Authentication options
Your BMC Helix service entitles you to use the BMC Helix Single Sign-On (BMC Helix SSO) application. BMC Helix SSO is provisioned by default with your service. For BMC Helix SSO product-specific documentation, see BMC Helix Single Sign-On overview.
BMC Helix SSO is an authentication system for multi-software environments that enables users to present credentials for authentication only once. After BMC Helix SSO authenticates the user, the user can access any other configured application through automatic authentication, without providing the credentials again.
This section describes the authentication options that are supported by the BMC Helix services.
These options range from the intrinsic, basic authentication of the AR System platform to advanced, single sign-on capability. Authentication options can also be chained, which allows combinations of these approaches to match your specific requirements.
Summary of options
The following authentication options are available for BMC Helix services:
- Federated authentication - BMC supports OpenID Connect 1.0 and SAML 2.0 authentication for all products. BMC SaaS Operations can assist in the configuration of OpenID Connect 1.0 or SAML 2.0 based on your request. See Authentication integration for details.
- Standard AR authentication (BMC Helix ITSM and Digital Workplace services only) - The customer may configure users to use in-app authentication by configuring a login ID and password for each user. Specific user permissions may be required for different products. This method is not recommended for an enterprise deployment, although it is used prior to the setup of a permanent authentication implementation.
- LDAP pass-through authentication - This method uses common LDAP pass-through for all products. Multiple LDAP sources can be configured in the system if needed. Configuration of the LDAP pass-through authentication is usually covered by your onboarding team under a separate statement of work.
Important
- BMC's preferred method of authentication is the federated authentication option via OpenID Connect 1.0. This option aligns with typical SaaS-based authentication mechanisms seen in the industry.
- Kerberos is not supported for BMC Helix services.
BMC Helix Single Sign-On acts as an authentication broker and relies on the Identity Provider on the customer's side, which offers not only two-factor and multi-factor authentication but also device-based conditional access, time-based conditional access, and so on.
If your application is integrated with a BMC Helix SSO server that is configured to use the OpenID Connect protocol to authenticate users accessing an application, multi-factor authentication must be enabled and configured on the OpenID Connect Identity Provider for end users to pass the authentication flow.
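Because the second factor is enforced entirely at the Identity Provider, it is worth confirming that the ID tokens your IdP issues actually record an MFA login. The following is an added example, not BMC code or part of BMC Helix SSO: it assumes your IdP emits the optional OpenID Connect `amr` (RFC 8176 values) and `auth_time` claims, and the function name `mfa_findings` and the sample claim sets are hypothetical.

```python
import time

# RFC 8176 "amr" values grouped by factor type (subset; extend for your IdP).
FACTOR_OF = {
    "pwd": "knowledge", "pin": "knowledge", "kba": "knowledge",
    "otp": "possession", "sms": "possession", "tel": "possession",
    "hwk": "possession", "swk": "possession", "sc": "possession",
    "fpt": "inherence", "face": "inherence", "iris": "inherence",
    "retina": "inherence", "vbm": "inherence",
}

def mfa_findings(claims, max_age_s=3600, now=None):
    """Return the reasons the claims do NOT show a recent MFA login.

    `claims` must come from an ID token whose signature, issuer and
    audience were already validated by your OIDC library.
    """
    now = time.time() if now is None else now
    findings = []
    amr = claims.get("amr")
    if not isinstance(amr, list) or not amr:
        findings.append("no amr claim: IdP does not report authentication methods")
    else:
        # Two methods of the same type (e.g. pwd + pin) are still one factor.
        factors = {FACTOR_OF[m] for m in amr if m in FACTOR_OF}
        if "mfa" not in amr and len(factors) < 2:
            findings.append(f"single factor only: amr={amr}")
    auth_time = claims.get("auth_time")
    if not isinstance(auth_time, (int, float)):
        findings.append("no auth_time claim: cannot bound authentication age")
    elif now - auth_time > max_age_s:
        findings.append("authentication older than max_age_s")
    return findings

# Constructed sample claim sets (not real tokens).
NOW = 1_700_000_000
PWD_ONLY = {"sub": "u1", "amr": ["pwd"], "auth_time": NOW - 60}
PWD_PIN = {"sub": "u1", "amr": ["pwd", "pin"], "auth_time": NOW - 60}
PWD_OTP = {"sub": "u1", "amr": ["pwd", "otp"], "auth_time": NOW - 60}
STALE_MFA = {"sub": "u1", "amr": ["mfa"], "auth_time": NOW - 7200}

if __name__ == "__main__":
    samples = [("pwd_only", PWD_ONLY), ("pwd_pin", PWD_PIN),
               ("pwd_otp", PWD_OTP), ("stale_mfa", STALE_MFA)]
    for name, sample in samples:
        print(name, mfa_findings(sample, now=NOW) or "ok")
```

An empty result means the claims show at least two factor types (or an explicit `mfa` value) and a recent `auth_time`; any finding points at the IdP policy, since nothing downstream of the IdP adds a second factor.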
Comments
The Double Authentication link seems to be broken
Also Configuring Remedy SSO for authenticating users with LDAP is broken
All links updated
I think the statement on MFA is misleading and it creates the impression that MFA cannot function with Helix. To suggest something is "not supported" is to suggest that it is something you should not consider implementing. I've had someone comment to me that they believed that MFA will not work with Helix due to this statement.
This is the wording on the same subject from the SSO docs page which is a lot clearer on how this works. We should consider rewording to something like the below...
"Multi-factor authentication is not implemented on the BMC Helix SSO side. BMC Helix SSO only supports scenarios where the Identity Provider that is configured in BMC Helix SSO for authentication has configured multi-factor authentication.
For example, if your application is integrated with the BMC Helix SSO server that is configured to use the SAML protocol to authenticate users accessing an application, then for the end users to pass the authentication flow, multi-factor authentication must be enabled and configured on the SAML Identity Provider."
Thank you for the suggestion, Howard! I have made the changes as suggested.
Regards,
Dhanya
Howard, this is all correct. Speaking broadly, external IDPs can do way more things than 2FA/MFA, for example, use authentication/authorization policies such as
and so forth.
Dhanya, I suggest reflecting on this, and replacing SAML with OpenID Connect.
"If your application is integrated with the BMC Helix SSO server that is configured to use the OpenID Connect protocol to authenticate users accessing an application, then for the end users to pass the authentication flow, multi-factor authentication must be enabled and configured on the OpenID Connect Identity Provider."
and omit "for example."
Hello Andrii,
Thank you for the suggestions. I have updated this topic.
Regards,
Dhanya
Good point Howard!