Of Transmission Block |
| 24 | U+0018 | 18 | Control character: Cancel |
| 25 | U+0019 | 19 | Control character: End Of Medium |
| 26 | U+001A | 1A | Control character: Substitute |
| 27 | U+001B | 1B | Control character: Escape |
| 28 | U+001C | 1C | Control character: Information Separator Four |
| 29 | U+001D | 1D | Control character: Information Separator Three |
| 30 | U+001E | 1E | Control character: Information Separator Two |
| 31 | U+001F | 1F | Control character: Information Separator One |
| 127 | U+007F | 7F | Control character: Delete |
| 128 | U+0080 | C2 80 | Control Character or Euro Sign |
| 129 | U+0081 | C2 81 | Control character: Unknown |
| 130 | U+0082 | C2 82 | Control character: Break Permitted Here |
| 131 | U+0083 | C2 83 | Control character: No Break Here |
| 132 | U+0084 | C2 84 | Control character: Unknown |
| 133 | U+0085 | C2 85 | Control character: Next Line (nel) |
| 134 | U+0086 | C2 86 | Control character: Start Of Selected Area |
| 135 | U+0087 | C2 87 | Control character: End Of Selected Area |
| 136 | U+0088 | C2 88 | Control character: Character Tabulation Set |
| 137 | U+0089 | C2 89 | Control character: Character Tabulation With Justification |
| 138 | U+008A | C2 8A | Control character: Line Tabulation Set |
| 139 | U+008B | C2 8B | Control character: Partial Line Forward |
| 140 | U+008C | C2 8C | Control character: Partial Line Backward |
| 141 | U+008D | C2 8D | Control character: Reverse Line Feed |
| 142 | U+008E | C2 8E | Control character: Single Shift Two |
| 143 | U+008F | C2 8F | Control character: Single Shift Three |
| 144 | U+0090 | C2 90 | Control character: Device Control String |
| 145 | U+0091 | C2 91 | Control character: Private Use One |
| 146 | U+0092 | C2 92 | Control character: Private Use Two |
| 147 | U+0093 | C2 93 | Control character: Set Transmit State |
| 148 | U+0094 | C2 94 | Control character: Cancel Character |
| 149 | U+0095 | C2 95 | Control character: Message Waiting |
| 150 | U+0096 | C2 96 | Control character: Start Of Guarded Area |
| 151 | U+0097 | C2 97 | Control character: End Of Guarded Area |
| 152 | U+0098 | C2 98 | Control character: Start Of String |
| 153 | U+0099 | C2 99 | Control character: Unknown |
| 154 | U+009A | C2 9A | Control character: Single Character Introducer |
| 155 | U+009B | C2 9B | Control character: Control Sequence Introducer |
| 156 | U+009C | C2 9C | Control character: String Terminator |
| 157 | U+009D | C2 9D | Control character: Operating System Command |
| 158 | U+009E | C2 9E | Control character: Privacy Message |
| 159 | U+009F | C2 9F | Control character: Application Program Command |
| 160 | U+00A0 | C2 A0 | No-break Space |

  • The login name cannot contain any of the following Unicode space characters and zero-width spaces:

| Code | Name of the character | Width of the character |
| --- | --- | --- |
| U+1680 | OGHAM SPACE MARK | Unspecified; usually not really a space but a dash |
| U+180E | MONGOLIAN VOWEL SEPARATOR | 0 |
| U+2007 | FIGURE SPACE | “Tabular width”, the width of digits |
| U+2008 | PUNCTUATION SPACE | The width of a period “.” |
| U+200A | HAIR SPACE | Narrower than THIN SPACE |
| U+200B | ZERO WIDTH SPACE | 0 |
| U+202F | NARROW NO-BREAK SPACE | Narrower than NO-BREAK SPACE (or SPACE), “typically the width of a thin space or a mid space” |
| U+205F | MEDIUM MATHEMATICAL SPACE | 4/18 em |
| U+FEFF | ZERO WIDTH NO-BREAK SPACE | 0 |
| U+2000 | EN QUAD | 1 en (= 1/2 em) |
| U+2001 | EM QUAD | 1 em (nominally, the height of the font) |
| U+2004 | THREE-PER-EM SPACE (thick space) | 1/3 em |
| U+2005 | FOUR-PER-EM SPACE (mid space) | 1/4 em |
| U+2006 | SIX-PER-EM SPACE | 1/6 em |
| U+3000 | IDEOGRAPHIC SPACE | The width of ideographic (CJK) characters. |
| U+2002 | EN SPACE (nut) | 1 en (= 1/2 em) |
| U+2003 | EM SPACE (mutton) | 1 em |
| U+2009 | THIN SPACE | 1/5 em (or sometimes 1/6 em) |
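
The login name and password rules above can be checked before users are entered in the console, for example when reviewing a list of accounts to create. The following is an added example, not BMC code, and all function and constant names are hypothetical. It assumes that the double quote at the start of the punctuation list is itself a forbidden character, that "special character" means anything that is neither alphanumeric nor whitespace, and that the comparison with the login and email ignores case.

```python
from collections import defaultdict

# Forbidden punctuation, read from the page's list: "+,:;<=>?[]|
FORBIDDEN_PUNCT = set('"+,:;<=>?[]|')
# Control-character rows of the page's first table: U+0000-U+001F, U+007F-U+00A0.
FORBIDDEN_RANGES = ((0x00, 0x1F), (0x7F, 0xA0))
# Space and zero-width characters from the page's second table.
FORBIDDEN_SPACES = {0x1680, 0x180E, 0x2000, 0x2001, 0x2002, 0x2003, 0x2004,
                    0x2005, 0x2006, 0x2007, 0x2008, 0x2009, 0x200A, 0x200B,
                    0x202F, 0x205F, 0x3000, 0xFEFF}


def login_name_errors(name):
    """Return the login-name rules a candidate name violates (empty = valid)."""
    errors = []
    if not 1 <= len(name) <= 255:
        errors.append("length must be between 1 and 255 characters")
    for ch in sorted(set(name)):
        cp = ord(ch)
        if ch in FORBIDDEN_PUNCT:
            errors.append(f"forbidden character {ch!r}")
        elif cp in FORBIDDEN_SPACES or any(lo <= cp <= hi for lo, hi in FORBIDDEN_RANGES):
            errors.append(f"forbidden code point U+{cp:04X}")
    return errors


def case_collisions(names):
    """Group names that are the same login once case is ignored."""
    groups = defaultdict(list)
    for name in names:
        groups[name.casefold()].append(name)
    return [g for g in groups.values() if len(g) > 1]


def password_errors(password, login, email=""):
    """Return the password rules a candidate password violates (empty = valid)."""
    errors = []
    if not 8 <= len(password) <= 128:
        errors.append("length must be between 8 and 128 characters")
    if password != password.strip(" "):
        errors.append("space as first or last character")
    if password.casefold() in {v.casefold() for v in (login, email) if v}:
        errors.append("same as login or email")
    # Assumption: "special" means neither alphanumeric nor whitespace.
    classes = {"uppercase letter": str.isupper, "lowercase letter": str.islower,
               "digit": str.isdigit,
               "special character": lambda c: not (c.isalnum() or c.isspace())}
    errors += [f"missing {k}" for k, t in classes.items() if not any(map(t, password))]
    return errors
```

Invisible characters such as U+200B are the useful case here: a name containing one looks identical to an existing login in a spreadsheet or ticket, so checking by code point catches what a visual review misses.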

To change a local user's password 

  1. Log in to the BMC Helix SSO Admin Console.
  2. Select Local User > Users.

  3. From the Realm list, select a realm.

  4. Locate the user, and in the Action column, click Change Password.
  5. In the New Password field, enter the new password, and in the Confirm Password field, enter the password again.
  6. Click Change Password.
    All local users' sessions are removed after the password change.

To enable the lockout functionality for local users

Local user account lockout is configurable per tenant. This functionality is not available in the chaining mode.

  1. Log in to the BMC Helix SSO Admin Console.
  2. Select Local User > Configuration.
  3. In Lockout threshold, select the number of unsuccessful login attempts after which the local user's account is locked.

    Important

    To disable the account lockout functionality, select 0.

    For example, if you select 3, the local user will be locked after the third attempt to log in with an incorrect user name or password.
    For fresh installation and newly created tenants on the upgraded environment, the default lockout threshold is 5. For upgrade, the default value is 0.
    The number of unsuccessful login attempts is calculated within 1 min.

  4. In Lockout interval, select the duration for which the local user account is locked.
    The default lockout interval is 30 min.

To unlock a locked local user account

  1. Log in to the BMC Helix SSO Admin Console.
  2. Select Local User > Users.
  3. Click the lock icon.

A locked local user account can also be unlocked in the following ways:

  • The system unlocks the local user account automatically within 10 min after the lockout interval expires.
  • Local users unlock themselves when providing correct credentials after the lockout interval expires.

The cross and lock icons are shown when a local user is locked.

The following screenshot shows the local user's login page after the user has provided correct credentials, but the account has been locked:

To force a local user to reset password

For security reasons, the BMC Helix SSO administrator can force users to reset their password when they successfully log in to a BMC application integrated with BMC Helix SSO. Users must enter a new password that is not the same as the previous one. After the user resets the password, the Force user to reset password check box is cleared.

  1. Log in to the BMC Helix SSO Admin Console.
  2. Select Local User > Users.
  3. From the Realm list, select a realm.
  4. Locate the user, and in the Action column, click Edit User.
  5. Select the Force user to reset password check box.
    You can also select this check box while adding a local user.
  6. Click Save.
  7. (Optional) To force several users to reset password, repeat steps 3-6.

The following screenshot shows the local user's login page after forced password reset:


To search for a local user

  1. Log in to the BMC Helix SSO Admin Console.
  2. Select Local User > Users.

  3. In the Users tab search field, enter the search criteria by using the following format:
    text=<searchText/*> AND enabled=<true/false/*>

  4. Click Enter.

The following table describes how to use the search criteria:

Search criteria: text=<searchText/*>

Use text= to enter a string to search for in the value of one of the following fields:

  • User Name
  • Login Name
  • Description

To search for all users that have a partial value in one of the User Name, Login Name, or Description fields, enclose the partial search value in %.

You can use an asterisk as a wildcard to return all users.

Examples:

  • text=BMC returns users with the exact value of "BMC" in one of the 3 fields.
  • text=%BMC% returns users with "BMC" as a partial value, such as "BMCadmin" as User Name.
  • text=* AND enabled=true returns all enabled users.

Search criteria: enabled=<true/false/*>

Use enabled= to search on the users' enabled state.

You can use an asterisk as a wildcard to return users in any enabled state.

Examples:

  • enabled=false returns disabled users.
  • text=* AND enabled=* returns all users (enabled and disabled).
  • text=BMC AND enabled=true returns all enabled users with the exact value of "BMC" in one of the 3 fields.

To add a group to a realm

  1. Log in to the BMC Helix SSO Admin Console.
  2. Select Local User > Groups.
  3. From the Realm list, select a realm.
  4. Click Add Group, and complete the following fields:

    | Field | Description |
    | --- | --- |
    | Group Name | Enter the group name. You cannot modify the group name after it is created. |
    | Description | Enter a description for the group name. |
  5. In the Action column, click Save.

To add or remove local users from a group

  1. Log in to the BMC Helix SSO Admin Console.
  2. Select Local User > Groups.
  3. From the Realm list, select a realm.
  4. Locate the group and, in the Action column, click Assign/Remove User(s).
  5. Use the appropriate procedure to assign or remove users to or from the group.
    • To assign users to a group
      • In the Available users column, select one or more users and click Assign to move the users to the Assigned users column.
      • To assign all users in the list, in the Available users column, select the top check box and click Assign to move the users to the Assigned users column.
      • Search for users in the Search field of the Available users column, select them, and click Assign to move them to the Assigned users column.
    • To remove users from a group
      • In the Assigned users column, select one or more users and click Remove to move the users to the Available users column.
      • To remove all users in the list, select the top check box in the Assigned users column, and click Remove to move the users to the Available users column.
      • Search for users in the Search field of the Assigned users column, select them, and click Remove to move them to the Available users column.
  6. Click Done.
