This documentation supports the 19.11 version of BMC Remedy Single Sign-On, which is available only to BMC Helix subscribers (SaaS).


Importing configuration from an identity provider and configuring the SAML authentication

After you have configured the advanced options for SAML authentication, you can import the identity provider (IdP) metadata and configure SAML authentication for a realm on your Remedy Single Sign-On server.

Before you begin

  • Create a realm for SAML authentication, and configure the general details for the realm. For more information, see Configuring general settings for a realm.
  • Obtain one of the following from the IdP administrator:
    • The URL from which the IdP metadata can be imported (used with Import from URL), or
    • The SAML metadata file obtained from the IdP (used with Import from file).

To import SAML metadata of the identity provider

  1. Click Import, and select one of the following options to import the SAML metadata:
    • Select Import from URL, and type the URL where the IdP SAML configuration is stored.
    • Select Import from file, and upload the SAML configuration file from a local folder on your computer.
  2. Click Import.
    After you import the SAML metadata, most of the fields on the Authentication page are populated with the imported values.

To configure SAML authentication

  1. Review the imported configuration fields, and configure the rest of the SAML fields as required:

    Identity Provider

    Federation metadata URL
      URL of the IdP's federation metadata. The URL must point to the IdP's valid (not expired) signing certificate.

      Remedy SSO verifies whether a signing key exists at this URL. If a signing key exists, Remedy SSO uses this information for authentication.

      Note: Signing keys are rolled over at the IdP end, and such rollovers are more frequent when Azure Active Directory is used as the IdP. For Remedy SSO to track the rollovers automatically, import the SAML metadata of the IdP by using Import from URL, and specify the federation metadata URL as the value.

    IdP Entity ID
      Entity ID obtained from an external IdP such as Active Directory Federation Services (AD FS) or Okta.

      Examples:
      http://adfs.local/adfs/services/trust
      http://www.okta.com/exk4mi22tbfhiAnIn0h7

    Login URL
      Login URL obtained from an external IdP such as AD FS or Okta.

      Examples:
      https://adfs.local/adfs/ls
      https://dev-726770.oktapreview.com/app/bmcdev726770_oktaidp_1/exk4mi22tbfhiAnIn0h7/sso/saml

    Logout URL
      URL provided by the IdP to which the user is redirected for SP-initiated logout.

      If you do not provide a value for this parameter, the value specified in the Login URL field is used for both login and logout.

    Logout Response URL
      URL provided by the IdP to which the user is redirected for IdP-initiated logout.

    HTTP Binding Type
      HTTP binding for the SP-initiated logout URL.

    IdP Signing Certificate
      Used by Remedy SSO to decrypt requests.

    User ID Attribute
      Used to retrieve the user ID from the specified attribute in the SAML response. If it is not specified, the NameID is used as the user ID.

    NameID Format
      Name identifier formats supported by a service provider. Service providers use name identifiers to pass information about users.

      In this field, enter the NameID Format values. The first value in the list has the highest priority in determining the NameID format to use.

      If no NameID format is specified when single sign-on is initiated, the first value in the NameID Format list that the remote IdP supports is chosen.

      A persistent identifier is saved to the user's data store entry as a two-attribute value.

      A transient identifier is temporary, and no data is written to the user's persistent data store.

      Note: To link user accounts from the service provider and the remote IdP after login, the persistent NameID format must be at the top of the list.

    Auth Context Compare
      Comparison method (exact, minimum, maximum, or better) used for the auth context.

    Auth Context
      Authentication context that maps the SAML 2.0-defined authentication context classes to the authentication level set for the user session for the service provider.

    Auth Issuer
      Issuer details used in the SAML authentication request XML to inform the IdP of the entity ID of the service provider for this request.

      If the value is not specified, the entity ID of the current realm is used as the Issuer in the SAML authentication request.

    Assertion Time Skew
      Time offset between Remedy SSO and the IdP that is tolerated when assertion timestamps are validated.

    Assertion Time Format
      Time format used in assertions.

    Sign Request
      Option to indicate whether the IdP requires the authentication request to be signed.

      To sign the SAML metadata, select this check box. Additionally, on the General > Advanced tab, specify the Signing Key Alias.

    Force Authentication
      Option to enforce authentication.

    Enable Single Logout
      Option to delete the SAML IdP session on application logout. If an end user logs out from the application, the user is also logged out from the SAML IdP.

    Sign Metadata
      Option to indicate whether the IdP requires the SAML metadata to be signed.

      You might need to sign the SAML metadata to comply with security policies in your organization. When you configure a realm to sign SAML metadata, the Remedy SSO server retrieves the certificate and private key from the keystore alias and signs the metadata with this key.

    Service Provider

    View Metadata
      Remedy SSO metadata generated from the SP Metadata Template field. If any required parameter is missing, the system shows an error message for that parameter.

    Template

    Authentication Request Template
      Template used for the SAML authentication request. You can select Default or Custom and edit the template, if required.

    SP Metadata Template
      Service provider metadata template. You can select Default or Custom and edit the template, if required. After an upgrade, the SP metadata template is not updated. To use new functionality after an upgrade, you must manually update the metadata template. For more information about updating the metadata template after upgrading, see Upgrading.

    Bypass for reauth requests
      Indicates that SAML must not be used for reauthentication requests in an authentication chain.
  2. Click Save.
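The following added example (not from the BMC documentation) shows how the Identity Provider fields above correspond to elements of a SAML 2.0 IdP metadata document: it parses a constructed EntityDescriptor, extracts the entity ID, login and logout URLs, HTTP binding, NameID formats in priority order and the signing certificate fingerprint, and flags metadata whose validUntil has passed (the situation the signing key rollover note warns about). The entity ID, URLs and certificate bytes are constructed placeholders.

```python
# Added example, not from the BMC documentation: read a SAML 2.0 IdP metadata
# document and extract the Remedy SSO "Identity Provider" fields from it.
import base64, hashlib
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata", "ds": "http://www.w3.org/2000/09/xmldsig#"}
REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
# Constructed metadata: entityID, URLs and certificate text are placeholders.
SAMPLE_METADATA = f"""<md:EntityDescriptor xmlns:md="{NS['md']}" xmlns:ds="{NS['ds']}"
    entityID="https://idp.example.test/saml" validUntil="2031-01-01T00:00:00Z">
  <md:IDPSSODescriptor>
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data><ds:X509Certificate>
      UExBQ0VIT0xERVIgQ0VSVCBCWVRFUw==</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:SingleLogoutService Binding="{REDIRECT}" Location="https://idp.example.test/saml/slo"
        ResponseLocation="https://idp.example.test/saml/slo/response"/>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:persistent</md:NameIDFormat>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</md:NameIDFormat>
    <md:SingleSignOnService Binding="{REDIRECT}" Location="https://idp.example.test/saml/sso"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""

def parse_idp_metadata(xml_text, now=None):
    """Map an IdP EntityDescriptor onto the Remedy SSO SAML configuration fields."""
    root = ET.fromstring(xml_text)
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("metadata has no IDPSSODescriptor")
    sso = idp.find(f"md:SingleSignOnService[@Binding='{REDIRECT}']", NS)
    slo = idp.find(f"md:SingleLogoutService[@Binding='{REDIRECT}']", NS)
    # Only keys marked use="signing" (or with no use attribute) verify IdP
    # signatures; record each one as a SHA-256 fingerprint of its DER bytes.
    fingerprints = [hashlib.sha256(base64.b64decode("".join(c.text.split()))).hexdigest()
                    for kd in idp.findall("md:KeyDescriptor", NS)
                    if kd.get("use", "signing") == "signing"
                    for c in kd.findall(".//ds:X509Certificate", NS)]
    # validUntil is when this metadata (and the key it carries) must be re-imported.
    valid_until = root.get("validUntil")
    now = now or datetime.now(timezone.utc)
    expired = valid_until is not None and datetime.fromisoformat(valid_until.replace("Z", "+00:00")) <= now
    return {
        "IdP Entity ID": root.get("entityID"),
        "Login URL": sso.get("Location") if sso is not None else None,
        "Logout URL": slo.get("Location") if slo is not None else None,  # Remedy SSO falls back to Login URL if empty
        "Logout Response URL": slo.get("ResponseLocation") if slo is not None else None,
        "HTTP Binding Type": "HTTP-Redirect" if slo is not None else None,
        "NameID Format": [n.text.strip() for n in idp.findall("md:NameIDFormat", NS)],  # first entry has priority
        "IdP Signing Certificate (SHA-256)": fingerprints,
        "metadata expired": expired,
    }
```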

To obtain the SP Federation metadata

After you have configured a realm for SAML authentication, you must obtain the link to the SAML metadata file.

  1. In the left navigation panel of the Edit Realm page, click Authentication.
  2. Click View Metadata.
    The metadata file opens in the browser.
  3. Copy the URL displayed in the browser window, and save it in a text file.
    The URL might look as follows: https://clm-aus-567567.bmc.com:9443/rsso/getmetadata.jsp?tenantName=saml
    You will need this URL when you configure the IdP for SAML authentication.

Demonstration video

Watch this video (3:53) on how to configure SAML in Remedy SSO. The video covers the SAML configuration that is performed from the Remedy Single Sign-On console.

https://www.youtube.com/watch?v=UATasTrfliU?rel=0

Where to go from here

Configuring Active Directory Federation Services as a SAML identity provider
