BMC Helix SSO multitenancy
BMC Helix Single Sign-On supports multitenancy, in which a single application instance serves multiple tenants and guarantees data isolation between tenants. In multitenant mode, each tenant has its own configuration with its own list of realms, BMC Helix SSO server settings, OAuth client, sessions, administrator users, and so on.
As a SaaS administrator, you might need to configure multiple tenants for BMC Helix SSO to isolate data within a single instance of BMC Helix SSO.
The following diagram illustrates the concept of multitenancy in BMC Helix SSO:
Tenants in this diagram represent configuration instances fully isolated from each other but physically saved on the same BMC Helix SSO server.
The SaaS tenant is a predefined tenant available on the BMC Helix SSO server. You cannot delete or modify the SaaS tenant. We do not recommend using the SaaS tenant for data segregation.
You can perform the following actions in the SaaS tenant:
- Configure an OAuth client as a multitenant client. For information about how to configure an OAuth client as multitenant, see Configuring OAuth 2.0. This feature is not supported in Helix deployment.
- Review records related to tenant management when the audit for administrator or end-user actions is enabled in BMC Helix SSO. For information about audit records, see Reviewing audit records.
- Configure the retention policy for administrator and end-user audit. For information about how to configure the retention policy, see Configuring settings for BMC Helix SSO administrators.
- Set the system log level. For information about how to set the log level for the BMC Helix SSO server, see Configuring settings for the BMC Helix SSO server.
Tenant 1 and Tenant 2 are tenants of the same BMC Helix SSO server, created by a SaaS administrator user. The Tenant 1 administrator user can log in to the Admin Console of Tenant 1 and make changes to its configuration, and the Tenant 2 administrator user can log in to the Admin Console of Tenant 2 and make changes to its configuration.
Only local user management options are available in the Admin Console of a tenant.
SaaS administrator users can access the configuration of any tenant on the BMC Helix SSO server by switching to the Admin Console of the selected tenant.