Configuring the Remedy SSO agent

Identifies a BMC application integrated with Remedy SSO. You can specify any text value or an application URL for this property. If you have Remedy SSO deployed in high-availability mode, you must specify the same value as agent-id on all nodes in the cluster. However, you must not use the same value for integration with other applications because the agent identifier must be unique per integration with other applications. 

Example

# agent-id=http://midtier-hostname/arsys

Disables the Remedy SSO agent if the parameter is set to true. In this case, requests are not processed by Remedy SSO.

Example

# skip-filter=false

Note: 

If RSSOAuthenticator in Mid Tier is used, perform the following steps to disable the Remedy SSO agent:

1. From the <MT>/WEB-INF/classes directory, open the config.properties file.
2. Set the following value for the arsystem.authenticator parameter:

arsystem.authenticator=com.remedy.arsys.session.DefaultAuthenticator

If you have Remedy SSO and an integrated BMC application deployed on different domains, you must configure the Remedy SSO agent to support this deployment use case. For more information about this use case, see Deployment scenarios.

Set the multi-domain-support property to true, and then configure the values for auth-client-id and oauth-client-secret properties. For more information about how to configure multi-domain support, see Configuring Remedy SSO for applications hosted on different domains.

Example

# multi-domain-support=true
# oauth-client-id=
# oauth-client-secret=

Note: This property is applicable only when multi-domain support is enabled.

If this property is set to true, the time difference between the Remedy SSO agent and the Remedy SSO server is ignored. This property, set in seconds, specifies the time offset between the Remedy SSO server and the Remedy SSO agent. For example, if the Remedy SSO agent receives a token from the Remedy SSO server, and the token issue time according to the time set on the Remedy SSO agent is future, the Remedy SSO agent accepts the token without any errors.

By default, token-timeout-synchronization is 10 seconds.

Example

# token-timeout-synchronization=10

Enables the Remedy SSO agent to expect JSON Web Token (JWT) in the authentication flow. Depending on how the integrated BMC application sends a JWT to Remedy SSO, configure the Remedy SSO agent to expect JWT by HTTP GET or POST method. By default, the GET method is configured.

Example

# preauth-type=get

For more information about the preauthentication authentication type, see Preauthentication.

action-path-mask

Enables end users to change their passwords by accessing the Action Request System  server from Remedy SSO. The following setting is enabled by default in the rsso-agent.properties configuration file:

# action-path-mask=/_rsso

For more information about how to use this option, see Configuring the Remedy SSO agent to enable end users to change their passwords.

msp-deployment

If this property is set to true, the realm entry page for Multi-Service Provider (MSP) deployments is displayed to end users in cases where the Remedy SSO server cannot identify to which realm an end user belongs. To always display the realm entry page for MSP deployments, set the msp-always-show-domain-entry-page property to true.

# msp-deployment=true
# msp-always-show-domain-entry-page=true

Defines a server user-facing (external) URL of the Remedy SSO server. The external URL can be the same or different from the internal URL, but both of these URLs must point to the same server where Remedy SSO is deployed. The external URL is the user-facing RSSO Server URL which may actually be the LB or ingress controller behind which the actual RSSO Server is deployed. This URL must be accessible by the end users

The Remedy SSO agent redirects the browser (user’s request) to sso-external-url after detecting one of the following events: 

• A request needs to be authenticated.
• An application logout is completed (only if the request refers to logout-urls).

To support multiple Remedy SSO web applications, set the value to a comma separated string: each represents an 'application FQDN' mapping, with the format of <application FQDN>:<url>.

Example

# <application FQDN>:https://<server1/rsso>,<application FQDN>:https://<server2/rsso>
sso-external-url=https://yourcompany.com/rsso

Defines a service (internal) URL of the Remedy SSO server. Internal service calls are server-to-server. 

The Remedy SSO agent uses the sso-service-url parameter to call the Remedy SSO web application APIs to perform the following tasks:

• Retrieve configuration details, such as cookie name, cookie domain, and realm-domain mappings.
• Check whether the token cookie from the browser (user's request) is valid
• Register the Remedy SSO server to track other application agents. The tracking helps the agent know the login status of other application agents prior to logging out.

Example

# sso-service-url=http://rsso-lb.yourcompany.internal/rsso

Important: When you configure support of multiple Remedy SSO web applications, set the value to a comma separated string, each representing a domain to the server URL mapping, with the <application FQDN>:<server url> format.

# <application FQDN>:https://<server1/rsso>,<application FQDN>:https://<server2/rsso>
sso-service-url=http://rsso-lb.yourcompany.internal/rsso

For more details about this use case, see Connecting the same Remedy SSO agent to different Remedy SSO servers.

Identifies a BMC application URL that triggers Remedy SSO logout. If the logout link generated by the BMC application matches the logout-urls pattern, the Remedy SSO agent triggers the Remedy SSO logout flow when an end user initiates a logout from this application.

Example

# logout-urls=/shared/loggedout.jsp

Defines which URLs must not go through the Remedy SSO web agent filter.

By default, the following configuration is applied:

# excluded-url-pattern=.*\\.xml|.*\\.gif|.*\\.css|.*\\.ico|/shared/config/.*|/WSDL/.*|/shared/error.jsp

Provides a means to enable or disable the option to check the application context by the Remedy SSO agent filter. To include the application context in excluded-url-pattern, set the context-included flag to true. By default, the following configuration is applied:

# context-included=false

Identifies a URL to which a user must be redirected after Remedy SSO completes a logout flow. Remedy SSO redirects an end user only to the same domain as the application domain after the completion of the logout process. For example, if the application domain is bmc.com, any combination of <URL>.bmc.com is allowed.

Example

# callback-url=http://www.bmc.com

Alternatively, you can add the callback-url query parameter to logout-urls generated by the application:

http://application.bmc.com/arsys/shared/loggedout.jsp?callback-url=http%3A%2F%2Fwww.bmc.com

If you combine callback-url with logout-urls, the callback-url as a query parameter has higher priority than the logout-urls property specified in the rsso-agent.properties file.

If you do not specify both callback-url and After Logout URL for a realm in the Remedy SSO Admin Console, the Remedy SSO server logout page is displayed to end users.

If you specify After logout URL for a realm in the Remedy SSO Admin Console, end users are redirected to the specified URL page.

For more information about After logout URL, see Configuring general settings for a realm.

The Remedy SSO agent answers 401 Unauthorized with hidden auto-post form to the /rsso/start page instead of 302 Redirect, which breaks the compatibility with some products. Therefore, to keep 302 Redirect, the redirect-mode parameter is used.

By default, the value of this property is false and the Remedy SSO agent answers 401 Unauthorized. If this value is true, the Remedy SSO agent switches back to the old-style 302 Redirect behavior.

# redirect-mode=true

Note: If the multi-domain support is enabled, the Remedy SSO agent answers 302 Redirect irrespective of the redirect-mode parameter setting. For more information about how to configure multi-domain support, see Configuring Remedy SSO for applications hosted on different domains.

Defines the time during which the cached session token remains valid without verification by the  Remedy SSO server. Time is indicated in seconds.

Example

# token-status-cache-timeout=180

Enables you to choose between an HTTP session and in-memory cache to store the token data. 

Note: After you enable the in-memory cache, restart the BMC application integrated with Remedy SSO.

Examples

# use-in-memory-cache=false

# use-in-memory-cache=true