Configuring Remedy SSO to authenticate users with SAMLv2
As a Remedy Single Sign-On (Remedy SSO) administrator, you can configure the Remedy SSO server to authenticate users through SAMLv2 authentication. SAML V2.0 is implemented by forming a Circle of Trust that comprises a service provider and an identity provider.
The service provider hosts and protects the services that the user accesses. Remedy SSO is configured as a service provider for BMC products. The identity provider authenticates users and provides details of the authentication information to the service provider.
The following image shows the tasks that you need to perform to configure the SAMLv2 authentication in Remedy SSO.
- (Optional) Select the Enable AR authentication for bypass check box to enable a bypass URL to authenticate against AR System.
For more information, see .
Enter the SAML details.
Field Description Identity Provider Import
Dialog box for importing the identity provider metadata. You can provide a URL or specify a local file to import the data.
Federation metadata URL
URL of the identity provider's federation metadata and using this URL, the new signing key of the identity provided can be retrieved.
When details are entered for this parameter and if the existing signing key of the identity provider has expired, Remedy SSO verifies whether a new signing key exists at this URL. If the new signing key exists, Remedy SSO uses the information to pass the authentication.
The federation metadata URL can also be used in the Import parameter to import the certificate containing the new signing key.
The existing certificate details are entered in the .
IdP Entity ID
Identity provider entity ID that is obtained from an external identity provider, such as Active Directory Federation Services (AD FS) or Okta.
Login URL of the identity provider that is obtained from an external identity provider such as AD FS or Okta.
URL provided by the identity provider to which the user is redirected for SP initiated logout.
If you do not provide any value in this parameter, then the value in the Login URL field is used for both login and logout endpoints.
Logout Response URL URL provided by the identity provider to which the user is redirected for identity provider initiated logout. HTTP Binding Type
HTTP binding for service provider initiated logout URL.
IdP Signing Certificate Signing certificate that is used by Remedy SSO to sign requests that are sent to the identity provider. User ID Attribute User ID attribute that is used to retrieve the user ID from the specified attribute in the SAML response. If it is not specified, the NameID will be used as the user ID. NameID Format
Name identifier formats supported by the service provider. Name identifiers are a way for providers to communicate with each other regarding a user.
The Name ID format list is an ordered list and the first Name ID has the highest priority in determining the Name ID format to use. If the user does not specify a Name ID to use when initiating single sign-on, the first one in this list is chosen and supported by the remote identity provider.
A persistent identifier is saved to a particular user's data store entry as the value of two attributes. A transient identifier is temporary and no data will be written to the user's persistent data store.
Note: For linking user accounts from the service provider and the remote Identity provider together, after logging in, the persistent nameID format must be at the top of the list.
Auth Context Compare Options (exact, minimum, maximum, better) available for the auth context compare. Auth Context Authentication context that maps the SAMLv2-defined authentication context classes to the authentication level that is set for the user session for the service provider. Auth Issuer
Issuer details that are used by the SAML authentication request XML to inform the IdP about the entity ID of the service provider for this request.
If the value is not specified, by default the service provider entity ID of the current realm will be used as Issuer in SAML authentication request.
Assertion Time Skew Time offset between Remedy SSO and the identity provider. Assertion Time Format Time format used by assertions.
Option to indicate whether the identity provider requires authentication request to be signed.
Force Authentication Option to select enforce authentication. Enable Single Logout Option to delete SAML IdP session on an application logout. If an end user logs out from an application, the user will be logged out from SAML IdP as well. Sign Response
Setting to indicate whether Remedy SSO requires a signed response from the identity provider.
Remedy SSO validates the signature from the authentication response.
Compress Request Setting to indicate whether to compress the SAML message to save space in the URL. Service Provider View Metadata Remedy SSO metadata that is configured in the SP Metadata Template field. If any required parameter is missing, the system shows an error message for that parameter. Template Authentication Request Template Template used for SAML authentication request. You can select Default or you can select Custom and edit the template if required. SP Metadata Template
Service provider metadata template. You can select Default or you can select Custom and edit the template if required.
After an upgrade, use the following information to upgrade the SP Metadata Template:
<?xml version="1.0" encoding="UTF-8" standalone="yes"?> <EntityDescriptor entityID="%%ISSUER%%" xmlns="urn:oasis:names:tc:SAML:2.0:metadata"> <SPSSODescriptor AuthnRequestsSigned="%%SIGN_REQUEST%%" WantAssertionsSigned="true" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"> <KeyDescriptor use="signing"> <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#"> <X509Data> <X509Certificate>%%CERTIFICATE_DATA%%</X509Certificate> </X509Data> </KeyInfo> </KeyDescriptor> <KeyDescriptor use="encryption"> <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#"> <X509Data> <X509Certificate>%%ENC_CERTIFICATE_DATA%%</X509Certificate> </X509Data> </KeyInfo> </KeyDescriptor> <SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings: HTTP-POST" Location="%%LOGOUT_REQUEST%%" ResponseLocation="%%LOGOUT_RESPONSE%%"/> <NameIDFormat>%%NAMEIDFORMAT%%</NameIDFormat> <AssertionConsumerService index="0" isDefault="true" Binding="urn:oasis:names:tc: SAML:2.0:bindings:HTTP-POST" Location="%%CONSUMER%%"/> </SPSSODescriptor> </EntityDescriptor>
If you enable the IdP initiated single logout feature, include the following information in the SP metadata template after the <AssertionConsumerService> tag and then update the settings of the identity provider with the new metadata.
<SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="%%LOGOUT_REQUEST%%" ResponseLocation="%%LOGOUT_RESPONSE%%"/>
- Location is the endpoint for the identity provider to send the logout request; for example: .
- ResponseLocation is the endpoint for the identity provider to send the logout response after getting the logout request from Remedy SSO; for example:
Bypath for reauth requests Setting to indicate that SAML must not be used for reauthentication requests in an authentication chain.
Configuring Active Directory Federation Services as a SAML identity provider
After you configure Remedy SSO as a service provider and Active Data Federation Services as the remote identity provider in the Remedy SSO Admin Console, perform the following steps to configure Active Data Federation Services to handle the SAML protocol:
To import SSL certificates to the identity provider
To configure a relying party trust
Remedy SSO is the relying party which depends on the identity provider to check the claims of the user. In this case, Active Directory Federation Services is the identity provider.
After you close the Add Relying Party Trust Wizard window, rsso-sp appears in the Relying Party Trusts list.
To modify the secure hash algorithm
To configure the claim rules for the relying party
To import Active Directory Federation Services certificates to Remedy SSO
Click the images to view the videos.