×
 
 
  •  
$helper.renderConfluenceMacro('{bmc-global-announcement:$space.key}')

 

This documentation supports the 20.08 version of Remedy Single Sign-On, which is available only to BMC Helix subscribers (SaaS).

To view an earlier version, select the version from the Product version menu.
Remedy Single Sign-On 20.08 ... Administering Setting up end user authentication Configuring authentication Configuring SAML 2.0 authentication

Importing configuration from an identity provider and configuring SAML

After you have configured the advanced options for SAML authentication, import the identity provider (IdP) metadata and configure the SAML authentication for a realm on your Remedy Single Sign-On server.

Related topic

Configuring SAML 2.0 authentication

Video about configuring SAML

Watch this video (3:53) on how to configure SAML in the Remedy SSO Admin Console.

https://www.youtube.com/watch?v=UATasTrfliU?rel=0



Before you begin

  • Create a realm for SAML authentication, and configure the general details for the realm. For more information, see Configuring general settings for a realm.
  • Obtain the following information from the IdP administrator:
    • Import from URL or SAML metadata file imported from the IdP
    • IdP entity ID  
    • IdP login URL


To configure SAML authentication

  1. In the left navigation panel of the Add Realm or Edit Realm page, click Authentication.

  2. In the Authentication Type field, select SAML.

  3. Configure the SAML fields as required:
 FieldDescription
Identity Provider
Import

Option to import the SAML metadata. Perform one of the following actions:

  • Select Import from URL, and type the URL where the IdP SAML configuration is stored.
  • Select Import from file, and upload the SAML configuration file from a local folder on your computer.

After you import SAML metadata, most of the fields on the Authentication page get populated with imported values. 

Federation metadata URL

URL of the IdP federation metadata.

Use this URL to enable automatic rollover — Automatic certificate update on the Remedy SSO server after this certificate is updated on the SAML IdP side. Such rollovers are more frequent if you use Azure Active Directory as an identity provider. 

If the IdP federation metadata URL is not specified, an administrator must renew the signing certificate manually.

IdP Entity ID

Identity provider entity ID obtained from an external identity provider, such as Active Directory Federation Services (AD FS) or Okta.

Example: http://adfs.local/adfs/services/trust

Login URL

Login URL obtained from an external IdP such as AD FS or Okta.

Example: https://adfs.local/adfs/ls

Logout URL

URL provided by the IdP to which the user is redirected for service provider (SP) initiated logout.

If you do not provide any value for this parameter, the value specified in the Login URL field is used both for both login and logout.

Logout Response URL

URL provided by the IdP to which the user is redirected for IdP initiated logout.

HTTP Binding Type

HTTP binding for the SP initiated logout URL.

IdP Signing Certificate

Signing certificate that Remedy SSO uses to sign requests that are sent to the IdP.

(Optional) User ID AttributeUsed to retrieve the user ID from the specified attribute in the SAML response. If a value is not specified, the NameID is used as the user ID. The value of this field depends on the SAML IdP configuration.
NameID Format

Name identifier formats supported by a SP. SPs use name identifiers to pass information about users.

In this field, enter the NameID Format values. The first value in the list has the highest priority in determining the Name ID format to use.

If a user does not specify a Name ID when initiating single sign-on, the first value specified in the NameID Format list is chosen and supported by the remote IdP.

Note: For linking user accounts from the SP and the remote IdP together, after an end user logs in to the integrated BMC application through the SAML IdP, the persistent NameID format must be at the top of the list.

For more information about Name Format Identifiers, see paragraph 8.2 in Authentication Context for the OASIS Security Assertion Markup Language (SAML) V2.0 Open link .

Auth Issuer

Issuer details that are used by the SAML authentication request XML to inform the IdP about the entity ID of the service provider for this request.

If the value is not specified, by default, the service provider entity ID of the current realm will be used as Issuer in SAML authentication request.

Auth Context Compare

Options (exact, minimum, maximum, better) available for the Auth Context Compare.

For more information about Auth Context Compare options, see Authentication Context for the OASIS Security Assertion Markup Language (SAML) V2.0 Open link .

Auth Context

Authentication context that maps the SAML 2.0-defined authentication context classes to the authentication level that is set for the user session for the SP.

Auth Issuer

Issuer details that are used by the SAML authentication request XML to inform the IdP about the entity ID of the SP for this request.

If the value is not specified, by default, the entity ID of the current realm is used as an Issuer in SAML authentication request.

Assertion Time Skew

Time offset between Remedy SSO and the IdP. The value must be specified in minutes.

