Transforming userID to match login ID
During the login procedure, BMC Helix Single Sign-On checks that the login ID provided by an end user matches the userID available in the user store of an identity provider (IdP). In many use cases, the login ID and the userID do not match, and end users cannot log in by using their login credentials. In such cases, BMC Helix Single Sign-On can transform the userID for an authentication method when you specify a userID transformation type.
For example, the identity provider response contains the user name CustomUserName@gmail.com, and the user name specified in Remedy AR System is CustomUserName. To configure the authentication method so that end users can log in, you must remove the domain from the userID.
You might also need to transform a userID when you integrate BMC Helix SSO with BMC applications, set up an authentication method, and then change the original authentication method. The new authentication method might not provide the same userID format that was available with the original method, and you must specify a userID transformation type for this authentication type.
Important
The user ID transformation options are supported for all authentication types except "Local".
To transform the userID to match the login ID
1. In the left navigation panel of the Add Realm or Edit Realm page, click Authentication.
2. In the UserID Transformation field, specify the required transformation type.
3. Click Save.
The following table lists the userID transformation options available in the UserID Transformations list:
Transformation | Description |
---|---|
None | Displays the entered userID without any transformation. |
RemoveBMCDomain | Displays the userID without the suffix, for example, abc@ is a suffix for the abc@<anyemaildomain>. |
RemoveDomain | Displays the userID without the prefix <domain>. Example: companyname\userid is transformed to userid. |
RemoveEMailDomain | Displays the userID without the suffix @<anyemaildomain>. |
ToLowerCase | Displays userID after converting it to lower case. Example: UserID is transformed to userid. |
ToUpperCase | Displays userID after converting it to upper case. Example: userid is transformed to USERID. |
In addition to the options provided by BMC Helix SSO, you can create and deploy custom transformation types. For more information, see Creating User ID custom transformation types.
To specify a custom userID to match the login ID
1. In the left navigation panel of the Add Realm or Edit Realm page, click Authentication.
2. In the Custom Expression field, specify your value in the following format: "userId + {value}". For example, by using the #userId + "@bmc.com" expression, you construct Mary@bmc.com.
3. Click Save.
You can specify a custom userID by using the predefined string functions. The list of Java string functions and their description is displayed in the following table:
Function | Description |
---|---|
strip() | Returns a string whose value is this string, with all leading and trailing white spaces removed. |
substring(int beginIndex) | Returns a string that is a substring of this string. The substring begins with the character at the specified index and extends to the end of this string. |
substring(int beginIndex, int endIndex) | Returns a string that is a substring of this string. The substring begins at the specified beginIndex and extends to the character at index endIndex - 1. |
toLowerCase() | Converts all of the characters in this string to lower case. |
toUpperCase() | Converts all of the characters in this string to upper case. |
split(String regex) | Splits a string at matches of the given regular expression. |
replace(String target, String replacement) | Returns a string resulting from replacing all occurrences of target in this string with replacement. |
The following table represents examples of using string functions.
Expression | Current value | Transformed value |
---|---|---|
#userId.split('@')[0] | user1@example.com | user1 |
#userId.split('@')[0].toUpperCase() | user1@example.com | USER1 |
#userId.replace("@example.com", "@abc.com") | user1@example.com | user1@abc.com |
#userId.substring(2) | p_user12345 | user12345 |
#userId.substring(4, 9) + #userId.substring(0, 4) | user12345 | 12345user |
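Because a transformation maps many IdP userIDs onto fewer login IDs, it is worth checking a user export for collisions and for inputs the expression cannot handle before you save the realm. The following is an added example, not BMC code: it applies plain-Java equivalents of three expressions from the table to a constructed list of userIDs, and the class name UserIdTransformCheck is hypothetical.

```java
import java.util.*;
import java.util.function.UnaryOperator;

public class UserIdTransformCheck {  // hypothetical class name
    // Plain-Java equivalents of expressions from the table above.
    static final Map<String, UnaryOperator<String>> EXPRESSIONS = new LinkedHashMap<>();
    static {
        EXPRESSIONS.put("#userId.split('@')[0]", u -> u.split("@")[0]);
        EXPRESSIONS.put("#userId.split('@')[0].toUpperCase()", u -> u.split("@")[0].toUpperCase());
        EXPRESSIONS.put("#userId.substring(2)", u -> u.substring(2));
    }

    // Groups source userIDs by the login ID each one transforms to.
    // Inputs that throw or produce an empty result are grouped under a marker key.
    static Map<String, List<String>> group(UnaryOperator<String> fn, List<String> ids) {
        Map<String, List<String>> out = new TreeMap<>();
        for (String id : ids) {
            String key;
            try {
                key = fn.apply(id);
                if (key.isEmpty()) key = "<EMPTY>";
            } catch (RuntimeException e) { // e.g. StringIndexOutOfBoundsException
                key = "<ERROR " + e.getClass().getSimpleName() + ">";
            }
            out.computeIfAbsent(key, k -> new ArrayList<>()).add(id);
        }
        return out;
    }

    public static void main(String[] args) {
        // Constructed sample userIDs; replace with an export from your user store.
        List<String> ids = List.of("user1@example.com", "user1@partner.example",
                "User1@example.com", "p_user12345", "a", "@example.com");
        for (Map.Entry<String, UnaryOperator<String>> expr : EXPRESSIONS.entrySet()) {
            System.out.println(expr.getKey());
            group(expr.getValue(), ids).forEach((loginId, sources) -> {
                boolean problem = sources.size() > 1 || loginId.startsWith("<");
                if (problem) System.out.println("  REVIEW " + loginId + " <- " + sources);
            });
        }
    }
}
```

A REVIEW line means either that several distinct identities would resolve to the same login ID, or that a userID does not fit the expression and would not map to a usable login ID.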
To transform AR System login ID
When your AR System login ID doesn't match the BMC Helix SSO login ID format, you can transform the login ID by using the AR REST API. For information about the AR REST API, see AR Server REST API architecture.
To activate the login ID transformation option:
1. In BMC Helix SSO, navigate to the appropriate realm.
2. In the left navigation panel of the Add Realm or Edit Realm page, click Authentication.
3. In the Custom Expression field, specify your value in the following format:
   #arAliasToLoginName.convert('AR REST API URL', 'ARUser', 'encrypted ARUser Password', Field ID, #userId)
4. Click Save.
As an example, you can get the following result:
#arAliasToLoginName.convert('https://example.com:8443', 'Demo', 'AES-GCM:5de2a10c228a89e8aaaf069c5fb7e448afb997565c0d3c46ba3ddac39fccbddc', 117, #userId)
Here, 117 is the field ID for "Full Name" on the User schema.
A password for BMC Helix SSO should be encrypted. For information about how to encrypt passwords, see Configuring after installation.