BMC Helix Single Sign-On provides preauthentication mechanism to allow end users to access applications if they have already been authenticated by another authentication provider. 

To be able to use the preauthentication method, the following preconditions must be met:

  • A third-party authentication provider must issue a JSON Web Token (JWT) as a result of authentication
  • The JWT which contains the user principals must be signed.

To use preauthentication, as the BMC Helix SSO administrator, you must first configure an appropriate realm for the preauthentication type. You must then specify the JWT attributes and the certificate that will be used to validate the authentication server signature under the user principals.

Preauthentication flow

The following table provides the preauthentication login flow:


An end user passes authentication against a third-party authentication server, and gets the JWT representing the authenticated person and signed by the authentication server.


The BMC Helix SSO agent deployed on the application side forwards the unauthenticated request to the BMC Helix SSO server and passes the JWT value in the rsso_preauth parameter in the HTTP request.


The BMC Helix SSO server verifies that the JWT has been issued by the trusted server and is valid, and then extracts the user name by using the configured JWT attribute.


BMC Helix SSO proceeds with the standard authentication flow. It authenticates the user, creates the session, sets the authentication cookie, and redirects the request to the original application.

Was this page helpful? Yes No Submitting... Thank you