×
 
 
  •  
$helper.renderConfluenceMacro('{bmc-global-announcement:$space.key}')
BMC Helix Subscriber Information ... Getting started BMC Helix services lifecycle Technical services

Authentication options

Your BMC Helix service entitles you to use the BMC Helix Single Sign-On (BMC Helix SSO) application. BMC Helix SSO is provisioned by default with your service. For BMC Helix SSO product-specific documentation, see BMC Helix Single Sign-On overview Open link .

BMC Helix SSO is an authentication system for a multi software environment that enables users to present credentials for authentication only once. After BMC Helix SSO authenticates the user, the user can gain access to any other configured application with automatic authentication without providing the credentials again.

This section describes the authentication options that are supported by the BMC Helix services and includes the following information:

These options range from the intrinsic, basic authentication of the AR System platform to advanced, single sign-on capability. Authentication options can also be chained, which allows combinations of these approaches to match your specific requirements.

Related topics

Single sign-on authentication methods Open link

Configuring SAML 2.0 authentication Open link

Configuring LDAP authentication Open link

Reauthentication Open link

OpenID Connect authentication Open link

Summary of options

The following authentication options are available for BMC Helix services:

  • Federated authentication - BMC supports OpenID Connect 1.0 and SAML 2.0 authentication for all products. BMC SaaS Operations can assist in the configuration of OpenID Connect 1.0 or SAML 2.0 based on your request. See Authentication integration for details.
  • Standard AR authentication (BMC Helix ITSM and Digital Workplace services only) - the customer may configure users to use in-app authentication by configuring login IDs and passwords for each user. Specific user permissions may be required for different products. This method is not recommended for an enterprise deployment although it is used prior to the setup of a permanent authentication implementation.

  • LDAP pass-through authentication - this method uses common LDAP pass-through for all products. Multiple LDAP sources can be configured in the system if needed. Configuration of the LDAP pass-through authentication is usually covered by your onboarding team under a separate statement of work. 

    Important

    • BMC's preferred method of authentication is the federated authentication option via OpenID Connect 1.0. This option aligns with typical SaaS-based authentication mechanisms seen in the industry.
    • Kerberos is not supported for BMC Helix services.

    • BMC Helix Single Sign-On acts as an authentication broker and relies on the Identity Provider on customers side, and offers not only two-factor and multi-factor authentication but also device-based conditional access, time-based conditional access, etc.

    • If your application is integrated with the BMC Helix SSO server that is configured to use the OpenID Connect protocol to authenticate users accessing an application, then for the end users to pass the authentication flow, multi-factor authentication must be enabled and configured on the OpenID Connect Identity Provider.

Was this page helpful? Yes No Submitting... Thank you
Last modified by Dhanya Menon on Jul 21, 2023
authentication saml access_control bmc_atrium_core single_sign_on ldap federated_authentication rsso

Comments

  1. Robert Page

    The Double Authentication link seems to be broken

    May 26, 2020 10:57
  2. Lorenzo Lissoni

    Also Configuring Remedy SSO for authenticating users with LDAP is broken

    Jun 17, 2020 03:42
  3. Martha Mulvaney

    All links updated

    Jun 21, 2020 11:36
  4. Howard Robinson

    I think the statement on MFA is misleading and it creates the impression that MFA cannot function with Helix. To suggest something is "not supported" is to suggest that it is something you should not consider implementing. I've had someone comment to me that they believed that MFA will not work with Helix due to this statement.

    This is the wording on the same subject from the SSO docs page which is a lot clearer on how this works. We should consider rewording to something like the below..........

    "Multi-factor authentication is not implemented on the BMC Helix SSO side. BMC Helix SSO only supports scenarios where the Identity Provider that is configured in BMC Helix SSO for authentication has configured multi-factor authentication.

    For example, if your application is integrated with the BMC Helix SSO server that is configured to use the SAML protocol to authenticate users accessing an application, then for the end users to pass the authentication flow, multi-factor authentication must be enabled and configured on the SAML Identity Provider."

    Feb 24, 2023 07:41
    1. Dhanya Menon

      Thank you for the suggestion, Howard! I have made the changes as suggested.

      Regards,

      Dhanya

      Mar 30, 2023 03:02
      1. Andrii Deinega

        Howard, this is all correct. Speaking broadly, external IDPs can do way more things than 2FA/MFA, for example, use authentication/authorization policies such as

        1. a user is allowed to be logged in between 9 AM and 5 PM
        2. a user can be only logged in using "approved" or "pre-approved" devices

        and so forth.

        Dhanya, I suggest reflecting on this, and replacing SAML with OpenID Connect.

        If your application is integrated with the BMC Helix SSO server that is configured to use the OpenID Connect protocol to authenticate users accessing an application, then for the end users to pass the authentication flow, multi-factor authentication must be enabled and configured on the OpenID Connect Identity Provider."

        and omit "for example."

        Jun 28, 2023 12:26
        1. Dhanya Menon

          Hello Andrii,

          Thank you for the suggestions. I have updated this topic.

          Regards,

          Dhanya

          Aug 04, 2023 05:49
  5. Chris Hughes

    Good point Howard!

    Feb 24, 2023 10:24

Log in or register to comment.

Technical services
Federated authentication
© Copyright 2018 - 2023 BMC Software, Inc.
Legal notices

Powered by Atlassian Confluence and Scroll Viewport

© Copyright 2005-2023 BMC Software, Inc. Use of this site signifies your acceptance of BMC’s Terms of Use . BMC, the BMC logo, and other BMC marks are assets of BMC Software, Inc. These trademarks are registered and may be registered in the U.S. and in other countries.