This documentation supports the 9.1 version of Remedy Single Sign-On.

Configuring OpenID Connect authentication

You can configure the Remedy Single Sign-On (Remedy SSO) server to authenticate users through OpenID Connect authentication. OpenID Connect is built on top of the OAuth 2.0 protocol. Clients use OpenID Connect to check the identity of users. The identification is based on the authentication done at the authorization server.

OpenID Connect involves the following process:

  1. The registered client (Remedy SSO) sends the authorization request to the OpenID Provider (OP).
  2. The OP authenticates the end user and redirects the end user back to Remedy SSO with the authorization code.
  3. Remedy SSO sends a request with the authorization code to get the access token from the OP.
  4. With the access token, Remedy SSO requests the information about the end user.
  5. OP provides information about the end user to Remedy SSO.
  6. Remedy SSO creates a user session.

To configure OpenID Connect authentication

  1. (Optional) Select the Enable AR authentication for bypass check box to enable the bypass URL to authenticate against AR.
    For more information about enabling BMC Remedy AR System authentication for bypass, see Enabling AR authentication for bypass.
  2. Enter the OIDC details.
    For more information on parameters, see OIDC authentication parameters.

OIDC authentication parameters

Authorization URL: Returns an authorization code.
Token URL: Exchanges the previously received authorization code for an access token.
UserInfo URL: Relates to the user who is currently logged in and is obtained by using the access token.
Scope: Returns different details about the logged-in user.
Client ID: Registers the client application on the OpenID provider side.
Client Secret: Identifies the client application.

When the Remedy SSO server is registered as a client on the OIDC provider site, the OIDC provider generates and provides the client ID and client secret values.

RSSO Callback Url: Enables a response from the OpenID provider.
User ID field name: Identifies the user, which will be used by Remedy SSO.

Prompts the user for necessary action. Select one of the following options from the drop-down list:

  • none: The authorization server must not display any authentication or consent user interface pages. An error is returned if an end user is not already authenticated or if the client does not have a pre-configured consent for the requested claims or does not fulfill other conditions for processing the request. The error code will typically be one of the following codes: login_required, interaction_required, account_selection_required, consent_required, invalid_request_uri, invalid_request_object, request_not_supported, request_uri_not_supported, registration_not_supported. This can be used as a method to check for existing authentication and/or consent.
  • login: The authorization server should prompt the end user for reauthentication. If it cannot reauthenticate the end user, it must return an error, typically login_required.
  • consent: The authorization server should prompt the end user for consent before returning information to the client. If it cannot obtain the consent, it must return an error, typically consent_required.
  • select_account: The authorization server should prompt the end user to select a user account. This enables an end user who has multiple accounts at the authorization server to select from the multiple accounts that they might have current sessions for. If it cannot obtain an account selection choice made by the end user, it must return an error, typically account_selection_required.
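
Steps 1 and 2 of the process and the prompt options above, as an added example that is not BMC's code and not part of the original page: it builds the authorization request from the configured parameters and validates the OP's redirect, including the standard OAuth 2.0 state check, which the page does not describe. The endpoint URL, client ID, callback path and function names are constructed placeholders.

```python
import secrets
from urllib.parse import urlencode, urlsplit, parse_qs

# Constructed placeholder values (assumptions); none come from a real deployment.
AUTHORIZATION_URL = "https://op.example.com/authorize"
CLIENT_ID = "rsso-client-placeholder"
CALLBACK_URL = "https://rsso.example.com/rsso/callback"  # hypothetical path
SCOPE = "openid profile"
PROMPT_VALUES = {"none", "login", "consent", "select_account"}
# Errors that mean the OP needs to interact with the end user.
INTERACTION_ERRORS = {"login_required", "interaction_required",
                      "account_selection_required", "consent_required"}


def build_authorization_request(prompt=None):
    """Step 1: return (url, state); the caller keeps state in the user's session."""
    if prompt is not None and prompt not in PROMPT_VALUES:
        raise ValueError(f"unsupported prompt value: {prompt!r}")
    state = secrets.token_urlsafe(32)  # unguessable, one per request
    params = {"response_type": "code", "client_id": CLIENT_ID,
              "redirect_uri": CALLBACK_URL, "scope": SCOPE, "state": state}
    if prompt:
        params["prompt"] = prompt
    return f"{AUTHORIZATION_URL}?{urlencode(params)}", state


def handle_callback(callback_url, expected_state):
    """Step 2: validate the OP's redirect and classify the outcome.

    Returns ("code", value), ("needs_interaction", error) or ("failed", reason).
    """
    query = parse_qs(urlsplit(callback_url).query)
    state = query.get("state", [""])[0]
    # Reject responses not bound to a request this session started (CSRF defence).
    if not expected_state or not secrets.compare_digest(
            state.encode(), expected_state.encode()):
        return ("failed", "state_mismatch")
    if "error" in query:
        error = query["error"][0]
        kind = "needs_interaction" if error in INTERACTION_ERRORS else "failed"
        return (kind, error)
    codes = query.get("code", [])
    if len(codes) != 1:
        return ("failed", "missing_or_duplicate_code")
    return ("code", codes[0])
```

With prompt set to none, a needs_interaction result is the signal to repeat the request with a prompt value that lets the OP show its login or consent pages; a code result goes on to the token exchange in step 3.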