This documentation supports the 22.3 version of BMC Helix Single Sign-On, which is available only to BMC Helix customers (SaaS). 

Login and logout experience for end users

When you implement a single sign-on system, the normal authentication behavior is altered for end users. If an end user who is already logged in to an application opens a second application in a browser window, the user is automatically logged on.

Single sign-on experience is enabled for applications that are registered within a single realm on the BMC Helix Single Sign-On server.  

Login

Based on how a realm is configured for authentication, when a user attempts to log in to an application integrated with BMC Helix SSO, the following events are triggered:

Event: BMC Helix SSO login page is displayed

Configuration: When a realm on the BMC Helix SSO server is configured for one of the following authentication types:

  • AR
  • Local
  • LDAP

Event: Login page of the Identity Provider (IdP) is displayed

Configuration: When a realm on the BMC Helix SSO server is configured for one of the following authentication types:

  • SAML
  • OpenID Connect

Event: No login page is displayed

Configuration: When a realm on the BMC Helix SSO server is configured for one of the following authentication types:

  • Cert
  • Kerberos
  • Preauth

After the end user enters valid credentials, the BMC Helix SSO server authenticates the end user according to the configured authentication mechanism and redirects the request to an integrated application. The BMC Helix SSO agent verifies that the user is authenticated, and then allows the user to access the integrated application.

If the end user tries to access the same application or any other integrated application from another browser tab or window, the BMC Helix SSO agent checks for an existing user session to determine whether or not the user is already logged on. If the user is already logged on, as in this case, the application UI is displayed without the user being prompted for credentials.

If the user session does not exist yet, or the user is not already logged on, BMC Helix SSO performs the normal token check (from a cookie) and redirects the user to the login page.

Hiding copyright message on the login page

The BMC Helix SSO login page contains copyright information that can be hidden if necessary. For more information about tenants, see Setting up tenants.

To hide a copyright message:

  1. Navigate to the Tenants tab and select a tenant.
  2. Click the editing icon.
  3. On the Tenants page, select the Hide copyright checkbox. By default, the checkbox is cleared.
  4. Click Save.

Saving this change also hides the copyright message on the local registration, change password, and consent pages.

Logout

When an end user clicks the logout URL in the integrated application, the BMC Helix SSO agent sends a request to the BMC Helix SSO server. 

Based on how a realm is configured, end users have the following logout experience: 

Realm configuration: Single logout is disabled

Logout experience:

A reference counter on the user token table in the web application increments or decrements the application count when the user logs in or logs out from an application. The reference counter is implemented by the applications that users log in to by using the BMC Helix SSO token.

When an end user logs out from an application, but the application count is greater than 0, it means the user is still logged in to one or more applications. In this case, the system does not prompt the user for credentials when the user logs in to another application again.

When an end user logs out from an application, and the application count is 0, it means the user is logged out from BMC Helix SSO. The user will be prompted for credentials on accessing applications.

Realm configuration: Single logout is enabled

Logout experience:

When an end user clicks the logout URL for one application, the user is automatically logged out from BMC Helix SSO.
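The two logout experiences above can be compared with a small model. This is an added example, not BMC code: the class, function, and application names, the once-per-application counting, and the event list are assumptions constructed for illustration.

```python
class SsoSession:
    """Hypothetical model of one user's SSO session in a single realm."""

    def __init__(self, single_logout):
        self.single_logout = single_logout  # realm setting
        self.token_valid = False            # SSO token exists after login
        self.apps = set()                   # apps the user is logged in to

    @property
    def app_count(self):
        # Reference counter: number of applications using the SSO token.
        # Assumption: each application is counted once.
        return len(self.apps)

    def open_app(self, app):
        """User opens an application. Returns True if credentials are prompted."""
        prompted = not self.token_valid
        if prompted:
            self.token_valid = True  # assume valid credentials were entered
        self.apps.add(app)           # counter increments on login to the app
        return prompted

    def logout(self, app):
        """User clicks the logout URL. Returns True if the SSO session ended."""
        self.apps.discard(app)       # counter decrements on logout
        if self.single_logout or self.app_count == 0:
            self.apps.clear()
            self.token_valid = False
        return not self.token_valid


def replay(single_logout, events):
    """Run (action, app) events and report the outcome of each one."""
    session = SsoSession(single_logout)
    outcomes = []
    for action, app in events:
        if action == "open":
            result = "prompt" if session.open_app(app) else "no-prompt"
        else:
            result = "sso-ended" if session.logout(app) else "sso-alive"
        outcomes.append((action, app, result))
    return outcomes


# Constructed sample sequence (not taken from a real deployment).
EVENTS = [("open", "app-a"), ("open", "app-b"), ("logout", "app-a"),
          ("open", "app-c"), ("logout", "app-b"), ("logout", "app-c"),
          ("open", "app-a")]

if __name__ == "__main__":
    for mode in (False, True):
        print("single logout enabled:", mode)
        for outcome in replay(mode, EVENTS):
            print("  ", outcome)
```

With single logout disabled, the model shows the SSO session staying usable after the first logout and ending only when the application count reaches 0.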

