Login and logout experience for end users
When you implement a single sign-on system, the normal authentication behavior is altered for end users. If an end user who is already logged in to an application, opens a second application in a browser window, the user is automatically logged on.
Single sign-on experience is enabled for applications that are registered within a single realm on the BMC Helix Single Sign-On server.
Login
Based on how a realm is configured for authentication, when a user attempts to log in to an application integrated with BMC Helix SSO, the following events are triggered:
| Event | Configuration |
|---|---|
BMC Helix SSO login page is displayed | When a realm on the BMC Helix SSO server is configured for one of the following authentication types:
|
| Login page of the Identity Provider (IdP) is displayed | When a realm on the BMC Helix SSO server is configured for one of the following authentication types:
|
| No login page is displayed | When a realm on the BMC Helix SSO server is configured for one of the following authentication types:
|
After the end user enters valid credentials, the BMC Helix SSO server authenticates the end user according to the configured authentication mechanism and redirects the request to an integrated application. The BMC Helix SSO agent verifies that the user is authenticated, and then allows the user to access the integrated application.
If the end user tries to access the same application or any other integrated application from another browser tab or window, the BMC Helix SSO agent checks for an existing user session to determine whether or not the user is already logged on. If the user is already logged on, as in this case, the application UI is displayed without the user being prompted for credentials.
If the user session does not exist yet, or the user is not already logged on, BMC Helix SSO does the normal token check (from a cookie) and redirects the user to the login page.
Hiding copyright message on the login page
BMC Helix SSO login page contains copyright information that can be hidden if necessary. For more information about tenants, see Setting up tenants.
To hide a copyright message:
- Navigate to the Tenants tab and select a tenant.
- Click the editing icon.
- On the Tenants page, select the Hide copyright checkbox. By default, the checkbox is cleared.
- Click Save.
Saved changes will also hide a copyright message on the local registration, change password, and consent pages.
Logout
When an end user clicks the logout URL in the integrated application, the BMC Helix SSO agent sends a request to the BMC Helix SSO server.
Based on how a realm is configured, end users have the following logout experience:
| Realm configuration | Logout experience |
|---|---|
| Single logout is disabled | A reference counter on the user token table in the web application increments or decrements the application count when the user logs in or logs out from an application. The reference counter is implemented by applications that are logged in to by using the BMC Helix SSO token. When an end user logs out from an application, but the application count is greater than 0, it means the user is still logged in to one or more applications. In this case, the system does not prompt the user for credentials when the user logs in to another application again. When an end user logs out from an application, and the application count is 0, it means the user is logged out from BMC Helix SSO. The user will be prompted for credentials on accessing applications. |
| Single logout is enabled | When an end user clicks the logout URL for one application, the user is automatically logged out from BMC Helix SSO. Important: If you plan to enable UI idle timeout for your tenant, make sure that single logout is enabled for a realm. |
Comments
Log in or register to comment.