Configuring after installation
When initially installed, BMC Atrium Single Sign-On is configured for immediate use. This default configuration uses the internal data store as an authentication source and User Store. This configuration is suitable for demonstrations, proof-of-concept deployments, testing, and other small deployment scenarios. However, for a large-scale system, you should configure the use of an external authentication source, such as an LDAP server. If an external source of group and user attributes is needed, then an external User Store should also be configured.
To set up a method for authentication
To set up the LDAP / Active Directory, Kerberos, Certificate / CAC, RSA SecurId, AR, and Internal LDAP authentication methods, you use the Realm Authentication panel on the BMC Realm.
- On the BMC Atrium SSO Admin Console, click Edit BMC Realm.
- On the Main tab (default), select a User Profile type. The User Profile applies to all authentication methods used for authentication.
- In the Realm Authentication panel, select the type of transformation that you need for your user ID from the UserId Transformer drop-down list. By default, two transformation options are available; you can add more options using customized plug-ins. For information about creating customized plug-ins, see Configuring a new user ID transformation.
  - TO UPPER - converts all the characters in the user ID to upper case
  - To lower - converts all the characters in the user ID to lower case
  You can also select the No Transform option if you do not want any transformation applied to the user ID.
- In the Realm Authentication panel, click Add for a new authentication method and select the method. Alternatively, if you want to edit an existing module, select the module and click Edit.
- Provide the parameters for the method and Save.
- Set the flag for the authentication method. The following external authentication methods are available:
- Verify the authentication using the following URL template: https://<fully.qualified.domain.name>:<port>/atriumsso/UI/Login?realm=<realm>.
  For example, open the URL using the default realm:
Predefined authentication module
To help with the configuration of BMC Atrium Single Sign-On, a predefined Internal LDAP authentication module is provided. This predefined authentication module allows you to quickly configure your system. The Internal LDAP authentication module uses the internal LDAP server as an authentication source in the authentication chain and does not have parameters to configure.
When you select the Internal LDAP authentication module, it is added directly to the authentication chain without invoking an editor. The module cannot be edited (since it does not have parameters) but it can be moved in priority and the authentication flag for it can be changed.
The internal LDAP server is shown in the User Stores panel with the name embedded and the type Internal LDAP.
User Profile panel
The User Profile panel allows you to set user profile parameters. Parameter options are: Ignored, Required, or Dynamic.
In the User Profile panel, select either Dynamic or Ignored.
- Dynamic — Specifies that a local Single Sign-On user profile is created after a successful authentication, if it does not already exist.
- Ignored — Specifies that no local Single Sign-On user profile is created or required for authentication.
- Required — Specifies that a local Single Sign-On user profile with the same user ID is required for authentication to be successful.
In addition, new chains can be created if a complex authentication chain is needed. For more information about authentication chains, see Managing authentication modules.
The order of authentication is changed by selecting an authentication method and clicking Up or Down.
Authentication chaining flags
Each module allows you to specify the criteria for authentication processing. If you are implementing only one authentication module instance, the flag must be set to Required. The criteria categories are Required, Requisite, Sufficient, and Optional. For most authentication chaining situations, all modules should use the Sufficient flag. For more information, see the definitions of the chaining flags in Managing authentication modules.
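To make the User Profile modes (Dynamic, Ignored, Required) and the chaining flags above concrete, here is an added, runnable model of how a login request is processed. This is illustrative code written for this page, not BMC Atrium Single Sign-On's product code. It assumes that the flags follow the standard JAAS semantics used by OpenAM-based products (Required, Requisite, Sufficient, Optional); the stores, user IDs, passwords and the transformer option names are constructed sample data.

```python
# Added example: model of the UserId Transformer, a JAAS-style authentication chain
# and the User Profile modes described on this page. Not BMC product code.
# Assumption: flag semantics follow standard JAAS, which OpenAM-based products inherit.
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Set, Tuple

REQUIRED, REQUISITE, SUFFICIENT, OPTIONAL = "Required", "Requisite", "Sufficient", "Optional"
NO_TRANSFORM, TO_UPPER, TO_LOWER = "No Transform", "TO UPPER", "TO LOWER"  # assumed option names


@dataclass
class Module:
    name: str
    flag: str
    check: Callable[[str, str], bool]  # (user_id, secret) -> True when the module authenticates


def transform_user_id(user_id: str, mode: str) -> str:
    """UserId Transformer step: applied once, before any module in the chain sees the ID."""
    if mode == TO_UPPER:
        return user_id.upper()
    if mode == TO_LOWER:
        return user_id.lower()
    return user_id


def run_chain(chain: List[Module], user_id: str, secret: str) -> Tuple[bool, List[Tuple[str, bool]]]:
    """Evaluate the chain in priority order and return (authenticated, trace of (module, result)).

    Required   - must succeed; on failure the remaining modules still run, overall result is failure.
    Requisite  - must succeed; on failure the chain stops immediately.
    Sufficient - success ends the chain successfully unless an earlier Required/Requisite
                 module failed; a failure is ignored and the chain continues.
    Optional   - its result only decides the outcome when no Required/Requisite module exists.
    """
    trace: List[Tuple[str, bool]] = []
    required_failed = False
    any_success = False
    has_mandatory = any(m.flag in (REQUIRED, REQUISITE) for m in chain)
    for m in chain:
        ok = m.check(user_id, secret)
        trace.append((m.name, ok))
        if ok:
            any_success = True
        if m.flag == REQUISITE and not ok:
            return False, trace
        if m.flag == REQUIRED and not ok:
            required_failed = True
        if m.flag == SUFFICIENT and ok and not required_failed:
            return True, trace
    if required_failed:
        return False, trace
    # All Required/Requisite modules succeeded, or none were configured and some module succeeded.
    return (True if has_mandatory else any_success), trace


def apply_user_profile(mode: str, user_id: str, profiles: Set[str]) -> bool:
    """User Profile panel behaviour, applied after the chain has authenticated the user."""
    if mode == "Ignored":
        return True                      # no local profile is needed
    if mode == "Dynamic":
        profiles.add(user_id)            # created after success if it does not already exist
        return True
    if mode == "Required":
        return user_id in profiles       # local profile with the same user ID must exist
    raise ValueError(f"unknown User Profile mode: {mode}")


def login(chain: List[Module], user_id: str, secret: str, transform: str = NO_TRANSFORM,
          profile_mode: str = "Ignored", profiles: Optional[Set[str]] = None) -> Tuple[bool, List[Tuple[str, bool]]]:
    """Full realm login: transform the ID, run the chain, then enforce the User Profile mode."""
    profiles = profiles if profiles is not None else set()
    uid = transform_user_id(user_id, transform)
    ok, trace = run_chain(chain, uid, secret)
    if not ok:
        return False, trace
    return apply_user_profile(profile_mode, uid, profiles), trace


# Constructed sample stores: an external LDAP that holds upper-case IDs, and the embedded Internal LDAP.
EXTERNAL_LDAP: Dict[str, str] = {"BOB": "ldap-pass"}
INTERNAL_LDAP: Dict[str, str] = {"alice": "internal-pass"}


def make_store_check(store: Dict[str, str]) -> Callable[[str, str], bool]:
    return lambda uid, secret: store.get(uid) == secret


# The layout this page recommends for most chaining situations: every module flagged Sufficient.
RECOMMENDED_CHAIN = [
    Module("LDAP", SUFFICIENT, make_store_check(EXTERNAL_LDAP)),
    Module("Internal LDAP", SUFFICIENT, make_store_check(INTERNAL_LDAP)),
]

if __name__ == "__main__":
    print(login(RECOMMENDED_CHAIN, "bob", "ldap-pass", transform=TO_UPPER))   # LDAP answers, chain stops
    print(login(RECOMMENDED_CHAIN, "alice", "internal-pass"))                 # falls through to Internal LDAP
    print(login(RECOMMENDED_CHAIN, "alice", "internal-pass", profile_mode="Required", profiles=set()))
```

The trace shows why the page says a single module must be Required (a lone Sufficient module still works, but a lone Optional one would make the outcome depend on nothing mandatory) and why all-Sufficient chains are the usual choice: the first store that recognises the user ends the chain, and a user unknown to the external LDAP still reaches the embedded store.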
Where to go from here
The following topics provide information and instructions associated with configuration methods used with BMC Atrium Single Sign-On:
- Using AR for authentication
- Using CAC for authentication
- Using Kerberos for authentication
- Using LDAP (Active Directory) for authentication
- Using RSA SecurID for authentication
- Using SAMLv2 for authentication
- Configuring FIPS-140 mode
- Configuring a new user ID transformation