Remedy Single Sign-On (Remedy SSO) provides realms to support multitenancy for integrated applications and split applications availability. Each realm is identified by a unique identifier and contains one or more application domains.
As a Remedy SSO administrator, you manage realms from the Remedy SSO Admin console. You can configure a single authentication method for a realm, or a chain of multiple authentication methods to enable authentication fallback or reauthentication mechanisms.
Role of realms in the authentication process in Remedy SSO
In Remedy SSO, a realm associates application domains of the integrated Remedy SSO applications with an identity provider, and a realm also defines an authentication method to be used to protect integrated applications. End users accessing applications integrated with Remedy SSO are authenticated based on domains they can access.
The following diagram shows the role of realms in an authentication flow:
- In a browser window, an end user enters an application URL to access an application integrated with Remedy SSO.
- The Remedy SSO agent intercepts the login request, validates it, and then sends it to the Remedy SSO server.
- Based on information extracted from the application URL, the Remedy SSO server defines a correct realm for the authentication flow. For more information about this process, see Identifying a realm by application domains.
- Remedy SSO server allows authentication according to the authentication method specified for the realm.
- Depending on the authentication method, the user is redirected to the login page or is automatically authenticated by Remedy SSO. For information about the login options, see Logon and logoff experience for end users.
- When the end user is successfully authenticated on the Remedy SSO login page, the end user is automatically redirected to the application.
Identifying a realm by application domains
Realm identification is based on the application URL used for accessing an end user application.
For example, an end user uses the application.domain.com URL to access an application. To authenticate the user, Remedy SSO needs to identify the realm by checking the following mappings in all realms available on the Remedy SSO server:
When a realm with a matching application domain is found, this realm is used for authentication.
If you have several realms with the same matching application domain parts, realm selection becomes unpredictable. To avoid authentication errors, application domain mapping must be unique across all realms on the Remedy SSO.
Usage example: Configuring realms for application domains
Suppose an organization has the following applications:
- Helpdesk—accessed by all users through the URL http://helpdesk.yourcompany.com
- ITSM—accessed only by the IT team through the URL http://itsm.yourcompany.com
- BMC Helix Digital Workplace—accessed only by the IT team through the URL http://dwp.yourcompany.com
You can create helpdesk and itsm realms and map the application domains and authentication methods to these realms described in the following table:
|Application||Accessed by||Realm||Application domain||Authentication method||Description|
|http://helpdesk.yourcompany.com/||All users||helpdesk||helpdesk.yourcompany||SAML 2.0|
The helpdesk realm contains one helpdesk.yourcompany application domain, and it is authenticated by the SAML 2.0 authentication method.
The itsm realm has two application domains: itsm.yourcompany and dwp.yourcompany. Both application domains are authenticated by the Kerberos authentication method.
When an end user accesses the Helpdesk application belonging to the helpdesk.yourcompany.com application domain (Domain 1 in the diagram), the end user gets authenticated through Remedy SSO, via helpdesk realm (see Realm 1 in the diagram) which is configured for SAML authentication method (Authentication 1 in the diagram), and allows authentication via helpdesk.yourcompany.com (Domain 1 in the diagram).
This end user can access the ITSM application belonging to the itsm.yourcompany.com application domain (Domain 2 in the diagram). The end user gets authenticated through Remedy SSO, via itsm realm (see Realm 2 in the diagram) which is configured for Kerberos authentication method (Authentication 2 in the diagram), and allows authentication via itsm.yourcompany.com (Domain 2 in the diagram).
Log in or register to comment.