×
 
 
  •  
$helper.renderConfluenceMacro('{bmc-global-announcement:$space.key}')

Unsupported content

 

This version of the product is in limited support. However, the documentation is available for your convenience. You will not be able to leave comments.
Remedy Single Sign-On 19.05 ... Administering Configuring Remedy SSO for authentication Configuring authentication Configuring SAML 2.0 authentication

Configuring Active Directory Federation Services as a SAML identity provider

After you configure Remedy SSO as a service provider and Active Data Federation Services (AD FS) as the remote identity provider (IdP) in Remedy SSO Admin Console, configure SAML for AD FS.

Related topics

Importing configuration from an identity provider and configuring the SAML authentication

Before you begin

Task 1: To import service provider certificates to the AD FS identity provider

  1. To export the SSL certificate of the Tomcat on which Remedy SSO is deployed, perform the following steps:

    1. Open Remedy SSO URL, and click the padlock symbol in the address line of the browser.

    2. In the Certificate window, click the Details tab.

    3. Click Copy to File.

    4. In the Certificate Export Wizard, click Next.

    5. Select "DER encoded binary X.509 (.CER)", and click Next.

    6. Provide a name for the file and include the path in the file name.

      Note

      The Common Name (CN) attribute of this certificate must be the same as the FQDN of Remedy SSO server.

  2. To import certificates to the AD FS server, perform the following steps:

    1. From the Run dialog box, type mmc to open Microsoft Management Console (mmc).
    2. Open the File menu and click Add/Remove Snap-in.
    3. From the list of available snap-ins, select Certificates, and click Add.
      The Certificates snap-in dialog box is displayed.
    4. Select My User Account, and click Finish and OK.
    5. From the explorer panel, select Personal > Certificates.
    6. On the Action menu, point to All Tasks, and then click Import to start the Certificate Import Wizard.
    7. Follow the wizard steps and import the following certificates:
      • SSL certificate of the Tomcat on which Remedy SSO is deployed
      • (Optional) If required, the service provider certificate signed by Remedy SSO.
      To check whether the certificates are successfully imported, from the explorer panel, select Trusted Root Certification Authorities > Certificates, and search for the imported certificates.

Task 2: To configure a relying party trust

Remedy SSO is the relying party which depends on the IdP to check the claims of the user. In this case, AD FS is the IdP.

  1. On the AD FS server, open the AD FS 2.0 Management application.

  2. On the Trust Relationships tab, select Relying Party Trusts and right-click it.

  3. Select Add Relying Party Trust Wizard.
  4. Click Start.

  5. Select Import data about the relying party published online or on a local network radio button.

    Note

    If AD FS and Remedy SSO servers cannot connect via SSL because of some specific network settings, you might see a warning. This error message might be normal and you can ignore it. In this case, you can import the service provider metadata XML to the AD FS in the offline mode.

    If you are unable to proceed with the configuration, the certificates were not exchanged correctly. Contact the Remedy SSO administrator for more information.

  6. In the Federation metadata address field, enter the link copied from the Remedy SSO Admin Console (click View Metadata and copy the URL).

  7. Click Next.

  8. In the Display Name field, type any value, for example rsso-sp, and then click Next.

  9. On the Choose Issuance Authorization Rules step, click Permit all users to access this relying party, and click Next.
  10. Do not change the default selections, and click Next.
  11. Clear the Open the Claims when this finishes check box.
  12. Click Close.

After you close the Add Relying Party Trust Wizard window, rsso-sp appears in the Relying Party Trusts list.

Task 3: To modify the secure hash algorithm

  1. Right-click on the relying third party trust that you have just created.
  2. Click the Advanced tab.

  3. In the Secure hash algorithm box list, select SHA-1 and click OK.

Task 4: To configure the claim rules for the relying party

  1. From AD FS 2.0, select rsso-sp, and click Edit Claim Rules from the Actions menu.
  2. To add a claim rule, click Add Rule.
    1. Select the Send Claims Using Custom Rule claim-rule template.

    2. Enter the Send Claims Using UPN claim-rule name. In this case, use the following script:

      c:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn"]
     => issue(
Type = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier",
Issuer = c.Issuer,
OriginalIssuer = c.OriginalIssuer, 
Value = c.Value, 
ValueType = c.ValueType,
     
Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/format"] = 
"urn:oasis:names:tc:SAML:2.0:nameid-format:transient",
     
Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/namequalifier"] = 
"<idp-entity-id>",
     
Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/spnamequalifier"] = 
"<sp-entity-id>/<realm-id>"
     );

Notes

Task 5: To import AD FS certificates to Remedy SSO

  1. To export the AD FS certificates as files, perform the following steps:
    1. Open the AD FS 2.0 Management console.
    2. From the explorer panel, navigate to Service > Certificates.
    3. Double-click the certificate name.
    4. Double-click the Details tab.
    5. Click Copy to File and then click Next.
    6. Select Do not export the private key and then click Next.
    7. Select DER and then select the file to save it.
    8. Click Finish.
    9. Perform steps c-h for all the other certificates.
  2. To import the AD FS certificates into Remedy SSO *.jks file with the third-party tool KeyStore Explorer (https://keystore-explorer.org/), perform the following steps:
    1. Open the truststore file by using the KeyStore Explorer.
    2. Select Tools and click Import Trusted Certificate.
    3. Select the file and import it.

  3. Restart the Remedy SSO server.

Demonstration videos

Watch these videos to understand how to configure AD FS as a SAML IdP provider.

 https://www.youtube.com/watch?v=HcW-u-V9yvo?rel=0



 https://www.youtube.com/watch?v=FsIxJOeursU?rel=0



Was this page helpful? Yes No Submitting... Thank you
Last modified by Olha Horbachuk on Dec 24, 2021
configuration administering videos

Comments

Log in or register to comment.

Importing configuration from an identity provider and configuring the SAML authentication
Enabling AR authentication for bypassing other authentication methods
© Copyright 1991 – 2019 BMC Software, Inc.
© Copyright 1991 – 2019 BladeLogic, Inc.
Legal notices

Powered by Atlassian Confluence and Scroll Viewport

© Copyright 2005-2024 BMC Software, Inc. Use of this site signifies your acceptance of BMC’s Terms of Use . BMC, the BMC logo, and other BMC marks are assets of BMC Software, Inc. These trademarks are registered and may be registered in the U.S. and in other countries.