SAML 2.0 authentication
You can use SAML 2.0 to authenticate users. SAML 2.0 is implemented by forming a Circle of Trust that comprises a Service Provider (SP) and an Identity Provider (IdP).
The SP hosts and protects services that end users access. Remedy Single Sign-On is configured as an SP for BMC products. The IdP authenticates users and provides details of the authentication information to the SP.
You can configure SAML 2.0 to support the following authentication flows:
- SP initiated logon
- SP initiated logoff (single logout)
- IdP initiated login
- IdP initiated logoff (single logout)
SP initiated logon flow
The following table provides the SP initiated authentication flow:
| Step | Action |
|---|---|
| 1 | An end user accesses the protected application from a mobile device or through a web browser. |
| 2 | The Remedy SSO agent redirects the end user to the Remedy SSO server. |
| 3 | Remedy SSO sends a request to the IdP to authenticate the end user. |
| 4 | The IdP presents a login page to the end user for authentication. |
| 5 | The end user enters valid credentials. |
| 6 | The IdP performs user authentication. |
| 7 | The IdP generates an authentication response and sends it back to the Remedy SSO server. |
| 8 | The Remedy SSO server processes the authentication response, validates it, and extracts the assertion that carries the user data. |
| 9 | Remedy SSO creates a session for the user. |
| 10 | The end user is able to access the application. |
SP initiated logoff flow
When an end user logs out from an application that is integrated with Remedy SSO, the end user gets logged out from applications of all service provider sites that have a single sign-on session. To enable the single logout feature, you must configure the SAML 2.0 authentication.
The following table provides the sequence of events that occur for the SP initiated SAML 2.0 single logout.
| Step | Action |
|---|---|
| 1 | An end user initiates a logout from an application that is integrated with Remedy SSO and that has a single sign-on session. |
| 2 | Remedy SSO sends a logout request to the Identity Provider (IdP). |
| 3 | The IdP sends the logout response to Remedy SSO. |
| 4 | Remedy SSO logs out the user by deleting the application session and the authentication cookies. |
| 5 | Remedy SSO redirects the browser to the URL specified in the After Logout URL field configured for the realm. |
IdP initiated login flow
In an IdP initiated login, a user gains access to the IdP site first and then clicks one of the services provided by the remote Service Provider (SP). After the user selects the required service, the IdP initiates the authentication workflow.
IdP initiated login has the following advantages:
- In an SP initiated login, users need to use a different link for each service provided by a service provider, so they might need to bookmark all of those links. With IdP initiated login, end users need only one link, the IdP link, to gain access to any service provided by a service provider. For example, if the IdP is AD FS 2.0, the user enters the URL of the IdP site to gain access to it.
- Users get the same single sign-on experience for gaining access to BMC products and the third-party products as they click the same IdP link to gain access to these products.
The following table provides the sequence of events that occur for the IdP initiated login.
| Step | Action |
|---|---|
| 1 | An end user enters an IdP link in a browser. |
| 2 | The browser sends the request to the IdP. |
| 3 | The IdP requests user credentials if the user does not have an existing local security context. |
| 4 | The end user enters the credentials and logs into the IdP server. |
| 5 | The IdP creates a local security context for the user and displays a list of services that are offered by the SP. |
| 6 | The end user clicks the link of the required service. |
| 7 | The IdP invokes its Single Sign-On service, which creates a SAML assertion and places this assertion in the response message of an HTML form. |
| 8 | The IdP sends the HTML form to the browser. |
| 9 | The browser sends the HTML form to the Assertion Consumer Service of the Remedy SSO server. |
| 10 | The Assertion Consumer Service validates the digital signature on the SAML assertion. After validation, the Assertion Consumer Service extracts the response message from the HTML form to create a local logon security context for the user on the Remedy SSO server. |
| 11 | The Remedy SSO server retrieves the service URL from the HTML form and sends an HTTP redirect response to the browser to access the service. |
| 12 | The Remedy SSO agent of the service performs the access check for the user. If the user has the correct authorization, the Remedy SSO agent returns the service to the browser. |
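Step 8 of the SP initiated flow and steps 9 and 10 of the IdP initiated flow both end with the Assertion Consumer Service validating the response and extracting the assertion. The following added example (not Remedy SSO code; all endpoint URLs and entity IDs are hypothetical) shows the checks that an ACS applies after an XML-DSig library has already verified the signature: status, Destination, Issuer on both the Response and the Assertion, exactly one Assertion, the validity window and Audience from Conditions, a bearer SubjectConfirmation addressed to this ACS, and the distinction between a solicited response (which must answer an AuthnRequest the SP issued, once) and an unsolicited, IdP initiated one (accepted only when that flow is enabled). The sample response is constructed inline.

```python
"""Added example (not Remedy SSO code): SP-side checks an Assertion Consumer
Service applies to a SAML 2.0 Response after its XML signature has been
verified by a DSig library. URLs and entity IDs are hypothetical."""
import base64
import xml.etree.ElementTree as ET
from datetime import datetime, timezone, timedelta

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
BEARER = "urn:oasis:names:tc:SAML:2.0:cm:bearer"
ACS_URL = "https://rsso.example.test/rsso/saml/acs"    # hypothetical ACS endpoint
SP_ENTITY_ID = "https://rsso.example.test/rsso/sp"    # hypothetical SP entity ID
IDP_ENTITY_ID = "https://idp.example.test/metadata"   # hypothetical IdP entity ID

# Constructed sample: an unsolicited (IdP-initiated) Response, so no InResponseTo.
SAMPLE_RESPONSE_XML = b"""<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
 xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0"
 IssueInstant="2024-01-01T12:00:00Z" Destination="https://rsso.example.test/rsso/saml/acs">
 <saml:Issuer>https://idp.example.test/metadata</saml:Issuer>
 <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
 <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2024-01-01T12:00:00Z">
  <saml:Issuer>https://idp.example.test/metadata</saml:Issuer>
  <saml:Subject><saml:NameID>alice</saml:NameID>
   <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
    <saml:SubjectConfirmationData NotOnOrAfter="2024-01-01T12:05:00Z"
     Recipient="https://rsso.example.test/rsso/saml/acs"/>
   </saml:SubjectConfirmation></saml:Subject>
  <saml:Conditions NotBefore="2024-01-01T11:59:00Z" NotOnOrAfter="2024-01-01T12:05:00Z">
   <saml:AudienceRestriction><saml:Audience>https://rsso.example.test/rsso/sp</saml:Audience>
   </saml:AudienceRestriction></saml:Conditions>
  <saml:AttributeStatement><saml:Attribute Name="mail">
   <saml:AttributeValue>alice@example.test</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement></saml:Assertion></samlp:Response>"""
SAMPLE_RESPONSE_B64 = base64.b64encode(SAMPLE_RESPONSE_XML).decode("ascii")  # SAMLResponse form field


def parse_instant(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def validate_response(saml_response_b64, *, outstanding_request_ids, allow_unsolicited,
                      now, skew=timedelta(seconds=60)):
    """Return {"ok", "errors", "user", "attributes"}; every failed check is listed."""
    # Production code should parse with entity expansion disabled (e.g. defusedxml).
    root = ET.fromstring(base64.b64decode(saml_response_b64))
    errors, user, attrs = [], None, {}
    if root.tag != "{%s}Response" % NS["samlp"]:
        return {"ok": False, "errors": ["not a samlp:Response"], "user": None, "attributes": {}}
    status = root.find("samlp:Status/samlp:StatusCode", NS)
    if status is None or status.get("Value") != SUCCESS:
        errors.append("status is not Success")
    if root.get("Destination") != ACS_URL:
        errors.append("Destination is not this ACS URL")
    if (root.findtext("saml:Issuer", namespaces=NS) or "").strip() != IDP_ENTITY_ID:
        errors.append("Response Issuer is not the trusted IdP")
    # SP-initiated: must answer an AuthnRequest this SP issued, and only once.
    # IdP-initiated: no InResponseTo; accepted only if unsolicited logins are enabled.
    irt = root.get("InResponseTo")
    if irt is None:
        if not allow_unsolicited:
            errors.append("unsolicited Response but IdP-initiated login is disabled")
    elif irt not in outstanding_request_ids:
        errors.append("InResponseTo matches no outstanding AuthnRequest")
    else:
        outstanding_request_ids.discard(irt)
    assertions = root.findall("saml:Assertion", NS)
    if len(assertions) != 1:  # zero or several assertions: reject rather than pick one
        errors.append("expected exactly one Assertion, found %d" % len(assertions))
        return {"ok": False, "errors": errors, "user": None, "attributes": {}}
    a = assertions[0]
    if (a.findtext("saml:Issuer", namespaces=NS) or "").strip() != IDP_ENTITY_ID:
        errors.append("Assertion Issuer is not the trusted IdP")
    cond = a.find("saml:Conditions", NS)
    if cond is None:
        errors.append("Assertion has no Conditions")
    else:
        nb, noa = cond.get("NotBefore"), cond.get("NotOnOrAfter")
        if nb and now + skew < parse_instant(nb):
            errors.append("Assertion not yet valid")
        if noa and now - skew >= parse_instant(noa):
            errors.append("Assertion expired")
        audiences = [(e.text or "").strip()
                     for e in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
        if SP_ENTITY_ID not in audiences:
            errors.append("Audience does not include this SP")
    confirmed = False  # need a bearer confirmation addressed to this ACS and still in its lifetime
    for sc in a.findall("saml:Subject/saml:SubjectConfirmation", NS):
        d = sc.find("saml:SubjectConfirmationData", NS)
        if sc.get("Method") != BEARER or d is None or d.get("Recipient") != ACS_URL:
            continue
        if d.get("NotOnOrAfter") and now - skew >= parse_instant(d.get("NotOnOrAfter")):
            continue
        if d.get("InResponseTo") not in (None, irt):
            continue
        confirmed = True
    if not confirmed:
        errors.append("no usable bearer SubjectConfirmation for this ACS")
    if not errors:
        user = (a.findtext("saml:Subject/saml:NameID", namespaces=NS) or "").strip()
        attrs = {at.get("Name"): [v.text for v in at.findall("saml:AttributeValue", NS)]
                 for at in a.findall("saml:AttributeStatement/saml:Attribute", NS)}
    return {"ok": not errors, "errors": errors, "user": user, "attributes": attrs}
```

The function collects every failure instead of stopping at the first one, which is what you want in SP logs when diagnosing a rejected login; the one exception is an assertion count other than one, where there is nothing safe to inspect further. Setting `allow_unsolicited=False` is the configuration equivalent of having IdP initiated login disabled: a response with no `InResponseTo` is then rejected outright.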
IdP initiated logoff flow
In the IdP initiated single logout (SLO), if a user logs out from any of the applications belonging to a single login session, the user gets logged out from all applications, BMC and third-party, that belong to the same session. IdP initiated SLO is triggered when the user clicks a logout option on the IdP logout page.
- End users have the same logout experience for both BMC and third-party products. To log out from the IdP and all applications provided by different SPs that share the common single sign-on session, end users click the same link on the IdP site.
- When end users log out from the IdP, they get logged out from all other logged-in applications, including Remedy SSO. After logging out, if an end user tries to gain access to any of the applications, the end user is authenticated again.
To enable the SLO feature, ensure that you provide the single logout service information in the SP metadata. For more information about the single logout service, see SAMLv2 authentication process.
| Step | Action |
|---|---|
| 1 | An end user clicks the logout link on the IdP logout page. |
| 2 | The IdP determines all applications that belong to that session. |
| 3 | The IdP builds a digitally signed SAML logout request that represents the security context of the user and places this assertion in an HTML form as a SAML request. |
| 4 | The IdP uses the HTTP redirect binding to send the logout request to all service providers, including Remedy SSO. |
| 5 | Remedy SSO performs the following tasks: |
| 6 | The IdP redirects the client browser to the IdP final logout URL. |
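Both logout tables end with the same two operations: a LogoutRequest carried over the HTTP redirect binding (step 4 of the IdP initiated flow, and the request Remedy SSO itself sends in step 2 of the SP initiated flow), and the receiving party deleting the matching session and answering with a LogoutResponse. The following added example (not Remedy SSO code; the SLO endpoint, entity IDs and session store are hypothetical and constructed) encodes a LogoutRequest the way the redirect binding requires (raw DEFLATE, base64, URL-encoded query parameter), decodes it on the SP side, and terminates only the sessions whose SessionIndex and NameID both match, so a request for one user can never end another user's session. Verification of the redirect binding's query-string signature is assumed to happen before `handle_logout_request` is called.

```python
"""Added example (not Remedy SSO code): SAML 2.0 single logout over the
HTTP-Redirect binding, SP side. Endpoints, entity IDs and the session store
are hypothetical, constructed values."""
import base64
import zlib
import xml.etree.ElementTree as ET
from datetime import datetime, timezone, timedelta
from urllib.parse import urlencode, urlsplit, parse_qs
from xml.sax.saxutils import escape

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
STATUS_SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
STATUS_REQUESTER = "urn:oasis:names:tc:SAML:2.0:status:Requester"
SP_SLO_URL = "https://rsso.example.test/rsso/saml/slo"   # hypothetical SP SLO endpoint
IDP_ENTITY_ID = "https://idp.example.test/metadata"     # hypothetical trusted IdP


def fmt_instant(dt):
    return dt.strftime("%Y-%m-%dT%H:%M:%SZ")


def parse_instant(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def attr(s):  # escape a value for use inside a double-quoted XML attribute
    return escape(s, {'"': "&quot;"})


def build_logout_request(*, issuer, destination, name_id, session_indexes, request_id, now):
    """LogoutRequest as the IdP (or an SP) would build it; one SessionIndex per session."""
    sis = "".join("<samlp:SessionIndex>%s</samlp:SessionIndex>" % escape(s) for s in session_indexes)
    return ('<samlp:LogoutRequest xmlns:samlp="{p}" xmlns:saml="{a}" ID="{id}" Version="2.0" '
            'IssueInstant="{ii}" Destination="{dest}" NotOnOrAfter="{noa}">'
            '<saml:Issuer>{iss}</saml:Issuer><saml:NameID>{nid}</saml:NameID>{sis}'
            '</samlp:LogoutRequest>').format(
        p=NS["samlp"], a=NS["saml"], id=attr(request_id), ii=fmt_instant(now), dest=attr(destination),
        noa=fmt_instant(now + timedelta(minutes=5)), iss=escape(issuer), nid=escape(name_id), sis=sis)


def build_logout_response(*, issuer, destination, in_response_to, status, response_id, now):
    return ('<samlp:LogoutResponse xmlns:samlp="{p}" xmlns:saml="{a}" ID="{id}" Version="2.0" '
            'IssueInstant="{ii}" Destination="{dest}" InResponseTo="{irt}"><saml:Issuer>{iss}</saml:Issuer>'
            '<samlp:Status><samlp:StatusCode Value="{st}"/></samlp:Status></samlp:LogoutResponse>').format(
        p=NS["samlp"], a=NS["saml"], id=attr(response_id), ii=fmt_instant(now), dest=attr(destination),
        irt=attr(in_response_to), iss=escape(issuer), st=attr(status))


def to_redirect_url(endpoint, xml_str, relay_state=None):
    """HTTP-Redirect binding: raw DEFLATE (no zlib header), base64, URL-encode."""
    c = zlib.compressobj(9, zlib.DEFLATED, -15)
    deflated = c.compress(xml_str.encode("utf-8")) + c.flush()
    params = {"SAMLRequest": base64.b64encode(deflated).decode("ascii")}
    if relay_state is not None:
        params["RelayState"] = relay_state
    # A signed deployment appends SigAlg and Signature computed over this query
    # string; checking them is assumed to precede handle_logout_request.
    return endpoint + "?" + urlencode(params)


def from_redirect_url(url):
    qs = parse_qs(urlsplit(url).query)
    xml_bytes = zlib.decompress(base64.b64decode(qs["SAMLRequest"][0]), -15)
    return xml_bytes, qs.get("RelayState", [None])[0]


def handle_logout_request(xml_bytes, sessions, *, trusted_issuer, slo_url, now):
    """SP side. `sessions` maps SessionIndex -> {"name_id": ...} (the SP session store).
    Returns (status URI, list of terminated SessionIndex values)."""
    req = ET.fromstring(xml_bytes)
    issuer = (req.findtext("saml:Issuer", namespaces=NS) or "").strip()
    noa = req.get("NotOnOrAfter")
    if (req.tag != "{%s}LogoutRequest" % NS["samlp"] or issuer != trusted_issuer
            or req.get("Destination") != slo_url or (noa and now >= parse_instant(noa))):
        return STATUS_REQUESTER, []  # untrusted, misdirected or stale: terminate nothing
    name_id = (req.findtext("saml:NameID", namespaces=NS) or "").strip()
    terminated = []
    for e in req.findall("samlp:SessionIndex", NS):
        sid = (e.text or "").strip()
        s = sessions.get(sid)
        if s is not None and s["name_id"] == name_id:  # index and subject must both match
            del sessions[sid]  # deletes the application session (and its cookies)
            terminated.append(sid)
    return STATUS_SUCCESS, terminated
```

The `NotOnOrAfter` check is what stops a captured logout URL from being replayed later to log a user out, and the Destination check is what stops a request built for one SP from being accepted by another; both are cheap and both are frequently omitted.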