This documentation supports the 18.02 version of Remedy Single Sign-On.


IdP initiated login and logout process

Starting from version 9.1.02, Remedy Single Sign-On (Remedy SSO) supports Identity Provider (IdP) initiated login and logout.

IdP initiated login

In an IdP initiated login, a user gains access to the IdP site first and then clicks on one of the services provided by the remote Service Provider (SP). After the user selects the required service, the IdP initiates the authentication process.

IdP initiated login has the following advantages:

  • In an SP initiated login, users reach each service through its own link, so they might need to bookmark every one of those links. With IdP initiated login, end users need only one link, the IdP link, to reach any service that a service provider offers. For example, if the IdP is AD FS 2.0, the user might enter the URL https://adfs-server.contoso.com/adfs/ls/IdpInitiatedSignon.aspx to reach the IdP sign-on page.
  • Users get the same SSO experience for BMC products and third-party products because they click the same IdP link to reach all of them.

IdP initiated single logout

In IdP initiated single logout (SLO), if a user logs out from any application that belongs to a single login session, the user is logged out from all applications, BMC and third-party, that belong to the same session. IdP initiated logout is triggered when the user clicks the logout option on the IdP logout page.

IdP initiated SLO has the following advantages:

  • Users get the same logout experience for BMC and third-party products because they click the same link on the IdP site to log out from the IdP and from all applications of the different SPs that share the common SSO session.
  • When the user logs out from the IdP, the user is logged out from all other logged-in applications, including Remedy SSO. If the user then tries to reach any of the applications, the user has to authenticate again.

To enable the SLO feature, make sure that the SP metadata you register with the IdP includes the single logout service (SingleLogoutService) endpoint; without it the IdP has nowhere to send the logout request. For more information about the single logout service, see SAMLv2 authentication process.

For more information, refer to the following topics:

IdP initiated login workflow

The following table lists the sequence of events in an IdP initiated login.

Stage | Description
1 | User enters the IdP link in a browser.
2 | Browser sends the request to the IdP.
3 | IdP requests the user's credentials if the user does not already have a local security context.
4 | User enters the credentials and logs in to the IdP server.
5 | IdP creates a local security context for the user and displays the list of services that the SP offers.
6 | User clicks the link of the required service.
7 | IdP invokes its SSO service, which creates a SAML assertion and places the SAML response that carries it in an HTML form.
8 | IdP sends the HTML form to the browser.
9 | Browser posts the HTML form to the Assertion Consumer Service of the Remedy SSO server.
10 | Assertion Consumer Service extracts the SAML response from the HTML form and validates the digital signature on the SAML assertion. After validation, it creates a local logon security context for the user on the Remedy SSO server.
11 | Remedy SSO server retrieves the service URL that the IdP included in the HTML form (typically the RelayState value) and sends an HTTP redirect to the browser so that it can reach the service.
12 | SSO agent of the service checks the user's authorization. If the user is authorized, the SSO agent returns the service to the browser.
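The stages 7 to 11 above, simulated end to end as an added example. This is not Remedy SSO code and the endpoints, entity IDs and key are assumptions. The point it adds to the table is what the Assertion Consumer Service has to check when the response is unsolicited: there is no InResponseTo to tie it to a request the SP made, so the signature, Destination, Issuer, Audience, bearer Recipient, validity window and a replay cache of assertion IDs are all that stand between a captured form and a fresh session. The XML-DSig check is stood in by an HMAC over the serialized response, carried as a separate form field so the block runs on the standard library; a real ACS verifies the XML signature with the IdP certificate from its metadata.

```python
"""IdP-initiated SAML login over the HTTP-POST binding, simulated (added example, not Remedy SSO code)."""
import base64
import hashlib
import hmac
import uuid
from datetime import datetime, timedelta, timezone
from urllib.parse import urlsplit
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
# Hypothetical deployment values (assumptions, not values from the page).
IDP_ENTITY_ID = "https://idp.example.com/adfs/services/trust"
SP_ENTITY_ID = "https://rsso.example.com/rsso"
ACS_URL = "https://rsso.example.com/rsso/saml/acs"
ALLOWED_SERVICE_HOSTS = {"remedy.example.com", "smartit.example.com"}
SHARED_KEY = b"stand-in-for-the-idp-signing-key"      # HMAC stand-in for the IdP's XML-DSig key
NOW = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)  # fixed clock for the simulation
EARLIER = NOW - timedelta(minutes=10)


def _iso(dt: datetime) -> str:
    return dt.strftime("%Y-%m-%dT%H:%M:%SZ")


def _parse(ts: str) -> datetime:
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def _sign(xml: bytes) -> str:
    return hmac.new(SHARED_KEY, xml, hashlib.sha256).hexdigest()


def idp_build_form(user: str, service_url: str, issued: datetime) -> dict:
    """Stages 7-8: the IdP's SSO service builds an unsolicited Response and puts it in an HTML form."""
    xml = f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}" ID="_{uuid.uuid4().hex}"
    Version="2.0" IssueInstant="{_iso(issued)}" Destination="{ACS_URL}">
  <saml:Issuer>{IDP_ENTITY_ID}</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
  <saml:Assertion ID="_{uuid.uuid4().hex}" Version="2.0" IssueInstant="{_iso(issued)}">
    <saml:Issuer>{IDP_ENTITY_ID}</saml:Issuer>
    <saml:Subject><saml:NameID>{user}</saml:NameID>
      <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml:SubjectConfirmationData Recipient="{ACS_URL}" NotOnOrAfter="{_iso(issued + timedelta(minutes=5))}"/>
      </saml:SubjectConfirmation></saml:Subject>
    <saml:Conditions NotBefore="{_iso(issued - timedelta(minutes=1))}" NotOnOrAfter="{_iso(issued + timedelta(minutes=5))}">
      <saml:AudienceRestriction><saml:Audience>{SP_ENTITY_ID}</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
  </saml:Assertion>
</samlp:Response>""".encode()
    # RelayState carries the service the user picked in stage 6; Signature is the HMAC stand-in.
    return {"SAMLResponse": base64.b64encode(xml).decode(), "RelayState": service_url, "Signature": _sign(xml)}


class AssertionConsumerService:
    """Stages 10-11 on the Remedy SSO side: validate, create the session, redirect to the service."""

    def __init__(self):
        self.seen_assertion_ids = set()   # replay cache; in production it is persisted and expired
        self.sessions = {}                # session token -> user

    def consume(self, form: dict, now: datetime) -> dict:
        xml = base64.b64decode(form["SAMLResponse"])
        if not hmac.compare_digest(_sign(xml), form.get("Signature", "")):
            raise ValueError("signature check failed")
        root = ET.fromstring(xml)
        if root.get("Destination") != ACS_URL:
            raise ValueError("Destination is not this ACS")
        if root.findtext("saml:Issuer", namespaces=NS) != IDP_ENTITY_ID:
            raise ValueError("Issuer is not the configured IdP")
        if not root.find("samlp:Status/samlp:StatusCode", NS).get("Value").endswith(":Success"):
            raise ValueError("IdP reported failure")
        a = root.find("saml:Assertion", NS)
        cond = a.find("saml:Conditions", NS)
        if not _parse(cond.get("NotBefore")) <= now < _parse(cond.get("NotOnOrAfter")):
            raise ValueError("assertion outside its validity window")
        if cond.findtext("saml:AudienceRestriction/saml:Audience", namespaces=NS) != SP_ENTITY_ID:
            raise ValueError("assertion was issued for another SP")
        scd = a.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
        if scd.get("Recipient") != ACS_URL or now >= _parse(scd.get("NotOnOrAfter")):
            raise ValueError("bearer confirmation does not match this ACS")
        if a.get("ID") in self.seen_assertion_ids:      # unsolicited: no InResponseTo, so cache IDs
            raise ValueError("replayed assertion")
        self.seen_assertion_ids.add(a.get("ID"))
        # Stage 11: the service URL arrives in the form, so only follow it to known services.
        target = urlsplit(form.get("RelayState", ""))
        if target.scheme != "https" or target.hostname not in ALLOWED_SERVICE_HOSTS:
            raise ValueError("RelayState points outside the allowed services")
        token = uuid.uuid4().hex                        # stage 10: local logon security context
        self.sessions[token] = a.findtext("saml:Subject/saml:NameID", namespaces=NS)
        return {"status": 302, "Location": target.geturl(),
                "Set-Cookie": f"rsso_session={token}; Path=/; Secure; HttpOnly"}


def reject_reason(acs: AssertionConsumerService, form: dict, now: datetime):
    """None when the form is accepted, otherwise the validation error text."""
    try:
        acs.consume(form, now)
        return None
    except ValueError as err:
        return str(err)
```

Posting the same form twice is the case to watch: the signature, issuer and time window all still pass on the second post, and only the cached assertion ID stops it. The RelayState check is there because the redirect target in stage 11 is attacker-influenced input if anyone can reach the ACS.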

IdP initiated single logout workflow

Stage | Description
1 | User clicks the logout link on the IdP logout page.
2 | IdP determines all applications that belong to that session.
3 | IdP builds a digitally signed SAML logout request that identifies the user's security context and encodes it as a SAML request. (The logout request is a protocol message, not an assertion.)
4 | IdP uses the HTTP Redirect binding to send the logout request to all service providers, including Remedy SSO.
5 | Remedy SSO performs the following tasks:
    1. Validates the signed SAML request.
    2. Checks whether the token is still valid.
    3. Removes the session and destroys the session cookie.
    4. Builds a SAML logout response and uses an HTTP redirect to send it back to the IdP.
6 | IdP redirects the browser to the IdP final logout URL.
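Stages 3 to 6 above, simulated as an added example that is not Remedy SSO code; the endpoints, entity IDs, session store and key are assumptions. What it shows beyond the table is how the HTTP Redirect binding differs from the HTML form used at login: the logout request is deflated and base64-encoded into the SAMLRequest query parameter, and the signature covers the query string (SAMLRequest, RelayState, SigAlg in that order, as URL-encoded octets) rather than the XML, so the SP must verify it over the raw query before decoding anything. The IdP's RSA signature is stood in by an HMAC with a shared key so the block runs on the standard library; a real SP verifies it with the signing certificate from the IdP metadata.

```python
"""IdP-initiated single logout over the SAML HTTP-Redirect binding, simulated (added example)."""
import base64
import hashlib
import hmac
import uuid
import zlib
from datetime import datetime, timezone
from urllib.parse import quote_plus, unquote_plus, urlsplit
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
# Hypothetical endpoints and key (assumptions, not values from the page).
IDP_ENTITY_ID = "https://idp.example.com/adfs/services/trust"
IDP_SLO_URL = "https://idp.example.com/adfs/ls/"
SP_ENTITY_ID = "https://rsso.example.com/rsso"
SP_SLO_URL = "https://rsso.example.com/rsso/saml/slo"   # the SingleLogoutService published in SP metadata
SIG_ALG = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"
SHARED_KEY = b"stand-in-for-the-idp-signing-key"        # HMAC stand-in for the IdP's RSA key
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"


def _now() -> str:
    return datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")


def _encode(xml: str) -> str:
    c = zlib.compressobj(9, zlib.DEFLATED, -15)          # raw DEFLATE, no zlib header, as the binding requires
    return base64.b64encode(c.compress(xml.encode()) + c.flush()).decode()


def _decode(value: str) -> bytes:
    return zlib.decompress(base64.b64decode(value), -15)


def _redirect_url(endpoint: str, kind: str, xml: str, relay_state: str) -> str:
    """Build a signed redirect URL; kind is SAMLRequest or SAMLResponse."""
    fields = {kind: _encode(xml), "RelayState": relay_state, "SigAlg": SIG_ALG}
    query = "&".join(f"{k}={quote_plus(v)}" for k, v in fields.items())   # exactly the octets that are signed
    sig = base64.b64encode(hmac.new(SHARED_KEY, query.encode(), hashlib.sha256).digest()).decode()
    return f"{endpoint}?{query}&Signature={quote_plus(sig)}"


def _verify_and_extract(url: str, kind: str) -> tuple:
    """Check the signature over the raw query string first, then inflate and parse the message."""
    raw = dict(p.split("=", 1) for p in urlsplit(url).query.split("&"))
    query = "&".join(f"{k}={raw[k]}" for k in (kind, "RelayState", "SigAlg") if k in raw)
    if unquote_plus(raw.get("SigAlg", "")) != SIG_ALG:
        raise ValueError("unsupported SigAlg")
    expected = hmac.new(SHARED_KEY, query.encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, base64.b64decode(unquote_plus(raw.get("Signature", "")))):
        raise ValueError("bad signature on logout message")
    return ET.fromstring(_decode(unquote_plus(raw[kind]))), unquote_plus(raw.get("RelayState", ""))


def idp_build_logout_request(name_id: str, session_index: str, relay_state: str) -> str:
    """Stages 3-4: a signed LogoutRequest naming the user's session, delivered by HTTP redirect."""
    xml = (f'<samlp:LogoutRequest xmlns:samlp="{NS["samlp"]}" xmlns:saml="{NS["saml"]}" ID="_{uuid.uuid4().hex}" '
           f'Version="2.0" IssueInstant="{_now()}" Destination="{SP_SLO_URL}">'
           f'<saml:Issuer>{IDP_ENTITY_ID}</saml:Issuer><saml:NameID>{name_id}</saml:NameID>'
           f'<samlp:SessionIndex>{session_index}</samlp:SessionIndex></samlp:LogoutRequest>')
    return _redirect_url(SP_SLO_URL, "SAMLRequest", xml, relay_state)


class RemedySsoLogoutService:
    """Stage 5 as the table lists it: validate, check the token, remove the session, answer the IdP."""

    def __init__(self, sessions: dict):
        self.sessions = sessions          # session index -> user, the state the SSO cookie points at

    def handle(self, url: str) -> dict:
        req, relay_state = _verify_and_extract(url, "SAMLRequest")
        if req.get("Destination") != SP_SLO_URL or req.findtext("saml:Issuer", namespaces=NS) != IDP_ENTITY_ID:
            raise ValueError("logout request is not from the trusted IdP or not addressed to this SP")
        index = req.findtext("samlp:SessionIndex", namespaces=NS)
        still_valid = index in self.sessions          # an already expired token leaves nothing to tear down
        self.sessions.pop(index, None)
        xml = (f'<samlp:LogoutResponse xmlns:samlp="{NS["samlp"]}" xmlns:saml="{NS["saml"]}" ID="_{uuid.uuid4().hex}" '
               f'Version="2.0" IssueInstant="{_now()}" InResponseTo="{req.get("ID")}" Destination="{IDP_SLO_URL}">'
               f'<saml:Issuer>{SP_ENTITY_ID}</saml:Issuer>'
               f'<samlp:Status><samlp:StatusCode Value="{SUCCESS}"/></samlp:Status></samlp:LogoutResponse>')
        return {"status": 302, "Location": _redirect_url(IDP_SLO_URL, "SAMLResponse", xml, relay_state),
                "Set-Cookie": "rsso_session=; Max-Age=0; Path=/; Secure; HttpOnly",   # destroys the session cookie
                "session_was_valid": still_valid}


def idp_read_logout_response(url: str) -> dict:
    """What the IdP checks on the returned response before stage 6 (redirect to its final logout URL)."""
    resp, _ = _verify_and_extract(url, "SAMLResponse")
    status = resp.find("samlp:Status/samlp:StatusCode", NS).get("Value")
    return {"in_response_to": resp.get("InResponseTo"), "success": status == SUCCESS}


def logout_reject_reason(sp: RemedySsoLogoutService, url: str):
    """None when the SP accepts the logout request, otherwise the error text."""
    try:
        sp.handle(url)
        return None
    except ValueError as err:
        return str(err)
```

The signature is verified over the raw query octets rather than over re-encoded parsed values, because a different percent-encoding of the same RelayState would otherwise fail or, worse, let an altered value pass. Editing any of the three signed parameters in transit, including RelayState, invalidates the message.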
