Configuring BMC Helix SSO for applications hosted on different domains

You configure multiple domain support so BMC Helix Single Sign-On can provide authentication for applications hosted on different domains. For example, your application is hosted in your company data center and the BMC Helix SSO server is hosted in another data center, such as a BMC data center. In this scenario, the BMC Helix SSO agent and server must act as an OpenID Client and OpenID provider respectively.

To allow applications hosted on different domains to use the same BMC Helix SSO server for authentication

1. In the BMC Helix SSO Admin Console, register an application as an OAuth2 client. For information about how to configure the OAuth2 client, see Configuring OAuth 2.0. 

2. Select the openid (Scope used for OpenID connect) check box to enable the OpenID scope for this client.

3. Configure the token timeout for the OAuth client as follows:
   1. Set the OpenID Issuer URL. The value must correspond to the sso-external-url configured in the rsso-agent.properties file.
   2. Configure the Access Token Timeout value for managing the user session time.
4. Generate the JWK Id for OAuth flow.

5. Copy the Client ID and Client Secret generated after registering the client as OAuth2 and save them.

6. On a server with the BMC Helix SSO agent, configure the rsso-agent.properties file as follows: 

   multi-domain-support=true
   oauth-client-id=<Client ID>
   oauth-client-secret=<Client Secret>

7. Save the rsso-agent.properties file. 

   BMC Helix SSO is now configured for using OpenID connect.

   Important

   If you are using the Chrome browser version 80 and later, you must enable the cross-site cookie in the Advanced settings of the BMC Helix SSO server. For more information about this setting, see Configuring settings for the BMC Helix SSO server.

   You also need to enable this setting if you are using Chrome browser version 79 and earlier if you have the SameSite by default cookies option enabled for the browser.