Out of support

 

This documentation supports the 8.1 version of BMC Atrium Single Sign-On, which is in "End of Version Support." However, the documentation is available for your convenience. You will not be able to leave comments.


Configuring after installation

When initially installed, BMC Atrium Single Sign-On is configured for immediate use. This default configuration uses the internal data store as both the authentication source and the User Store. This configuration is suitable for demonstrations, proof-of-concept deployments, testing, and other small deployment scenarios. However, for a large-scale system, you should configure an external authentication source, such as an LDAP server. If an external source of group and user attributes is needed, then an external User Store should also be configured.

To set up a method for authentication

To set up the LDAP / Active Directory, Kerberos, Certificate / CAC, RSA SecurID, AR, and Internal LDAP authentication methods, use the Realm Authentication panel of the BMC Realm.

Note

The amadmin user is the default administrator user for BMC Atrium Single Sign-On. You can use the amadmin user only to access the BMC Atrium SSO Admin Console. You cannot log on to your authenticating BMC applications as the amadmin user.

  1. On the BMC Atrium SSO Admin Console, click Edit BMC Realm.
  2. On the Main tab (default), select a User Profile type.

    Note

    The User Profile applies to all authentication methods used for authentication.

  3. In the Realm Authentication panel, click Add for a new authentication method and select the method. Alternatively, if you want to edit an existing module, select the module and click Edit.
  4. Provide the parameters for the method and click Save.
  5. Set the flag for the authentication method.

The following image displays the available authentication methods:

SAMLv2 authentication

In BMC Atrium Single Sign-On, SAMLv2 is implemented from the Federation panel in the BMC realm.

Predefined authentication module

To help with the configuration of BMC Atrium Single Sign-On, a predefined Internal LDAP authentication module is provided. This predefined authentication module allows you to quickly configure your system. The Internal LDAP authentication module uses the internal LDAP server as an authentication source in the authentication chain and does not have parameters to configure.

When you select the Internal LDAP authentication module, it is added directly to the authentication chain without invoking an editor. The module can't be edited (since it does not have parameters) but it can be moved in priority and the authentication flag for it can be changed.

The internal LDAP server is shown in the User Stores panel with the name embedded and the type Internal LDAP.

User Profile panel

The User Profile panel allows you to set user profile parameters. Parameter options are: Ignored, Required, or Dynamic.

In the User Profile panel, select either Dynamic or Ignored.

  • Dynamic — Specifies that a local Single Sign-On user profile is created after a successful authentication, if it does not already exist
  • Ignored — Specifies that no local Single Sign-On user profile is created or required for authentication
  • Required — Specifies that a local Single Sign-On user profile with the same user ID is required for authentication to be successful

Authentication chaining

New chains can be created if a complex authentication chain is needed. For more information about authentication chains, see Managing authentication modules.

The order of authentication is changed by selecting an authentication method and clicking Up or Down.

Authentication chaining flags

Each module allows you to specify the criteria for authentication processing. If you are implementing only one authentication module instance, the flag must be set to Required. The criteria categories are Required, Requisite, Sufficient, and Optional. For most authentication chaining situations, all modules should use the Sufficient flag. For more information, see the definitions of the chaining flags in Managing authentication modules.
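
The following is an added example, not part of the BMC documentation or product code. It evaluates a chain under the standard JAAS control-flag rules, which is an assumption here because this page defers the flag definitions to Managing authentication modules. The function name evaluate_chain and the pass/fail outcomes are constructed; the module names are taken from the method list above.

```python
# Added illustration: JAAS-style evaluation of an authentication chain.
# Assumption: Atrium SSO applies the standard JAAS meaning of each flag.
FLAGS = ("REQUIRED", "REQUISITE", "SUFFICIENT", "OPTIONAL")

def evaluate_chain(chain, outcomes):
    """chain: ordered list of (module_name, flag), highest priority first.
    outcomes: module_name -> True if that module accepts the credentials
    (modules missing from the dict are treated as rejecting them).
    Returns (authenticated, modules_consulted)."""
    mandatory_failed = False   # a REQUIRED module has already failed
    any_success = False        # at least one module accepted the user
    consulted = []
    for name, flag in chain:
        if flag not in FLAGS:
            raise ValueError(f"unknown flag {flag!r} on module {name!r}")
        ok = bool(outcomes.get(name, False))
        consulted.append(name)
        if ok:
            any_success = True
            # SUFFICIENT success ends the chain, unless a REQUIRED
            # module higher up has already failed.
            if flag == "SUFFICIENT" and not mandatory_failed:
                return True, consulted
        elif flag == "REQUIRED":
            mandatory_failed = True      # keep going, but the result is fixed
        elif flag == "REQUISITE":
            return False, consulted      # fail fast, skip remaining modules
        # a failed SUFFICIENT or OPTIONAL module is simply skipped
    return (any_success and not mandatory_failed), consulted

# Constructed chains using method names from this page.
ALL_SUFFICIENT = [("Kerberos", "SUFFICIENT"),
                  ("LDAP", "SUFFICIENT"),
                  ("Internal LDAP", "SUFFICIENT")]
MIXED = [("Certificate", "REQUIRED"), ("LDAP", "SUFFICIENT")]

if __name__ == "__main__":
    # Kerberos rejects, LDAP accepts: Internal LDAP is never consulted.
    print(evaluate_chain(ALL_SUFFICIENT, {"LDAP": True}))
    # A SUFFICIENT success cannot rescue a failed REQUIRED module.
    print(evaluate_chain(MIXED, {"LDAP": True}))
    # Single-module chain with the Required flag.
    print(evaluate_chain([("LDAP", "REQUIRED")], {"LDAP": False}))
```

Under these rules, a chain in which every module is Sufficient authenticates the user as soon as any one module accepts the credentials, so module order and the weakest configured method both matter when reviewing the chain.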

Where to go from here

The following topics provide information and instructions associated with configuration methods used with BMC Atrium Single Sign-On:


Comments

  1. Ivan Pirishanchin

    User Profile settings documentation is not complete, I think.

    I've stumbled upon Authorization issues (not to be mistaken with Authentication) when changing between Dynamic and Ignored. Is there more information about the profile settings and how it interacts with Internal User and Group store?

    Apr 16, 2014 01:00
  2. Abhay Chokshi

    Hi Ivan,

    Thank you for your comment.

    I will check with the development team and try to add more information as soon as possible.

    -Abhay

    Apr 20, 2014 08:44
  3. Abhay Chokshi

    Hi Ivan,

    As per my discussion with the developer, the exact issue seems to be unclear. One way to reduce authorization issues can be:

    After changing the user profile from Dynamic to Ignored, remove the dynamically created profiles before adding a user store. 

    Please let me know if this helps.

    -Abhay

    Apr 24, 2014 12:34
  4. Ivan Pirishanchin

    Hi Abhay,

     

    Thanks for the help! However, I already know how to resolve the issue with authorization. My question was pointing to the documentation aspect of the problem. Currently the user stores and the user profile settings are not explained in detail. In the documentation it is mentioned that authorization is done within Remedy, but one can easily see that this is not always the case. Therefore I thought that perhaps there’s more information on the topic that could be included here.

     

    Kind Regards,

    Ivan

    Apr 24, 2014 02:23