BMC Atrium Single Sign-On using SAMLv2 deployment example

This topic provides an example of how BMC Atrium Single Sign-On using Security Assertion Markup Language 2.0 (SAMLv2) can be deployed.

Business value

This deployment example shows you how BMC Atrium Single Sign-On uses SAMLv2 authentication. Single sign-on means that you only need to present credentials once for authentication, and you are subsequently automatically authenticated by every BMC product that is integrated into the system. This means that if you are looking at a report that has links to incident or change records, you can click on the link and go directly to the records without logging in again.

An additional important value is that with federated authentication the user logon credentials (for example, user name and password) are not exposed to the Service Provider (SP) and are not sent over the internet. The authentication is done on premise by the Identity Provider (IdP).

Federated authentication and SAML

SAMLv2 is an XML-based OASIS standard for exchanging user identity and security attributes information. It uses security tokens containing assertions to pass information about a principal (usually an end user) between an Identify Provider (IdP) and a web service.

SAMLv2 enables federated authentication between your environment and the BMC Remedy applications. When using SAMLv2, the BMC Remedy infrastructure is defined as a Service Provider (SP), and your infrastructure that performs the user authentication is the IdP. With SAMLv2 enabled, a user that tries to access BMC Remedy applications without having previously authenticated is redirected to your IdP. After authentication, the user is redirected back to the originally requested resource (BMC Remedy application).

Note

Although SAMLv2 supports both IdP-initiated single sign-on and SP-initiated single sign-on, SP-initiated single sign-on is essential to allow specific use cases for deep linking to specific pages and resources in the applications (for example, a notification URL that contains a link to a specific BMC Remedy ITSM form and record).

Configuration of SAMLv2 integration is largely the exchange of SAMLv2 metadata between your environment and the BMC Remedy environment. You provide IdP metadata , which defines the URLs that you use for SAMLv2, and the certificate used for validation of assertions. The BMC Remedy infrastructure provides SP metadata to allow you to preregister the BMC Remedy SP in your SAMLv2 infrastructure as required.

For more information about SAMLv2, see Using SAMLv2 for authentication.

Deployment architecture

This deployment example consists of the following components:

In the BMC environment:
- BMC Remedy web applications supporting BMC Atrium Single Sign-On
- BMC Atrium Single Sign-On agents which are add-ons to any BMC Remedy web application
- BMC Atrium Single Sign-On server which serves as the SP and runs as a web application on the Apache Tomcat server
In your environment:
- You use a browser to access BMC Remedy applications.
- An authentication server is responsible for your users authentication, which is usually located on premise. This is the IdP component.

The SAMLv2 IdP server and the BMC Atrium Single Sign-On SP server are connected by a trust relationship (federation) so they can honor each other’s authentication information.

The following sequence diagram shows the interactions between BMC Atrium Single Sign-On and SAMLv2 components. These interactions are listed in the sequential order that they occur.

BMC Atrium Single Sign-On and SAMLv2 components sequence diagram

The following sequence diagram illustrates the flow of events and the interaction between components for single log off (SLO):

Single log off sequence diagram

Deployment model

The following diagram shows the components that are part of this deployment example:

A load balancer or reverse proxy routes inbound connections to the appropriate target web server and are put in front of the application servers. Load balancers are used to distribute the workload and optimize application performance. Reverse proxies are used to distribute the workload, optimize application performance, and hide the existence and characteristics of internal servers.
BMC Remedy Mid Tier is deployed on a separate virtual machine (VM).
A second BMC Remedy Mid Tier and the BMC Atrium Single Sign-On server are deployed on the another VM but on two different Apache Tomcat servers.
BMC Dashboards for Business Services Management and BMC Analytics for Business Services Management are deployed on two different VMs to avoid performance issues.
You deploy the browser and the SAMLv2 IdP server from your environment.

