Unsupported content


This version of the product is in limited support. However, the documentation is available for your convenience. You will not be able to leave comments.

Configuring Remedy SSO to authenticate users with SAMLv2

As a Remedy Single Sign-On (Remedy SSO) administrator, you can configure the Remedy SSO server to authenticate users through SAMLv2 authentication. SAML V2.0 is implemented by forming a Circle of Trust that comprises a service provider and an identity provider.

The service provider hosts and protects the services that the user accesses. Remedy SSO is configured as a service provider for BMC products. The identity provider authenticates users and provides details of the authentication information to the service provider. 

The following image shows the tasks that you need to perform to configure the SAMLv2 authentication in Remedy SSO.


Before you begin

  • Ensure that you have performed the Remedy SSO server configuration. For more information, see Remedy SSO server general configuration.
  • If you want the SAML requests to be signed, in the Remedy SSO Admin console (General > Advanced > SAML Service Provider), enter details for the parameters Signing Certificate, Keystore File, Keystore Password, and Signing Key Alias. For more information, see Remedy SSO server general configuration.
  • There is a rollover of signing keys at the identity provider end. When Azure Active Directory is used as an identity provider, such rollovers are more frequent. In order for Remedy SSO to automatically track the rollovers, ensure that you have the URL for the new signing key.
  • If you want to decrypt the encrypted assertions in SAML responses, in the Remedy SSO Admin console (General > Advanced > SAML Service Provider), enter details for the Encryption Key Alias parameter. For more information, see Remedy SSO server general configuration.
  • Configure a realm for the authentication. For more information, see Configuring realms.
  • Obtain the following information from the identity provider administrator:
    • Identity provider entity ID  
    • Login URL of the identity provider

To configure SAMLv2 authentication

  1. (Optional) Select the Enable AR authentication for bypass check box to enable a bypass URL to authenticate against AR System.
    For more information, see Enabling AR authentication for bypassing other authentication methods
  2. Enter the SAML details.

    Identity Provider

    Dialog box for importing the identity provider metadata. You can provide a URL in the Import from URL field, or specify a local file in the Import from Local File field to import the data.

    Use this dialog box when you perform initial configuration of SAMLv2 or when you want to manually update the identity provider metadata.

    Federation metadata URL

    URL of the identity provider federation metadata.

    Use this field to enable automatic rollover. Such rollovers are more frequent if you use Azure Active Directory as an identity provider.

    Remedy SSO uses this URL to re-import the identity provider metadata automatically, including IdP Signing Certificate that can be updated.

    IdP Entity ID

    Identity provider entity ID that is obtained from an external identity provider, such as Active Directory Federation Services (AD FS) or Okta.


    Login URL

    Login URL of the identity provider that is obtained from an external identity provider such as AD FS or Okta.


    Logout URL

    URL provided by the identity provider to which the user is redirected for SP initiated logout.

    If you do not provide any value in this parameter, then the value in the Login URL field is used for both login and logout endpoints.

    Logout Response URLURL provided by the identity provider to which the user is redirected for identity provider initiated logout.
    HTTP Binding Type

    HTTP binding for service provider initiated logout URL.

    IdP Signing CertificateSigning certificate that is used by Remedy SSO to sign requests that are sent to the identity provider.
    User ID AttributeUser ID attribute that is used to retrieve the user ID from the specified attribute in the SAML response. If it is not specified, the NameID will be used as the user ID.
    NameID Format

    Name identifier formats supported by the service provider. Name identifiers are a way for providers to communicate with each other regarding a user.

    The Name ID format list is an ordered list and the first Name ID has the highest priority in determining the Name ID format to use. If the user does not specify a Name ID to use when initiating single sign-on, the first one in this list is chosen and supported by the remote identity provider.

    A persistent identifier is saved to a particular user's data store entry as the value of two attributes. A transient identifier is temporary and no data will be written to the user's persistent data store.

    Note: For linking user accounts from the service provider and the remote Identity provider together, after logging in, the persistent nameID format must be at the top of the list.

    Auth Context CompareOptions (exact, minimum, maximum, better) available for the auth context compare.
    Auth ContextAuthentication context that maps the SAMLv2-defined authentication context classes to the authentication level that is set for the user session for the service provider.
    Auth Issuer

    Issuer details that are used by the SAML authentication request XML to inform the IdP about the entity ID of the service provider for this request.

    If the value is not specified, by default the service provider entity ID of the current realm will be used as Issuer in SAML authentication request.

