Configuring after installation
When initially installed, BMC Atrium Single Sign-On is configured for immediate use. This default configuration uses the internal data store as both the authentication source and the User Store. It is suitable for demonstrations, proof-of-concept deployments, testing, and other small deployments. For a large-scale system, however, you should configure an external authentication source, such as an LDAP server. If an external source of group and user attributes is needed, an external User Store should also be configured.
To set up a method for authentication
To set up the LDAP / Active Directory, Kerberos, Certificate / CAC, RSA SecurID, AR, and Internal LDAP authentication methods, you use the Realm Authentication panel of the BMC Realm.
amadmin is the default administrator user for BMC Atrium Single Sign-On. You can use the amadmin user only to access the BMC Atrium SSO Admin Console; you cannot log on to the BMC applications that authenticate through Atrium SSO with the amadmin user.
- On the BMC Atrium SSO Admin Console, click Edit BMC Realm.
- On the Main tab (default), select a User Profile type.
The User Profile applies to all authentication methods used for authentication.
- In the Realm Authentication panel, click Add to add a new authentication method and select the method. Alternatively, to edit an existing module, select the module and click Edit.
- Provide the parameters for the method and click Save.
- Set the chaining flag for the authentication method.
The authentication methods available in the Realm Authentication panel are those listed above: LDAP / Active Directory, Kerberos, Certificate / CAC, RSA SecurID, AR, and Internal LDAP.
SAMLv2 authentication
In BMC Atrium Single Sign-On, SAMLv2 is configured from the Federation panel in the BMC realm.
Predefined authentication module
To simplify the configuration of BMC Atrium Single Sign-On, a predefined Internal LDAP authentication module is provided so that you can configure your system quickly. The Internal LDAP authentication module uses the internal LDAP server as an authentication source in the authentication chain and has no parameters to configure.
When you select the Internal LDAP authentication module, it is added directly to the authentication chain without opening an editor. The module cannot be edited (because it has no parameters), but it can be moved up or down in priority and its authentication flag can be changed.
The internal LDAP server is shown in the User Stores panel with the name embedded and the type Internal LDAP.
User Profile panel
The User Profile panel sets the user profile parameter, which applies to every authentication method in the realm. The options are Ignored, Required, and Dynamic.
In the User Profile panel, select Dynamic or Ignored unless your deployment requires that every user already have a local profile:
- Dynamic — Specifies that a local Single Sign-On user profile is created after a successful authentication if it does not already exist
- Ignored — Specifies that no local Single Sign-On user profile is created or required for authentication
- Required — Specifies that a local Single Sign-On user profile with the same user ID must already exist for authentication to succeed
In addition, new chains can be created if a complex authentication chain is needed. For more information about authentication chains, see Managing authentication modules.
The order of authentication is changed by selecting an authentication method and clicking Up or Down.
Authentication chaining flags
Each module allows you to specify how its result affects authentication processing. The flag values are Required, Requisite, Sufficient, and Optional. If you are implementing only one authentication module instance, its flag must be set to Required. For most authentication chaining situations, all modules should use the Sufficient flag: a module flagged Sufficient ends the chain with success as soon as it accepts the credentials, so a user is accepted by whichever store in the chain validates the password first. By contrast, a module flagged Required must succeed for the chain to succeed, even when a later Sufficient module accepts the credentials. For the full definitions of the chaining flags, see Managing authentication modules.
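The following model, added here as an illustration and not taken from BMC's product code, shows how the chaining flags described above and the User Profile setting from the previous section combine to decide whether a login succeeds. It assumes the standard JAAS control-flag semantics (Required, Requisite, Sufficient, Optional), which is the model used by the OpenAM engine that Atrium SSO is built on; the two user directories, their passwords and the module names are constructed sample data.

```python
"""Authentication chain with JAAS-style flags, followed by the User Profile policy.

Added example (not BMC code). Assumes Atrium SSO evaluates chains with the
standard JAAS flag semantics; module back ends are simulated with dicts.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple

REQUIRED, REQUISITE, SUFFICIENT, OPTIONAL = "Required", "Requisite", "Sufficient", "Optional"
DYNAMIC, IGNORED, PROFILE_REQUIRED = "Dynamic", "Ignored", "Required"

# Constructed sample directories standing in for the embedded store and an AD domain.
INTERNAL_USERS = {"amadmin": "admin-pw", "demo": "demo-pw"}
AD_USERS = {"alice": "alice-pw"}


def internal_ldap(user: str, pw: str) -> bool:
    return INTERNAL_USERS.get(user) == pw


def active_directory(user: str, pw: str) -> bool:
    return AD_USERS.get(user) == pw


@dataclass
class Module:
    name: str
    flag: str
    authenticate: Callable[[str, str], bool]


def run_chain(chain: List[Module], user: str, password: str) -> Tuple[bool, List[str]]:
    """Evaluate modules left to right; return (authenticated, trace)."""
    has_mandatory = any(m.flag in (REQUIRED, REQUISITE) for m in chain)
    mandatory_ok = True      # becomes False once any Required module fails
    any_optional_ok = False  # tracks Sufficient/Optional successes when nothing is mandatory
    trace: List[str] = []
    for m in chain:
        ok = m.authenticate(user, password)
        trace.append(f"{m.name}[{m.flag}]={'pass' if ok else 'fail'}")
        if m.flag == REQUIRED:
            mandatory_ok &= ok               # remember the failure but keep going
        elif m.flag == REQUISITE:
            if not ok:
                return False, trace          # fail immediately, remaining modules skipped
        elif m.flag == SUFFICIENT:
            if ok and mandatory_ok:
                return True, trace           # short-circuit success
            any_optional_ok |= ok
        elif m.flag == OPTIONAL:
            any_optional_ok |= ok
        else:
            raise ValueError(f"unknown flag {m.flag!r}")
    return (mandatory_ok if has_mandatory else any_optional_ok), trace


def apply_profile_policy(policy: str, user: str, profiles: Dict[str, dict]) -> bool:
    """User Profile setting applied after a successful chain."""
    if policy == IGNORED:
        return True
    if policy == DYNAMIC:
        profiles.setdefault(user, {"created": "dynamic"})
        return True
    if policy == PROFILE_REQUIRED:
        return user in profiles
    raise ValueError(f"unknown profile policy {policy!r}")


def login(chain: List[Module], policy: str, user: str, password: str,
          profiles: Dict[str, dict]) -> Tuple[bool, List[str]]:
    ok, trace = run_chain(chain, user, password)
    return (ok and apply_profile_policy(policy, user, profiles)), trace


def demo() -> Dict[str, bool]:
    results: Dict[str, bool] = {}
    # Recommended layout: every module Sufficient, so either store can accept the user.
    both = [Module("InternalLDAP", SUFFICIENT, internal_ldap),
            Module("AD", SUFFICIENT, active_directory)]
    results["alice_via_ad"] = run_chain(both, "alice", "alice-pw")[0]
    results["demo_via_internal"] = run_chain(both, "demo", "demo-pw")[0]
    results["wrong_password"] = run_chain(both, "alice", "wrong")[0]
    # Single module: flagged Required, as the page instructs.
    single = [Module("AD", REQUIRED, active_directory)]
    results["single_required_ok"] = run_chain(single, "alice", "alice-pw")[0]
    results["single_required_unknown_user"] = run_chain(single, "demo", "demo-pw")[0]
    # Pitfall: AD Required plus InternalLDAP Sufficient locks out internal-only users.
    strict = [Module("AD", REQUIRED, active_directory),
              Module("InternalLDAP", SUFFICIENT, internal_ldap)]
    results["internal_user_blocked_by_required_ad"] = run_chain(strict, "demo", "demo-pw")[0]
    # User Profile policy: Required fails until a profile exists; Dynamic creates one.
    profiles: Dict[str, dict] = {}
    results["profile_required_missing"] = login(both, PROFILE_REQUIRED, "alice", "alice-pw", profiles)[0]
    results["profile_dynamic_creates"] = (login(both, DYNAMIC, "alice", "alice-pw", profiles)[0]
                                          and "alice" in profiles)
    results["profile_required_after_dynamic"] = login(both, PROFILE_REQUIRED, "alice", "alice-pw", profiles)[0]
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The "strict" chain shows the failure mode worth checking before you change a flag from Sufficient to Required: a user who exists only in the embedded store passes the Sufficient module but is still rejected, because the Required module's failure is remembered for the whole chain.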
Where to go from here
The following topics provide information and instructions associated with configuration methods used with BMC Atrium Single Sign-On: