BMC Atrium Single Sign-On using SAMLv2 deployment example
This topic provides an example of how BMC Atrium Single Sign-On using Security Assertion Markup Language 2.0 (SAMLv2) can be deployed.
Business value
This deployment example shows you how BMC Atrium Single Sign-On uses SAMLv2 authentication. Single sign-on means that you only need to present credentials once for authentication, and you are subsequently automatically authenticated by every BMC product that is integrated into the system. This means that if you are looking at a report that has links to incident or change records, you can click on the link and go directly to the records without logging in again.
An additional important value is that with federated authentication the user logon credentials (for example, user name and password) are not exposed to the Service Provider (SP) and are not sent over the internet. The authentication is done on premises by the Identity Provider (IdP).
Federated authentication and SAML
SAMLv2 is an XML-based OASIS standard for exchanging user identity and security attribute information. It uses security tokens containing assertions to pass information about a principal (usually an end user) between an Identity Provider (IdP) and a web service.
SAMLv2 enables federated authentication between your environment and the BMC Remedy applications. When using SAMLv2, the BMC Remedy infrastructure is defined as a Service Provider (SP), and your infrastructure that performs the user authentication is the IdP. With SAMLv2 enabled, a user that tries to access BMC Remedy applications without having previously authenticated is redirected to your IdP. After authentication, the user is redirected back to the originally requested resource (BMC Remedy application).
Note
Although SAMLv2 supports both IdP-initiated single sign-on and SP-initiated single sign-on, SP-initiated single sign-on is essential to allow specific use cases for deep linking to specific pages and resources in the applications (for example, a notification URL that contains a link to a specific BMC Remedy ITSM form and record).
Configuration of SAMLv2 integration is largely the exchange of SAMLv2 metadata between your environment and the BMC Remedy environment. You provide IdP metadata, which defines the URLs that you use for SAMLv2 and the certificate used for validation of assertions. The BMC Remedy infrastructure provides SP metadata to allow you to preregister the BMC Remedy SP in your SAMLv2 infrastructure as required.
For more information about SAMLv2, see Using SAMLv2 for authentication.
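The metadata exchange and SP-initiated flow described above, as an added Python example that is not part of the BMC documentation: it reads the HTTP-Redirect single sign-on URL and the signing certificate out of a constructed IdP metadata file (the kind you hand to the BMC Atrium Single Sign-On server), builds the AuthnRequest redirect that an SP sends the browser to, and carries the originally requested deep link in RelayState so the user lands on it after authenticating at the IdP. The entity IDs, URLs, certificate value and deep link are placeholders, and the example does not verify assertion signatures.

```python
import base64, re, uuid, zlib
import xml.etree.ElementTree as ET
from datetime import datetime, timezone
from urllib.parse import parse_qs, urlencode, urlsplit

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata", "ds": "http://www.w3.org/2000/09/xmldsig#"}
REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"

# Constructed IdP metadata: entity ID, URL and certificate are placeholders, not real values.
IDP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="https://idp.example.test/saml">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>MIIC...PLACEHOLDER...</ds:X509Certificate>
    </ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
      Location="https://idp.example.test/saml/sso"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""

def parse_idp_metadata(xml_text):
    """Return (entityID, HTTP-Redirect SSO URL, signing certificate) from IdP metadata."""
    root = ET.fromstring(xml_text)
    idp = root.find("md:IDPSSODescriptor", NS)
    sso = [s.get("Location") for s in idp.findall("md:SingleSignOnService", NS)
           if s.get("Binding") == REDIRECT]
    kd = idp.find("md:KeyDescriptor[@use='signing']", NS)
    cert = None if kd is None else kd.find(".//ds:X509Certificate", NS)
    if not sso or cert is None:  # without a signing cert the SP cannot validate assertions
        raise ValueError("IdP metadata lacks a Redirect SSO URL or a signing certificate")
    return root.get("entityID"), sso[0], re.sub(r"\s+", "", cert.text)

def build_sp_redirect(sso_url, sp_entity_id, acs_url, deep_link):
    """SP-initiated SSO: AuthnRequest in the HTTP-Redirect binding, deep link in RelayState."""
    now = datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    req = (f'<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
           f'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_{uuid.uuid4().hex}" '
           f'Version="2.0" IssueInstant="{now}" Destination="{sso_url}" '
           f'AssertionConsumerServiceURL="{acs_url}">'
           f'<saml:Issuer>{sp_entity_id}</saml:Issuer></samlp:AuthnRequest>')
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)  # -15: raw DEFLATE, as the binding requires
    data = comp.compress(req.encode()) + comp.flush()
    return sso_url + "?" + urlencode({"SAMLRequest": base64.b64encode(data).decode(),
                                      "RelayState": deep_link})

def decode_sp_redirect(url):
    """The IdP's view: inflate SAMLRequest and return (AuthnRequest XML, RelayState)."""
    q = parse_qs(urlsplit(url).query)
    xml_text = zlib.decompress(base64.b64decode(q["SAMLRequest"][0]), -15).decode()
    return xml_text, q.get("RelayState", [None])[0]
```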
Deployment architecture
This deployment example consists of the following components:
- In the BMC environment:
- BMC Remedy web applications supporting BMC Atrium Single Sign-On
- BMC Atrium Single Sign-On agents which are add-ons to any BMC Remedy web application
- BMC Atrium Single Sign-On server which serves as the SP and runs as a web application on the Apache Tomcat server
- In your environment:
- You use a browser to access BMC Remedy applications.
- An authentication server, usually located on premises, is responsible for authenticating your users. This is the IdP component.
The SAMLv2 IdP server and the BMC Atrium Single Sign-On SP server are connected by a trust relationship (federation) so they can honor each other’s authentication information.
The following sequence diagram shows the interactions between BMC Atrium Single Sign-On and SAMLv2 components. These interactions are listed in the sequential order that they occur.
BMC Atrium Single Sign-On and SAMLv2 components sequence diagram
The following sequence diagram illustrates the flow of events and the interaction between components for single log off (SLO):
Single log off sequence diagram
Deployment model
The following diagram shows the components that are part of this deployment example:
- A load balancer or reverse proxy is placed in front of the application servers and routes inbound connections to the appropriate target web server. Load balancers are used to distribute the workload and optimize application performance. Reverse proxies are used to distribute the workload, optimize application performance, and hide the existence and characteristics of internal servers.
- BMC Remedy Mid Tier is deployed on a separate virtual machine (VM).
- A second BMC Remedy Mid Tier and the BMC Atrium Single Sign-On server are deployed on another VM, but on two different Apache Tomcat servers.
- BMC Dashboards for Business Services Management and BMC Analytics for Business Services Management are deployed on two different VMs to avoid performance issues.
- You deploy the browser and the SAMLv2 IdP server from your environment.
Deployment tasks
The following table lists the main steps involved in installing and configuring the BMC products in this deployment with BMC Atrium Single Sign-On using SAMLv2 authentication, where BMC Atrium Single Sign-On is configured as an SP with a remote IdP.
Note
Review the Deployment parameters list before starting the deployment tasks.
Step | Task |
---|---|
1. | |
2. | |
3. | |
4. | (Optional) Configure your load balancer or reverse proxy. |
5. | |
6. | Run the SSOMidtierIntegration utility on the BMC Remedy Mid Tier. |
7. | Configure group mapping for the AR System and BMC Atrium Single Sign-On. |
8. | Configure the BMC Atrium Single Sign-On server for AR System. Note: Although the AR authentication module should be configured, you must delete the AR user stores when using SAMLv2 for authentication. The AR data store is not needed for authentication in a SAMLv2 deployment. |
9. | Run a health check on the BMC Atrium Single Sign-On installation. |
10. | Configure BMC Atrium Single Sign-On to use SAMLv2 authentication with BMC Atrium Single Sign-On as a Service Provider and a remote Identity Provider. |
11. | (Optional) Integrate BMC Dashboards for Business Service Management and configure it. |
12. | (Optional) Integrate BMC Analytics for Business Service Management and configure it. |
13. | (Optional) Integrate BMC IT Business Management Suite. |
Deployment parameters
The deployment environment assumes MS Windows 2008, MS SQL Server 2008, newly installed Apache Tomcat servers, and acceptance of the installation defaults. It also assumes that BMC Remedy AR System server groups and BMC Atrium Single Sign-On high availability (HA) are not deployed.
The BMC Atrium Single Sign-On authentication is SAMLv2, where BMC Atrium Single Sign-On is configured as a Service Provider (SP) with a remote Identity Provider (IdP).
Important
BMC recommends that you install the BMC Remedy Mid Tier, BMC Remedy AR System server, and BMC Atrium Single Sign-On server on separate computers.
However, if you do install more than one BMC Product on the same computer, ensure that the HTTP, HTTPS, and Shutdown port numbers are different.
The following parameters are set when deploying these BMC products and BMC Atrium Single Sign-On authentication:
- BMC Remedy AR System
- BMC Remedy Mid Tier
- BMC Atrium Single Sign-On
- SAMLv2 authentication where BMC Atrium Single Sign-On is configured as an SP with a remote IdP.
- BMC Dashboards for BSM
- BMC Analytics for BSM
Product install/configuration | Parameters | Description |
---|---|---|
AR System installation | Planning spreadsheet | Complete the Planning Spreadsheet on BMC Remedy AR System 8.1. |
Mid Tier installation | Planning spreadsheet | Complete the Planning Spreadsheet on BMC Remedy AR System 8.1. |
Atrium SSO installation | FQDN of host name | The Fully Qualified Domain Name (FQDN) for the host. For example, ssoserver.bmc.com. |
Atrium SSO installation | HTTP, HTTPS, Shutdown port numbers | If BMC Atrium Single Sign-On is installed on the same computer as another BMC Product, provide port numbers that are different from the other BMC Product. |
Atrium SSO installation | Cookie domain | The cookie name is the name of the cookie that the agent checks for the SSO session token. It must match the cookie name in the server configuration. For example, atsso_bmc_com. |
Atrium SSO installation | Atrium SSO server password | The password for the BMC Atrium Single Sign-On server. Default: amadmin |
AR System integration | AR Server Name | The AR server name. For example, arsystemserver.bmc.com. |
AR System integration | AR Server User | The AR server user. For example, Demo. |
AR System integration | AR Server Password | The AR server password. For example, Demo. |
AR System integration | AR Server Port | The AR server port. For example, 0. |
AR System integration | Atrium SSO URL | URL for the BMC Atrium Single Sign-On server. For example, https://ssoserver.bmc.com:8443/atriumsso |
AR System integration | SSO Admin Name | The BMC Atrium Single Sign-On administrator name. Default: amadmin. |
AR System integration | SSO Admin Password | The BMC Atrium Single Sign-On administrator password. |
AR System integration | truststore | (Optional) The truststore path. |
AR System integration | truststore-password | (Optional) The truststore password. |
AR System integration | force | (Optional) If "Yes" is provided, the utility does not wait for the user to shut down the web server (if not done already) when the web server is other than Tomcat or JBoss. Default: No |
Mid Tier integration | AR Server Name | The AR Server name from the AR System integration. For example, arsystemserver.bmc.com. |
Mid Tier integration | AR Server User | The AR Server user from the AR System integration. For example, Demo. |
Mid Tier integration | AR Server Password | The AR Server password from the AR System integration. For example, Demo. |
Mid Tier integration | AR Server Port | The AR Server port from the AR System integration. For example, 0. |
Mid Tier integration | Container Type | Supported container types include JBOSSV4, JBOSSV5, SERVLETEXECV5, SERVLETEXECV6, TOMCATV5, TOMCATV6, TOMCATV7, WEBSPHEREV6, WEBSPHEREV7, WEBSPHEREV8, WEBLOGICV10, WEBLOGICV11. |
Mid Tier integration | Web App URL | The Mid Tier URL if a load balancer is not implemented; otherwise, the load balancer URL. Be sure the server name is provided as a fully qualified domain name and that the port is also provided in the URL. |
Mid Tier integration | webserverhomedirectory | The web server home directory. For example, C:\Program Files\Apache Software Foundation\Tomcat6. |
Mid Tier integration | JREInstallDirectory | Path to the JRE directory. For example, C:\Program Files\Java\jre7 |
Mid Tier integration | MidtierHome | Mid Tier home directory. For example, C:\Program Files\BMC Software\ARSystem\midtier |
Mid Tier integration | serverinstancename | The WebSphere instance name; required for the WebSphere server. |
Mid Tier integration | instanceconfigdirectory | The WebSphere configuration directory; required for the WebSphere server. |
Mid Tier integration | weblogicdomainhome | The BEA domain home; required for the WebLogic web application. |
AR System external authentication group mapping for SSO | AR Group Name | Administrator |
Dashboards installation | Fully Qualified Host Name | Fully qualified host name of the BMC Atrium Single Sign-On server. |
Dashboards installation | HTTP, HTTPS, Shutdown Port Number | Port numbers used by the BMC Atrium Single Sign-On server. If BMC Atrium Single Sign-On is installed on the same computer as another BMC Product, provide port numbers that are different from the other BMC Product. |
Dashboards installation | Administrator login name and password | User name and password for the BMC Atrium Single Sign-On server administrator. |
Dashboards installation | BMC Dashboards administrator Name and Password | User name and password of the BMC Dashboards for BSM administrator user. This user must exist in BMC Atrium Single Sign-On. |
Analytics installation | Fully Qualified Host Name | Fully qualified host name of the BMC Atrium Single Sign-On server. |
Analytics installation | HTTP, HTTPS, Shutdown Port Number | Port numbers used by the BMC Atrium Single Sign-On server. If BMC Atrium Single Sign-On is installed on the same computer as another BMC Product, provide port numbers that are different from the other BMC Product. |
Analytics installation | Administrator login name and password | User name and password for the BMC Atrium Single Sign-On server administrator. |
SAMLv2 authentication | Remote IdP metadata file | The metadata file for the remote Identity Provider (IdP). For example, sso-idp.xml. |
SAMLv2 authentication | BMC Remedy AR System agent Federated login URL & logout URI | Login and logout URIs are the locations to which the agent sends the user's browser when the specified function is needed. |
SAMLv2 authentication | BMC Dashboards agent Federated login URL & logout URI | Login and logout URIs are the locations to which the agent sends the user's browser when the specified function is needed. |
SAMLv2 authentication | BMC Analytics agent Federated login URL & logout URI | Login and logout URIs are the locations to which the agent sends the user's browser when the specified function is needed. |