    Assertion Time SkewTime offset between Remedy SSO and the identity provider.
    Assertion Time FormatTime format used by assertions.

    Sign Request

    Option to indicate whether the identity provider requires authentication request to be signed.

    Force AuthenticationOption to select enforce authentication.
    Enable Single LogoutOption to delete SAML IdP session on an application logout. If an end user logs out from an application, the user will be logged out from SAML IdP as well.
    Sign Response

    Setting to indicate whether Remedy SSO requires a signed response from the identity provider.

    Remedy SSO validates the signature from the authentication response.

    Compress RequestSetting to indicate whether to compress the SAML message to save space in the URL.
    Service Provider
    View MetadataRemedy SSO metadata that is configured in the SP Metadata Template field. If any required parameter is missing, the system shows an error message for that parameter.
    Authentication Request TemplateTemplate used for SAML authentication request. You can select Default or you can select Custom and edit the template if required.
    SP Metadata Template

    Service provider metadata template. You can select Default or you can select Custom and edit the template if required.

    After an upgrade, use the following information to upgrade the SP Metadata Template:

    <?xml version="1.0" encoding="UTF-8" standalone="yes"?> <EntityDescriptor entityID="%%ISSUER%%" xmlns="urn:oasis:names:tc:SAML:2.0:metadata"> <SPSSODescriptor AuthnRequestsSigned="%%SIGN_REQUEST%%" WantAssertionsSigned="true" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"> <KeyDescriptor use="signing"> <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#"> <X509Data> <X509Certificate>%%CERTIFICATE_DATA%%</X509Certificate> </X509Data> </KeyInfo> </KeyDescriptor> <KeyDescriptor use="encryption"> <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#"> <X509Data> <X509Certificate>%%ENC_CERTIFICATE_DATA%%</X509Certificate> </X509Data> </KeyInfo> </KeyDescriptor> <SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings: HTTP-POST" Location="%%LOGOUT_REQUEST%%" ResponseLocation="%%LOGOUT_RESPONSE%%"/> <NameIDFormat>%%NAMEIDFORMAT%%</NameIDFormat> <AssertionConsumerService index="0" isDefault="true" Binding="urn:oasis:names:tc: SAML:2.0:bindings:HTTP-POST" Location="%%CONSUMER%%"/> </SPSSODescriptor> </EntityDescriptor>

    If you enable the IdP initiated single logout feature, include the following information in the SP metadata template after the <AssertionConsumerService> tag and then update the settings of the identity provider with the new metadata.

    <SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="%%LOGOUT_REQUEST%%" ResponseLocation="%%LOGOUT_RESPONSE%%"/>

    • Location is the endpoint for the identity provider to send the logout request; for example: https://access.bmc.com:8443/rsso/receiver/Saml .
    • ResponseLocation is the endpoint for the identity provider to send the logout response after getting the logout request from Remedy SSO; for example: https://access.xyz.com:8443/rsso/receiver/Saml .
    Bypath for reauth requestsSetting to indicate that SAML must not be used for reauthentication requests in an authentication chain.

Configuring Active Directory Federation Services as a SAML identity provider

After you configure Remedy SSO as a service provider and Active Data Federation Services as the remote identity provider in the Remedy SSO Admin Console, perform the following steps to configure Active Data Federation Services to handle the SAML protocol:

Step No.ActionDescription

To import SSL certificates to the identity provider

  1. Export the SSL certificate of the Tomcat on which the Remedy SSO is deployed.

    1. Open the Remedy SSO URL, and click the padlock symbol in the address line of the browser.

    2. In the Certificate window, click the Details tab.

    3. Click Copy to File.

    4. In the Certificate Export Wizard, click Next.

    5. Select "DER encoded binary X.509 (.CER)".

    6. Click Next.

    7. Provide a name for the file and include the path in the file name.

      The Common Name (CN) attribute of this certificate must be the same as the FQDN of the Remedy SSO server.

  2. From the Active Directory Federation Services server, import the following certificates through the mmc console to the Trusted Root Certificate Authorities folder.

    • Import the SSL certificate of the Tomcat on which the Remedy SSO is installed. You must establish an https connection between Remedy SSO and the Active Directory Federation Services.

