BMC Atrium Single Sign-On using SAMLv2 deployment example
This deployment example shows you how BMC Atrium Single Sign-On uses SAMLv2 authentication. Single sign-on means that you only need to present credentials once for authentication, and you are subsequently automatically authenticated by every BMC product that is integrated into the system. This means that if you are looking at a report that has links to incident or change records, you can click on the link and go directly to the records without logging in again.
An additional important benefit is that with federated authentication the user's logon credentials (for example, user name and password) are not exposed to the Service Provider (SP) and are not sent over the internet. Authentication is performed on premises by the Identity Provider (IdP).
Note
The IdP must be reachable from the client browser so that the IdP login page can be displayed.
Federated authentication and SAML
SAMLv2 is an XML-based OASIS standard for exchanging user identity and security attribute information. It uses security tokens containing assertions to pass information about a principal (usually an end user) between an Identity Provider (IdP) and a web service.
SAMLv2 enables federated authentication between your environment and the BMC Remedy applications. When using SAMLv2, the BMC Remedy infrastructure is defined as a Service Provider (SP), and the infrastructure in your environment that performs user authentication is the IdP. With SAMLv2 enabled, a user who tries to access BMC Remedy applications without having previously authenticated is redirected to your IdP. After authentication, the user is redirected back to the originally requested resource (the BMC Remedy application).
Note
Although SAMLv2 supports both IdP-initiated single sign-on and SP-initiated single sign-on, SP-initiated single sign-on is essential to allow specific use cases for deep linking to specific pages and resources in the applications (for example, a notification URL that contains a link to a specific BMC Remedy ITSM form and record).
Configuration of SAMLv2 integration is largely the exchange of SAMLv2 metadata between your environment and the BMC Remedy environment. You provide IdP metadata, which defines the URLs that you use for SAMLv2 and the certificate used to validate assertions. The BMC Remedy infrastructure provides SP metadata so that you can preregister the BMC Remedy SP in your SAMLv2 infrastructure as required.
For more information about SAMLv2, see Using SAMLv2 for authentication.
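The IdP metadata exchanged above carries exactly the items an SP must trust: the IdP entityID, the single sign-on and single log off endpoints, and the certificate used to validate assertion signatures. The following Python script is an added example, not part of the BMC documentation or product: it parses such a metadata file, extracts those items, and flags deployment problems (missing or malformed signing certificate, missing SSO or SLO endpoint, endpoints not served over HTTPS). The embedded metadata, the example.com hostnames and the certificate bytes are constructed placeholders.

```python
import base64
import xml.etree.ElementTree as ET

MD = "{urn:oasis:names:tc:SAML:2.0:metadata}"
DS = "{http://www.w3.org/2000/09/xmldsig#}"
REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
# Constructed sample IdP metadata (the kind of sso-idp.xml the parameters table mentions): the
# example.com hostnames are placeholders and the "certificate" is a dummy DER SEQUENCE, not a real cert.
SAMPLE_IDP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
  xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="https://idp.example.com/idp">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data><ds:X509Certificate>MAMCAQE=</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:SingleLogoutService Binding="%s" Location="https://idp.example.com/slo"/>
    <md:SingleSignOnService Binding="%s" Location="http://idp.example.com/sso"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>""" % (REDIRECT, REDIRECT)

def parse_idp_metadata(xml_text):
    """Extract what the SP needs from IdP metadata: entityID, SSO/SLO endpoints, signing certs."""
    root = ET.fromstring(xml_text)
    idp = root.find(MD + "IDPSSODescriptor")
    if idp is None:
        raise ValueError("not IdP metadata: no IDPSSODescriptor element")
    meta = {"entity_id": root.get("entityID"), "sso": {}, "slo": {}}
    for key, tag in (("sso", "SingleSignOnService"), ("slo", "SingleLogoutService")):
        for svc in idp.findall(MD + tag):
            meta[key][svc.get("Binding")] = svc.get("Location")
    meta["signing_certs"] = ["".join(c.text.split()) for kd in idp.findall(MD + "KeyDescriptor")
                             if kd.get("use", "signing") == "signing"  # no "use" attr: signing too
                             for c in kd.iter(DS + "X509Certificate")]
    return meta

def check_idp_metadata(meta):
    """Return findings a deployer should resolve before federating the SP with this IdP."""
    findings = []
    for b64 in meta["signing_certs"] or [""]:  # an empty list yields one empty cert, which is flagged
        try:
            der = base64.b64decode(b64, validate=True)
        except ValueError:  # binascii.Error is a ValueError subclass
            der = b""
        if der[:1] != b"\x30":  # a DER-encoded X.509 certificate starts with a SEQUENCE tag
            findings.append("no usable signing certificate: the SP cannot validate assertions")
    for key, what in (("sso", "SP-initiated login"), ("slo", "single log off")):
        if not meta[key]:
            findings.append("no %s endpoint: %s will not work" % (key.upper(), what))
        for binding, url in meta[key].items():
            if not url.lower().startswith("https://"):
                findings.append("%s endpoint (%s) is not HTTPS: %s" % (key.upper(), binding.rsplit(":", 1)[-1], url))
    return findings
```

Run `check_idp_metadata(parse_idp_metadata(open("sso-idp.xml").read()))` against a real IdP metadata file; the sample above deliberately publishes its SSO endpoint over plain HTTP so that one finding is produced.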
Deployment architecture
This deployment example consists of the following components:
- In the BMC environment:
  - BMC Remedy web applications supporting BMC Atrium Single Sign-On
  - BMC Atrium Single Sign-On agents, which are add-ons to any BMC Remedy web application
  - The BMC Atrium Single Sign-On server, which serves as the SP and runs as a web application on the Apache Tomcat server
- In your environment:
  - A browser, which you use to access BMC Remedy applications.
  - An authentication server, usually located on premises, which is responsible for authenticating your users. This is the IdP component.
The SAMLv2 IdP server and the BMC Atrium Single Sign-On SP server are connected by a trust relationship (federation) so they can honor each other’s authentication information.
The following sequence diagram shows the interactions between BMC Atrium Single Sign-On and SAMLv2 components. These interactions are listed in the sequential order that they occur.
BMC Atrium Single Sign-On and SAMLv2 components sequence diagram
Important
The following sequence diagram illustrates the flow of events and the interaction between components for single log off (SLO):
Single log off sequence diagram
Deployment model
The following diagram shows the components that are part of this deployment example:
Note
The icon shown in the deployment model represents a software component or module:
- A load balancer or reverse proxy is placed in front of the application servers and routes inbound connections to the appropriate target web server. Load balancers are used to distribute the workload and optimize application performance. Reverse proxies are used to distribute the workload, optimize application performance, and hide the existence and characteristics of internal servers.
- BMC Remedy Mid Tier is deployed on a separate virtual machine (VM).
- A second BMC Remedy Mid Tier and the BMC Atrium Single Sign-On server are deployed on another VM, but on two different Apache Tomcat servers.
- BMC Dashboards for Business Services Management and BMC Analytics for Business Services Management are deployed on two different VMs to avoid performance issues.
- The browser and the SAMLv2 IdP server are deployed in your environment.
Deployment tasks
The following table lists the main steps involved in installing and configuring the deployed BMC products with BMC Atrium Single Sign-On using SAMLv2 authentication, where BMC Atrium Single Sign-On is configured as an SP with a remote IdP.
Note
Review the Deployment parameters list before starting the deployment tasks.
Step | Task |
---|---|
1. | Install BMC Atrium Single Sign-On as a |
2. | |
3. | |
4. | (Optional) Configure your load balancer or reverse proxy. |
5. | Run the BMC Atrium Single Sign-On installer on the AR System server. |
6. | Configure group mapping for the AR System and BMC Atrium Single Sign-On. |
7. | Run the BMC Atrium Single Sign-On installer on the BMC Remedy Mid Tier. |
8. | Manage the AR System users and groups for authentication. Note: Although the AR authentication module must be configured, you must delete the AR user stores when using SAMLv2 for authentication; the AR data store is not needed for authentication in a SAMLv2 deployment. |
9. | Run a health check on the BMC Atrium Single Sign-On installation. |
10. | Note: Your browser should be able to access the IdP server for authentication. |
11. | (Optional) Integrate BMC Dashboards for Business Service Management and configure it. |
12. | (Optional) Integrate BMC Analytics for Business Service Management and configure it. |
13. | (Optional) Integrate BMC IT Business Management Suite. |
Deployment parameters
The deployment environment assumes Microsoft Windows 2008, Microsoft SQL Server 2008, newly installed Apache Tomcat servers, and that the installer defaults are accepted. It also assumes that BMC Remedy AR System server groups and BMC Atrium Single Sign-On high availability (HA) are not deployed.
The BMC Atrium Single Sign-On authentication mode is SAMLv2, where BMC Atrium Single Sign-On is configured as a Service Provider (SP) with a remote Identity Provider (IdP).
Important
BMC recommends that you install the BMC Remedy Mid Tier, BMC Remedy AR System server, and BMC Atrium Single Sign-On server on separate computers.
However, if you do install more than one BMC Product on the same computer, ensure that the HTTP, HTTPS, and Shutdown port numbers are different.
The following parameters are set when deploying these BMC products and BMC Atrium Single Sign-On authentication:
- BMC Remedy AR System
- BMC Remedy Mid Tier
- BMC Atrium Single Sign-On
- SAMLv2 authentication where BMC Atrium Single Sign-On is configured as an SP with a remote IdP.
- BMC Dashboards for BSM
- BMC Analytics for BSM
| Product install/configuration | Parameters | Description |
|---|---|---|
| AR System installation | Planning spreadsheet | Complete the Planning Spreadsheet on BMC Remedy AR System 8.1. |
| Mid Tier installation | Planning spreadsheet | Complete the Planning Spreadsheet on BMC Remedy AR System 8.1. |
| Atrium SSO installation | FQDN of host name | The Fully Qualified Domain Name (FQDN) for the host. For example, ssoserver.bmc.com. |
| | HTTP, HTTPS, Shutdown port numbers | If BMC Atrium Single Sign-On is installed on the same computer as another BMC product, provide port numbers that are different from those of the other BMC product. |
| | Cookie domain | The cookie name is the name of the cookie that the agent checks for the SSO session token. It must match the cookie name in the server configuration. For example, atsso_bmc_com. |
| | Atrium SSO server password | The password for the BMC Atrium Single Sign-On server. Default: amadmin |
| AR System integration | AR Server Name | The AR server name. For example, arsystemserver.bmc.com. |
| | AR Server User | The AR server user. For example, Demo. |
| | AR Server Password | The AR server password. For example, Demo. |
| | AR Server Port | The AR server port. For example, 0. |
| | Atrium SSO URL | URL for the BMC Atrium Single Sign-On server. For example, https://ssoserver.bmc.com:8443/atriumsso |
| | SSO Admin Name | The BMC Atrium Single Sign-On administrator name. Default: amadmin. |
| | SSO Admin Password | The BMC Atrium Single Sign-On administrator password. |
| | truststore | (Optional) The truststore path. |
| | truststore-password | (Optional) The truststore password. |
| | force | (Optional) If Yes, the utility does not wait for the user to shut down the web server (if not already done) when the web server is something other than Tomcat or JBoss. Default: No |
| Mid Tier integration | AR Server Name | The AR Server name from the AR System integration. For example, arsystemserver.bmc.com. |
| | AR Server User | The AR Server user from the AR System integration. For example, Demo. |
| | AR Server Password | The AR Server password from the AR System integration. For example, Demo. |
| | AR Server Port | The AR Server port from the AR System integration. For example, 0. |
| | Container Type | Supported container types include JBOSSV4, JBOSSV5, SERVLETEXECV5, SERVLETEXECV6, TOMCATV5, TOMCATV6, TOMCATV7, WEBSPHEREV6, WEBSPHEREV7, WEBSPHEREV8, WEBLOGICV10, WEBLOGICV11 |
| | Web App URL | The Mid Tier URL if a load balancer is not implemented; otherwise, the load balancer URL. Be sure the URL uses the fully qualified domain name of the server and includes the port. |
| | webserverhomedirectory | The web server home directory. For example, C:\Program Files\Apache Software Foundation\Tomcat6. |
| | JREInstallDirectory | Path to the JRE directory. For example, C:\Program Files\Java\jre7. |
| | MidtierHome | Mid Tier home directory. For example, C:\Program Files\BMC Software\ARSystem\midtier. |
| | serverinstancename | The WebSphere instance name, required for the WebSphere server. |
| | instanceconfigdirectory | The WebSphere configuration directory, required for the WebSphere server. |
| | weblogicdomainhome | The BEA domain home, required for the WebLogic web application. |
| AR System external authentication group mapping for SSO | AR Group Name | Administrator |
| Dashboards installation | Fully Qualified Host Name | Fully qualified host name of the BMC Atrium Single Sign-On server. |
| | HTTP, HTTPS, Shutdown Port Number | Port numbers used by the BMC Atrium Single Sign-On server. If BMC Atrium Single Sign-On is installed on the same computer as another BMC product, provide port numbers that are different from those of the other BMC product. |
| | Administrator login name and password | User name and password for the BMC Atrium Single Sign-On server administrator. |
| | BMC Dashboards administrator Name and Password | User name and password of the BMC Dashboards for BSM administrator user. This user must exist in BMC Atrium Single Sign-On. |
| Analytics installation | Fully Qualified Host Name | Fully qualified host name of the BMC Atrium Single Sign-On server. |
| | HTTP, HTTPS, Shutdown Port Number | Port numbers used by the BMC Atrium Single Sign-On server. If BMC Atrium Single Sign-On is installed on the same computer as another BMC product, provide port numbers that are different from those of the other BMC product. |
| | Administrator login name and password | User name and password for the BMC Atrium Single Sign-On server administrator. |
| SAMLv2 authentication | Remote IdP metadata file | The metadata file for the remote Identity Provider (IdP). For example, sso-idp.xml. |
| | BMC Remedy AR System agent Federated login URL & logout URI | The login and logout URIs are the locations to which the agent sends the user's browser when the corresponding function is needed. |
| | BMC Dashboards agent Federated login URL & logout URI | The login and logout URIs are the locations to which the agent sends the user's browser when the corresponding function is needed. |
| | BMC Analytics agent Federated login URL & logout URI | The login and logout URIs are the locations to which the agent sends the user's browser when the corresponding function is needed. |
Comments
Network/Firewall information for SAML deployment should be made available in the document so that we can decide if it is suitable or feasible for us. The IdP should be reachable by the client browser in order to present the login page. Secondly, where network connectivity is not expected, please mention that also, such as that IdP to/from SSO Server connectivity is not required.
Hi Radhika,
I have added the information as per your second and third comments. However, the firewall information is basic understanding and cannot be covered in the scope of this topic.
Thanks!
- Abhay
Hi,
Somewhere here or in BMC Communities I read that Kerberos has some limitations as opposed to SAML. If my memory serves me right, Kerberos is not recommended when a High Availability SSO cluster is configured and many applications are integrated, i.e. ARS, MyIT, SmartIT, Dashboards, Analytics.
Could you please validate if there are indeed such (or any other) limitations? Is there a way to compare Pros-n-Cons between Kerberos and SAML authentication modes? The first that comes to my mind is that with SAML you don't need to set up browsers, i.e. it is client independent, while with Kerberos you need to support native Windows authentication in the browser and very often you need to do it with Domain Policy (add URLs to local intranet or Trusted sites).
Thanks!
Hi Ivan,
Thank you for your comment. I will discuss with the relevant SME and keep you posted.
Regards,
Kamal
Hi Ivan,
Thank you for your comment. Though I will be discussing with the concerned SME to get a clarification for your comment, the response could be delayed.
Hence you may want to post your comment in BMC Communities too for clarification(s).
Regards,
Kamal
Hi Ivan,
The Subject Matter Expert (SME) has got back stating that there are no limitations to using Kerberos. You may want to refer to the following topics for using Kerberos:
Comparison of Kerberos and SAML is a generic question and hence you may want to refer to appropriate forums for a response.
Regards,
Kamal