This documentation supports the 20.08 version of Remedy Single Sign-On, which is available only to BMC Helix subscribers (SaaS).

Importing configuration from an identity provider and configuring SAML

After you have configured the advanced options for SAML authentication, you can import SAML IdP metadata and configure the SAML authentication for a realm on your Remedy Single Sign-On server.


Before you begin

  • Create a realm for SAML authentication, and configure the general details for the realm. For more information, see Configuring general settings for a realm.
  • Obtain the following information from the IdP administrator:
    • The SAML IdP metadata URL, or a metadata file exported from the IdP
    • The identity provider entity ID
    • The login URL of the identity provider

To import SAML metadata of the identity provider

  1. Click Import, and select one of the following options to import SAML metadata:
    • Select Import from URL, and type the URL where the IdP SAML configuration is stored.
    • Select Import from file, and upload the SAML configuration file from a local folder on your computer.
  2. Click Import.
    Once you import the SAML metadata, most of the fields on the Authentication page are populated with the imported values:

    Field / Description

    IdP Entity ID
      Identity provider entity ID obtained from an external identity provider, such as Active Directory Federation Services (AD FS) or Okta.
      Examples:
      http://adfs.local/adfs/services/trust
      http://www.okta.com/exk4mi22tbfhiAnIn0h7

    Login URL
      Login URL of the identity provider obtained from an external identity provider, such as AD FS or Okta.
      Examples:
      https://adfs.local/adfs/ls
      https://dev-726770.oktapreview.com/app/bmcdev726770_oktaidp_1/exk4mi22tbfhiAnIn0h7/sso/saml

    Logout URL
      URL provided by the identity provider to which the user is redirected and automatically logged out by the service provider.
      If you do not provide a value in this field, the value in the Login URL field is used for both the login and the logout endpoint.

    Logout Response URL
      URL provided by the identity provider to which the user is redirected for identity provider initiated logout.

    IdP Signing Certificate
      Signing certificate that Remedy SSO uses to sign requests that are sent to the identity provider.

    NameID Format
      Name identifier formats that the service provider supports. Name identifiers are the way providers refer to a user when communicating with each other.
      The NameID format list is ordered, and the first NameID format has the highest priority in determining which format to use. If the user does not specify a NameID format when initiating single sign-on, the first format in this list that the remote identity provider also supports is used.
      A persistent identifier is saved to the user's data store entry as the value of two attributes. A transient identifier is temporary, and no data is written to the user's persistent data store.
      Note: To link user accounts from the service provider and the remote identity provider together after login, the persistent NameID format must be at the top of the list.

    Auth Context Compare
      Options for the authentication context comparison. The options are: exact, minimum, maximum, better.

    Auth Context
      Authentication context that maps the SAMLv2-defined authentication context classes to the authentication level that is set for the user session at the service provider.
  3. Click Save.
    After you have imported the IdP settings, configure the rest of the authentication fields as required.

To configure SAML authentication

Review the imported configuration fields, and configure the rest of the SAML fields as required:

Field / Description

Identity provider

Federation metadata URL
  URL of the identity provider federation metadata.
  Use this field to enable automatic rollover. Such rollovers are more frequent if you use Azure Active Directory as an identity provider.
  Remedy SSO uses this URL to re-import the identity provider metadata automatically, including the IdP Signing Certificate, which can be updated.

HTTP Binding Type
  HTTP binding for the service provider initiated logout URL.

User ID Attribute
  User ID attribute that is used to retrieve the user ID from the specified attribute in the SAML response. If the User ID attribute is not specified, the NameID is used as the user ID.

Auth Issuer
  Issuer details that the SAML authentication request XML uses to inform the IdP about the entity ID of the service provider for this request.
  If the value is not specified, the service provider entity ID of the current realm is used by default as the Issuer in the SAML authentication request.

Assertion Time Skew
  Time offset between Remedy SSO and the identity provider.

Assertion Time Format
  Time format used by assertions.

Sign Request
  Option to indicate whether the identity provider requires the authentication request to be signed.
  To sign the SAML metadata, select this check box. Additionally, on the General > Advanced tab, specify Signing Key Alias.

Force Authentication
  Option to enforce authentication.

Enable Single Logout
  Option to delete the SAML IdP session on application logout. If an end user logs out from the application, the user is logged out from the SAML IdP as well.

Sign Metadata
  Option to indicate whether the identity provider requires SAML metadata to be signed.
  You might need to sign the SAML metadata to ensure that the security policies of your organization are followed. When you configure a realm for SAML metadata signing, the Remedy SSO server gets the certificate and private key from the keystore alias and signs the metadata with them.

Signing Algorithm
  Note: You can select the signing algorithm only if you select the Sign Request check box, the Sign Metadata check box, or both.
  Select one of the following signing algorithms, each named by its hash function and key type:
    • SHA1withRSA
    • SHA256withRSA
  Select an algorithm supported by your IdP.

Service Provider

View Metadata
  Remedy SSO metadata that is configured in the SP Metadata Template field. If any required parameter is missing, the system shows an error message for that parameter.

Template

Authentication Request Template
  Template used for the SAML authentication request. You can select Default, or you can select Custom and edit the template if required.

SP Metadata Template
  Service provider metadata template. You can select Default, or you can select Custom and edit the template if required.

Bypass for reauth requests
  Setting to indicate that SAML must not be used for reauthentication requests in an authentication chain.

RSSO settings

Use SessionNotOnOrAfter parameter for session time
  Option to define where the maximum time of an end user authentication session is configured.
  By default, the maximum session time is specified by the value set in the Max Session Time field, configured on the General > Basic tab in the Remedy SSO Admin Console.
  If the SessionNotOnOrAfter value configured on the IdP side is less than the value specified in the Max Session Time field on the Remedy SSO server, the maximum session time is defined by the value configured on the IdP.

Xpath 1.0 for group retrieval
  A field for entering an XPath query for extracting user groups from the SAML assertion.
  Example:
  //*[local-name()='AttributeStatement']/*[local-name()='Attribute'][@Name='http://schemas.microsoft.com/ws/2008/06/identity/claims/role']/*[local-name()='AttributeValue']
  The information about the user groups is stored in the authentication session attributes and is retrieved from the response of the /token/groups REST API endpoint.
  Note:
    • Make sure the XPath you specify is valid. If you enter an incorrect XPath, end users can still log in to applications protected by SAML, but Remedy SSO cannot retrieve user groups from the SAML response. If you do not specify anything in this field, no groups are retrieved.
    • This option can be used only for identity providers that allow retrieving user groups.

3. Click Save.
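As an added example (not Remedy SSO code), the following Python shows what the Xpath 1.0 for group retrieval and Use SessionNotOnOrAfter parameter settings read from an assertion. The assertion, its group values and the login time are constructed for illustration, and Python's ElementTree stands in for a full XPath 1.0 engine, so the SAML namespace is written out instead of using local-name().

```python
# Added example (not Remedy SSO code): what two realm settings read from a SAML assertion.
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

NS = "urn:oasis:names:tc:SAML:2.0:assertion"
ROLE_CLAIM = "http://schemas.microsoft.com/ws/2008/06/identity/claims/role"  # AD FS role claim from the page

# Constructed sample assertion fragment (unsigned, for illustration only).
SAMPLE = f"""<saml:Assertion xmlns:saml="{NS}" ID="_constructed" Version="2.0">
  <saml:AuthnStatement AuthnInstant="2020-08-01T10:00:00Z"
      SessionNotOnOrAfter="2020-08-01T11:00:00Z"/>
  <saml:AttributeStatement>
    <saml:Attribute Name="{ROLE_CLAIM}">
      <saml:AttributeValue>Helpdesk</saml:AttributeValue>
      <saml:AttributeValue>Change Managers</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="mail">
      <saml:AttributeValue>jdoe@example.com</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def groups_from_assertion(assertion_xml, claim_name):
    """Group values selected by the 'Xpath 1.0 for group retrieval' expression.
    ElementTree's XPath subset has no local-name(), so the SAML 2.0 namespace is
    written out explicitly; the path walked matches the page's XPath:
    AttributeStatement / Attribute[@Name=claim] / AttributeValue.
    A claim the IdP does not send yields [] (login still works, no groups)."""
    root = ET.fromstring(assertion_xml)
    path = (f".//{{{NS}}}AttributeStatement/{{{NS}}}Attribute"
            f"[@Name='{claim_name}']/{{{NS}}}AttributeValue")
    return [(v.text or "").strip() for v in root.findall(path)]


def _utc(ts):
    """Parse the ISO 8601 'Z' timestamps SAML uses into an aware datetime."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def session_end(assertion_xml, login_at, max_session_seconds, use_idp_value):
    """Session expiry per 'Use SessionNotOnOrAfter parameter for session time'.
    login_at and the result are UTC 'Z' timestamps. Max Session Time applies by
    default; the IdP's SessionNotOnOrAfter wins only when the option is enabled
    and it is the earlier of the two."""
    end = _utc(login_at) + timedelta(seconds=max_session_seconds)
    stmt = ET.fromstring(assertion_xml).find(f".//{{{NS}}}AuthnStatement")
    idp_value = stmt.get("SessionNotOnOrAfter") if stmt is not None else None
    if use_idp_value and idp_value:
        end = min(end, _utc(idp_value))
    return end.strftime("%Y-%m-%dT%H:%M:%SZ")
```

With a mistyped claim name the group list is empty while the session is still created, which is the behaviour the note under Xpath 1.0 for group retrieval describes.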

To obtain the Federation metadata address URL

After you have configured a realm for SAML authentication, you must obtain the link to the SAML metadata file.

  1. In the left navigation panel of the Edit Realm page, click Authentication.
  2. Click View Metadata.
    The metadata file opens in the browser.
  3. Copy the URL displayed in the browser window, and save it to a text editor.
    The URL might look as follows: https://clm-aus-567567.bmc.com:9443/rsso/getmetadata.jsp?tenantName=saml
    You will need this URL when you configure the IdP for SAML authentication.

Demonstration video

Watch this video (3:53) on how to configure SAML in Remedy SSO. This video covers the SAML configurations that are performed from the Remedy SSO Admin Console.

Important

The following video shows an older version of Remedy SSO. Although there might be minor changes in the user interface, the overall functionality remains the same.

https://www.youtube.com/watch?v=UATasTrfliU?rel=0
