24.1 enhancements and patches

Review the BMC Helix SSO 24.1 enhancements and patches for features that will benefit your organization and to understand changes that might impact your users.

| Version | SaaS | On premises | Fixed issues | Updates and enhancements |
|  |  |  | Known and corrected issues | 24.1.01 |
| 24.1.00 | ✓ | ✓ | Known and corrected issues | 24.1 |

For a list of recent updates and enhancements across multiple versions, see Release notes and notices.

BMC applies upgrades as described in the BMC Helix Upgrade policy. BMC applies upgrades and patches during Maintenance windows.


Access to view custom templates for users with read-only permissions

Administrator users with read-only permissions now have access to custom templates defined for SAML-based authentication.


BMC Helix SSO agent sends 401 responses with a special header for unauthenticated JavaScript client requests

The BMC Helix SSO agent distinguishes between JavaScript requests and requests from the user application forms. When a session timeout occurs, the BMC Helix SSO agent responds to the JavaScript client request with a special header and the 401 HTTP code. Application developers can use this header and the response in their applications. This also applies to multi-domain configurations.

For more information about enabling the functionality to respond with the appropriate error code based on the source of the request, see ajax-requests-support.
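One way a browser client can act on this behaviour, as an added example that is not BMC code. The header name is a placeholder because this page does not name it, and `classifySsoResponse`, `createSsoAwareFetch` and the `onSessionExpired` callback are hypothetical names.

```javascript
// PLACEHOLDER header name: this page does not state the real one. Take it from
// the ajax-requests-support documentation before using this code.
const SSO_TIMEOUT_HEADER = "x-placeholder-sso-header";

// Classify a response from an SSO-protected endpoint. Only a 401 that carries
// the agent's header is treated as an expired SSO session; a bare 401 is the
// application's own authorization failure and must not trigger a re-login.
function classifySsoResponse(res) {
  if (res.status === 401 && res.headers.get(SSO_TIMEOUT_HEADER) != null) {
    return "session-expired";
  }
  if (res.status === 401) {
    return "unauthorized";
  }
  return "ok";
}

// Wrap a fetch-like function. When several in-flight calls hit the timeout at
// once, onSessionExpired runs a single time, so the user sees one re-login.
function createSsoAwareFetch(fetchImpl, onSessionExpired) {
  let reloginStarted = false;
  return async function ssoFetch(url, options = {}) {
    // Send cookies so the agent can see the session (needed cross-domain).
    const res = await fetchImpl(url, { credentials: "include", ...options });
    if (classifySsoResponse(res) === "session-expired") {
      if (!reloginStarted) {
        reloginStarted = true;
        // The handler should navigate to the application's own fixed entry
        // point; it is not given any redirect target from the response.
        onSessionExpired();
      }
      const err = new Error("SSO session expired");
      err.code = "SSO_SESSION_EXPIRED";
      throw err; // callers never parse the 401 body as application data
    }
    return res;
  };
}
```

In a page, `createSsoAwareFetch(fetch.bind(window), () => window.location.reload())` would send the user back through the agent's normal login flow once, instead of each failed call handling the 401 on its own.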

Support for launching Auth Proxy authenticated applications in iframes

Applications hosted on different domains and configured to use the same BMC Helix SSO server can be launched in iframes. Requests from Auth Proxy authenticated applications launched in an iframe use OAuth2 multi-domain clients to access the application.

For more information about launching applications from other domains in iframes, see Allowing BMC Helix SSO to open applications in iframes.


Optimize BMC Helix Single Sign-On server configuration

Use the new api/v2.0-beta/validate/config REST API endpoint to validate BMC Helix SSO server configuration or tenant configurations of BMC Helix SSO servers. The API endpoint validates the following BMC Helix Single Sign-On server configurations and provides recommendations where applicable:

  • Secured Cookie is not set
  • Same-site None is not set
  • SAML federation metadata is specified
  • SAML Assertion time skew is not greater than 5 minutes
  • HTTPS URLs are specified in the OpenID Connect IdP
  • LDAPS URLs are specified in the LDAP IdP
  • LDAPS URLs are specified in Admin External Configuration
  • Recommends switching to SAML for OpenID Connect when possible
  • OpenID Connect Issuer is not set
  • OpenID Connect JWK's list is empty
  • The keystore with signing alias is configured when SAML enable signing is enabled
  • The keystore with encryption alias is configured when SAML encrypt is enabled

Immediate logout from all applications when the session quota is exceeded

A session quota limit is set for a realm and applies to users logged in to different applications through the realm. When the session quota limit for a realm is exceeded, BMC Helix SSO logs out users from the exceeded applications by using immediate logout. Exceeded user sessions and related OAuth access tokens are invalidated. Immediate logout, along with the session quota limitation, ensures that user session caching is avoided.

You must enable immediate logout and configure the server and agent with a Redis server for immediate logout to work for the session quota.

For more information about configuring session quota, see Configuring general settings for a realm.

For more information about configuring immediate logout with Redis server configuration, see Configuring BMC Helix SSO to support immediate logout from all applications.