Assertion Time Format

Time format used by assertions and depends on the defined patterns. For more information, see Patterns for Formatting and Parsing Open link .

Example:

yyyy-MM-dd'T'HH:mm:ss.SSSXXX

Sign Request

Option to indicate whether the IdP requires the authentication request to be signed.

To sign the SAML metadata, select this check box. Additionally, on the General > Advanced tab, specify the Signing Key Alias.

Force AuthenticationOption to enforce authentication.
Enable Single LogoutOption to delete the SAML IdP session on application logout. If an end user logs out from the application, the user will be logged out from SAML IdP as well. 
Sign Metadata

Option to indicate whether the identity provider requires SAML metadata to be signed.

You might need to sign the SAML metadata to ensure that the security policies of your organization are followed. When you configure a realm for SAML signing metadata, the Remedy SSO server gets the certificate and private key from the keystore's alias, and signs the metadata with it.

Signing Algorithm

Note

You can select the signing algorithm only if you select the Sign Request checkbox, the Sign Metadata checkbox or both.

Select one of the following signing algorithms containing a hash type function and key type:

  • SHA1withRSA 
  • SHA256withRSA

Select an algorithm supported by your IdP.

Service Provider
View Metadata

Remedy SSO metadata that is configured in the SP Metadata Template field. If any required parameter is missing, the system shows an error message for that parameter.

Template
Authentication Request Template

Template used for a SAML authentication request.

You can select Default or Custom and edit the template, if required. After Remedy SSO upgrade, the authentication request template is not updated. To be able to use the new functionality after upgrade, you must manually edit and update the template in the realm settings.

SP Metadata Template

SP metadata template. 

You can select Default or Custom and edit the template, if required. After Remedy SSO upgrade, the SP metadata template is not updated. To be able to use the new functionality after upgrade, you must manually update the metadata template. For more information about updating the metadata template after upgrading, see Upgrading.

Bypass for reauth requestsSetting to indicate that SAML must not be used for reauthentication requests in an authentication chain.
RSSO settings
Use SessionNotOnOrAfter parameter for session time

Option to define where the maximum time of an end user authentication session is configured.

By default, the maximum session time is specified by the value set in the Max Session Time field, configured in the General > Basic tab in the Remedy SSO Admin Console.

If the SessionNotOnOrAfter value configured on the IdP side is less than the value specified in the Max Session Time field on the Remedy SSO server, the maximum session time will be defined by the value configured on the IdP.

Xpath 1.0 for group retrieval

A field for entering an XPath query for extracting user groups from the SAML assertion.

Example:
//*[local-name()='AttributeStatement']/*[local-name()='Attribute'][@Name='()='AttributeValue']

The information about the user groups is stored in the authentication session attributes, and is retrieved from the response of the /token/groups REST API endpoint.

Notes:

  • Make sure the XPath you specified is valid.
    If you enter an incorrect XPath, end users will be able to log in to applications protected by SAML but Remedy SSO will not be able to retrieve user groups from the SAML response. If you do not specify anything in this filed, no groups will be retrieved.
  • This option can be used only for IdP providers that allow retrieving user groups.

4. Click Save.

To obtain the Federation metadata address URL

After you have configured a realm for SAML authentication, you must obtain the link of the SAML metadata file.  

  1. In the left navigation panel of the Edit Realm page, click Authentication.
  2. Click View Metadata.
    The metadata file opens in the browser.
  3. Copy the URL displayed in the browser window, and save it to a text editor.  
    The URL might look as follows: https://hostname:port/rsso/getmetadata.jsp?tenantName=saml
    You will need this URL when you configure the IdP for SAML authentication.  

Where to go from here

Configuring Active Directory Federation Services as a SAML identity provider

Was this page helpful? Yes No Submitting... Thank you
Last modified by Priya Shetye on Sep 11, 2023
task administering videos reference saml idp

Comments

Log in or register to comment.

Configuring advanced functions for SAML authentication
Configuring Active Directory Federation Services as a SAML identity provider
© Copyright 2005-2007, 2009-2020 BMC Software, Inc.
© Copyright 2005-2007, 2009-2020 BladeLogic, Inc.
Legal notices

Powered by Atlassian Confluence and Scroll Viewport

© Copyright 2005-2024 BMC Software, Inc. Use of this site signifies your acceptance of BMC’s Terms of Use . BMC, the BMC logo, and other BMC marks are assets of BMC Software, Inc. These trademarks are registered and may be registered in the U.S. and in other countries.