Using SAMLv2 for authentication
Security Assertion Markup Language version 2 (SAMLv2) is an XML-based OASIS standard for exchanging user identity and security attribute information. It uses security tokens containing assertions to pass information about a principal (usually an end user) between an identity provider (IdP) and a web service.
SAMLv2 is implemented by grouping a collection of entities to form a Circle of Trust. The Circle of Trust is composed of a Service Provider (SP) and an Identity Provider (IdP). The Identity Provider authenticates the users and provides this information to the Service Provider. The Service Provider hosts services that the user accesses.
Configuring SAMLv2 video
See the BMC Atrium Single Sign-On 8.1 SAMLv2 configuration video for more information.
SAMLv2 configuration options
BMC Atrium Single Sign-On can be configured to perform as an SP or as an IdP. In addition, the user accounts can be federated in bulk.
- Configuring BMC Atrium Single Sign-On as an SP
- Configuring BMC Atrium Single Sign-On as an IdP
- Federating user accounts in bulk
In BMC Atrium Single Sign-On, SAMLv2 is configured from the Federation panel in the BMC realm.
Typical SAMLv2 deployment
In a typical SAMLv2 deployment scenario, the BMC Atrium Single Sign-On server is configured as an SP for BMC products. The BMC Atrium Single Sign-On SP is then added to a Circle of Trust which includes an IdP. The IdP provides the authentication services for the BMC Atrium Single Sign-On system.
In addition, the IdP caches authentication information within the browser. This information allows the IdP to automatically re-authenticate a user without the user re-entering their credentials. For more information about automatic logon behavior, see Logon and logoff issues.
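The deployment above only works securely if the SP refuses assertions that are not genuinely from its IdP and not meant for it. The following is an added example, not BMC's code, of the checks an SP applies to a SAML 2.0 assertion before treating the user as authenticated: issuer, presence of a signature, validity window, audience, and the bearer confirmation data (Recipient and InResponseTo). The sample assertion, entity IDs and URLs are constructed placeholders; cryptographic verification of the signature is left to an XML-DSig library and is not performed here.

```python
"""Added example (not BMC's code): SP-side validation of a SAML 2.0 assertion.
The assertion, entity IDs and URLs below are constructed placeholders."""
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}

IDP_ENTITY_ID = "https://idp.example.test/idp"      # assumed IdP in our Circle of Trust
SP_ENTITY_ID = "https://sso.example.test/sp"        # assumed SP entity ID (expected Audience)
ACS_URL = "https://sso.example.test/sp/acs"         # assumed assertion consumer service URL

SIGNATURE_LINE = '  <ds:Signature><ds:SignatureValue>placeholder</ds:SignatureValue></ds:Signature>\n'
SAMPLE_ASSERTION = (
    '<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"\n'
    '    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" ID="_a1" Version="2.0" IssueInstant="2024-01-01T12:00:00Z">\n'
    '  <saml:Issuer>https://idp.example.test/idp</saml:Issuer>\n'
    + SIGNATURE_LINE +
    '  <saml:Subject>\n'
    '    <saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient">_tr9f3</saml:NameID>\n'
    '    <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">\n'
    '      <saml:SubjectConfirmationData Recipient="https://sso.example.test/sp/acs"\n'
    '          InResponseTo="_req42" NotOnOrAfter="2024-01-01T12:05:00Z"/>\n'
    '    </saml:SubjectConfirmation>\n'
    '  </saml:Subject>\n'
    '  <saml:Conditions NotBefore="2024-01-01T11:59:00Z" NotOnOrAfter="2024-01-01T12:05:00Z">\n'
    '    <saml:AudienceRestriction><saml:Audience>https://sso.example.test/sp</saml:Audience></saml:AudienceRestriction>\n'
    '  </saml:Conditions>\n'
    '</saml:Assertion>\n'
)

def parse_saml_time(value):
    """SAML timestamps are xs:dateTime in UTC, e.g. 2024-01-01T12:00:00Z."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def validate_assertion(xml_text, expected_issuer, expected_audience, expected_recipient,
                       outstanding_request_ids, now, skew=timedelta(seconds=120)):
    """Return the list of reasons to reject the assertion; an empty list means it passed."""
    problems = []
    root = ET.fromstring(xml_text)
    assertion = root if root.tag == f"{{{NS['saml']}}}Assertion" else root.find(".//saml:Assertion", NS)
    if assertion is None:
        return ["no Assertion element"]
    # 1. The assertion must come from the IdP in our Circle of Trust.
    issuer = assertion.findtext("saml:Issuer", default="", namespaces=NS).strip()
    if issuer != expected_issuer:
        problems.append(f"unexpected Issuer {issuer!r}")
    # 2. It must be signed. Verifying ds:Signature against the IdP metadata certificate
    #    requires an XML-DSig library (e.g. xmlsec); only presence is checked here.
    if assertion.find("ds:Signature", NS) is None:
        problems.append("assertion is not signed")
    # 3. Validity window (with a small clock-skew allowance) and audience restriction.
    cond = assertion.find("saml:Conditions", NS)
    if cond is None:
        problems.append("no Conditions element")
    else:
        nb, noa = cond.get("NotBefore"), cond.get("NotOnOrAfter")
        if nb and now + skew < parse_saml_time(nb):
            problems.append("NotBefore is in the future")
        if noa and now - skew >= parse_saml_time(noa):
            problems.append("NotOnOrAfter has passed")
        audiences = [a.text.strip() for a in cond.findall("saml:AudienceRestriction/saml:Audience", NS) if a.text]
        if expected_audience not in audiences:
            problems.append(f"Audience {audiences} does not include this SP")
    # 4. Bearer confirmation: meant for our ACS URL, in reply to a request we actually sent.
    scd = assertion.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    if scd is None:
        problems.append("no SubjectConfirmationData")
    else:
        if scd.get("Recipient") != expected_recipient:
            problems.append(f"Recipient {scd.get('Recipient')!r} is not our ACS URL")
        if scd.get("InResponseTo") not in outstanding_request_ids:
            problems.append("InResponseTo does not match an outstanding AuthnRequest (unsolicited or replayed)")
        noa = scd.get("NotOnOrAfter")
        if noa and now - skew >= parse_saml_time(noa):
            problems.append("SubjectConfirmationData has expired")
    return problems

def run_checks():
    """Run the validator over the constructed assertion in several situations."""
    ok = dict(expected_issuer=IDP_ENTITY_ID, expected_audience=SP_ENTITY_ID,
              expected_recipient=ACS_URL, outstanding_request_ids={"_req42"})
    on_time = datetime(2024, 1, 1, 12, 1, tzinfo=timezone.utc)
    return {
        "valid": validate_assertion(SAMPLE_ASSERTION, now=on_time, **ok),
        "expired": validate_assertion(SAMPLE_ASSERTION, now=on_time + timedelta(minutes=10), **ok),
        "wrong_audience": validate_assertion(SAMPLE_ASSERTION, now=on_time,
                                             **{**ok, "expected_audience": "https://other.example.test/sp"}),
        "replayed": validate_assertion(SAMPLE_ASSERTION, now=on_time, **{**ok, "outstanding_request_ids": set()}),
        "unsigned": validate_assertion(SAMPLE_ASSERTION.replace(SIGNATURE_LINE, ""), now=on_time, **ok),
    }

if __name__ == "__main__":
    for name, result in run_checks().items():
        print(f"{name}: {result or 'OK'}")
```

The InResponseTo check is what ties the assertion to a request the SP issued; an SP that accepts IdP-initiated (unsolicited) responses needs a different replay defence, such as remembering assertion IDs until their NotOnOrAfter time.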
BMC Atrium Single Sign-On SAMLv2 implementation is limited to:
- SAML 2.0 browser-based transient Federation and Federated SSO
- Browser-based HTTP GET and POST binding mechanisms of the SAML 2.0 protocol
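To make the two browser bindings and the transient NameID request concrete, here is an added example (not BMC's code) that builds a minimal AuthnRequest asking for a transient identifier and encodes it for the HTTP-Redirect (GET) binding and for the HTTP-POST binding, then decodes both. The entity ID and URLs are constructed placeholders.

```python
"""Added example (not BMC's code): encoding a SAML 2.0 AuthnRequest for the
HTTP-Redirect (GET) and HTTP-POST bindings. Entity ID and URLs are placeholders."""
import base64
import datetime
import uuid
import zlib
from urllib.parse import parse_qs, urlencode, urlsplit

SP_ENTITY_ID = "https://sso.example.test/sp"      # assumed SP entity ID
ACS_URL = "https://sso.example.test/sp/acs"       # assumed assertion consumer service URL
IDP_SSO_URL = "https://idp.example.test/sso"      # assumed IdP single sign-on endpoint
NAMEID_TRANSIENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:transient"

def build_authn_request(request_id=None, issue_instant=None):
    """Minimal AuthnRequest. The transient NameID format matches transient federation:
    the IdP returns a one-time identifier instead of a persistent account link."""
    request_id = request_id or "_" + uuid.uuid4().hex
    issue_instant = issue_instant or datetime.datetime.now(datetime.timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    return (
        '<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
        'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" '
        f'ID="{request_id}" Version="2.0" IssueInstant="{issue_instant}" '
        f'AssertionConsumerServiceURL="{ACS_URL}" '
        'ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST">'
        f'<saml:Issuer>{SP_ENTITY_ID}</saml:Issuer>'
        f'<samlp:NameIDPolicy Format="{NAMEID_TRANSIENT}" AllowCreate="true"/>'
        '</samlp:AuthnRequest>'
    )

def redirect_binding_url(xml, relay_state="/"):
    """HTTP-Redirect binding: raw DEFLATE, then base64, then URL-encoded query parameters.
    (A signed redirect carries SigAlg and Signature as extra query parameters.)"""
    compressor = zlib.compressobj(9, zlib.DEFLATED, -15)      # -15: raw deflate, no zlib header
    raw = compressor.compress(xml.encode("utf-8")) + compressor.flush()
    query = urlencode({"SAMLRequest": base64.b64encode(raw).decode("ascii"),
                       "RelayState": relay_state})
    return f"{IDP_SSO_URL}?{query}"

def decode_redirect_binding(url):
    """Reverse of redirect_binding_url: returns (xml, relay_state)."""
    params = parse_qs(urlsplit(url).query)
    raw = base64.b64decode(params["SAMLRequest"][0])
    return zlib.decompress(raw, -15).decode("utf-8"), params.get("RelayState", [""])[0]

def post_binding_form(xml, relay_state="/"):
    """HTTP-POST binding: base64 only (no compression), carried in a form field that the
    browser auto-submits to the IdP; signatures live inside the XML instead."""
    return {"SAMLRequest": base64.b64encode(xml.encode("utf-8")).decode("ascii"),
            "RelayState": relay_state}

def decode_post_binding(form):
    """Reverse of post_binding_form: returns (xml, relay_state)."""
    return base64.b64decode(form["SAMLRequest"]).decode("utf-8"), form.get("RelayState", "")

if __name__ == "__main__":
    request = build_authn_request()
    print(redirect_binding_url(request, "/app"))
    print(post_binding_form(request, "/app")["SAMLRequest"][:60], "...")
```

The Redirect binding compresses because the whole message has to fit in a URL; the POST binding is the one normally used for the IdP's response, since a signed assertion rarely fits in a query string.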
Typical SAMLv2 deployment architecture
The following illustration shows BMC Atrium Single Sign-On configured as an SP. BMC products are integrated with BMC Atrium Single Sign-On which, in turn, hosts the SP for the Circle of Trust. For the IdP, any SAMLv2 IdP can be used. In addition, a second BMC Atrium Single Sign-On server can be configured to host an IdP.
BMC Atrium Single Sign-On server configured as an SP