        1. From the Run dialog box, type mmc to open Microsoft Management Console (mmc).
        2. Open the File menu and click Add/Remove Snap-in… .
        3. From the list of available snap-ins, select Certificates, and click Add.
          The Certificates snap-in dialog box is displayed.
        4. Select My User Account, and click Finish and OK.
        5. From the explorer panel, select Personal > Certificates.
        6. On the Action menu, point to All Tasks, and then click Import to start the Certificate Import Wizard.
        7. Import the SSL certificate of the Tomcat on which the Remedy SSO is deployed and the Signing certificate.
        8. From the explorer panel, select Trusted Root Certification Authorities > Certificates.
        9. Import the SSL certificate of the Tomcat on which Remedy SSO is deployed.
    • (Optional) Signing certificate - Remedy SSO may sign SAML messages. In such a case, the certificate for verifying such signature must be provided. This certificate must be stored in a *.jks file and path to it should be specified in the Remedy SSO Admin UI (General > Advanced > SAML Service Provider > Keystore File).

To configure a relying party trust

Remedy SSO is the relying party which depends on the identity provider to check the claims of the user. In this case, Active Directory Federation Services is the identity provider.

  1. From the Active Directory Federation Services server, open the AD FS 2.0 Management application.
  2. On the Trust Relationships tab, click Relying Party Trusts.

  3. Click Add Relying Party Trust.

  4. In the wizard, configure the following parameters:
    1. Select Import data about the relying party published online or on a local network.

    2. Copy the metadata web link that you received from Remedy SSO; for example: https://rssoexample.bmc.com:8443/rsso/getmetadata.jsp?tenantName=  <name of the corresponding tenant>.

      If you see a warning, you can ignore it. However, if you are unable to proceed with the configuration, the certificates were not exchanged correctly. Contact the Remedy SSO administrator for more information. In case of specific network settings when the Active Data Federation Services and Remedy SSO servers are not able to connect using SSL protocol, this error message may be normal and can be ignored. In this case, you can import the service provider metadata into AD FS offline using an XML file.

    3. Click Next.

    4. Type rsso-sp for the display name, and click Next.

    5. Select AD FS 2.0profile, and click Next.

    6. Select Permit all users to access this relying party, and click Next.

    7. Clear the Open the Claims when this finishes check box.

    8. Click Close.

After you close the Add Relying Party Trust Wizard window, rsso-sp appears in the Relying Party Trusts list.


To modify the secure hash algorithm

  1. Right-click rsso-sp, and select properties
    The rsso-sp Properties dialog box appears.
  2. Click the Advanced tab, and select the secure hash algorithm, SHA-1.
  3. Click OK.

To configure the claim rules for the relying party

  1. From AD FS 2.0, select rsso-sp, and click Edit Claim Rules from the Actions menu.
  2. To add a claim rule, click Add Rule.
    1. Select the Send Claims Using Custom Rule claim-rule template.
    2. Enter the Send Claims Using UPN claim-rule name. In this case, use the following script:

      c:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn"] => issue( Type = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier", Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, Value = c.Value, ValueType = c.ValueType, Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/format"] = "urn:oasis:names:tc:SAML:2.0:nameid-format:transient", Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/namequalifier"] = "<idp-entity-id>", Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/spnamequalifier"] = "<sp-entity-id>/<realm-id>" );


  • Service provider name qualifier is required only when you want to implement service provider initiated single log out.
  • The properties "http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/format" must be the same as the NameID format value in the Authentication tab of Remedy SSO. For example, a Transient Identifier such as urn:oasis:tc:SAM:2.0:nameid-format:transient.
  • The Fully Qualified Domain Name (FQDN) specified for the properties " http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/namequalifier" must be the FQDN of the AD FS server.
  • The properties " http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/spnamequalifier" must be the same as the service provider Entity ID value specified in Remedy SSO (General > Advanced > SAML Service Provider > SP Entity ID).

To import Active Directory Federation Services certificates to Remedy SSO

  1. Export the Active Directory Federation Services certificates as files:
    1. Open the AD FS 2.0 Management console.
    2. From the explorer panel, go to Service > Certificates.
    3. Double-click the certificate name.
    4. Select the Details tab.
    5. Click Copy to File and then click Next.
    6. Select Do not export the private key and then click Next.
    7. Select DER and then select the file to save it.
    8. Click Finish.
  2. Import the Active Directory Federation Services certificates into the Remedy SSO *.jks file with the KeyStore Explorer tool:
    1. Open the truststore file by using the KeyStore Explorer.
    2. Select Tools and click Import Trusted Certificate.
    3. Select the file and import it.
  3. Restart the Remedy SSO server.

Related videos

Click the images to view the videos.

Related topics

SAML 2.0 authentication

Transforming User ID to match Login ID

Troubleshooting authentication issues

Was this page helpful? Yes No Submitting... Thank you