This documentation supports the 19.11 version of BMC Remedy Single Sign-On, which is available only to BMC Helix subscribers (SaaS).

To view an earlier version, select the version from the Product version menu.

Importing configuration from an identity provider and configuring the SAML authentication

After you have configured the advanced options for SAML authentication, import the identity provider (IdP) metadata and configure the SAML authentication for a realm on your Remedy Single Sign-On server.

Video about configuring SAML

Watch this video (3:53) on how to configure SAML in the Remedy SSO Admin Console.

Before you begin

  • Create a realm for SAML authentication, and configure the general details for the realm. For more information, see Configuring general settings for a realm.
  • Obtain the following information from the IdP administrator:
    • The Import from URL or 
    • The SAML metadata file exported from the IdP.

To configure SAML authentication  

  1. Configure the SAML fields as required:

    Identity Provider

    Option to import the SAML metadata. Perform one of the following actions:

    • Select Import from URL, and type the URL where the IdP SAML configuration is stored.
    • Select Import from file, and upload the SAML configuration file from a local folder on your computer.

    After you import SAML metadata, most of the fields on the Authentication page get populated with imported values. 

    Federation metadata URL

    URL of the IdP federation metadata.

    Use this URL to enable automatic rollover — Automatic certificate update on the Remedy SSO server after this certificate is updated on the SAML IdP side. Such rollovers are more frequent if you use Azure Active Directory as an identity provider. 

    If the IdP federation metadata URL is not specified, an administrator must renew the signing certificate manually.

    IdP Entity ID

    Entity ID obtained from an external IdP such as Active Directory Federation Services (AD FS) or Okta.

    Example: http://adfs.local/adfs/services/trust

    Login URL

    Login URL obtained from an external IdP such as AD FS or Okta.

    Example: https://adfs.local/adfs/ls

    Logout URL

    URL provided by the IdP to which the user is redirected for service provider (SP) initiated logout.

    If you do not provide any value for this parameter, the value specified in the Login URL field is used both for both login and logout.

    Logout Response URL

    URL provided by the IdP to which the user is redirected for IdP initiated logout.

    HTTP Binding Type

    HTTP binding for the SP initiated logout URL.

    IdP Signing Certificate

    Certificate used by Remedy SSO to decrypt requests.

    (Optional) User ID AttributeUsed to retrieve the user ID from the specified attribute in the SAML response. If a value is not specified, the NameID is used as the user ID. The value of this field depends on the SAML IdP configuration.
    NameID Format

    Name identifier formats supported by a SP. SPs use name identifiers to pass information about users.

    In this field, enter the NameID Format values. The first value in the list has the highest priority in determining the Name ID format to use.

    If a user does not specify a Name ID when initiating single sign-on, the first value specified in the NameID Format list is chosen and supported by the remote IdP.

    Note: For linking user accounts from the SP and the remote IdP together, after an end user logs in to the integrated BMC application through the SAML IdP, the persistent NameID format must be at the top of the list.

    For more information about Name Format Identifiers, see paragraph 8.2 in Authentication Context for the OASIS Security Assertion Markup Language (SAML) V2.0 Open link .

    Auth Context Compare

    Options (exact, minimum, maximum, better) available for the Auth Context Compare.

    For more information about Auth Context Compare options, see Authentication Context for the OASIS Security Assertion Markup Language (SAML) V2.0 Open link .

    Auth Context

    Authentication context that maps the SAML 2.0-defined authentication context classes to the authentication level that is set for the user session for the SP.

    Auth Issuer

    Issuer details that are used by the SAML authentication request XML to inform the IdP about the entity ID of the SP for this request.

    If the value is not specified, by default, the entity ID of the current realm is used as an Issuer in SAML authentication request.

    Assertion Time Skew

    Time offset between Remedy SSO and the IdP. The value must be specified in minutes.

    Assertion Time Format

    Time format used by assertions and depends on the defined patterns. For more information, see Patterns for Formatting and Parsing Open link .



    Sign Request

    Option to indicate whether the IdP requires the authentication request to be signed.

    To sign the SAML metadata, select this check box. Additionally, on the General > Advanced tab, specify the Signing Key Alias.

    Force AuthenticationOption to enforce authentication.
    Enable Single LogoutOption to delete SAML IdP session on application logout. If an end user logs out from the application, the user is logged out from SAML IdP as well. 
    Sign Metadata

    Option to indicate whether the IdP requires SAML metadata to be signed.

    You might need to sign the SAML metadata to follow security policies in your organization. When you configure a realm to sign SAML metadata, the Remedy SSO server gets the certificate and private key from keystore's alias and signs the metadata with this key.

    Service Provider
    View Metadata

    Remedy SSO metadata that is configured in the SP Metadata Template field. If any required parameter is missing, the system shows an error message for that parameter.

    Authentication Request Template

    Template used for a SAML authentication request.

    You can select Default or Custom and edit the template, if required. After Remedy SSO upgrade, the authentication request template is not updated. To be able to use the new functionality after upgrade, you must manually edit and update the template in the realm settings.

    SP Metadata Template

    SP metadata template. 

    You can select Default or Custom and edit the template, if required. After Remedy SSO upgrade, the SP metadata template is not updated. To be able to use the new functionality after upgrade, you must manually update the metadata template. For more information about updating the metadata template after upgrading, see Upgrading.

    Bypass for reauth requestsIndicates that SAML must not be used for reauthentication requests in an authentication chain.
  2. Click Save.

To obtain the SP federation metadata

After you have configured a realm for SAML authentication, you must obtain the link of the SAML metadata file.  

  1. In the left navigation panel of the Edit Realm page, click Authentication.
  2. Click View Metadata.
    The metadata file opens in the browser.
  3. Copy the URL displayed in the browser window, and save it to a notepad.  
    The URL might look as follows: https://hostname:port/rsso/getmetadata.jsp?tenantName=saml
    You need this URL when you configure an IdP for SAML authentication.  

Was this page helpful? Yes No Submitting... Thank you


  1. Olga Kutetska

    There has been a question about SAML responses metadata. If you want to see an example of SAML response, consult online documentation. For example,

    Mar 16, 2020 01:18