Deployment tasks

The following table lists the main steps involved in installing and configuring the deployed BMC Products with BMC Atrium Single Sign-On with SAMLv2 authentication where BMC Atrium Single Sign-On is configured as an SP with a remote IdP.

Note

Review the Deployment parameters list before starting the deployment tasks.

Step	Task
1.	Install BMC Atrium Single Sign-On.
2.	Install BMC Remedy AR System server.
3.	Install the BMC Remedy Mid Tier.
4.	(Optional) Configure your load balancer or reverse proxy. Note: For more information, see Troubleshooting redirect URLs.
5.	Run the SSOARIntegration utility on the AR System server.
6.	Run the SSOMidtierIntegration utility on the BMC Remedy Mid Tier.
7.	Configure group mapping for the AR System and BMC Atrium Single Sign-On .
8.	Configure the BMC Atrium Single Sign-On server for AR System Note: Though AR authentication module should be configured, you must delete the AR user stores when using SAML v2 for authentication. The AR data store is not needed for authentication in SAMLv2 deployment.
9.	Run a health check on the BMC Atrium Single Sign-On installation.
10.	Configure BMC Atrium Single Sign-On to use SAMLv2 authentication with BMC Atrium Single Sign-On as a Service Provider and a remote Identity Provider. Note: Each time a BMC product is integrated (steps 10 -12) with the BMC Atrium Single Sign-On Service Provider, the J2EE agents configuration must be modified so the integrating product can function in the Federated Single Sign-On.
11.	(Optional) Integrate BMC Dashboards for Business Service Management and configure it. Note: For more information, see the BMC Dashboards for Business Service Management Installation Guide at PDFs.
12.	(Optional) Integrate BMC Analytics for Business Service Management and configure it. Note: For more information, see Installing.
13.	(Optional) Integrate BMC IT Business Management Suite. Note: For more information, see Installing.

Deployment parameters

The deployment environment assumes MS Windows 2008, MS SQL Server 2008, New Tomcats, and the defaults are accepted. It also assumes that BMC Remedy AR system server groups and BMC Atrium Single Sign-On high availability (HA) are not deployed.

The BMC Atrium Single Sign-On authentication is SAMLv2 where BMC Atrium Single Sign-On is configured as an Service Provider (SP) with a remote Identity Provider (IdP).

Important

BMC recommends that you install the BMC Remedy Mid Tier, BMC Remedy AR System server, and BMC Atrium Single Sign-On server on separate computers.

However, if you do install more than one BMC Product on the same computer, ensure that the HTTP, HTTPS, and Shutdown port numbers are different.

The following parameters are set in deployment of the following BMC Products and BMC Atrium Single Sign-On authentication:

BMC Remedy AR System
BMC Remedy Mid Tier
BMC Atrium Single Sign-On
SAMLv2 authentication where BMC Atrium Single Sign-On is configured as an SP with a remote IdP.
BMC Dashboards for BSM
BMC Analytics for BSM

