This documentation supports the 8.1 version of BMC Atrium Single Sign-On.

BMC Atrium Single Sign-On using SAMLv2 deployment example

This topic provides an example of how BMC Atrium Single Sign-On using Security Assertion Markup Language 2.0 (SAMLv2) can be deployed.

Business value

This deployment example shows you how BMC Atrium Single Sign-On uses SAMLv2 authentication. Single sign-on means that you only need to present credentials once for authentication, and you are subsequently automatically authenticated by every BMC product that is integrated into the system. This means that if you are looking at a report that has links to incident or change records, you can click on the link and go directly to the records without logging in again.

An additional important value is that with federated authentication the user logon credentials (for example, user name and password) are not exposed to the Service Provider (SP) and are not sent over the internet. The authentication is done on premises by the Identity Provider (IdP).

Federated authentication and SAML

SAMLv2 is an XML-based OASIS standard for exchanging user identity and security attribute information. It uses security tokens containing assertions to pass information about a principal (usually an end user) between an Identity Provider (IdP) and a web service.

SAMLv2 enables federated authentication between your environment and the BMC Remedy applications. When using SAMLv2, the BMC Remedy infrastructure is defined as a Service Provider (SP), and your infrastructure that performs the user authentication is the IdP. With SAMLv2 enabled, a user that tries to access BMC Remedy applications without having previously authenticated is redirected to your IdP. After authentication, the user is redirected back to the originally requested resource (BMC Remedy application).

Note

Although SAMLv2 supports both IdP-initiated single sign-on and SP-initiated single sign-on, SP-initiated single sign-on is essential to allow specific use cases for deep linking to specific pages and resources in the applications (for example, a notification URL that contains a link to a specific BMC Remedy ITSM form and record).
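The SP-initiated flow described above, with the deep link carried in RelayState, as an added example that is not part of the original page and not BMC's code. It simulates both sides of the first exchange (the SP building an AuthnRequest and sending the browser to the IdP with the HTTP-Redirect binding; the IdP decoding it) and the SP's final redirect back to the originally requested resource. The hostnames, the SP entity ID and the assertion consumer path are assumed example values, not Atrium SSO's real endpoints.

```python
import base64
import secrets
import zlib
from datetime import datetime, timezone
from urllib.parse import parse_qs, urlencode, urlparse
import xml.etree.ElementTree as ET

# Assumed endpoints for this example (not from the page): the SP entity ID
# and assertion consumer URL of the service provider, and the remote IdP's
# HTTP-Redirect single sign-on endpoint.
SP_ENTITY_ID = "https://sso.sp.example.com:8443/atriumsso"
SP_ACS_URL = "https://sso.sp.example.com:8443/atriumsso/acs"   # hypothetical path
IDP_SSO_URL = "https://idp.example.com/idp/sso"

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"


def build_authn_request(request_id=None, issue_instant=None):
    """Build a minimal (unsigned) SAMLv2 AuthnRequest as the SP would."""
    request_id = request_id or ("_" + secrets.token_hex(16))
    issue_instant = issue_instant or datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    xml = (
        f'<samlp:AuthnRequest xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}" '
        f'ID="{request_id}" Version="2.0" IssueInstant="{issue_instant}" '
        f'Destination="{IDP_SSO_URL}" AssertionConsumerServiceURL="{SP_ACS_URL}" '
        f'ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST">'
        f'<saml:Issuer>{SP_ENTITY_ID}</saml:Issuer>'
        f'</samlp:AuthnRequest>'
    )
    return request_id, xml


def encode_redirect(xml):
    """HTTP-Redirect binding: raw DEFLATE, then base64 (urlencode adds the URL escaping)."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)
    raw = comp.compress(xml.encode()) + comp.flush()
    return base64.b64encode(raw).decode()


def decode_redirect(value):
    """Inverse of encode_redirect, as the IdP performs it."""
    return zlib.decompress(base64.b64decode(value), -15).decode()


def sp_initiated_redirect(requested_path):
    """Step 1: an unauthenticated browser asked for requested_path; the SP
    redirects it to the IdP and carries the deep link in RelayState."""
    request_id, xml = build_authn_request()
    query = urlencode({"SAMLRequest": encode_redirect(xml), "RelayState": requested_path})
    return request_id, IDP_SSO_URL + "?" + query


def idp_reads_request(redirect_url):
    """Step 2 (IdP side): decode the request and note the RelayState it must echo back."""
    qs = parse_qs(urlparse(redirect_url).query)
    req = ET.fromstring(decode_redirect(qs["SAMLRequest"][0]))
    return {
        "id": req.get("ID"),
        "issuer": req.find("{%s}Issuer" % SAML).text,
        "acs": req.get("AssertionConsumerServiceURL"),
        "relay_state": qs["RelayState"][0],
    }


def relay_state_target(relay_state):
    """Step 3: after the IdP posts the response to the SP, the SP sends the browser
    to the originally requested resource. Only a local absolute path is honoured;
    a RelayState that would leave the site falls back to the application root."""
    p = urlparse(relay_state)
    if (p.scheme or p.netloc or "\\" in relay_state
            or not relay_state.startswith("/") or relay_state.startswith("//")):
        return "/"
    return relay_state


if __name__ == "__main__":
    rid, url = sp_initiated_redirect("/arsys/forms/incident/123")
    print("IdP sees:", idp_reads_request(url))
    print("final target:", relay_state_target("/arsys/forms/incident/123"))
```

The RelayState check in the last step is the part worth keeping in mind when deep links are enabled: the value round-trips through the IdP unchanged, so the SP should treat it as untrusted input and only redirect to paths it serves itself.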

Configuration of SAMLv2 integration is largely the exchange of SAMLv2 metadata between your environment and the BMC Remedy environment. You provide IdP metadata, which defines the URLs that you use for SAMLv2 and the certificate used for validation of assertions. The BMC Remedy infrastructure provides SP metadata so that you can preregister the BMC Remedy SP in your SAMLv2 infrastructure as required.

For more information about SAMLv2, see Using SAMLv2 for authentication.

Deployment architecture

This deployment example consists of the following components:

  • In the BMC environment:
    • BMC Remedy web applications supporting BMC Atrium Single Sign-On
    • BMC Atrium Single Sign-On agents which are add-ons to any BMC Remedy web application
    • BMC Atrium Single Sign-On server which serves as the SP and runs as a web application on the Apache Tomcat server
  • In your environment:
    • You use a browser to access BMC Remedy applications.
    • An authentication server, usually located on premises, is responsible for authenticating your users. This is the IdP component.

The SAMLv2 IdP server and the BMC Atrium Single Sign-On SP server are connected by a trust relationship (federation) so they can honor each other’s authentication information.

The following sequence diagram shows the interactions between BMC Atrium Single Sign-On and SAMLv2 components. These interactions are listed in the sequential order that they occur.

BMC Atrium Single Sign-On and SAMLv2 components sequence diagram

The following sequence diagram illustrates the flow of events and the interaction between components for single log off (SLO):

Single log off sequence diagram

Deployment model

The following diagram shows the components that are part of this deployment example:

  • A load balancer or reverse proxy is placed in front of the application servers and routes inbound connections to the appropriate target web server. Load balancers distribute the workload and optimize application performance. Reverse proxies do the same and also hide the existence and characteristics of the internal servers.
  • BMC Remedy Mid Tier is deployed on a separate virtual machine (VM).
  • A second BMC Remedy Mid Tier and the BMC Atrium Single Sign-On server are deployed on another VM, but on two different Apache Tomcat servers.
  • BMC Dashboards for Business Services Management and BMC Analytics for Business Services Management are deployed on two different VMs to avoid performance issues.
  • You deploy the browser and the SAMLv2 IdP server from your environment.

Deployment tasks

The following steps are the main tasks involved in installing and configuring the deployed BMC products with BMC Atrium Single Sign-On using SAMLv2 authentication, where BMC Atrium Single Sign-On is configured as an SP with a remote IdP.

Note

Review the Deployment parameters list before starting the deployment tasks.

1. Install BMC Atrium Single Sign-On.
2. Install BMC Remedy AR System server.
3. Install the BMC Remedy Mid Tier.
4. (Optional) Configure your load balancer or reverse proxy.
   Note: For more information, see Troubleshooting redirect URLs.
5. Run the SSOARIntegration utility on the AR System server.
6. Run the SSOMidtierIntegration utility on the BMC Remedy Mid Tier.
7. Configure group mapping for the AR System and BMC Atrium Single Sign-On.
8. Configure the BMC Atrium Single Sign-On server for AR System.
   Note: Although the AR authentication module should be configured, you must delete the AR user stores when using SAMLv2 for authentication. The AR data store is not needed for authentication in a SAMLv2 deployment.
9. Run a health check on the BMC Atrium Single Sign-On installation.
10. Configure BMC Atrium Single Sign-On to use SAMLv2 authentication with BMC Atrium Single Sign-On as a Service Provider and a remote Identity Provider.
    Note: Each time a BMC product is integrated (steps 10-12) with the BMC Atrium Single Sign-On Service Provider, the J2EE agent configuration must be modified so that the integrating product can function in the federated single sign-on.
11. (Optional) Integrate BMC Dashboards for Business Service Management and configure it.
    Note: For more information, see the BMC Dashboards for Business Service Management Installation Guide at PDFs.
12. (Optional) Integrate BMC Analytics for Business Service Management and configure it.
    Note: For more information, see Installing.
13. (Optional) Integrate BMC IT Business Management Suite.
    Note: For more information, see Installing.

Deployment parameters

The deployment environment assumes MS Windows 2008, MS SQL Server 2008, newly installed Tomcat instances, and that the installer defaults are accepted. It also assumes that BMC Remedy AR System server groups and BMC Atrium Single Sign-On high availability (HA) are not deployed.

The BMC Atrium Single Sign-On authentication is SAMLv2, where BMC Atrium Single Sign-On is configured as a Service Provider (SP) with a remote Identity Provider (IdP).

Important

BMC recommends that you install the BMC Remedy Mid Tier, BMC Remedy AR System server, and BMC Atrium Single Sign-On server on separate computers.

However, if you do install more than one BMC Product on the same computer, ensure that the HTTP, HTTPS, and Shutdown port numbers are different.

The following parameters are set when deploying these BMC products and BMC Atrium Single Sign-On authentication:

  • BMC Remedy AR System
  • BMC Remedy Mid Tier
  • BMC Atrium Single Sign-On
  • SAMLv2 authentication where BMC Atrium Single Sign-On is configured as an SP with a remote IdP.
  • BMC Dashboards for BSM
  • BMC Analytics for BSM

AR System installation
  • Planning spreadsheet: Complete the Planning Spreadsheet on BMC Remedy AR System 8.1.

Mid Tier installation
  • Planning spreadsheet: Complete the Planning Spreadsheet on BMC Remedy AR System 8.1.

Atrium SSO installation
  • FQDN of host name: The Fully Qualified Domain Name (FQDN) for the host. For example, ssoserver.bmc.com.
  • HTTP, HTTPS, Shutdown port numbers: If BMC Atrium Single Sign-On is installed on the same computer as another BMC product, provide port numbers that differ from those of the other BMC product.
  • Cookie domain: The cookie name is the name of the cookie that the agent checks for the SSO session token. It should match the cookie name in the server configuration. For example, atsso_bmc_com.
  • Atrium SSO server password: The password for the BMC Atrium Single Sign-On server. Default: amadmin

AR System integration
  • AR Server Name: The AR server name. For example, arsystemserver.bmc.com.
  • AR Server User: The AR server user. For example, Demo.
  • AR Server Password: The AR server password. For example, Demo.
  • AR Server Port: The AR server port. For example, 0.
  • Atrium SSO URL: URL for the BMC Atrium Single Sign-On server. For example, https://ssoserver.bmc.com:8443/atriumsso
  • SSO Admin Name: The BMC Single Sign-On administrator name. Default: amadmin.
  • SSO Admin Password: The BMC Single Sign-On administrator password.
  • truststore: (Optional) The truststore path.
  • truststore-password: (Optional) The truststore password.
  • force: (Optional) If "Yes" is provided, the utility does not wait for the user to shut down the web server (if it is not already shut down) when the web server is something other than Tomcat or JBoss. Default: No

Mid Tier integration
  • AR Server Name: The AR Server name from the AR System integration. For example, arsystemserver.bmc.com.
  • AR Server User: The AR Server user from the AR System integration. For example, Demo.
  • AR Server Password: The AR Server password from the AR System integration. For example, Demo.
  • AR Server Port: The AR Server port from the AR System integration. For example, 0.
  • Container Type: Supported container types include JBOSSV4, JBOSSV5, SERVLETEXECV5, SERVLETEXECV6, TOMCATV5, TOMCATV6, TOMCATV7, WEBSPHEREV6, WEBSPHEREV7, WEBSPHEREV8, WEBLOGICV10, WEBLOGICV11.
  • Web App URL: The Mid Tier URL if a load balancer is not implemented; otherwise, the load balancer URL. Be sure the server name is given as a fully qualified domain name and that the port is included in the URL. For example, http://midtierloadbalancer.bmc.com:8080/arsys
  • webserverhomedirectory: The web server home directory. For example, C:\Program Files\Apache Software Foundation\Tomcat6.
  • JREInstallDirectory: Path to the JRE directory. For example, C:\Program Files\Java\jre7
  • MidtierHome: Mid Tier home directory. For example, C:\Program Files\BMC Software\ARSystem\midtier
  • serverinstancename: The WebSphere instance name; required for the WebSphere server.
  • instanceconfigdirectory: The WebSphere configuration directory; required for the WebSphere server.
  • weblogicdomainhome: The BEA domain home; required for the WebLogic web application.

AR System external authentication group mapping for SSO
  • AR Group Name Administrator maps to LDAP Group Name BmcAdmins.

Dashboards installation
  • Fully Qualified Host Name: Fully qualified host name of the BMC Atrium Single Sign-On server.
  • HTTP, HTTPS, Shutdown Port Number: Port numbers used by the BMC Atrium Single Sign-On server. If BMC Atrium Single Sign-On is installed on the same computer as another BMC product, provide port numbers that differ from those of the other BMC product.
  • Administrator login name and password: User name and password for the BMC Atrium Single Sign-On server administrator.
  • BMC Dashboards administrator Name and Password: User name and password of the BMC Dashboards for BSM administrator user. This user must exist in BMC Atrium Single Sign-On.

Analytics installation
  • Fully Qualified Host Name: Fully qualified host name of the BMC Atrium Single Sign-On server.
  • HTTP, HTTPS, Shutdown Port Number: Port numbers used by the BMC Atrium Single Sign-On server. If BMC Atrium Single Sign-On is installed on the same computer as another BMC product, provide port numbers that differ from those of the other BMC product.
  • Administrator login name and password: User name and password for the BMC Atrium Single Sign-On server administrator.

SAMLv2 authentication
  • Remote IdP metadata file: The metadata file for the remote Identity Provider (IdP). For example, sso-idp.xml.
  • BMC Remedy AR System agent Federated login URL & logout URI: Login and logout URIs are the locations to which the agent sends users' browsers when the corresponding function is needed.
  • BMC Dashboards agent Federated login URL & logout URI: Login and logout URIs are the locations to which the agent sends users' browsers when the corresponding function is needed.
  • BMC Analytics agent Federated login URL & logout URI: Login and logout URIs are the locations to which the agent sends users' browsers when the corresponding function is needed.
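A pre-flight check over the deployment parameters above, as an added example that is not part of the original page and not a BMC utility. It enforces the rules the table states: HTTP, HTTPS and Shutdown ports must not collide between products on the same computer, the Web App URL must name a fully qualified host and carry an explicit port, and the host names must be FQDNs; it also requires https for the Atrium SSO URL, matching the page's example value. The plan it runs over is constructed (assumed example hosts and ports) and deliberately contains two mistakes.

```python
from urllib.parse import urlparse


def is_fqdn(host):
    """Fully qualified host name: two or more labels, hostname characters only,
    and no scheme, port or path mixed in."""
    if not host or "/" in host or ":" in host:
        return False
    labels = host.rstrip(".").split(".")
    if len(labels) < 2:
        return False
    return all(label and all(c.isalnum() or c == "-" for c in label) for label in labels)


def url_issues(label, url, require_https=False):
    """Check a deployment URL for FQDN host, explicit port and (optionally) https."""
    issues = []
    p = urlparse(url)
    if require_https and p.scheme != "https":
        issues.append("%s: expected https, got %s" % (label, p.scheme or "no scheme"))
    if not is_fqdn(p.hostname or ""):
        issues.append("%s: host '%s' is not a fully qualified domain name" % (label, p.hostname))
    if p.port is None:
        issues.append("%s: port number missing from URL" % label)
    return issues


def port_conflicts(products):
    """Each (host, port) pair may be used by one product role only, so a product's
    own HTTP/HTTPS/Shutdown ports must differ and must not reuse a co-located
    product's ports."""
    seen = {}
    issues = []
    for prod in products:
        for role in ("http", "https", "shutdown"):
            key = (prod["host"], prod[role])
            owner = "%s (%s)" % (prod["name"], role)
            if key in seen:
                issues.append("%s: port %d used by %s and %s" % (prod["host"], prod[role], seen[key], owner))
            else:
                seen[key] = owner
    return issues


def validate_deployment(plan):
    """Return every problem found in the plan; an empty list means it passes."""
    issues = list(port_conflicts(plan["products"]))
    if not is_fqdn(plan["atrium_sso_fqdn"]):
        issues.append("Atrium SSO FQDN '%s' is not fully qualified" % plan["atrium_sso_fqdn"])
    issues += url_issues("Atrium SSO URL", plan["atrium_sso_url"], require_https=True)
    issues += url_issues("Web App URL", plan["web_app_url"])
    return issues


# Constructed sample plan (assumed hosts and ports). Two deliberate mistakes:
# Mid Tier 2 shares VM2's shutdown port with Atrium SSO, and the Web App URL
# has no port.
SAMPLE_PLAN = {
    "atrium_sso_fqdn": "ssoserver.example.com",
    "atrium_sso_url": "https://ssoserver.example.com:8443/atriumsso",
    "web_app_url": "http://midtierloadbalancer.example.com/arsys",
    "products": [
        {"name": "Atrium SSO", "host": "vm2.example.com", "http": 8080, "https": 8443, "shutdown": 8005},
        {"name": "Mid Tier 2", "host": "vm2.example.com", "http": 9080, "https": 9443, "shutdown": 8005},
        {"name": "Mid Tier 1", "host": "vm1.example.com", "http": 8080, "https": 8443, "shutdown": 8005},
    ],
}

if __name__ == "__main__":
    for issue in validate_deployment(SAMPLE_PLAN) or ["plan passes"]:
        print(issue)
```

Mid Tier 1 reusing the same port numbers as Atrium SSO is reported as fine because it sits on a different VM; only the co-located pair on vm2 is flagged, which is exactly the distinction the Important note above draws.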

Related topics

Using AR for authentication

Using SAMLv2 for authentication

Agent manager