Importing configuration from an identity provider and configuring the SAML authentication
After you have configured the advanced options for SAML authentication, import the identity provider (IdP) metadata and configure the SAML authentication for a realm on your Remedy Single Sign-On server.
Watch this video (3:53) on how to configure SAML in the Remedy SSO Admin Console.
Before you begin
Ensure that you have one of the following:
- The URL from which the IdP SAML metadata can be fetched (for the Import from URL option), or
- The SAML metadata file exported from the IdP (for the Import from file option).
To configure SAML authentication
Configure the SAML fields as required:
The fields are listed below as the field name followed by its description.

Identity Provider

Import
Option to import the SAML metadata. Perform one of the following actions:
- Select Import from URL, and type the URL where the IdP SAML configuration is stored.
- Select Import from file, and upload the SAML configuration file from a local folder on your computer.
After you import SAML metadata, most of the fields on the Authentication page get populated with imported values.
Federation metadata URL
URL of the IdP federation metadata.
Use this URL to enable automatic rollover: after the signing certificate is updated on the SAML IdP side, the Remedy SSO server fetches the new certificate from this URL and updates its copy automatically. Such rollovers are more frequent if you use Azure Active Directory as an identity provider.
If the IdP federation metadata URL is not specified, an administrator must renew the signing certificate manually.
IdP Entity ID
Entity ID obtained from an external IdP such as Active Directory Federation Services (AD FS) or Okta.
Login URL
Login URL obtained from an external IdP such as AD FS or Okta.
Logout URL
URL provided by the IdP to which the user is redirected for service provider (SP) initiated logout.
If you do not specify a value for this field, the value specified in the Login URL field is used for both login and logout.
Logout Response URL
URL provided by the IdP to which the user is redirected for IdP initiated logout.
HTTP Binding Type
HTTP binding for the SP initiated logout URL.
IdP Signing Certificate
Certificate of the IdP that Remedy SSO uses to verify the signature on the SAML responses and assertions that the IdP sends. If the Federation metadata URL is not specified, this certificate must be renewed manually whenever the IdP rotates its signing key.
User ID Attribute (Optional)
Name of the attribute in the SAML response from which the user ID is retrieved. If no value is specified, the NameID is used as the user ID. The value of this field depends on the SAML IdP configuration.
NameID Format
Name identifier formats supported by an SP. SPs use name identifiers to pass information about users.
In this field, enter the NameID Format values. The first value in the list has the highest priority in determining the NameID format to use.
If no NameID format is specified when single sign-on is initiated, the first value in the NameID Format list that the remote IdP supports is chosen.
Note: To link user accounts from the SP and the remote IdP after an end user logs in to the integrated BMC application through the SAML IdP, the persistent NameID format must be at the top of the list.
For more information about Name Format Identifiers, see paragraph 8.2 in .
Auth Context Compare
Options (exact, minimum, maximum, better) available for the Auth Context Compare.
For more information about Auth Context Compare options, see .
Authentication context that maps the SAML 2.0-defined authentication context classes to the authentication level that is set for the user session for the SP.
Issuer
Issuer that the SAML authentication request XML uses to inform the IdP about the entity ID of the SP for this request.
If no value is specified, the entity ID of the current realm is used as the Issuer in the SAML authentication request.
Assertion Time Skew
Time offset between Remedy SSO and the IdP. The value must be specified in minutes.
Assertion Time Format
Time format used by the timestamps in assertions. The value depends on the defined patterns. For more information, see .
Option to indicate whether the IdP requires the authentication request to be signed.
To sign the authentication request, select this check box. Additionally, on the General > Advanced tab, specify the Signing Key Alias.
Force Authentication
Option to force the user to authenticate at the IdP again, even if the IdP already holds a session for that user.
Enable Single Logout
Option to delete the SAML IdP session on application logout. If an end user logs out from the application, the user is logged out from the SAML IdP as well.
Sign Metadata
Option to indicate whether the IdP requires SAML metadata to be signed.
You might need to sign the SAML metadata to comply with security policies in your organization. When you configure a realm to sign SAML metadata, the Remedy SSO server retrieves the certificate and private key stored under the keystore alias specified as the Signing Key Alias and signs the metadata with that key.
Service Provider

View Metadata
Opens the Remedy SSO SP metadata that is generated from the SP Metadata Template field. If any required parameter is missing, the system shows an error message for that parameter.
Template

Authentication Request Template
Template used for a SAML authentication request.
You can select Default or Custom and edit the template if required. After a Remedy SSO upgrade, the authentication request template is not updated automatically. To use the new functionality after the upgrade, you must manually edit and update the template in the realm settings.
SP Metadata Template
SP metadata template.
You can select Default or Custom and edit the template if required. After a Remedy SSO upgrade, the SP metadata template is not updated automatically. To use the new functionality after the upgrade, you must manually update the metadata template. For more information about updating the metadata template after upgrading, see Upgrading.
Bypass for reauth requests
Indicates that SAML must not be used for reauthentication requests in an authentication chain.
- Click Save.
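The request-side fields (Issuer, Force Authentication, NameID Format, Auth Context Compare) and the response-side fields (Assertion Time Skew, Assertion Time Format, User ID Attribute) are easiest to understand by seeing where each value lands. The following Python is an added example, not Remedy SSO code and not its templates: build_authn_request() renders an AuthnRequest carrying those fields, and check_assertion() applies the time skew (in minutes, as on the page), the time-format patterns and the user-ID attribute fallback to a constructed, unsigned Response. Host names, entity IDs and the response itself are constructed; XML-signature verification is assumed to have happened before check_assertion() runs and is not shown.

```python
import uuid
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone
from xml.sax.saxutils import escape, quoteattr

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
NS = {"samlp": SAMLP, "saml": SAML}
PERSISTENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
COMPARE_VALUES = ("exact", "minimum", "maximum", "better")
TIME_PATTERNS = ("%Y-%m-%dT%H:%M:%SZ", "%Y-%m-%dT%H:%M:%S.%fZ")  # Assertion Time Format patterns tried in order
SP_ENTITY_ID = "https://sso.example.test/rsso"  # constructed realm entity ID

# Constructed, unsigned Response; signature verification is assumed to happen before check_assertion().
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0" IssueInstant="2024-05-01T12:00:00Z">
  <saml:Issuer>https://idp.example.test/saml</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2024-05-01T12:00:00Z">
    <saml:Issuer>https://idp.example.test/saml</saml:Issuer>
    <saml:Subject><saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent">a1b2c3</saml:NameID></saml:Subject>
    <saml:Conditions NotBefore="2024-05-01T12:00:00Z" NotOnOrAfter="2024-05-01T12:05:00Z">
      <saml:AudienceRestriction><saml:Audience>https://sso.example.test/rsso</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
    <saml:AttributeStatement>
      <saml:Attribute Name="uid"><saml:AttributeValue>jsmith</saml:AttributeValue></saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""


def utc(*parts):
    """datetime(y, m, d, H, M[, S]) in UTC; keeps the calls below short."""
    return datetime(*parts, tzinfo=timezone.utc)


def build_authn_request(idp_login_url, acs_url, realm_entity_id, issuer=None, force_authn=False,
                        nameid_format=PERSISTENT, authn_context_class=None, compare="exact", now=None):
    """Render an AuthnRequest from the realm fields (layout assumed here; not the product's template)."""
    if compare not in COMPARE_VALUES:
        raise ValueError("Auth Context Compare must be one of %s" % (COMPARE_VALUES,))
    issue_instant = (now or datetime.now(timezone.utc)).strftime(TIME_PATTERNS[0])
    xml = ['<samlp:AuthnRequest xmlns:samlp=%s xmlns:saml=%s ID="_%s" Version="2.0" IssueInstant="%s"'
           % (quoteattr(SAMLP), quoteattr(SAML), uuid.uuid4().hex, issue_instant),
           " Destination=%s AssertionConsumerServiceURL=%s" % (quoteattr(idp_login_url), quoteattr(acs_url)),
           ' ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"']
    if force_authn:  # Force Authentication: the IdP must re-authenticate even if it has a session
        xml.append(' ForceAuthn="true"')
    xml.append(">")
    xml.append("<saml:Issuer>%s</saml:Issuer>" % escape(issuer or realm_entity_id))  # Issuer defaults to the realm
    xml.append('<samlp:NameIDPolicy Format=%s AllowCreate="true"/>' % quoteattr(nameid_format))
    if authn_context_class:  # requested authentication context plus the Auth Context Compare method
        xml.append('<samlp:RequestedAuthnContext Comparison="%s"><saml:AuthnContextClassRef>%s'
                   "</saml:AuthnContextClassRef></samlp:RequestedAuthnContext>" % (compare, escape(authn_context_class)))
    xml.append("</samlp:AuthnRequest>")
    return "".join(xml)


def parse_saml_time(value):
    for pattern in TIME_PATTERNS:
        try:
            return datetime.strptime(value, pattern).replace(tzinfo=timezone.utc)
        except ValueError:
            pass
    raise ValueError("unrecognised assertion time format: %r" % value)


def check_assertion(response_xml, audience, skew_minutes=0, user_id_attribute=None, now=None):
    """Apply Assertion Time Skew (minutes) and User ID Attribute; raises ValueError on any failed check."""
    now = now or datetime.now(timezone.utc)
    root = ET.fromstring(response_xml)
    status = root.find("samlp:Status/samlp:StatusCode", NS)
    if status is None or status.get("Value") != SUCCESS:
        raise ValueError("IdP did not report Success")
    assertion = root.find("saml:Assertion", NS)
    cond = assertion.find("saml:Conditions", NS) if assertion is not None else None
    if cond is None:
        raise ValueError("no Assertion with Conditions in Response")
    skew = timedelta(minutes=skew_minutes)  # widens the validity window in both directions, nothing more
    if cond.get("NotBefore") and now < parse_saml_time(cond.get("NotBefore")) - skew:
        raise ValueError("assertion not yet valid; check clock skew")
    if cond.get("NotOnOrAfter") and now >= parse_saml_time(cond.get("NotOnOrAfter")) + skew:
        raise ValueError("assertion expired; check clock skew")
    audiences = [a.text.strip() for a in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
    if audiences and audience not in audiences:
        raise ValueError("assertion was issued for a different SP")
    name_id = assertion.find("saml:Subject/saml:NameID", NS)
    if name_id is None or not (name_id.text or "").strip():
        raise ValueError("missing NameID")
    user_id = name_id.text.strip()
    if user_id_attribute:  # User ID Attribute set: take the user ID from that attribute instead of NameID
        values = [v.text for a in assertion.findall("saml:AttributeStatement/saml:Attribute", NS)
                  if a.get("Name") == user_id_attribute for v in a.findall("saml:AttributeValue", NS)]
        if not values or not (values[0] or "").strip():
            raise ValueError("User ID Attribute %r is not in the assertion" % user_id_attribute)
        user_id = values[0].strip()
    return {"user_id": user_id, "nameid": name_id.text.strip(), "nameid_format": name_id.get("Format")}
```

The skew is applied symmetrically: a response timed five minutes after its NotOnOrAfter passes only when Assertion Time Skew is at least five minutes, so keep the value as small as the real clock difference between Remedy SSO and the IdP allows, because every extra minute extends how long a captured assertion can be replayed.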
To obtain the SP federation metadata
After you have configured a realm for SAML authentication, obtain the URL of the SP SAML metadata file.
- In the left navigation panel of the Edit Realm page, click Authentication.
- Click View Metadata.
The metadata file opens in the browser.
- Copy the URL displayed in the browser address bar, and save it in a text file.
The URL might look as follows:
You need this URL when you configure an IdP for SAML authentication.
Where to go from here