This documentation supports the 21.3 version of BMC Helix Single Sign-On.

To view an earlier version, select the version from the Product version menu.

Configuring Active Directory Federation Services as a SAML identity provider

After you configure BMC Helix SSO as a service provider and Active Data Federation Services (AD FS) as the remote identity provider (IdP) in BMC Helix SSO Admin Console, configure SAML for AD FS.

Before you begin

Task 1: To import service provider certificates to the AD FS identity provider

  1. To export the SSL certificate of the Tomcat on which BMC Helix SSO is deployed, perform the following steps:

    1. Open BMC Helix SSO URL, and click the padlock symbol in the address line of the browser.

    2. In the Certificate window, click the Details tab.

    3. Click Copy to File.

    4. In the Certificate Export Wizard, click Next.

    5. Select "DER encoded binary X.509 (.CER)", and click Next.

    6. Provide a name for the file and include the path in the file name.

      Important

      The Common Name (CN) attribute of this certificate must be the same as the FQDN of BMC Helix SSO server.

  2. To import certificates to the AD FS server, perform the following steps:

    1. From the Run dialog box, type mmc to open Microsoft Management Console (mmc).
    2. Open the File menu and click Add/Remove Snap-in.
    3. From the list of available snap-ins, select Certificates, and click Add.
      The Certificates snap-in dialog box is displayed.
    4. Select My User Account, and click Finish and OK.
    5. From the explorer panel, select Personal > Certificates.
    6. On the Action menu, point to All Tasks, and then click Import to start the Certificate Import Wizard.
    7. Follow the wizard steps and import the following certificates:
      • SSL certificate of the Tomcat on which BMC Helix SSO is deployed
      • (Optional) If required, the service provider certificate signed by BMC Helix SSO.

Task 2: To configure a relying party trust

BMC Helix SSO is the relying party which depends on the IdP to check the claims of the user. In this case, AD FS is the IdP.

  1. On the AD FS server, open the AD FS 2.0 Management application.
  2. On the Trust Relationships tab, select Relying Party Trusts and right-click it.

  3. Select Add Relying Party Trust Wizard.
  4. Click Start.
  5. Select Import data about the relying party published online or on a local network radio button.

    Important

    If AD FS and BMC Helix SSO servers cannot connect via SSL because of some specific network settings, you might see a warning. This error message might be normal and you can ignore it. In this case, you can import the service provider metadata XML to the AD FS in the offline mode.

    If you are unable to proceed with the configuration, the certificates were not exchanged correctly. Contact the BMC Helix SSO administrator for more information.

  6. In the Federation metadata address field, enter the link copied from the BMC Helix SSO Admin Console (click View Metadata and copy the URL).

  7. Click Next.
  8. In the Display Name field, type any value, for example rsso-sp, and then click Next.

  9. On the Choose Issuance Authorization Rules step, click Permit all users to access this relying party, and click Next.
  10. Do not change the default selections, and click Next.
  11. Clear the Open the Claims when this finishes check box.
  12. Click Close.

After you close the Add Relying Party Trust Wizard window, rsso-sp appears in the Relying Party Trusts list.

Task 3: To configure the claim rules for the relying party

  1. From AD FS 2.0, select rsso-sp, and click Edit Claim Rules from the Actions menu.
  2. To add a claim rule, click Add Rule.
    1. Select the Send Claims Using Custom Rule claim-rule template.
    2. Enter the Send Claims Using UPN claim-rule name. Use the following script:

      c:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn"]
           => issue(
      Type = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier",
      Issuer = c.Issuer,
      OriginalIssuer = c.OriginalIssuer, 
      Value = c.Value, 
      ValueType = c.ValueType,
           
      Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/format"] = 
      "urn:oasis:names:tc:SAML:2.0:nameid-format:transient",
           
      Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/namequalifier"] = 
      "<idp-entity-id>",
           
      Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/spnamequalifier"] = 
      "<sp-entity-id>/<realm-id>"
           );
    3. To support SAML groups retrieving, add one more claim rule to the Relying Party Trust. Use the following script:

      c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
       => issue(
      store = "Active Directory", 
      types = ("http://schemas.microsoft.com/ws/2008/06/identity/claims/role"), 
      query = ";tokenGroups;{0}", 
      param = c.Value);

Important

Task 4: To import AD FS certificates to BMC Helix SSO

  1. To export the AD FS certificates as files, perform the following steps:
    1. Open the AD FS 2.0 Management console.
    2. From the explorer panel, navigate to Service > Certificates.
    3. Double-click the certificate name.
    4. Double-click the Details tab.
    5. Click Copy to File and then click Next.
    6. Select Do not export the private key and then click Next.
    7. Select DER and then select the file to save it.
    8. Click Finish.
    9. Perform steps c-h for all the other certificates.
  2. To import the AD FS certificates into BMC Helix SSO *.jks file with the third-party tool KeyStore Explorer (https://keystore-explorer.org/), perform the following steps:
    1. Open the truststore file by using the KeyStore Explorer.
    2. Select Tools and click Import Trusted Certificate.
    3. Select the file and import it.
  3. Restart the BMC Helix SSO server.

Demonstration videos

Watch these videos to understand how to configure AD FS as a SAML IdP provider.

Important

The following videos show an older version of BMC Helix SSO. The previous product name was Remedy SSO. Although there might be minor changes in the user interface, the overall functionality remains the same


 https://www.youtube.com/watch?v=HcW-u-V9yvo?rel=0



 https://www.youtube.com/watch?v=FsIxJOeursU?rel=0



Was this page helpful? Yes No Submitting... Thank you

Comments