This documentation supports the 20.08 version of Remedy Single Sign-On, which is available only to BMC Helix subscribers (SaaS).

To view an earlier version, select the version from the Product version menu.

Configuring Active Directory Federation Services as a SAML identity provider

After you configure Remedy SSO as a service provider and Active Data Federation Services (AD FS) as the remote identity provider (IdP) in Remedy SSO Admin Console, configure SAML for AD FS.

Before you begin

Task 1: To import service provider certificates to the AD FS identity provider

  1. To export the SSL certificate of the Tomcat on which Remedy SSO is deployed, perform the following steps:

    1. Open Remedy SSO URL, and click the padlock symbol in the address line of the browser.

    2. In the Certificate window, click the Details tab.

    3. Click Copy to File.

    4. In the Certificate Export Wizard, click Next.

    5. Select "DER encoded binary X.509 (.CER)", and click Next.

    6. Provide a name for the file and include the path in the file name.


      The Common Name (CN) attribute of this certificate must be the same as the FQDN of Remedy SSO server.

  2. To import certificates to the AD FS server, perform the following steps:

    1. From the Run dialog box, type mmc to open Microsoft Management Console (mmc).
    2. Open the File menu and click Add/Remove Snap-in.
    3. From the list of available snap-ins, select Certificates, and click Add.
      The Certificates snap-in dialog box is displayed.
    4. Select My User Account, and click Finish and OK.
    5. From the explorer panel, select Personal > Certificates.
    6. On the Action menu, point to All Tasks, and then click Import to start the Certificate Import Wizard.
    7. Follow the wizard steps and import the following certificates:
      • SSL certificate of the Tomcat on which Remedy SSO is deployed
      • (Optional) If required, the service provider certificate signed by Remedy SSO.

Task 2: To configure a relying party trust

Remedy SSO is the relying party which depends on the IdP to check the claims of the user. In this case, AD FS is the IdP.

  1. On the AD FS server, open the AD FS 2.0 Management application.
  2. On the Trust Relationships tab, select Relying Party Trusts and right-click it.

  3. Select Add Relying Party Trust Wizard.
  4. Click Start.
  5. Select Import data about the relying party published online or on a local network radio button.


    If AD FS and Remedy SSO servers cannot connect via SSL because of some specific network settings, you might see a warning. This error message might be normal and you can ignore it. In this case, you can import the service provider metadata XML to the AD FS in the offline mode.

    If you are unable to proceed with the configuration, the certificates were not exchanged correctly. Contact the Remedy SSO administrator for more information.

  6. In the Federation metadata address field, enter the link copied from the Remedy SSO Admin Console (click View Metadata and copy the URL).

  7. Click Next.
  8. In the Display Name field, type any value, for example rsso-sp, and then click Next.

  9. On the Choose Issuance Authorization Rules step, click Permit all users to access this relying party, and click Next.
  10. Do not change the default selections, and click Next.
  11. Clear the Open the Claims when this finishes check box.
  12. Click Close.

After you close the Add Relying Party Trust Wizard window, rsso-sp appears in the Relying Party Trusts list.

Task 3: To configure the claim rules for the relying party

  1. From AD FS 2.0, select rsso-sp, and click Edit Claim Rules from the Actions menu.
  2. To add a claim rule, click Add Rule.
    1. Select the Send Claims Using Custom Rule claim-rule template.
    2. Enter the Send Claims Using UPN claim-rule name. Use the following script:

      c:[Type == ""]
           => issue(
      Type = "",
      Issuer = c.Issuer,
      OriginalIssuer = c.OriginalIssuer, 
      Value = c.Value, 
      ValueType = c.ValueType,
      Properties[""] = 
      Properties[""] = 
      Properties[""] = 
    3. To support SAML groups retrieving, add one more claim rule to the Relying Party Trust. Use the following script:

      c:[Type == "", Issuer == "AD AUTHORITY"]
       => issue(
      store = "Active Directory", 
      types = (""), 
      query = ";tokenGroups;{0}", 
      param = c.Value);


Task 4: To import AD FS certificates to Remedy SSO

  1. To export the AD FS certificates as files, perform the following steps:
    1. Open the AD FS 2.0 Management console.
    2. From the explorer panel, navigate to Service > Certificates.
    3. Double-click the certificate name.
    4. Double-click the Details tab.
    5. Click Copy to File and then click Next.
    6. Select Do not export the private key and then click Next.
    7. Select DER and then select the file to save it.
    8. Click Finish.
    9. Perform steps c-h for all the other certificates.
  2. To import the AD FS certificates into Remedy SSO *.jks file with the third-party tool KeyStore Explorer (, perform the following steps:
    1. Open the truststore file by using the KeyStore Explorer.
    2. Select Tools and click Import Trusted Certificate.
    3. Select the file and import it.
  3. Restart the Remedy SSO server.

Demonstration videos

Watch these videos to understand how to configure AD FS as a SAML IdP provider.


The following videos show an older version of Remedy SSO. The previous product name was Remedy SSO. Although there might be minor changes in the user interface, the overall functionality remains the same

Was this page helpful? Yes No Submitting... Thank you