BMC Helix Single Sign-On (BMC Helix SSO) provides realms to support multitenancy for integrated applications and to split application availability. Each realm is identified by a unique identifier and contains one or more application domains.
As a BMC Helix SSO administrator, you manage realms from the BMC Helix SSO Admin console. You can configure a single authentication method for a realm, or a chain of multiple authentication methods to enable authentication fallback or reauthentication mechanisms.
Role of realms in the authentication process in BMC Helix SSO
In BMC Helix SSO, a realm associates the application domains of the integrated BMC Helix SSO applications with an identity provider and defines the authentication method used to protect those applications. End users accessing applications integrated with BMC Helix SSO are authenticated based on the domains they can access.
The following diagram shows the role of realms in an authentication flow:
- In a browser window, an end user enters an application URL to access an application integrated with BMC Helix SSO.
- The BMC Helix SSO agent intercepts the login request, validates it, and then sends it to the BMC Helix SSO server.
- Based on information extracted from the application URL, the BMC Helix SSO server determines the correct realm for the authentication flow. For more information about this process, see Identifying a realm by application domains.
- The BMC Helix SSO server allows authentication according to the authentication method specified for the realm.
- Depending on the authentication method, the user is redirected to the login page or is automatically authenticated by BMC Helix SSO. For information about the login options, see Login and logout experience for end users.
- When the end user is successfully authenticated on the BMC Helix SSO login page, the end user is automatically redirected to the application.
Identifying a realm by application domains
Realm identification is based on the application URL used for accessing an end user application.
For example, an end user uses the application.domain.com URL to access an application. To authenticate the user, BMC Helix SSO needs to identify the realm by checking the following mappings in all realms available on the BMC Helix SSO server:
When a realm with a matching application domain is found, this realm is used for authentication.
If several realms have the same matching application domain parts, realm selection becomes unpredictable. To avoid authentication errors, application domain mapping must be unique across all realms on the BMC Helix SSO server.
Usage example: Configuring realms for application domains
Suppose an organization has the following applications:
- Helpdesk—accessed by all users through the URL
- ITSM—accessed through
- BMC Helix Digital Workplace—accessed through
You can create helpdesk and itsm realms and map the application domains and authentication methods to these realms as described in the following table:
The helpdesk realm contains one, and it is authenticated by the SAML 2.0 authentication method.
The itsm realm has two application domains:and Both application domains are authenticated by the Kerberos authentication method.
When an end user accesses the Helpdesk application belonging to the helpdesk.yourcompany.com application domain (Domain 1 in the diagram), the end user is authenticated through BMC Helix SSO via the helpdesk realm (Realm 1 in the diagram), which is configured for the SAML authentication method (Authentication 1 in the diagram) and allows authentication via helpdesk.yourcompany.com (Domain 1 in the diagram).
This end user can also access the ITSM application belonging to the itsm.yourcompany.com application domain (Domain 2 in the diagram). The end user is authenticated through BMC Helix SSO via the itsm realm (Realm 2 in the diagram), which is configured for the Kerberos authentication method (Authentication 2 in the diagram) and allows authentication via itsm.yourcompany.com (Domain 2 in the diagram).
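The following is an added example, not BMC code or product output. It audits a realm-to-domain mapping against the uniqueness rule from "Identifying a realm by application domains", using the helpdesk and itsm realms from this usage example. The dictionary layout, the exact-host matching rule, and the placeholder second itsm domain are assumptions; this page does not specify how BMC Helix SSO compares domain parts.

```python
from urllib.parse import urlsplit

# Constructed realm configuration mirroring the usage example. The layout is an
# assumption for illustration, not a BMC Helix SSO export format.
REALMS = {
    "helpdesk": {"auth": "SAML 2.0", "domains": ["helpdesk.yourcompany.com"]},
    "itsm": {"auth": "Kerberos",
             # The second domain is a constructed placeholder.
             "domains": ["itsm.yourcompany.com", "second-app.yourcompany.com"]},
}


def normalize(domain):
    """Lower-case and strip a trailing dot so equivalent host names compare equal."""
    return domain.strip().lower().rstrip(".")


def host_of(url):
    """Extract the host from a URL; bare hosts such as 'application.domain.com' also work."""
    if "://" not in url:
        url = "//" + url
    return normalize(urlsplit(url).hostname or "")


def find_conflicts(realms):
    """Return {domain: [realm names]} for every domain mapped in more than one realm."""
    owners = {}
    for realm, cfg in realms.items():
        for domain in {normalize(d) for d in cfg["domains"]}:
            owners.setdefault(domain, []).append(realm)
    return {d: sorted(names) for d, names in owners.items() if len(names) > 1}


def resolve_realm(url, realms):
    """Return the one realm that maps the URL host (assumed exact-host match).

    Raises LookupError when no realm matches and ValueError when several do,
    so an ambiguous mapping is reported instead of silently picking a realm.
    """
    host = host_of(url)
    matches = sorted(name for name, cfg in realms.items()
                     if host in {normalize(d) for d in cfg["domains"]})
    if not matches:
        raise LookupError(f"no realm maps {host!r}")
    if len(matches) > 1:
        raise ValueError(f"{host!r} is mapped in several realms: {matches}")
    return matches[0]
```

Running `find_conflicts` before saving a realm change catches duplicates that differ only in letter case or a trailing dot, which are easy to miss when comparing realm settings by eye.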