Configuring the pre-authentication mechanism
Pre-authentication is an authentication mechanism provided by Remedy Single Sign-On (Remedy SSO) that lets an end user who has already been authenticated by an external authentication provider access BMC applications. Any OpenID Connect provider, for example, can act as that authentication provider.
The authentication provider issues a JSON Web Token (JWT). The JWT contains the user principals and the authentication server's signature, which allows the user to be verified.
To use pre-authentication, the Remedy SSO Administrator has to configure the appropriate realm for the pre-authentication type and specify the JWT attributes and the certificate that is used to validate the authentication server's signature over the user principals.
- The end user authenticates against a third-party authentication server and receives a JWT that represents the authenticated person and is signed by that authentication server.
- To access the BMC application integrated with Remedy SSO, this JWT must be supplied as the value of the special rsso_preauth HTTP request parameter.
- The Remedy SSO agent deployed on the application side forwards the unauthenticated request to the Remedy SSO server, passing the rsso_preauth parameter along with it.
- The Remedy SSO server uses the certificate configured for the realm to verify that the JWT was issued by the trusted server and is still valid, and then extracts the user name from the configured JWT attribute.
- The Remedy SSO server then proceeds with the standard authentication flow: it authenticates the user, creates the session, sets the authentication cookie, and redirects the request back to the original application as usual.
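The verification step in the flow above, as an added example that is not part of the BMC documentation or of the Remedy SSO product code: a Go program that plays both roles. NewTestIssuer stands in for the third-party authentication server with a constructed self-signed certificate and RS256 key, and VerifyPreauthJWT performs the relying-party check that the page attributes to the Remedy SSO server: it validates the token with the realm's PEM certificate, refuses any token not signed with RS256, rejects expired tokens via the exp claim, and reads the user name from the claim configured as the User ID. The function and parameter names, the preferred_username claim and the idp.example.test subject are this example's assumptions, not settings of the product.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/base64"
	"encoding/json"
	"encoding/pem"
	"fmt"
	"math/big"
	"strings"
	"time"
)

func b64url(b []byte) string { return base64.RawURLEncoding.EncodeToString(b) }

// VerifyPreauthJWT mirrors what the page says the Remedy SSO server does with rsso_preauth:
// check the JWT against the realm certificate (certPEM), check that it is still valid, then
// read the user name from the configured claim (userIDClaim, the "User ID" field).
// The alg is pinned to RS256 so that "none" or HMAC-signed tokens are refused outright.
func VerifyPreauthJWT(userIDClaim, certPEM, token string, now time.Time) (string, error) {
	block, _ := pem.Decode([]byte(certPEM))
	if block == nil {
		return "", fmt.Errorf("realm certificate is not PEM")
	}
	cert, err := x509.ParseCertificate(block.Bytes)
	if err != nil {
		return "", err
	}
	pub, ok := cert.PublicKey.(*rsa.PublicKey)
	if !ok {
		return "", fmt.Errorf("realm certificate does not carry an RSA key")
	}
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return "", fmt.Errorf("malformed JWT: want header.payload.signature")
	}
	raw := make([][]byte, 3)
	for i, p := range parts {
		if raw[i], err = base64.RawURLEncoding.DecodeString(p); err != nil {
			return "", fmt.Errorf("JWT part %d is not base64url: %w", i, err)
		}
	}
	var hdr struct{ Alg string `json:"alg"` }
	if err := json.Unmarshal(raw[0], &hdr); err != nil || hdr.Alg != "RS256" {
		return "", fmt.Errorf("only alg RS256 is accepted")
	}
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1])) // signed input is the encoded header.payload
	if err := rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], raw[2]); err != nil {
		return "", fmt.Errorf("signature does not verify with the realm certificate: %w", err)
	}
	var claims map[string]interface{}
	if err := json.Unmarshal(raw[1], &claims); err != nil {
		return "", err
	}
	if exp, ok := claims["exp"].(float64); !ok || now.Unix() >= int64(exp) {
		return "", fmt.Errorf("token has no exp claim or has expired")
	}
	uid, ok := claims[userIDClaim].(string)
	if !ok || uid == "" {
		return "", fmt.Errorf("configured user ID claim %q is missing", userIDClaim)
	}
	return uid, nil
}

// NewTestIssuer stands in for the third-party authentication server: it returns a self-signed
// PEM certificate and a function that issues RS256 JWTs with the matching private key.
// Constructed test data only; a real realm holds the provider's own certificate.
func NewTestIssuer() (certPEM string, sign func(claims map[string]interface{}) string) {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err)
	}
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "idp.example.test"},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour)}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		panic(err)
	}
	certPEM = string(pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}))
	sign = func(claims map[string]interface{}) string {
		hdr, _ := json.Marshal(map[string]string{"alg": "RS256", "typ": "JWT"})
		body, _ := json.Marshal(claims)
		input := b64url(hdr) + "." + b64url(body)
		digest := sha256.Sum256([]byte(input))
		sig, err := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, digest[:])
		if err != nil {
			panic(err)
		}
		return input + "." + b64url(sig)
	}
	return certPEM, sign
}

func main() {
	certPEM, sign := NewTestIssuer()
	tok := sign(map[string]interface{}{"preferred_username": "alice", "exp": time.Now().Add(time.Hour).Unix()})
	fmt.Println(VerifyPreauthJWT("preferred_username", certPEM, tok, time.Now()))
}
```

Two details carry the security weight here. The algorithm is pinned before the signature is checked, so a token whose header says alg "none" or that is HMAC-signed with the public key as the secret is refused instead of being "verified" by the wrong routine, and the exp claim is enforced so that a token that was once valid cannot be replayed indefinitely. Both checks are independent of which claim holds the user ID; the claim name is purely the realm's User ID setting.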
To configure pre-authentication
- (Optional) Select the Enable AR authentication for bypass check box to let the bypass URL authenticate against AR.
For more information about enabling BMC Remedy AR System authentication for bypass, see .
- In the User ID field, enter the name of the JWT claim to be used for user identification.
Because the JWT is generated and provided by a third-party system, the name of the claim that contains the User ID is arbitrary. Consult the documentation of your third-party product or application to find the actual name of the JWT claim that carries the User ID value used for the integration.
- In the Certificate field, paste the certificate of the server that signs the JWT. The certificate must be in Privacy Enhanced Mail (PEM) format.
- (Optional) To allow the originating application to open the target application in an iframe, enter the name of the originating application in the ALLOW-FROM Domain(s) field. You can specify the server in one of the following forms:
  - * : wildcard; all domains are allowed.
  - hostname : allowed for the specified domain, ignoring the port.
  - hostname:port : allowed only for an exact host:port match.
  The form proto://hostname:port is not supported and does not work correctly.
For information about cross launching, see Enabling cross launch for applications integrated with different Remedy SSO servers.
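The matching rules for the ALLOW-FROM Domain(s) entries, as an added example that is not part of the BMC documentation or of the Remedy SSO product code: a Go function, AllowFromMatch, that applies the three forms listed above (wildcard, bare hostname with the port ignored, and exact host:port) to an originating host. Because the page states that a proto://hostname:port entry is unsupported and misbehaves, this example treats such an entry as a configuration error rather than trying to match it; that choice, the function names and the example.test hostnames are this example's own.

```go
package main

import (
	"fmt"
	"net"
	"strings"
)

// splitHostPort returns host and port for "host" or "host:port"; a bare host yields port "".
func splitHostPort(s string) (host, port string) {
	if h, p, err := net.SplitHostPort(s); err == nil {
		return h, p
	}
	return s, ""
}

// AllowFromMatch reports whether origin (the originating application, written as "host" or
// "host:port" without a scheme) matches one of the configured ALLOW-FROM entries:
//   "*"             any domain
//   "hostname"      the named host on any port
//   "hostname:port" the named host on exactly that port
// An entry written as proto://hostname:port is not a supported form, so it is reported as a
// configuration error instead of being matched loosely (this example's choice).
func AllowFromMatch(entries []string, origin string) (bool, error) {
	oHost, oPort := splitHostPort(strings.TrimSpace(origin))
	for _, e := range entries {
		e = strings.TrimSpace(e)
		if e == "" {
			continue
		}
		if strings.Contains(e, "://") {
			return false, fmt.Errorf("entry %q: proto://hostname:port is not supported", e)
		}
		if e == "*" {
			return true, nil
		}
		eHost, ePort := splitHostPort(e)
		if !strings.EqualFold(eHost, oHost) {
			continue // DNS names are case-insensitive
		}
		if ePort == "" || ePort == oPort {
			return true, nil
		}
	}
	return false, nil
}

func main() {
	// Constructed realm setting: one bare hostname entry and one exact host:port entry.
	entries := []string{"app.example.test", "portal.example.test:8443"}
	for _, o := range []string{"app.example.test:443", "portal.example.test:8443", "portal.example.test:443", "other.example.test"} {
		ok, err := AllowFromMatch(entries, o)
		fmt.Printf("%-28s allowed=%v err=%v\n", o, ok, err)
	}
}
```

The point the example makes visible is the difference between the two non-wildcard forms: with app.example.test configured, the application is accepted on any port, whereas portal.example.test:8443 accepts only that port, so portal.example.test:443 and a bare portal.example.test are both refused.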