BMC Helix SSO agent
The BMC Helix Single Sign-On agent is a component of the BMC Helix SSO system that intercepts user requests to applications integrated with BMC Helix SSO.
Each application integrated with BMC Helix SSO has a BMC Helix SSO agent installed on its server. For more information about the place of the BMC Helix SSO agent in the BMC Helix SSO architecture, see BMC Helix SSO architecture.
The BMC Helix SSO agent role in an authentication flow
The BMC Helix SSO agent, designed as a request filter, performs the following tasks:
- In an environment with one BMC Helix SSO server, the BMC Helix SSO agent intercepts user requests and then redirects these requests to the BMC Helix SSO server.
- In an environment with multiple BMC Helix SSO servers, the BMC Helix SSO agent determines the application domain from the domain present in each user request, and then selects the right server for communication. For more information about an environment with multiple BMC Helix SSO servers, see Connecting the same BMC Helix SSO agent to different BMC Helix SSO servers.
On intercepting a user request to an application, the BMC Helix SSO agent verifies whether the user is already authenticated by searching for the authentication cookie in the request. Depending on the cookie availability, the BMC Helix SSO agent performs the following tasks:
- If the authentication cookie is available, the BMC Helix SSO agent validates it by making a service call to the BMC Helix SSO server. This validation is repeated on a regular basis, and the validation period can be scheduled so that it does not impact server performance.
- If the authentication cookie is unavailable, the BMC Helix SSO agent defines a domain parameter from the application URL, and then identifies a realm based on the application domain. After that, the user is redirected to the BMC Helix SSO server to pass authentication based on the realm settings.
If the validation is successful, the request is passed to the application. Otherwise, the request is redirected to the BMC Helix SSO server to repeat the authentication process.
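The decision flow described above, modelled as an added example (this is not BMC code and does not use the product's API). The cookie name, domains, realms, server URLs, the 60-second validation period, and the fail-closed handling of unknown domains are all assumptions made for illustration.

```python
import time
from urllib.parse import urlsplit

# Constructed sample configuration; every name and URL here is hypothetical.
COOKIE = "sso_token"
REALMS = {"hr.example.com": "hr-realm", "it.example.com": "it-realm"}
SERVERS = {"hr-realm": "https://sso1.example.com", "it-realm": "https://sso2.example.com"}
VALIDATION_PERIOD = 60  # seconds between service calls to the server per token

class Agent:
    def __init__(self, validate, clock=time.monotonic):
        self.validate = validate   # stand-in for the service call to the SSO server
        self.clock = clock
        self.checked = {}          # (realm, token) -> time of last successful validation
        self.server_calls = 0

    def resolve(self, url):
        """Map the application domain to (realm, server); exact match only."""
        host = (urlsplit(url).hostname or "").lower()
        realm = REALMS.get(host)
        return (realm, SERVERS[realm]) if realm else None

    def handle(self, url, cookies):
        target = self.resolve(url)
        if target is None:
            return ("deny", None, None)          # assumption: unknown domain fails closed
        realm, server = target
        token = cookies.get(COOKIE)
        if not token:
            return ("redirect", server, realm)   # no cookie: authenticate per realm settings
        key = (realm, token)                     # a token validated for one realm is not reused for another
        last = self.checked.get(key)
        if last is not None and self.clock() - last < VALIDATION_PERIOD:
            return ("pass", server, realm)       # validated recently, skip the service call
        self.server_calls += 1
        if self.validate(server, token):
            self.checked[key] = self.clock()
            return ("pass", server, realm)
        self.checked.pop(key, None)
        return ("redirect", server, realm)       # invalid: repeat the authentication process
```

In this model, a session invalidated on the server is still passed to the application until the current validation period ends, so the period bounds how long a revoked session remains usable as well as how often the server is called.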