×
 
 
  •  
$helper.renderConfluenceMacro('{bmc-global-announcement:$space.key}')

Unsupported content

 

This version of the product is in limited support. However, the documentation is available for your convenience. You will not be able to leave comments.
Remedy Single Sign-On 19.02 ... Getting started Single sign-on authentication methods

Reauthentication

Some BMC applications are designed to provide an additional security level to some business critical functionality available to end users. This protection mechanism invokes a reauthentication request, and end users are asked to provide their credentials when they perform some action in the system, for example, approving a service request.

Remedy Single Sign-On handles authentication requests from applications integrated with them differently. Depending on how a realm is configured, Remedy Single Sign-On processes authentication requests in one of the following ways:

  • Enables automatic reauthentication—end users are not required to provide the user name and password at the time of reauthentication on the Remedy Single Sign-On login page. 
  • Enables manual reauthentication—end users are required to provide their credentials at the time of a reauthentication request.
Related topics

Single sign-on authentication methods

Authentication chaining

Realms

Enabling authentication chaining mode

Automatic reauthentication

End users are automatically authenticated at the time of a reauthentication request, only if a single authentication method is configured for a realm, and if this method is one of the following:

  • Kerberos
  • Certificate-based
  • Preauthentication
  • SAML—when configured not to display the login page for end users.

Manual reauthentication for a realm with a single authentication method

If you have one of the following authentication methods configured for a realm, the reauthentication is manual, and end users are required to provide their credentials on the login page at the time of the reauthentication request:

  • AR
  • LDAP
  • Local
  • OpenID Connect
  • SAML configured to display the login page for end users

For SAML and OpenID Connect IdPs, the login page of the IdP is displayed at the time of the reauthentication request.
For AR, Local and LPAD IdPs, the Remedy Single Sign-On login page is displayed.

Manual reauthentication for a realm with a chain of authentication methods

If you have an authentication chain configured for a realm, you can enable manual reauthentication. The secondary authentication in the chain is invoked at the time of a reauthentication request, and end users are required to provide their credentials on the login page at the time of the reauthentication request.

The following diagram shows how reauthentication works for a realm with several authentication methods:

Reauthentication model

To configure manual reauthentication for a realm with several authentication methods, chain them in accordance with the principles described in the following table:

Authentication typeAuthentication methods supportedNotes
Primary authentication
  • SAML
  • Kerberous
  • Certificate-based
  • Preauthentication

SAML note:

If SAML IdP is configured not to display the login page to end users, then you must enable the Bypass for reauth requests setting in SAML configuration of the realm. For information about this setting, see Importing configuration from an identity provider and configuring SAML.

Preauthentication notes:

  • If the authentication request from application contains JWT, then end users are authenticated via Preauth, and the request is not redirected to the next IdP in the chain.
  • If the authentication request from application does not contain JWT, the request is redirected to the next IdP in the chain.
Secondary authentication
  • LDAP
  • AR
  • Local
  • OpenID Connect
For OpenID Connect IdPs, the login page of the IdP is displayed at the time of the reauthentication request.


Was this page helpful? Yes No Submitting... Thank you
Last modified by Olha Horbachuk on Sep 07, 2020
double_authentication key_concepts authentication concept high_availability sso rsso remedy_single_sign_on single_sign_on rsso_double_authentication diagram reference

Comments

Log in or register to comment.

Authentication chaining
Kerberos authentication
© Copyright 1991 – 2019 BMC Software, Inc.
© Copyright 1991 – 2019 BladeLogic, Inc.
Legal notices

Powered by Atlassian Confluence and Scroll Viewport

© Copyright 2005-2024 BMC Software, Inc. Use of this site signifies your acceptance of BMC’s Terms of Use . BMC, the BMC logo, and other BMC marks are assets of BMC Software, Inc. These trademarks are registered and may be registered in the U.S. and in other countries.