Setting up tenants

As a SaaS administrator, to enable the single sign-on experience for a customer company, you must first create a tenant on the BMC Helix Single Sign-On server, and then proceed with the onboarding tasks for this tenant.

Default tenant

The SAAS TENANT is the default tenant, which is available on the BMC Helix SSO server. Only a SaaS administrator has access to this tenant. 

The SAAS TENANT has a predefined name and host, which you cannot modify. You cannot disable this tenant. You can only modify the default description.

To create a tenant

  1. Log in to the BMC Helix SSO server as a SaaS administrator. 
  2. On the navigation panel, click Tenant
  3. Click Add Tenant.
  4. To add a tenant, complete the following fields:
    • Name 
    • Hostname—Specify the hostname to access an individual tenant by using the following format:
    • (Optional) Description
    • (Optional) Self-service configuration
      Note: The tenant name and tenant host name must be unique.  
  5. To enable the tenant, select the Enabled check box.
  6. Click Save.

To enable features for a tenant

Use feature flags to enable specific functionalities for a tenant.

  1. Edit or create a tenant for which you want to update the feature flags.
  2. Select the check boxes with the functionalities to be enabled for a tenant.

    Local User Management "Confirm Registration"Helps local users to set their own password.Managing local users and passwords
    Local User Management "Forgot Password"Helps local users to reset a forgotten, lost, or compromised password.Configuring Local authentication
    Disable email template sanitizingHelps to check and modify the email template input in the Forgot Password functionality.Configuring Local authentication
    Webhooks on authentication response

    Helps to notify an external service about user authentication in BMC Helix SSO by using webhooks.

    Notifying an external service about user authentication by using a webhook
    UserID transformation to convert AR alias to loginHelps to specify a custom UserID to match the login ID.Transforming userID to match login ID
    Path-specific session cookie

    Helps to limit the scope of the cookie to the /rsso path on the BMC Helix SSO server.

    Security planning
    Use tenant token timeouts for multi-tenant clientsHelps to apply the same access and refresh timeout values that are defined for the particular tenant level for multi-tenant clients.Configuring OAuth 2.0
    Hide copyrightHelps administrators to hide the BMC copyright message on the login page of the integrated BMC application.Login and logout experience for end users
    Multiple certificates in SP Metadata

    Helps administrators to use two aliases for signing and encryption certificates in SAML Metadata. After you enable this feature, update the SP Metadata Template to include secondary certificate(s).

    Important: If you use Active Data Federation Services as an IdP, only one encryption key is supported.

    Importing configuration from an identity provider and configuring SAML

    Configuring the BMC Helix SSO server as a SAML service provider

    UI idle timeout

    Enables user logout from a BMC application integrated with BMC Helix SSO due to inactivity in the UI based on defined criteria.

    Enabling idle timeout for integrated BMC applications

    Check TCP connection

    Enables the Check TCP connection feature in the Service tab of a tenant. Helps administrators to troubleshoot failed connections between BMC Helix SSO and other applications. The Host, Port, and Type fields are required. In the Type field (available with version 23.1.01 and later), select a Transmission Control Protocol (TCP) connection type established between the BMC Helix SSO server and an integrated BMC application:

    • Plain — Non-TLS connection.
    • Encrypted insecure — TLS connection without certificate verification.
    • Encrypted secure — TLS connection with certificate verification.

    After you add values to these fields, click Send. A command line shows whether a connection is successful.

    Troubleshooting integration issues

    CSP Headers

    Enables adding custom Content Security Policy (CSP) headers to an HTTP response from the OAuth 2.0 authorization endpoint. CSP headers prevent issues with access to integrated BMC applications through a multi-domain flow. When the CSP Headers setting is turned on, an administrator can add predefined headers, their values, and optionally specify origin headers. 

    Configuring OAuth 2.0

    All these features are disabled by default.

  3. Click Save.
    The changes are applied automatically for a tenant.

To switch to the Admin Console view of a tenant  

  1. On the List of Tenants page, select a tenant.
  2. Click the pin button.

    An information message is displayed above the navigation panel stating which tenant you have selected:

    The Tenant field on the navigation panel displays the name of the tenant you have switched to.   

Where to go from here

After you have created a tenant, create administrators for this tenant. For information about how to create a tenant administrator, see Setting up BMC Helix SSO administrator accounts.

Was this page helpful? Yes No Submitting... Thank you