×
 
 
  •  
$helper.renderConfluenceMacro('{bmc-global-announcement:$space.key}')

Out of support

 

This documentation supports the 8.1 version of BMC Atrium Single Sign-On, which is in "End of Version Support." However, the documentation is available for your convenience. You will not be able to leave comments.

Click here to view the documentation for a supported version of Remedy Single Sign-On.
BMC Atrium Single Sign-On 8.1 ... Using Navigating the interface

Realm Editor

Use the tabs in the Realm editor to set the user profile, manage the realm authentication modules, federate modules, and manage user stores, as well as manage users and user groups.

Main tab

The Main tab provides the following panels for specifying parameters:

User Profile panel

Unknown macro: {multi-excerpt}

The User Profile panel allows you to set user profile parameters. Parameter options are: Ignored, Required, or Dynamic.

In the User Profile panel, select either Dynamic or Ignored.

  • Dynamic — Specifies that a local Single Sign-On user profile is created after a successful authentication, if it does not already exist
  • Ignored — Specifies that no local Single Sign-On user profile is created or required for authentication
  • Required — Specifies that a local Single Sign-On user profile with the same user ID is required for authentication to be successful

Realm Authentication panel

Unknown macro: {multi-excerpt}

The Authentication panel allows you to create, edit, and delete authentication module instances and to establish an authentication chain. An authentication chain is a series of authentication modules through which the user must pass to authenticate. The chain can be constructed to allow complex processing of the modules.

For example, you can use authentication chaining to merge multiple LDAP servers into a single authentication unit. Chaining multiple LDAP modules together with a sufficient relationship ensures that each LDAP module is checked to authenticate the user. If any module successfully authenticates the user, the user is identified and given an SSO session.

The combination of modules in a chain uses the following flags per module:

  • Required — Identifies modules that are required to succeed. Regardless of whether the authentication succeeds or fails, authentication still proceeds through the authentication chain of modules.
  • Requisite — Identifies modules that are required to succeed. If authentication succeeds, authentication proceeds through the authentication chain of modules. If authentication fails, control immediately returns to the application (authentication does not proceed through the authentication chain of modules).
  • Sufficient — Identifies modules that are not required to succeed. If it does succeed, control immediately returns to the application (authentication does not proceed through the authentication chain of modules). If authentication fails, authentication continues authentication does not proceed through the authentication chain of modules.
  • Optional — Identifies modules that are not required to succeed. Regardless of whether the authentication succeeds or fails, authentication still proceeds through the authentication chain of modules.

The Requisite and Sufficient flags are most commonly used. These flags allow the processing to stop when the authentication status of the user is known. The Required and Sufficient flags do not stop the processing but force each module to be evaluated.

The overall authentication succeeds only if all modules that are flagged with Required and Requisite succeed.

  • If a module that is flagged with Sufficient succeeds, only the Required and Requisite modules that precede that Sufficient module must have succeeded for the overall authentication to succeed.
  • If no Required or Requisite modules are configured for an application, then at least one Sufficient or Optional module must succeed.

Federation panel

The Federation panel is used for managing the membership of Local Identity Provider (IdP) and Local Service Provider (SP) entities that belong in a Circle of Trust (COT). The name of the COT is derived from the name of the realm to allow a logical mapping into the OpenAM abstractions.

The IdP and SP entities created in the realm are automatically be assigned membership in the single COT for the realm.

This panel allows you to add, edit, and federate realms. When you add a realm, you can specify the type of realm (for example, IdP or SP for SAMLv3 authentication).

User Stores panel

The User Stores panel allows you to manage user stores (add, delete, edit, and reorder).

The User Store Manager allows you to define external User Stores from which user attributes (email address, phone numbers, and so forth) and group memberships can be obtained. By default, the internal LDAPv3 data store is configured as a User Store for the BmcRealm. However, external LDAPv3 servers, BMC Remedy AR System servers, and even an RDBMS can be used (with a customer-provided JDBC driver).

The User Store Manager allows you to create new User Stores from existing types or existing Templates, edit existing user stores, and delete deprecated ones. Templates are based upon user stores types but include initial configuration values. An example of a template would be to provide meaningful default values for an Active Directory user store.

User tab

The User tab allows you to create new users, delete existing users, and edit the attributes and memberships of those users. By selecting a user you can edit or delete the user.

When searching for a user /* for each respective panel returns all of the names. A letter such as "m" returns all names with the letter "m" in the user. A short string such as "mc" returns names that have "mc" in the user (for example, McCormick).

Groups tab

The Groups tab allows you to create new groups, delete existing groups, and edit the attributes of the group. By selecting an group you can edit or delete the group.

When searching for a group /* for each respective panel returns all of the names. A letter such as "d" returns all names with the letter "m". A short string such as "dm" returns names that have "dm" in the group name (for example, admin).

Security tab

The Security tab provides the following features:

Login Failure Lockout

The Login Failure Lockout feature enables the user to lock the account in order to maintain security of the account. The Login Failure Lockout feature provides following options:

  • Enable Login Lockout - To activate the lockout feature you need to select the Enable Login Lockout check box. The lockout mode is a memory lockout which can be cleared by restarting the BMC Atrium Single Sign-On server, or by disabling the Enable Login Lockout and re-enabling it again.
  • Lockout Duration - Sets the interval (in minutes) that a user must wait after lockout before attempting to authenticate again. Entering a value greater than 0 enables memory lockout and disables physical lockout. Memory lockout locks the user's account in memory for specified number of minutes. The account is unlocked after the period has passed.
  • Number of Login Attempts Before Lockout - Sets the number of incorrect attempts permitted for a user to log on to the account, within the interval set in Lockout Duration, before being locked out

The administrator can clear all the users lockouts by disabling the lockout feature and setting the lockout duration to 0. Both operations are necessary. When the lockout feature is disabled, the duration should also be set to 0.

Note

To ensure that the administrator always has the access to the server, the account lockout feature is not applicable for the amAdmin account.

Valid Forwarding Domains

The Valid Forwarding Domains feature provides a limit to the domains that the BMC Atrium Single Sign-On server will forward to the browser after authentication. To enable this feature, you must provide at least one URL to the list of Valid Forwarding Domains. An empty list indicates that the feature is disabled.

To add a URL to the list of valid forwarding domains

  1. Insert the URL in the Trusted Domain field.
  2. Click Add.
  3. For the changes to take effect, restart the BMC Atrium Single Sign-on server.

Note

Ensure that you provide the absolute path for the URL that you enter in the list of Valid Forwarding Domains, such as:

https://sample.bmc.com:8080/test

If you try to access a URL that is not present in Valid Forwarding Domains, you are redirected to a page that has an error message and a link to log out of the BMC Atrium Single Sign-On server.

Editors available from Realm Editor

The following editors are used for creating and editing authentication module instances, SAML federation, and user stores.

User and Group editors

Authentication module instance editors

Federation editors

User store editors

Was this page helpful? Yes No Submitting... Thank you
Last modified by Poonam Morti on Nov 10, 2014
contributor-updated

Comments

Log in or register to comment.

Navigating the interface
User Editor
© Copyright 2013 - 2017 BMC Software, Inc.
Legal notices

Powered by Atlassian Confluence and Scroll Viewport

© Copyright 2005-2024 BMC Software, Inc. Use of this site signifies your acceptance of BMC’s Terms of Use . BMC, the BMC logo, and other BMC marks are assets of BMC Software, Inc. These trademarks are registered and may be registered in the U.S. and in other countries.