Importing configuration from an identity provider and configuring SAML
After you have configured the advanced options for SAML authentication, import the identity provider (IdP) metadata and configure the SAML authentication for a realm on your BMC Helix Single Sign-On server.
Before you begin
- Import from SAML IdP metadata URL or metadata file imported from the IdP
To configure SAML authentication
- Configure the SAML fields as required:
Option to import the SAML metadata. Perform one of the following actions:
After you import SAML metadata, most of the fields on the Authentication page get populated with imported values.
|Federation metadata URL|
URL of the IdP federation metadata.
Use this URL to enable automatic rollover — Automatic certificate update on the BMC Helix SSO server after this certificate is updated on the SAML IdP side. Such rollovers are more frequent if you use Azure Active Directory as an identity provider.
If the IdP federation metadata URL is not specified, an administrator must renew the signing certificate manually.
|IdP Entity ID|
Identity provider entity ID obtained from an external identity provider, such as Active Directory Federation Services (AD FS) or Okta.
Login URL obtained from an external IdP such as AD FS or Okta.
URL provided by the IdP to which the user is redirected for service provider (SP) initiated logout.
If you do not provide any value for this parameter, the value specified in the Login URL field is used both for both login and logout.
|Logout Response URL|
URL provided by the IdP to which the user is redirected for IdP initiated logout.
|HTTP Binding Type|
HTTP binding for the SP initiated logout URL.
|IdP Signing Certificate|
Signing certificate that BMC Helix SSO uses to sign requests that are sent to the IdP.
|(Optional) User ID Attribute||Used to retrieve the user ID from the specified attribute in the SAML response. If a value is not specified, the NameID is used as the user ID. The value of this field depends on the SAML IdP configuration.|
Name identifier formats supported by a SP. SPs use name identifiers to pass information about users.
In this field, enter the NameID Format values. The first value in the list has the highest priority in determining the Name ID format to use.
If a user does not specify a Name ID when initiating single sign-on, the first value specified in the NameID Format list is chosen and supported by the remote IdP.
Important: For linking user accounts from the SP and the remote IdP together, after an end user logs in to the integrated BMC application through the SAML IdP, the persistent NameID format must be at the top of the list.
For more information about Name Format Identifiers, see paragraph 8.2 in .
Issuer details that are used by the SAML authentication request XML to inform the IdP about the entity ID of the service provider for this request.
If the value is not specified, by default, the service provider entity ID of the current realm will be used as Issuer in SAML authentication request.
|Auth Context Compare|
Options (exact, minimum, maximum, better) available for the Auth Context Compare.
For more information about Auth Context Compare options, see .
Authentication context that maps the SAML 2.0-defined authentication context classes to the authentication level that is set for the user session for the SP.
Issuer details that are used by the SAML authentication request XML to inform the IdP about the entity ID of the SP for this request.
If the value is not specified, by default, the entity ID of the current realm is used as an Issuer in SAML authentication request.
|Assertion Time Skew|
Time offset between BMC Helix SSO and the IdP. The value must be specified in minutes.
|Assertion Time Format|
Time format used by assertions and depends on the defined patterns. For more information, see .
Option to indicate whether the IdP requires the authentication request to be signed.
To sign the SAML metadata, select this check box. Additionally, on the General > Advanced tab, specify the Signing Key Alias.
|Force Authentication||Option to enforce authentication.|
|Enable Single Logout||Option to delete the SAML IdP session on application logout. If an end user logs out from the application, the user will be logged out from SAML IdP as well.|
Option to indicate whether the identity provider requires SAML metadata to be signed.
You might need to sign the SAML metadata to ensure that the security policies of your organization are followed. When you configure a realm for SAML signing metadata, the BMC Helix SSO server gets the certificate and private key from the keystore's alias, and signs the metadata with it.
Important: You can select the signing algorithm only if you select the Sign Request checkbox, the Sign Metadata checkbox or both.
Select one of the following signing algorithms containing a hash type function and key type:
Select an algorithm supported by your IdP.
BMC Helix SSO metadata that is configured in the SP Metadata Template field. If any required parameter is missing, the system shows an error message for that parameter.
|Authentication Request Template|
Template used for a SAML authentication request.
You can select Default or Custom and edit the template, if required. After BMC Helix SSO upgrade, the authentication request template is not updated. To be able to use the new functionality after upgrade, you must manually edit and update the template in the realm settings.
|SP Metadata Template|
SP metadata template.
You can select Default or Custom and edit the template, if required.
|Bypass for reauth requests||Setting to indicate that SAML must not be used for reauthentication requests in an authentication chain.|
|Use SessionNotOnOrAfter parameter for session time|
Option to define where the maximum time of an end user authentication session is configured.
By default, the maximum session time is specified by the value set in the Max Session Time field, configured in the General > Basic tab in the BMC Helix SSO Admin Console.
|Xpath 1.0 for group retrieval|
A field for entering an XPath query for extracting user groups from the SAML assertion.
The information about the user groups is stored in the authentication session attributes, and is retrieved from the response of the /token/groups REST API endpoint.
|Infinite session group|
Option to provide a group name of users with the infinite sessions experience.
For more information, see Configuring infinite user sessions.
|User ID Transformation|
Option to transform userID to match Login ID for the successful login procedure. It allows to modify userID by the predefined transformation commands or a custom expression.
For more information, see Transforming userID to match login ID.
Option to specify a custom value for the userID transformation.
For more information, see Transforming userID to match login ID.
Setting enables the BMC Helix SSO server to launch applications in iframes.
For more information, see Allowing BMC Helix SSO to open applications in iframes.
4. Click Save.
After you have configured a realm for SAML authentication, you must obtain the link of the SAML metadata file.
- In the left navigation panel of the Edit Realm page, click Authentication.
- Click View Metadata.
The metadata file opens in the browser.
- Copy the URL displayed in the browser window, and save it to a text editor.
The URL might look as follows:
You will need this URL when you configure the IdP for SAML authentication.
Where to go from here