Configuring Remedy SSO to authenticate users with SAMLv2
As a Remedy Single Sign-On (Remedy SSO) administrator, you can configure the Remedy SSO server to authenticate users through SAMLv2 authentication. SAML V2.0 is implemented by forming a Circle of Trust that comprises a service provider and an identity provider.
The service provider hosts and protects the services that the user accesses. Remedy SSO is configured as a service provider for BMC products. The identity provider authenticates users and provides details of the authentication information to the service provider.
The following image shows the tasks that you need to perform to configure the SAMLv2 authentication in Remedy SSO.
Before you begin
- Ensure that you have performed the Remedy SSO server configuration. For more information, see Configuring the Remedy SSO server.
- If you want to sign the SAML requests, in the Remedy SSO Admin console (General > Advanced > SAML Service Provider), enter details for the parameters Signing Certificate, Keystore File, Keystore Password, and Signing Key Alias. For more information, see Configuring the Remedy SSO server.
- If you want to sign the SAML metadata, on the Realm > Authentication tab, ensure that the Sign Request check box is selected. Additionally, on the General > Advanced tab, specify the Signing Key Alias.
- Identity providers periodically roll over their signing keys; when Azure Active Directory is used as an identity provider, such rollovers are more frequent. For Remedy SSO to track the rollovers automatically, ensure that you have the URL for the new signing key.
- If you want to decrypt the encrypted assertions in SAML responses, in the Remedy SSO Admin console (General > Advanced > SAML Service Provider), enter details for the Encryption Key Alias parameter. For more information, see Configuring the Remedy SSO server.
- Configure a realm for the authentication. For more information, see Configuring realms.
- Obtain the following information from the identity provider administrator:
  - Identity provider entity ID
  - Login URL of the identity provider
To configure SAMLv2 authentication
- In the left navigation panel of the Add Realm or Edit Realm page, click Authentication.
- In the Authentication Type field, click SAML.
- (Optional) Select the Enable AR authentication for bypass check box to enable a bypass URL to authenticate against AR System. For more information, see Enabling AR authentication for bypassing other authentication methods.
- Enter the SAML details.
Field | Description |
---|---|
Identity Provider | |
Import | Dialog box for importing the identity provider metadata. You can provide a URL in the Import from URL field, or specify a local file in the Import from Local File field to import the data. Use this dialog box when you perform the initial configuration of SAMLv2 or when you want to manually update the identity provider metadata. |
Federation metadata URL | URL of the identity provider federation metadata. Use this field to enable automatic rollover. Such rollovers are more frequent if you use Azure Active Directory as an identity provider. Remedy SSO uses this URL to re-import the identity provider metadata automatically, including the IdP Signing Certificate, which can be updated. |
IdP Entity ID | Identity provider entity ID that is obtained from an external identity provider, such as Active Directory Federation Services (AD FS) or Okta. Examples: `http://adfs.local/adfs/services/trust`, `http://www.okta.com/exk4mi22tbfhiAnIn0h7` |
Login URL | Login URL of the identity provider that is obtained from an external identity provider such as AD FS or Okta. Examples: `https://adfs.local/adfs/ls`, `https://dev-726770.oktapreview.com/app/bmcdev726770_oktaidp_1/exk4mi22tbfhiAnIn0h7/sso/saml` |
Logout URL | URL provided by the identity provider to which the user is redirected for SP initiated logout. If you do not provide any value in this parameter, the value in the Login URL field is used for both the login and logout endpoints. |
Logout Response URL | URL provided by the identity provider to which the user is redirected for identity provider initiated logout. |
HTTP Binding Type | HTTP binding for the service provider initiated logout URL. |
IdP Signing Certificate | Signing certificate that is used by Remedy SSO to sign requests that are sent to the identity provider. |
User ID Attribute | User ID attribute that is used to retrieve the user ID from the specified attribute in the SAML response. If it is not specified, the NameID is used as the user ID. |
NameID Format | Name identifier formats supported by the service provider. Name identifiers are a way for providers to communicate with each other regarding a user. The Name ID format list is an ordered list, and the first Name ID has the highest priority in determining the Name ID format to use. If the user does not specify a Name ID to use when initiating single sign-on, the first one in this list is chosen and supported by the remote identity provider. A persistent identifier is saved to a particular user's data store entry as the value of two attributes. A transient identifier is temporary, and no data is written to the user's persistent data store. Note: To link user accounts from the service provider and the remote identity provider together after logging in, the persistent NameID format must be at the top of the list. |
Auth Context Compare | Options (exact, minimum, maximum, better) available for the auth context comparison. |
Auth Context | Authentication context that maps the SAMLv2-defined authentication context classes to the authentication level that is set for the user session for the service provider. |
Auth Issuer | Issuer details that are used by the SAML authentication request XML to inform the IdP about the entity ID of the service provider for this request. If the value is not specified, the service provider entity ID of the current realm is used by default as the Issuer in the SAML authentication request. |
Assertion Time Skew | Time offset between Remedy SSO and the identity provider. |
Assertion Time Format | Time format used by assertions. |
Sign Request | Option to indicate whether the identity provider requires the authentication request to be signed. |
Force Authentication | Option to enforce authentication. |
Enable Single Logout | Option to delete the SAML IdP session on an application logout. If an end user logs out from the application, the user is logged out from the SAML IdP as well. |
Sign Metadata | Option to indicate whether the identity provider requires the SAML metadata to be signed. |
Sign Response | Setting to indicate whether Remedy SSO requires a signed response from the identity provider. Remedy SSO validates the signature of the authentication response. |
Compress Request | Setting to indicate whether to compress the SAML message to save space in the URL. |
Service Provider | |
View Metadata | Remedy SSO metadata that is configured in the SP Metadata Template field. If any required parameter is missing, the system shows an error message for that parameter. |
Template | |
Authentication Request Template | Template used for the SAML authentication request. You can select Default, or you can select Custom and edit the template if required. |
SP Metadata Template | Service provider metadata template. You can select Default, or you can select Custom and edit the template if required. After an upgrade, the SP Metadata Template is not updated, so ensure that you manually update the metadata template after upgrading to use the new functionality. For more information about updating the metadata template after upgrading, see Upgrading. |
Bypass for reauth requests | Setting to indicate that SAML must not be used for reauthentication requests in an authentication chain. |
- Click Save.
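The Import dialog and the Federation metadata URL field both consume the identity provider's SAML 2.0 metadata document; the values the realm form asks for (entity ID, login URL, NameID formats, signing certificate) all come from it, and automatic rollover amounts to re-importing that document and noticing a new signing certificate. The following added example (not BMC's or Remedy SSO's code) parses such a document with only the Python standard library and reports which signing certificates a re-import introduced; the metadata and certificate bodies are constructed placeholders, with the entity ID and login URL taken from the page's AD FS examples.

```python
# Added example (not BMC's code): parse SAML 2.0 IdP federation metadata (as imported
# via "Federation metadata URL") and flag a signing-key rollover by certificate fingerprint.
import base64
import hashlib
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata", "ds": "http://www.w3.org/2000/09/xmldsig#"}
REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"

def _endpoint(idp, tag):
    """Location of the HTTP-Redirect <md:tag> endpoint, or None if absent."""
    for e in idp.findall(f"md:{tag}", NS):
        if e.get("Binding") == REDIRECT:
            return e.get("Location")

def parse_idp_metadata(xml_text):
    """Extract the values the Remedy SSO realm form asks for from IdP metadata."""
    root = ET.fromstring(xml_text)
    idp = root.find("md:IDPSSODescriptor", NS)
    fps = []
    for kd in idp.findall("md:KeyDescriptor", NS):
        if kd.get("use", "signing") != "signing":
            continue  # encryption keys are not used to verify IdP signatures
        cert = kd.find("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS)
        der = base64.b64decode("".join(cert.text.split()))  # drop PEM line breaks
        fps.append(hashlib.sha256(der).hexdigest())
    return {"entity_id": root.get("entityID"),
            "login_url": _endpoint(idp, "SingleSignOnService"),
            "nameid_formats": [n.text.strip() for n in idp.findall("md:NameIDFormat", NS)],
            "signing_fingerprints": fps}

def detect_rollover(trusted, reimported):
    """Fingerprints in the re-imported metadata that the trusted set lacks."""
    return sorted(set(reimported["signing_fingerprints"]) - set(trusted["signing_fingerprints"]))

def sample_metadata(certs):
    """Constructed AD FS-style metadata (not real output) with the given signing certs."""
    keys = "".join('<md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>'
                   f'<ds:X509Certificate>{c}</ds:X509Certificate></ds:X509Data>'
                   '</ds:KeyInfo></md:KeyDescriptor>' for c in certs)
    return (f'<md:EntityDescriptor xmlns:md="{NS["md"]}" xmlns:ds="{NS["ds"]}" '
            'entityID="http://adfs.local/adfs/services/trust"><md:IDPSSODescriptor>'
            f'{keys}<md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:persistent'
            f'</md:NameIDFormat><md:SingleSignOnService Binding="{REDIRECT}" '
            'Location="https://adfs.local/adfs/ls"/></md:IDPSSODescriptor></md:EntityDescriptor>')

OLD_CERT = base64.b64encode(b"constructed-cert-1").decode()  # placeholder, not real DER
NEW_CERT = base64.b64encode(b"constructed-cert-2").decode()  # placeholder, not real DER
TRUSTED = parse_idp_metadata(sample_metadata([OLD_CERT]))
REIMPORTED = parse_idp_metadata(sample_metadata([OLD_CERT, NEW_CERT]))
```

`detect_rollover(TRUSTED, REIMPORTED)` returns the fingerprint of the newly published certificate, which is the event an operator would want logged before the identity provider starts signing with it.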
Configuring Active Directory Federation Services as a SAML identity provider
After you configure Remedy SSO as a service provider and Active Directory Federation Services as the remote identity provider in the Remedy SSO Admin Console, perform the following steps to configure Active Directory Federation Services to handle the SAML protocol:
Step No. | Action | Description |
---|---|---|
1. | To import SSL certificates to the identity provider | |
2. | To configure a relying party trust | Remedy SSO is the relying party, which depends on the identity provider to check the claims of the user. In this case, Active Directory Federation Services is the identity provider. After you close the Add Relying Party Trust Wizard window, rsso-sp appears in the Relying Party Trusts list. |
3. | To modify the secure hash algorithm | |
4. | To configure the claim rules for the relying party | Notes: |
5. | To import Active Directory Federation Services certificates to Remedy SSO | |