Configuring BMC Atrium Single Sign-On as an IdP
If you configure the BMC Atrium Single Sign-On server as an Identity Provider (IdP), do not use the server as the integration server for BMC products. Instead, a separate BMC Atrium Single Sign-On server should be configured as a Service Provider (SP) and used as the integration host.
Important
Do not integrate BMC products into a BMC Atrium Single Sign-On server when it is configured as an Identity Provider.
Verify that a X509 certificate is imported into the keystore
Before creating the IdP, a X509 certificate is needed for signing communications between the IdP and SP of the SAML Circle of Trust (COT). When joining an already existing COT, the certificate for the COT must be imported into the keystore.. A default certificate is created and stored in the keystore during the installation with the alias name of test. This certificate can be used without creating and importing a new certificate.
To import the Circle of Trust certificate
When BMC Atrium Single Sign-On is configured as an IdP, the Circle of Trust certificate must be imported into a keystore for the server to use.
Navigate to the keystore location, and replace the test certificate with your generated certificate.
Note
The default Circle of Trust keystore location and name is <installationDirectory>/tomcat/cot.jks. This keystore must be of the type, JKS (not PKCS12 or any other type). The default password for the keystore and certificates is changeit.
- If the password for the keystore was changed, update the default .keypass and .storepass configuration files with the encrypted form of the new password.
The configuration files are located in the same <installationDirectory>/tomcat/ directory as the Circle of Trust keystore. Stop and restart the Tomcat server.
Note
The new certificate is not available to use for creating an IdP until the Tomcat server is stopped and restarted.
To encrypt the passwords for storage in the files
- Enter the following URL into the browser:
https://:/atriumsso/encode.jsp
In this case:- host is the FQDN of the BMC Atrium Single Sign-On host.
- port is the port number that BMC Atrium Single Sign-On is using for secure communication.
- Enter a new password.
- To encrypt the value, click Encode.
- Copy the encrypted password into the configuration files.
- Stop and restart the BMC Atrium Single Sign-On server.
Create a local IdP
The Local Identity Provider (IdP) Editor has the following options:
To create a local IdP
- On the BMC Atrium SSO Admin Console, click Edit BmcRealm.
- On the Federation tab, click Add.
- Select Local Identity Provider (IdP).
- Provide the local IdP information.
- Click Save.
Note
If there are issues with keystore configuration, an error message is displayed.
<[^>]+?>","")" class="contextID">
Field |
Parameter |
Description |
|---|---|---|
Name |
|
Name for the IdP or accept the provided IdP name. The Name field is pre-populated with a value that reflects the expected IdP name. |
Binding |
|
This option determines the way in which SAML messages will be sent and received between the IdP and the SP. HTTP-Redirect and Post are used when a direction connection between the IdP and SP is not possible. The two bindings differ in the method used to exchange the SAMLv2 messages: HTTP Redirect or XHTML Form with Post. |
Sign Messages |
Signing Certificate Alias |
The alias specifies the certificate that will be used to sign the specified SAML messages. Signing is used to verify the messages have not been altered in transit and that it originated with the IdP. |
|
Authentication, Logout Request, Logout Response, Manager Name ID Request, Manager Name ID Response, and Artifact Resolve |
These parameters are the SAMLv2 messages that are to be signed by the IdP or are expected to have been signed by the SP. |
Encrypt Elements |
Encryption Certificate Alias |
The alias specifies the private key that will be used to encrypt the secret key used to encrypt the SAMLv2 messages. |
|
Encryption Algorithm |
The encryption algorithm used to encrypt SAMLv2 messages. Select an option, None, 3DES, AES-128, or AES-256, from the drop-down menu. |
|
Name ID |
Specifies whether to encrypt the Name ID or leave it in plain text. |
Assertion Time |
Not-Before Skew (seconds) |
In order to compensate for clock drift between remote machines, this value specifies the amount of time that a message will be considered valid when it is received before the issue time in the message. |
|
Effective Time (seconds) |
Amount of time that an assertion is valid counting from the assertion's issue time. |
Attribute Mapping |
|
Attribute Mapping is used to take user attributes (such as email, phone number, etc.) from the external user store and map them to the attributes used within the BMC Atrium Single Sign-On system. A mapping is defined by entering the name of the Name In Assertion and selecting the Local Attribute Name from the drop down that the attribute is going to map to, and click Add to put the new mapping into the table. |
Create a remote SP
- On the BMC Atrium SSO Admin Console, click Edit BmcRealm.
