SAML 2.0 authentication

You can use SAML 2.0 to authenticate users. SAML 2.0 is implemented by forming a Circle of Trust that comprises a Service Provider (SP) and an Identity Provider (IdP).

The SP hosts and protects services that end users access. BMC Helix Single Sign-On is configured as an SP for BMC products. The IdP authenticates users and provides details of the authentication information to the SP.

You can configure SAML 2.0 to support the following authentication flows:

Related topics

Configuring SAML 2.0 authentication

SAML 2.0 standard Open link

SP initiated login flow

The following table provides the SP initiated authentication flow:

1.An end user accesses the protected application from a mobile device or through a web browser.

BMC Helix SSO agent redirects the end user to BMC Helix SSO server.


BMC Helix SSO sends a request to IdP to authenticate the end user.

4.The IdP presents a login page to the end user for authentication.
5.The end user enters valid credentials.
6.The IdP performs user authentication.

The IdP generates an authentication response and sends it back to BMC Helix SSO server.


BMC Helix SSO server processes the authentication response, validates it, and extracts the assertion that carries user data.


BMC Helix SSO creates a session for the user.

10.The end user is able to access the application.

SP initiated logoff flow

When an end user logs out from an application that is integrated with BMC Helix SSO, the end user gets logged out from applications of all service provider sites that have a single sign-on session. To enable the single logout feature, you must configure the SAML 2.0 authentication.

The following table provides the sequence of events that occur for the SP initiated SAML 2.0 single logout.


An end user initiated a logout from an application that is integrated with BMC Helix SSO and that has a single sign-on session.


BMC Helix SSO sends a logout request to the Identity Provider (IdP).


The IdP sends the logout response to BMC Helix SSO.


BMC Helix SSO logs out the user by deleting the application session and authentication cookies.


BMC Helix SSO redirects the browser to a URL specified in the After Logout URL field configured for the realm.

IdP initiated single login flow

In an IdP initiated login, a user gains access to the IdP site first and then clicks on one of the services provided by the remote Service Provider (SP). After the user selects the required service, the IdP initiates the authentication workflow.

IdP initiated login has the following advantages:

  • In an SP initiated login, users need to use different links to gain access to different services provided by a service provider. Hence they might need to bookmark all links. The advantage of using IdP initiated login over SP initiated login is that end users need to use only one link, that is the IdP link, to gain access to any service provided by a service provider. For example, if the IdP is AD FS 2.0, the user might enter the URL to gain access to the IdP site.
  • Users get the same single sign-on experience for gaining access to BMC products and the third-party products as they click the same IdP link to gain access to these products.

The following table provides the sequence of events that occur for the IdP initiated login.

1.An end user enters an IdP link in a browser.
2.A browser sends the request to the IdP.
3.The IdP requests for user credentials if the user does not have an existing local security context.
4.The end user enters the credentials and logs into the IdP server.
5.The IdP creates a local security context for the user and displays a list of services that are offered by the SP.
6.The end user clicks the link of the required service.

The IdP invokes its Single Sign-On service that creates a SAML assertion and places this assertion in the response message of an HTML form.


The IdP sends the HTML form to the browser.


The browser sends the HTML form to the Assertion Consumer Service of BMC Helix SSO server.


The Assertion Consumer Service validates the digital signature on the SAML assertion. After validation, the Assertion Consumer Service extracts the response message from the HTML form to create a local login security context of the user on the BMC Helix SSO server.


The BMC Helix SSO server retrieves the service URL from the HTML form and sends an HTTP redirect response to the browser to access the service.


BMC Helix SSO agent of the service verifies the access check for the user. If the user has the correct authorization, the BMC Helix SSO agent returns the service to the browser.

IdP initiated single logout flow

In the IdP initiated single logout (SLO), if a user logs out from any of the applications belonging to a single login session, the user gets logged out from all applications, BMC and third-party, that belong to the same session. IdP initiated SLO is triggered when the user clicks a logout option from the IdP logout page. 

IdP initiated SLO has the following advantages:

  • End users have the same logout experience for both BMC and third-party products.  To log out from the IdP  and all applications provided by different SPs that share the common single sign-on session, end users click the same link on the IdP site.
  • When end users log out from the IdP, they get logged out from all other logged in applications including BMC Helix SSO. After logging out,  if an end user tries to gain access to any of the applications, the end user is authenticated again.

To enable the SLO feature, ensure that you provide the single logout service information in the SP metadata. For more information about the single logout service, see SAMLv2 authentication process. 

1.An end user clicks the logout link on the IdP logout page.
2.The IdP determines all applications that belong to that session.
3.The IdP builds a digitally signed SAML log out request that represents the security context of the user and places this assertion in an HTML form as an SAML request.

The IdP uses the HTTP redirect binding to send the log out request to all service providers including BMC Helix SSO.


BMC Helix SSO performs the following tasks:

  1. Validates the SAML request.
  2. Verifies that the token is still valid.
  3. Removes the session and destroys the session cookie.
  4. Builds a SAML logout response and uses HTTP redirect to send the response back to IdP.
6.The IdP redirects the client browser to the IdP final logout URL.

Was this page helpful? Yes No Submitting... Thank you