Configuring the pre-authentication mechanism

Pre-authentication is an authentication mechanism provided by Remedy Single Sign-On (Remedy SSO) to enable an end user who has already been authenticated by an authentication provider to access BMC applications. For example, any OpenID Connect provider can be an option.

The authentication provider provides a JSON Web Token (JWT). The JWT contains the user principals and the authentication server signature which allows to verify the user.

To use pre-authentication, the Remedy SSO Administrator has to configure the appropriate realm for the pre-authentication type and specify the JWT attributes and the certificate which will be used to validate the authentication server signature under the user principals.

Pre-authentication flow

1. The end user passes authentication against some third-party authentication server and gets the JWT representing the authenticated person and signed by the authentication server.
2. To access the BMC application integrated with Remedy SSO, this JWT should be provided as a value for the special rsso_preauth HTTP request parameter.
3. Remedy SSO agent deployed on the application side forwards the unauthenticated request to the Remedy SSO server and passes the rsso_preauth parameter as well.
4. Remedy SSO server uses the appropriate realm certificate to verify that JWT has been issued by the trusted server and it is valid and after that extracts the user name using the configured JWT attribute.
5. Remedy SSO server then proceeds with the standard authentication flow - it authenticates the user, creates the session, sets the authentication cookie, and redirects the request back to the original application as usual.

To configure pre-authentication

1. Log in to the Remedy SSO Admin console.

2. In the left navigation panel of the Add Realm or Edit Realm page, click Authentication.

3. IFrom the Authentication Type drop down list, select PREAUTH.

4. (Optional) Select the Enable AR authentication for bypass check box to enable bypass URL to authenticate against AR.
   For more information about enabling BMC Remedy AR System authentication for bypass, see Enabling AR System authentication for bypass.

5. In the User ID field, enter the name of the JWT entry to be used for user identification.

   Note

   Since JWT is generated and provided by a third party system, the name of the claim containing the User ID is arbitrary. Consult the documentation of your third party product/application to find out the actual JWT's claim name containing the User ID value used for integration.

6. In the Certificate field, copy the certificate of the server which signs the JWT. The certificate must be in Privacy Enhanced Mail (PEM) format.

7. (Optional) To allow the originating application to open target application through Iframe, in the ALLOW-FROM Domain(s) field, enter the name of the originating application. You can specify the target server as follows:

   • * - wildcard. Allowed for all domains.
   • hostname - Allowed for specified domain, ignoring port.
   • hostname:port - Allowed for exact match host:port.

   • proto://hostname:port - Allowed for exact match host:port.

     For information about cross launching, see Enabling cross launch for applications integrated with different Remedy SSO servers.

8. Click Save.

   Note

   On the agent side, in the rsso-agent.properties configuration file, uncomment preauth-type=get so as to enable the agent to expect JWT.

Related topic

Configuring OAuth 2.0