This documentation supports the 19.11 version of BMC Remedy Single Sign-On, which is available only to BMC Helix subscribers (SaaS).

Realms

Remedy Single Sign-On (Remedy SSO) supports multitenancy through realms, which are a standard feature of Remedy SSO. Each realm is identified by a unique realm identifier and contains one or more application domains. A realm is configured with one of the authentication methods that Remedy SSO supports, and every domain in the realm is authenticated by that method. Multitenancy is achieved by creating a separate realm for each tenant's set of domains.

You can manage realms from the Admin console of Remedy SSO. For more information about managing realms, see Adding and configuring realms.

The following example describes how Remedy SSO realms work.

Suppose an organization has the following applications:

  • Helpdesk that is accessed by all users through the URL http://helpdesk.yourcompany.com
  • ITSM that is accessed only by the IT team through the URL http://itsm.yourcompany.com
  • BMC Digital Workplace that is accessed only by the IT team through the URL http://dwp.yourcompany.com

Notice that each application has a different domain. You can create two realms, helpdesk and itsm, and map the application domains and authentication methods to these realms as listed in the following table.

Application                        Accessed by   Realm      Domain                      Authentication method
http://helpdesk.yourcompany.com    All users     helpdesk   helpdesk.yourcompany.com    SAMLv2
http://itsm.yourcompany.com        IT team       itsm       itsm.yourcompany.com        Kerberos
http://dwp.yourcompany.com         IT team       itsm       dwp.yourcompany.com         Kerberos

The preceding example implies that:

  • The helpdesk realm contains one domain, helpdesk.yourcompany.com, and this domain is authenticated by the SAMLv2 authentication method.
  • The itsm realm contains two domains, itsm.yourcompany.com and dwp.yourcompany.com, and both domains are authenticated by the Kerberos authentication method.

Authentication process in realms

Remedy SSO does not itself manage users or user groups. The only exception is Local authentication, which can be used to manage users and groups. Users are authenticated according to the application domain they access.

When a BMC Remedy Mid Tier user clicks the link of a protected application, the Remedy SSO web agent deployed on that application intercepts the request. Using the configuration stored in the database for the application's domain, the web agent identifies the realm that this domain belongs to, and sends the realm and user information to the Remedy SSO web application. The Remedy SSO web application creates a record in the session data store, identifies the authentication provider configured for the realm, and redirects the user to that provider's logon page. For example, if the authentication provider for the realm is Active Directory Federation Services (ADFS), the user is shown the ADFS logon page.

Note

Remedy SSO provides an optional default realm, which appears with the special name "*" (asterisk). The default realm differs from every other realm in one respect: Remedy SSO uses it to authenticate a user whenever it cannot identify another realm from the application domain taken from the HTTP request, regardless of which application domains are configured for the default realm itself.

The administrator can delete the default realm, and doing so is recommended for security reasons: without it, a request for a host name that no realm lists is rejected instead of being authenticated through a catch-all realm. The administrator can recreate the default realm later by giving it the name "*". If Remedy SSO cannot identify a realm and the default realm has been removed, an error message is generated.

The web agent maps the server host name that the user used to reach the protected application to the full logon and logoff URLs. The logon URL carries the information needed to keep domains apart, such as the domain name and the authentication provider ID.

In the preceding example, suppose a user clicks the link to the Helpdesk application. The web agent deployed on the Helpdesk application identifies the realm from the application's domain, helpdesk.yourcompany.com, which belongs to the helpdesk realm. The web agent sends the user and realm information to the Remedy SSO application. From the configuration of the helpdesk realm, the Remedy SSO application determines that the authentication provider for that realm is ADFS and shows the ADFS logon page to the user.

Remedy SSO realm architecture

The following image depicts a Remedy SSO realm architecture.

[Image: HSSO Architecture (diagram of the Remedy SSO realm architecture; not reproduced here)]

For example, an end user accesses an application in the helpdesk.yourcompany.com domain (Domain 1). The user is authenticated through Remedy SSO by Realm 1, which is configured with some authentication method, for example SAML (Authentication 1), and which lists helpdesk.yourcompany.com (Domain 1) as an application domain.

The same end user can then access an application in the itsm.yourcompany.com domain (Domain 2). The user is authenticated through Remedy SSO by Realm 2, which is configured with a possibly different authentication method, for example AR (Authentication 2), and which lists itsm.yourcompany.com (Domain 2) as an application domain.

Note

End users can be logged in simultaneously to applications that belong to the same realm.

An attempt to log in from the same browser to applications that belong to different realms results in an error. To work around this constraint, an end user can use a different browser for each realm's applications.

Realms for single and multitenancy

For single tenancy, use the default realm "*" and configure it with the required authentication method.


For multitenancy, create a unique realm for each tenant and enter that tenant's application domains as a comma-separated list.

Each value in the application domain string is the host part of an application URL for that tenant. For example, if the URL of the Mid Tier application is http://tenant1.midtier.company.com/arsys, the host is tenant1.midtier.company.com.

Ensure that all applications of a tenant have a corresponding value in the application domain string. For example, consider that you created realm1 for a tenant that has two applications with the following URLs:

  • Mid Tier URL as http://tenant1.midtier.company.com/arsys
  • BMC Digital Workplace URL as http://tenant1.dwp.company.com/ux/dwpapp

In this scenario, the application domain value for realm1 is the comma-separated string tenant1.midtier.company.com,tenant1.dwp.company.com. A host that is missing from the string is not matched to realm1 and, unless a default realm "*" exists, requests for it are rejected.
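As an added example written for this page, not code from Remedy SSO, the following Python sketches the realm lookup described under "Authentication process in realms" together with the comma-separated application-domain string described in this section: it parses each realm's domain string, rejects a host that is listed in two realms, resolves the host name of a request to exactly one realm, and falls back to the default realm "*" only when that realm exists. The realm table (taken from the helpdesk/itsm example on this page), the Host header values and all function and field names are assumptions; Remedy SSO's actual matching rules are not documented here.

```python
# Added illustrative example, not Remedy SSO's own implementation. The realm
# table, the Host header values and every name below are assumptions.
from dataclasses import dataclass
from typing import Dict, List, Optional

DEFAULT_REALM = "*"   # the catch-all realm described on this page


@dataclass(frozen=True)
class Realm:
    name: str
    domains: tuple        # application hosts parsed from the comma-separated string
    auth_method: str


def normalize_host(host: str) -> str:
    """Lower-case a host name and drop a trailing :port so that a browser Host
    header ('DWP.yourcompany.com:8443') compares equal to the configured value
    ('dwp.yourcompany.com')."""
    return host.strip().lower().split(":", 1)[0]


def parse_domains(value: str) -> List[str]:
    """Parse the comma-separated application-domain string of one realm."""
    return [normalize_host(item) for item in value.split(",") if item.strip()]


def find_domain_conflicts(config: Dict[str, Dict[str, str]]) -> Dict[str, List[str]]:
    """Return {host: [realm names]} for every host listed in more than one realm.
    Such a host is ambiguous (two candidate authentication methods), so the
    configuration must be rejected rather than resolved by chance."""
    owners: Dict[str, List[str]] = {}
    for name, entry in config.items():
        for host in parse_domains(entry.get("domains", "")):
            owners.setdefault(host, []).append(name)
    return {host: names for host, names in owners.items() if len(names) > 1}


def build_realm_table(config: Dict[str, Dict[str, str]]) -> Dict[str, Realm]:
    """Turn {realm: {"domains": "a,b", "auth": "Kerberos"}} into Realm objects."""
    conflicts = find_domain_conflicts(config)
    if conflicts:
        raise ValueError(f"application domains mapped to several realms: {conflicts}")
    return {
        name: Realm(name, tuple(parse_domains(entry.get("domains", ""))), entry["auth"])
        for name, entry in config.items()
    }


def resolve_realm(realms: Dict[str, Realm], host_header: str) -> Optional[Realm]:
    """Identify the realm for a request from its Host header.

    The match is exact on the normalized host. A suffix match (anything ending
    in yourcompany.com) would let an unrelated or attacker-registered host name
    borrow another tenant's realm and authentication method. If no realm lists
    the host, the default realm '*' is returned when it exists; otherwise None
    is returned and the caller must reject the request."""
    host = normalize_host(host_header)
    for realm in realms.values():
        if realm.name != DEFAULT_REALM and host in realm.domains:
            return realm
    return realms.get(DEFAULT_REALM)


def auth_method_for(realms: Dict[str, Realm], host_header: str) -> Optional[str]:
    """Authentication method that applies to a request, or None if it must be rejected."""
    realm = resolve_realm(realms, host_header)
    return realm.auth_method if realm else None


# Constructed sample matching the helpdesk/itsm table on this page.
SAMPLE_CONFIG = {
    "helpdesk": {"domains": "helpdesk.yourcompany.com", "auth": "SAMLv2"},
    "itsm": {"domains": "itsm.yourcompany.com, dwp.yourcompany.com", "auth": "Kerberos"},
}

if __name__ == "__main__":
    realms = build_realm_table(SAMPLE_CONFIG)
    for host in ("helpdesk.yourcompany.com", "DWP.yourcompany.com:8443", "evil.yourcompany.com"):
        realm = resolve_realm(realms, host)
        print(host, "->", f"realm {realm.name} ({realm.auth_method})" if realm else "no realm: reject")
    # With a catch-all "*" realm present, the unknown host is accepted instead of rejected.
    with_default = build_realm_table({**SAMPLE_CONFIG, "*": {"domains": "", "auth": "AR"}})
    print("evil.yourcompany.com with '*' present ->", resolve_realm(with_default, "evil.yourcompany.com").name)
```

Two points to take from it: the lookup matches the exact, normalized host (so helpdesk.yourcompany.com.evil.example does not land in the helpdesk realm), and a catch-all "*" realm turns a request for an unknown host from a rejected request into an authenticated one, which is why the page recommends deleting the default realm in a multitenant deployment.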
