This documentation supports the 9.1 version of Remedy Single Sign-On.

Integrating IdP with Remedy SSO for SAML IdP initiated login

Starting from version 9.1.02, Remedy Single Sign-On (Remedy SSO) supports SAML Identity Provider (IdP) initiated login.

To enable IdP initiated login, perform the following steps:

  1. Configure SAMLv2 authentication on the Remedy SSO server. For more information on configuring SAMLv2 authentication, see SAMLv2 authentication process.
  2. Configure a Relying Party Trust on the IdP.
  3. Configure claim rules. For more information, see Configuring claim rules.
  4. Configure Remedy SSO to provide the service URL. For more information, see Remedy SSO server general configuration.

Configuring Relying Party Trust on the IdP

This is the second step that you must perform to support IdP initiated login. The procedure below uses AD FS as the IdP.

Before you begin

  • Ensure that the required certificates are imported in the AD FS Trusted Root Certificate Authorities folder. For more information, see Importing certificates.
  • Ensure that you have the following information:

    Relying Party Trust URL
      URL of the Relying Party Trust, which is the Remedy SSO server. Use the following format:

      https://<rssoServer>:<port>/rsso/receiver/<rssoRealmValue>?RelayState=<appURL>

      where:

        • rssoServer: Host name (FQDN) of the Remedy SSO server.
        • port: Port of the Remedy SSO server.
        • rssoRealmValue: Realm name of the protected service that the user selects.
        • appURL: URL of the protected service, that is, the integrated application (for example, MyIT) to which the user is redirected after login.

      If you have only the default realm on the Remedy SSO server, use the following format:

      https://<rssoServer>:<port>/rsso/receiver/?RelayState=<appURL>

    Display name
      Name of the Relying Party Trust that the IdP displays in the menu for users.

    Notes
      Description of the Relying Party Trust.

    Token encryption certificate
      Certificate that the IdP uses to encrypt the claims that it sends to the Relying Party Trust. An encryption certificate is required only if you need the SAML response sent to Remedy SSO to be encrypted.

    Relying party trust identifier
      Identifier of the Relying Party Trust. Use the same value as the Relying Party Trust URL.

To configure AD FS

  1. Open the AD FS console.
  2. Click Trust Relationships to expand the folder.
  3. Right-click the Relying Party Trusts folder and select Add Relying Party Trust.
  4. On Add Relying Party Trust Wizard, click Start.
  5. On the Select Data Source page, click Enter data about the relying party manually and click Next.
  6. On the Specify Display Name page, enter Display Name and Notes for the relying party trust and click Next.
  7. On the Choose Profile page, click AD FS profile and click Next.
  8. On the Configure Certificate page, do not import any certificate and click Next.
  9. On the Configure URL page, select the Enable support for the SAML 2.0 WebSSO protocol check box and enter the Relying Party Trust URL in the Relying party SAML 2.0 SSO service URL field.
  10. Click Next.
  11. On the Configure Identifiers page, enter relying party trust identifier in the Relying party trust identifier field and click Add.
  12. Click Next.
  13. On the Configure Multi-factor Authentication Now page, select the I do not want to configure multi-factor authentication settings for the relying party trust at this time check box and click Next.
  14. On the Choose Issuance Authorization Rules page, click Permit all users to access this relying party.
  15. On the Ready To Add Trust page, click the Advanced tab.
  16. In the Secure hash algorithm box, click SHA-1 and click Next.

    Note

    If you cannot select the secure hash algorithm in this step, from the Relying Party Trusts list, right-click the relying party trust that you just created and select Properties from the menu. Click the Advanced tab and verify that the secure hash algorithm is set to SHA-1.

    SHA-1 is the value this procedure requires. SHA-1 is a deprecated signature hash, so if the Remedy SSO version you run validates SHA-256-signed responses, prefer SHA-256 in this box.

  17. Select the check box for opening the Edit Claim Rules dialog box when you close the wizard and click Close. For more information about claim rules, see Configuring claim rules.

Configuring claim rules

This is the third step that you must perform to support the IdP initiated login.

Configure the claim rules for the relying party.

  1. In the AD FS console (AD FS 2.0 in this example), select the relying party trust that you created (rsso-sp in this example), and click Edit Claim Rules in the Actions pane.
  2. To add the claim rule, click Add Rule.
    1. Select the claim-rule template Send Claims Using a Custom Rule.
    2. Enter a claim-rule name, for example Send Claims Using UPN, and enter the following rule in the Custom rule box:

c:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn"]
 => issue(
      Type = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier",
      Issuer = c.Issuer,
      OriginalIssuer = c.OriginalIssuer,
      Value = c.Value,
      ValueType = c.ValueType,
      Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/format"] = "urn:oasis:names:tc:SAML:2.0:nameid-format:transient",
      Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/namequalifier"] = "<idp-entity-id>",
      Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/spnamequalifier"] = "<sp-entity-id>/<realm-id>"
    );

Note

  • The spnamequalifier property is required only if you want to implement SP initiated single logout.
  • The value of the format property (http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/format) must be the same as the NameID format value in the Authentication tab of Remedy SSO. For example, for a transient identifier, use urn:oasis:names:tc:SAML:2.0:nameid-format:transient.
  • The value of the namequalifier property (http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/namequalifier), shown as <idp-entity-id> in the rule, must use the FQDN of the AD FS server.
  • The value of the spnamequalifier property (http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/spnamequalifier) must be the SP Entity ID value specified in Remedy SSO (General > Advanced > SAML Service Provider > SP Entity ID), followed by /<realm-id> as shown in the rule.
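The three manual pieces of this page (building the Relying Party Trust URL, the Add Relying Party Trust wizard, and the claim rule) scripted with the AD FS PowerShell cmdlets. This is an added example, not code from the BMC page or from Remedy SSO. The host names, port, realm, application URL, SP Entity ID, IdP entity ID and trust name are assumed placeholders, and the first claim rule (fetching the UPN from Active Directory) is an addition to the page's procedure so that the page's custom rule has a UPN claim to consume.

```powershell
# Added example, not from the BMC page or the Remedy SSO product: scripts the
# AD FS side of the IdP initiated login setup with the AD FS PowerShell cmdlets.
# Every host name, port, realm and URL below is an assumed placeholder.
Import-Module ADFS      # on AD FS 2.0 use: Add-PSSnapin Microsoft.Adfs.PowerShell

$rssoServer = "rsso.example.com"                    # assumed FQDN of the Remedy SSO server
$rssoPort   = 8443                                  # assumed Remedy SSO port
$realm      = "itsm"                                # assumed realm of the protected service
$appUrl     = "https://myit.example.com/ux"         # assumed appURL (the integrated application)
$adfsFqdn   = "adfs.example.com"                    # assumed FQDN of the AD FS server
$idpEntityId = "http://$adfsFqdn/adfs/services/trust" # assumed IdP entity ID (default AD FS federation service identifier, carries the AD FS FQDN)
$spEntityId = "https://rsso.example.com:8443/rsso"  # assumed SP Entity ID (Remedy SSO: General > Advanced > SAML Service Provider)
$trustName  = "rsso-sp"                             # display name, as used on the page

# Relying Party Trust URL. appURL travels inside the query string as RelayState,
# so it is percent-encoded: an unencoded "&" or "?" in appURL would otherwise be
# parsed as part of the receiver URL's own query.
$receiverUrl = "https://${rssoServer}:${rssoPort}/rsso/receiver/${realm}?RelayState=" +
               [uri]::EscapeDataString($appUrl)
# Default realm only: drop the realm path segment.
# $receiverUrl = "https://${rssoServer}:${rssoPort}/rsso/receiver/?RelayState=" + [uri]::EscapeDataString($appUrl)

# SAML 2.0 WebSSO endpoint: Remedy SSO receives the assertion by HTTP POST at the trust URL.
$acs = New-AdfsSamlEndpoint -Binding POST -Protocol SAMLAssertionConsumer -Uri $receiverUrl -Index 0 -IsDefault $true

# Issuance transform rules. Rule 1 is an addition to the page's procedure: the
# custom rule only fires when a UPN claim is already in the pipeline, so it pulls
# userPrincipalName from Active Directory. Rule 2 is the page's custom rule with
# the placeholders filled from the variables above.
$transformRules = @"
@RuleTemplate = "LdapClaims"
@RuleName = "UPN from AD"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn"), query = ";userPrincipalName;{0}", param = c.Value);

@RuleName = "Send Claims Using UPN"
c:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn"]
 => issue(
      Type = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier",
      Issuer = c.Issuer,
      OriginalIssuer = c.OriginalIssuer,
      Value = c.Value,
      ValueType = c.ValueType,
      Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/format"] = "urn:oasis:names:tc:SAML:2.0:nameid-format:transient",
      Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/namequalifier"] = "$idpEntityId",
      Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/spnamequalifier"] = "$spEntityId/$realm"
    );
"@

# Create the trust: manual data source, SAML 2.0 WebSSO endpoint, identifier equal to
# the trust URL, "permit all users" authorization, and the SHA-1 signature algorithm
# the page specifies. SHA-1 is deprecated for XML signatures; use
# "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256" if your Remedy SSO version
# validates SHA-256-signed responses.
$permitAll = '@RuleTemplate = "AllowAllAuthzRule" => issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");'
Add-AdfsRelyingPartyTrust -Name $trustName `
    -Notes "Remedy SSO receiver for realm $realm" `
    -Identifier $receiverUrl `
    -SamlEndpoint $acs `
    -IssuanceTransformRules $transformRules `
    -IssuanceAuthorizationRules $permitAll `
    -SignatureAlgorithm "http://www.w3.org/2000/09/xmldsig#rsa-sha1"

# Verification, the scripted equivalent of the Properties > Advanced check in the note above.
Get-AdfsRelyingPartyTrust -Name $trustName |
    Select-Object Name, Identifier, SignatureAlgorithm,
        @{ Name = "AcsUrl"; Expression = { $_.SamlEndpoints[0].Location } }
```

Run this in an elevated PowerShell session on the AD FS server. The wizard's "Configure Certificate" step is skipped deliberately, matching step 8 of the page: no token encryption certificate is set, so the assertion is signed but not encrypted.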

Related topic

IdP initiated login and logout process


Comments

  1. Jerker Billberg

    In your URL example above, you refer to appURL, what is that? appURL: URL of the protected service. https://<rssoServer>:<port>/rsso/receiver/?RelayState=<appURL> We are setting up a POC using an IdP without ADFS. Please be as specific as possible. Thanks.

    Mar 20, 2018 12:45
    1. Kamalakannan Srinivasan

      Hi Jerker,

      Thank you for your comment. I will discuss with the technical team and keep you informed.

      Regards,
      Kamal

      Mar 20, 2018 01:40
    2. Kamalakannan Srinivasan

      Hi Jerker,

      Thank you for your comment. The appURL is the URL of the integrated application such as MyIT.

      Regards,
      Kamal

      Mar 23, 2018 03:49
  2. Conrad Pereira

    Hi, We are unable to see the steps related to: a. Configure claim rules. b. Configure Remedy SSO to provide the service URL.

    Please provide the information. Thanks.

    Sep 13, 2018 07:13
    1. Vrishali namdev Galinde

      Hello Conrad,

      I have added a link for Configuring claim rules. To configure RSSO for providing service URL, see Remedy SSO server general configuration.

      Regards,
      Vrishali

      Sep 18, 2018 02:50