Product install/configuration	Parameters	Description
AR System installation	Planning spreadsheet	Complete the Planning Spreadsheet on BMC Remedy AR System 8.1.
Mid Tier installation	Planning spreadsheet	Complete the Planning Spreadsheet on BMC Remedy AR System 8.1.
Atrium SSO installation	FQDN of host name	The Fully Qualified Domain Name (FQDN) for the host. For example, ssoserver.bmc.com.
	HTTP, HTTPS, Shutdown port numbers	If BMC Atrium Single Sign-On is installed on the same computer as another BMC Product, provide port numbers that are different from the other BMC Product.
	Cookie domain	The cookie name is the name of the cookie that agent will check for the SSO session token. It should match the cookie name of the server configuration. For example, atsso_bmc_com.
	Atrium SSO server password	The password for the BMC Atrium Single Sign-On server. Default: amadmin
AR System integration	AR Server Name	The AR server name. For example, arsystemserver.bmc.com
	AR Server User	The AR server user. For example, Demo.
	AR Server Password	The AR server password. For example, Demo.
	AR Server Port	The AR server port. For example, 0.
	Atrium SSO URL	URL for the BMC Atrium Single Sign-On server. For example, https://ssoserver.bmc.com:8443/atriumsso
	SSO Admin Name	The BMC Single Sign-On administrator name. Default: amadmin.
	SSO Admin Password	The BMC Single Sign-On administrator password.
	truststore	(Optional) The truststore path.
	truststore-password	(Optional) The truststore password.
	force	(Optional) If "Yes" is provided then the utility will not wait for the user to shutdown the webserver (if not done already), in case, the webserver is other then tomcat or jboss. Default: No
Mid Tier integration	AR Server Name	The AR Server name from the AR System integration. For example, arsystemserver.bmc.com.
	AR Server User	The AR Server user from the AR System integration. For example, Demo.
	AR Server Password	The AR Server password from the AR System integration. For example, Demo.
	AR Server Port	The AR Server port from the AR System integration. For example, 0.
	Container Type	Supported contain types include JBOSSV4, JBOSSV5, SERVLETEXECV5, SERVLETEXECV6, TOMCATV5, TOMCATV6, TOMCATV7, WEBSPHEREV6, WEBSPHEREV7, WEBSPHEREV8, WEBLOGICV10, WEBLOGICV11
	Web App URL	The Mid Tier URL if a load balancer is not implemented. Otherwise, the load balancer URL. Be sure the server name is provided with fully qualified domain name and port is also provided in the URL. For example, http://midtierloadbalancer.bmc.com:8080/arsys
	webserverhomedirectory	The webserver home directory. For example, C:\Program Files\Apache Software Foundation\Tomcat6.
	JREInstallDirectory	Path to the JRE directory. For example, C:\Program Files\Java\jre7
	MidtierHome	Mid Tier home directory. For example, C:\Program Files\BMC Software\ARSystem\midtier
	serverinstancename	The WebSphere instance name is required for the WebSphere server.
	instanceconfigdirectory	The WebSphere configuration directory is required for the WebSphere server.
	weblogicdomainhome	The BEA domain home is required for the WebLogic web application.
AR System external authentication group mapping for SSO	AR Group Name LDAP Group Name	Administrator BmcAdmins
Dashboards installation	Fully Qualified Host Name	Fully qualified host name of the BMC Atrium Single Sign-On server.
	HTTP, HTTPS, Shutdown Port Number	Port numbers used by the BMC Atrium Single Sign-On server. If BMC Atrium Single Sign-On is installed on the same computer as another BMC Product, provide port numbers that are different from the other BMC Product.
	Administrator login name and password	User name and password for the BMC Atrium Single Sign-On server administrator.
	BMC Dashboards administrator Name and Password	User name and password of the BMC Dashboards for BSM administrator user. This user must exist in BMC Atrium Single Sign-On.
Analytics installation	Fully Qualified Host Name	Fully qualified host name of the BMC Atrium Single Sign-On server.
	HTTP, HTTPS, Shutdown Port Number	Port numbers used by the BMC Atrium Single Sign-On server. If BMC Atrium Single Sign-On is installed on the same computer as another BMC Product, provide port numbers that are different from the other BMC Product.
	Administrator login name and password	User name and password for the BMC Atrium Single Sign-On server administrator.
SAMLv2 authentication	Remote IdP metadata file	The metadata file for the remote Identity Provider (IdP). For example, sso-idp.xml.
	BMC Remedy AR System agent Federated login URL & logout URI	Login and logout URIs are the locations that the agent will send the users browsers when the specified function is needed.
	BMC Dashboards agent Federated login URL & logout URI	Login and logout URIs are the locations that the agent will send the users browsers when the specified function is needed.
	BMC Analytics agent Federated login URL & logout URI	Login and logout URIs are the locations that the agent will send the users browsers when the specified function is needed.