This documentation supports the 19.11 version of BMC Remedy Single Sign-On, which is available only to BMC Helix subscribers (SaaS).


Realms


Remedy Single Sign-On (Remedy SSO) provides realms to support multitenancy for integrated applications and to separate the availability of applications. Each realm has a unique identifier and contains one or more application domains.

As a Remedy SSO administrator, you manage realms from the Remedy SSO Admin console. You can configure a single authentication method for a realm, or a chain of multiple authentication methods to enable authentication fallback or reauthentication mechanisms. 

Role of realms in the authentication process in Remedy SSO

In Remedy SSO, a realm associates the application domains of the integrated applications with an identity provider. A realm also defines the authentication method that protects the integrated applications. End users accessing applications integrated with Remedy SSO are authenticated based on domains they can access.

The following diagram shows the role of realms in an authentication flow:

[Diagram: HSSO Architecture]

  1. In a browser window, an end user enters an application URL to access an application integrated with Remedy SSO.
  2. The Remedy SSO agent intercepts the login request, validates it, and then sends it to the Remedy SSO server.
  3. Based on information extracted from the application URL, the Remedy SSO server determines the correct realm for the authentication flow. For more information about this process, see Identifying a realm by application domains.
  4. The Remedy SSO server allows authentication according to the authentication method specified for the realm.
  5. Depending on the authentication method, the user is redirected to the login page or is automatically authenticated by Remedy SSO. For information about the login options, see Login and logout experience for end users.
  6. When the end user is successfully authenticated on the Remedy SSO login page, the end user is automatically redirected to the application.

Identifying a realm by application domains

Realm identification is based on the application URL used for accessing an end user application.

For example, an end user uses the application.domain.com URL to access an application. To authenticate the user, Remedy SSO needs to identify the realm by checking the following mappings in all realms available on the Remedy SSO server: 

  • application
  • application.domain
  • application.domain.com

When a realm with a matching application domain is found, this realm is used for authentication.

If several realms have the same matching application domain parts, realm selection becomes unpredictable. To avoid authentication errors, each application domain mapping must be unique across all realms on the Remedy SSO server.

Usage example: Configuring realms for application domains

Suppose an organization has the following applications:

  • Helpdesk—accessed by all users through the URL http://helpdesk.yourcompany.com
  • ITSM—accessed only by the IT team through the URL http://itsm.yourcompany.com
  • BMC Digital Workplace—accessed only by the IT team through the URL http://dwp.yourcompany.com 

You can create the helpdesk and itsm realms and map the application domains and authentication methods to these realms as described in the following table:

| Application | Accessed by | Realm | Application domain | Authentication method | Description |
|---|---|---|---|---|---|
| http://helpdesk.yourcompany.com/ | All users | helpdesk | helpdesk.yourcompany | SAML 2.0 | The helpdesk realm contains one helpdesk.yourcompany application domain, and it is authenticated by the SAML 2.0 authentication method. |
| http://itsm.yourcompany.com/ | IT team | itsm | itsm.yourcompany | Kerberos | The itsm realm has two application domains: itsm.yourcompany and dwp.yourcompany. Both application domains are authenticated by the Kerberos authentication method. |
| http://dwp.yourcompany.com/ | IT team | itsm | dwp.yourcompany | Kerberos | The itsm realm has two application domains: itsm.yourcompany and dwp.yourcompany. Both application domains are authenticated by the Kerberos authentication method. |

When an end user accesses the Helpdesk application, which belongs to the helpdesk.yourcompany.com application domain (Domain 1 in the diagram), Remedy SSO authenticates the end user through the helpdesk realm (Realm 1 in the diagram). This realm is configured for the SAML authentication method (Authentication 1 in the diagram) and allows authentication via helpdesk.yourcompany.com (Domain 1 in the diagram).

This end user can access the ITSM application, which belongs to the itsm.yourcompany.com application domain (Domain 2 in the diagram). Remedy SSO authenticates the end user through the itsm realm (Realm 2 in the diagram). This realm is configured for the Kerberos authentication method (Authentication 2 in the diagram) and allows authentication via itsm.yourcompany.com (Domain 2 in the diagram).
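
The prefix mappings from "Identifying a realm by application domains" and the uniqueness rule, applied to the realms of this usage example, as an added example (not BMC code and not how the Remedy SSO server is implemented). The function names, the REALMS layout and the decision to reject ambiguous matches instead of picking one are assumptions made for illustration.

```python
from urllib.parse import urlsplit

# Constructed sample configuration, taken from the usage example on this page.
REALMS = {
    "helpdesk": {"auth": "SAML 2.0", "domains": ["helpdesk.yourcompany"]},
    "itsm": {"auth": "Kerberos", "domains": ["itsm.yourcompany", "dwp.yourcompany"]},
}

def candidate_mappings(url):
    """Return the host-label prefixes that are checked against realm domains."""
    host = urlsplit(url if "//" in url else "//" + url).hostname or ""
    labels = [part for part in host.lower().split(".") if part]
    return [".".join(labels[:i]) for i in range(1, len(labels) + 1)]

def matching_realms(url, realms):
    """Return {realm: [matched mappings]} for every realm that matches the URL."""
    candidates = set(candidate_mappings(url))
    hits = {}
    for name, cfg in realms.items():
        matched = sorted(candidates & {d.lower() for d in cfg["domains"]})
        if matched:
            hits[name] = matched
    return hits

def resolve_realm(url, realms):
    """Return the one matching realm, or None; refuse to guess on ambiguity."""
    hits = matching_realms(url, realms)
    if len(hits) > 1:
        raise ValueError(f"ambiguous realm for {url}: {hits}")
    return next(iter(hits), None)

def audit_overlaps(realms):
    """Find mappings in different realms where one equals or prefixes the other."""
    entries = [(d.lower().split("."), name)
               for name, cfg in realms.items() for d in cfg["domains"]]
    findings = []
    for i, (a, realm_a) in enumerate(entries):
        for b, realm_b in entries[i + 1:]:
            short, long_ = sorted((a, b), key=len)
            if realm_a != realm_b and long_[:len(short)] == short:
                findings.append((".".join(a), realm_a, ".".join(b), realm_b))
    return findings

if __name__ == "__main__":
    for url in ("http://helpdesk.yourcompany.com/", "http://dwp.yourcompany.com/"):
        realm = resolve_realm(url, REALMS)
        print(url, "->", realm, REALMS[realm]["auth"])
    print("overlaps:", audit_overlaps(REALMS))
```

Running audit_overlaps against an exported realm list before a change goes live surfaces mappings such as itsm in one realm and itsm.yourcompany in another, which would both match the same URL.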
