This documentation supports the 9.0 version of BMC Atrium Single Sign-On, which is in "End of Version Support." However, the documentation is available for your convenience. You will not be able to leave comments.

Click here to view the documentation for a supported version of Remedy Single Sign-On.

Authentication chaining

BMC Atrium Single Sign-On uses Authentication Chain to specify the mode of authentication. A chain can be a single authentication module or a complex combination of multiple authentication modules. Chaining allows different modules to act as a single authority which validates credentials to authenticate a user.

For example, if two organizations merge to form a new, single organization, then the authentication system from each organization could be used as a module within a single chain. The features of such a chaining are as follows:

  • Users provide credentials to a single authority only.
  • The chain can be configured to check each of the modules until the user is authenticated.
  • This chaining creates the perception of a merged authority despite the reality of multiple, disparate systems that are actually employed.

Authentication chaining example

The following image provides an example for an authentication chain.

The overall status is successful if all of the Required or Requisite modules pass before either the end of the chain or the first successful Sufficient module. When there are no Required or Requisite modules, then at least one Sufficient or Optional module must authenticate the user. See Managing authentication modules.

In the above image, three servers are combined into a single authority. The details are as follows:

  1. Check with Kerberos (Required)
    • Pass: Proceed to next
    • Fail: Proceed to next
  2. Check with LDAP (Optional)
    • Pass: Proceed to next
    • Fail: Proceed to next
  3. Check with BMC Remedy AR System (Sufficient)
    • Pass: Stop processing and accept user
    • Fail: Proceed to next


When you create an authentication chain, the MIT Kerberos modules should be the first authentication module in the list.

With this configuration, the Kerberos server is presented the user credentials for authentication. If the authentication succeeds or fails, the credentials are passed to the LDAP server. If the user is either with or not within LDAP, the credentials are passed to the BMC Remedy AR System server. The Sufficient criteria is most ideal as it implements a simple workflow which stops if the user authentication is successful and proceeds to the next if the user authentication fails.

Each server is checked in the sequence specified until either the user passes and is considered successfully authenticated, or the user fails to authenticate and is rejected.

Examples of authentication chains 

  • Kerberos + Kerberos
  • Kerberos + AR
  • Kerberos + LDAP
  • Kerberos + AR + LDAP
  • Kerberos + SecurID + LDAP
  • Kerberos + CAC + LDAP


SAML V2 authentication module cannot be chained with any other authentication modules in a realm.

Related topics

Chaining different modules

Was this page helpful? Yes No Submitting... Thank you