- On the Federation panel, click Add.
- Select Remote Service Provider (SP).
- Create a name for the remote IdP and upload the IdP metadata on the Create Service Provider (SP) pop-up.
Parameters
Description
Name
Name for the remote SP.
URL
Select URL to acquire the remote IdP metadata from the URL location. Specify the FQDN of the host, including the port and any required path information. This URL is IdP-specific. For information on the metadata URL, consult the SP documentation. For information about providing SP metadata from another Atrium Single Sign-On server, see Providing SP metadata from another Atrium Single Sign-On server
File Upload
Select File Upload to upload a file that contains the remote SP metadata.
Providing SP metadata from another Atrium Single Sign-On server
For accessing SP metadata, the following URL syntax is used:
https://<host>:<port>/atriumsso/saml2/jsp/exportmetadata.jsp?role=sp&realm=BmcRealm&entityid=<entityid>In the case:
- host is the FQDN of the server hosting the SP.
- port is the port used for secure communications of the server hosting the SP.
- entityid is the name of the SP hosted by the server.
For example:https://sp.bmc.com:8443/atriumsso/saml2/jsp/exportmetadata.jsp?role=sp&realm=BmcRealm&entityid=https://sp:8443/atriumsso
- Click Save
- On the Federation panel, select the remote IdP.
- Click Edit.
- Provide the remote SP parameters.
- Click Save.
Remote SP Editor parameters
The Remote Service Provider (SP) Editor has the following options:
Field | Parameter | Description |
|---|---|---|
Name |
| Name for the SP or accept the provided SP name. The Name field is pre-populated with a value that reflects the expected SP name. |
MetaAlias |
| The internally generated identifier for the entity. This value is used in the SAMLv2 login URL specified in the agents configuration. |
Binding |
| This option determines the way in which SAML messages will be sent and received between the IdP and the SP. HTTP-Redirect and Post are used when a direction connection between the IdP and SP is not possible. The two bindings differ in the method used to exchange the SAMLv2 messages: HTTP Redirect or XHTML Form with Post. |
Artificact Encoding |
| The encoding technique used for Assertion Artifacts. The encoding method is determined by the IdP and is usually related to binding method. From the drop down menu, select URI or FORM. |
Sign Messages | Signing Certificate Alias | The alias specifies the certificate that will be used to sign the specified SAML messages. Signing is used to verify the messages have not been altered in transit and that it originated with the SP. |
| Authentication Request, Logout Request, Logout Response, Manager Name ID, Artifact Resolve, and Post Resolve | These parameters are the SAMLv2 messages that are to be signed by the SP or are expected to have been signed by the SP. |
Encrypt Elements | Encryption Certificate Alias | The alias specifies the private key that will be used to encrypt the secret key used to encrypt the SAMLv2 messages. |
| Encryption Algorithm | The encryption algorithm used to encrypt SAMLv2 messages. Select an option, None, 3DES, AES-128, or AES-256, from the drop-down menu. |
| Assertion, Attribute, Name ID | Specifies whether to encrypt the Assertion, Attribute, and Name ID or leave it in plain text. |
SOAP Basic Authentication |
| SOAP Basic authentication can be enabled to protect the SOAP SP endpoints. Any provider accessing these endpoints must provide these user name and password values. |
Attribute Mapping |
| Attribute Mapping is used to take user attributes (such as email, phone number, etc.) from the external user store and map them to the attributes used within the BMC Atrium Single Sign-On system. A mapping is defined by entering the name of the SAML Attribute and selecting the Atrium SSO Attribute from the drop down that the external attribute is going to map to, and click Add to put the new mapping into the table. |
(Optional) Federate your user accounts in bulk
For information about using bulk federation, see Federating user accounts in bulk.
Where to go from here
- For information about managing users, user groups, and authentication modules, see Administering.
- For information about troubleshooting SAMLv2 authentication, see Troubleshooting SAMLv2.
Comments
Log in or register to comment.