This section contains information about enhancements in Remedy Single Sign-On (Remedy SSO) version 19.02.
BMC Remedy Single Sign-On enhancements
The following sections provide information about the enhancements in the 19.02 release.
Kerberos authentication for a pre-defined IP range
You can now authenticate requests coming from a set of pre-defined IP addresses by using Kerberos authentication. For this, a Remedy SSO administrator must provide a range of IP addresses using the Remedy SSO Admin Console. When a user tries to log in through a realm, the Remedy SSO server compares the IP address of the user with the IP addresses configured in the Remedy SSO Admin Console. If the IP address of the user exists in the configured range of IP addresses, the Remedy SSO server sends the user to log in through this IdP. However, if the IP address of the user is not configured, it skips the IdP and moves on to the next IdP in the authentication chain. For more information about configuring the range of IP addresses, see Configuring Kerberos authentication.
Enabling signed SAML metadata for security
To ensure that the security policies of your organization are followed, you can now sign the SAML metadata. For this, a new Sign Metadata field is added on the Remedy SSO Admin Console. When the SAML realm is configured for signing metadata, the Remedy SSO server gets the certificate and private key from the keystore based on the specified alias and signs the metadata with it.
For more information about enabling metadata signing, see Configuring Remedy SSO to authenticate users with SAMLv2.
Ability to configure Remedy SSO agent and Remedy SSO server for applications hosted on different domains
In earlier versions, only the applications hosted on the same domain were authenticated using the same Remedy SSO server. From version 19.02, applications hosted on different domains can use the same Remedy SSO server for authentication. For this, the Remedy SSO agent and server must act as an OpenID Client and OpenID provider respectively to protect an application through the authentication process. For more information about configuring the Remedy SSO agent for supporting applications hosted on different domains, see Configuring Remedy SSO agent.
Ability to secure the cookie by providing access only to the issuing domain
You can now set the cookie domain value to the domain on which the Remedy SSO server is installed, instead of being restricted to the network domain (parent domain) of the computer on which you are installing the Remedy SSO server. This ensures that the cookie is not accessible to less trusted applications. You can set this cookie domain value either during installation or through the Remedy SSO Admin Console. For more information, see Security planning and Configuring Remedy SSO server.
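The effect of this setting on which hosts receive the cookie follows from the domain-matching rule in RFC 6265 (section 5.1.3), shown here as an added example that is not BMC code. The hostnames are constructed, and the example assumes the configured cookie domain value is sent as the cookie's Domain attribute.

```javascript
// Added example: RFC 6265 section 5.1.3 domain matching on constructed hostnames.

// Returns true when a browser would send a cookie whose Domain attribute is
// `cookieDomain` to the request host `host`.
function domainMatch(host, cookieDomain) {
  const h = host.toLowerCase();
  const d = cookieDomain.toLowerCase().replace(/^\./, ""); // a leading dot is ignored
  if (h === d) return true;
  // A suffix match counts only on a label boundary and never for IP literals.
  const isIp = /^\d{1,3}(\.\d{1,3}){3}$/.test(h) || h.includes(":");
  return !isIp && h.endsWith("." + d);
}

// Constructed hosts; the names are assumptions for illustration only.
const HOSTS = [
  "sso.example.com",       // assumed Remedy SSO server host (issuing domain)
  "admin.sso.example.com", // host below the issuing domain
  "itsm.example.com",      // application on the same parent domain
  "wiki.example.com",      // less trusted application on the same parent domain
  "notexample.com",        // unrelated domain that only shares a string suffix
];

// Lists every host that would receive a cookie scoped to `cookieDomain`.
function hostsReceivingCookie(cookieDomain, hosts = HOSTS) {
  return hosts.filter((h) => domainMatch(h, cookieDomain));
}

// Parent-domain scope (the only option before 19.02) versus issuing-domain scope.
console.log("Domain=example.com     ->", hostsReceivingCookie("example.com"));
console.log("Domain=sso.example.com ->", hostsReceivingCookie("sso.example.com"));
```

With the issuing-domain scope, sibling applications such as the constructed wiki.example.com no longer receive the cookie, while hosts below the issuing domain still do.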
Data Transfer tool installed by default
From version 19.02, the Data Transfer tool is installed by default by the Remedy SSO installer with the Remedy SSO server. The tool is installed in the BMC Software\RemedySSO\tools folder. For more information about the Data Transfer tool, see Exporting and Importing Remedy SSO configuration.
What else changed in this release
In this release, note the following significant changes in the product behavior:
|Update||Product behavior in versions earlier than 19.02||Product behavior in version 19.02|
|Importing the configurations using the Data Transfer tool.||In Remedy SSO version 18.11, while importing a realm from an exported file, if you provided a realm name that did not exist, no error message was displayed.||While importing a realm from an exported file, if you provide a realm name that does not exist, then the following error message is displayed:|
|Added support for applications hosted on different domains.||Only the applications that are hosted on the same domain as the Remedy SSO server were authenticated using Remedy SSO.||Applications hosted on different domains can be authenticated by using the same Remedy SSO server.|
|Removed the restriction of setting the value of the cookie domain to the parent domain.||The Remedy SSO administrator could set the value of the cookie domain only to the parent domain.||The Remedy SSO administrator can now set the value of the cookie domain to the issuing domain.|