This documentation supports the 19.02 version of Remedy Single Sign-On.

Reauthentication

Some BMC applications protect business-critical functionality with an additional security level. This protection mechanism issues a reauthentication request: end users are asked to provide their credentials again when they perform a sensitive action in the system, for example, approving a service request.

Remedy Single Sign-On handles reauthentication requests from integrated applications in different ways. Depending on how the realm is configured, Remedy Single Sign-On processes a reauthentication request in one of the following ways:

  • Enables automatic reauthentication—end users are not required to provide the user name and password at the time of reauthentication on the Remedy Single Sign-On login page. 
  • Enables manual reauthentication—end users are required to provide their credentials at the time of a reauthentication request.

Automatic reauthentication

End users are authenticated automatically at the time of a reauthentication request only if a single authentication method is configured for the realm and that method is one of the following:

  • Kerberos
  • Certificate-based
  • Preauthentication
  • SAML—when configured not to display the login page for end users.

Manual reauthentication for a realm with a single authentication method

If one of the following authentication methods is configured for a realm, reauthentication is manual: end users are required to provide their credentials on the login page at the time of the reauthentication request:

  • AR
  • LDAP
  • Local
  • OpenID Connect
  • SAML configured to display the login page for end users

For SAML and OpenID Connect IdPs, the login page of the IdP is displayed at the time of the reauthentication request.
For AR, Local, and LDAP IdPs, the Remedy Single Sign-On login page is displayed.

Manual reauthentication for a realm with a chain of authentication methods

If an authentication chain is configured for a realm, you can enable manual reauthentication. At the time of a reauthentication request, the secondary authentication in the chain is invoked, and end users are required to provide their credentials on its login page.

The following diagram shows how reauthentication works for a realm with several authentication methods:

[Diagram: Reauthentication model]

To configure manual reauthentication for a realm with several authentication methods, chain them according to the following rules:

Primary authentication

Supported authentication methods:

  • SAML
  • Kerberos
  • Certificate-based
  • Preauthentication

SAML note:

If the SAML IdP is configured not to display the login page to end users, you must enable the Bypass for reauth requests setting in the SAML configuration of the realm; otherwise the reauthentication request cannot reach the secondary method. For information about this setting, see Importing configuration from an identity provider and configuring SAML.

Preauthentication notes:

  • If the authentication request from the application contains a JWT, end users are authenticated by Preauthentication, and the request is not redirected to the next IdP in the chain.
  • If the authentication request from the application does not contain a JWT, the request is redirected to the next IdP in the chain.

Secondary authentication

Supported authentication methods:

  • LDAP
  • AR
  • Local
  • OpenID Connect

Note: For OpenID Connect IdPs, the login page of the IdP is displayed at the time of the reauthentication request. For LDAP, AR, and Local, the Remedy Single Sign-On login page is displayed.
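The rules above for single-method realms (automatic versus manual reauthentication, and which login page appears) and for chained realms (primary and secondary roles, the Preauthentication JWT rule, and the SAML Bypass for reauth requests requirement) can be checked mechanically before a realm goes live. The following is an added example written for this page, not BMC code: `RealmConfig`, `AuthRequest`, `Outcome`, `validate_realm`, and `reauth_outcome` are assumed names for the model. `validate_realm` acts as a configuration lint for a chain, and `reauth_outcome` answers, for a given realm and request, how a reauthentication request would be handled.

```python
"""Model of the Remedy SSO reauthentication rules described on this page.

Added example, not BMC's implementation. RealmConfig, AuthRequest and Outcome
are assumed names; the rules they encode are the ones stated in the text above.
"""
from dataclasses import dataclass
from enum import Enum


class Method(str, Enum):
    KERBEROS = "Kerberos"
    CERT = "Certificate-based"
    PREAUTH = "Preauthentication"
    SAML = "SAML"
    AR = "AR"
    LDAP = "LDAP"
    LOCAL = "Local"
    OIDC = "OpenID Connect"


# Methods allowed as the primary / secondary link of an authentication chain.
PRIMARY = {Method.SAML, Method.KERBEROS, Method.CERT, Method.PREAUTH}
SECONDARY = {Method.LDAP, Method.AR, Method.LOCAL, Method.OIDC}
# Single-method realms that reauthenticate without a prompt (SAML is conditional).
SILENT = {Method.KERBEROS, Method.CERT, Method.PREAUTH}


class Outcome(str, Enum):
    AUTOMATIC = "automatic reauthentication"
    MANUAL_RSSO_LOGIN = "manual: Remedy SSO login page"
    MANUAL_IDP_LOGIN = "manual: IdP login page"


@dataclass
class RealmConfig:
    chain: list                           # ordered Methods; one entry = no chain
    saml_shows_login_page: bool = True    # SAML IdP displays its login page
    saml_bypass_for_reauth: bool = False  # "Bypass for reauth requests" setting


@dataclass
class AuthRequest:
    has_jwt: bool = False  # request from the application carries a Preauth JWT


def validate_realm(cfg: RealmConfig) -> list:
    """Return the chaining-rule violations found in cfg ([] means it is valid)."""
    problems = []
    if not cfg.chain:
        return ["realm has no authentication method"]
    if len(cfg.chain) == 1:
        return problems
    primary, secondaries = cfg.chain[0], cfg.chain[1:]
    if primary not in PRIMARY:
        problems.append(f"{primary.value} is not a valid primary authentication")
    for m in secondaries:
        if m not in SECONDARY:
            problems.append(f"{m.value} is not a valid secondary authentication")
    if (primary is Method.SAML and not cfg.saml_shows_login_page
            and not cfg.saml_bypass_for_reauth):
        problems.append("SAML IdP hides its login page: enable 'Bypass for reauth requests'")
    return problems


def reauth_outcome(cfg: RealmConfig, req: AuthRequest = None) -> Outcome:
    """Decide how a reauthentication request is handled for this realm."""
    req = req or AuthRequest()
    problems = validate_realm(cfg)
    if problems:
        raise ValueError("; ".join(problems))
    if len(cfg.chain) == 1:
        method = cfg.chain[0]
        if method in SILENT:
            return Outcome.AUTOMATIC
        if method is Method.SAML:
            return (Outcome.MANUAL_IDP_LOGIN if cfg.saml_shows_login_page
                    else Outcome.AUTOMATIC)
        if method is Method.OIDC:
            return Outcome.MANUAL_IDP_LOGIN
        return Outcome.MANUAL_RSSO_LOGIN  # AR, LDAP, Local
    # Chain: Preauth completes the request itself when a JWT is present; otherwise
    # the request falls through to the secondary method, which always prompts.
    primary, secondary = cfg.chain[0], cfg.chain[1]
    if primary is Method.PREAUTH and req.has_jwt:
        return Outcome.AUTOMATIC
    return (Outcome.MANUAL_IDP_LOGIN if secondary is Method.OIDC
            else Outcome.MANUAL_RSSO_LOGIN)


if __name__ == "__main__":
    # Constructed sample realms, not taken from any real deployment.
    print(reauth_outcome(RealmConfig([Method.KERBEROS])).value)
    print(reauth_outcome(RealmConfig([Method.PREAUTH, Method.LDAP]),
                         AuthRequest(has_jwt=False)).value)
    print(validate_realm(RealmConfig([Method.SAML, Method.AR],
                                     saml_shows_login_page=False)))
```

The model treats a chain's primary as deciding only whether the reauthentication request is satisfied in place (Preauthentication with a JWT) or handed to the secondary; it does not model a SAML primary that still displays its login page, because the page only describes the bypass case for hidden-login-page SAML.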

