This documentation supports the 9.0 version of BMC Atrium Single Sign-On, which is in "End of Version Support." However, the documentation is available for your convenience. You will not be able to leave comments.


Configuring BMC Atrium Single Sign-On as an IdP

If you configure the BMC Atrium Single Sign-On server as an Identity Provider (IdP), do not use this server as the integration server for BMC products. Instead, a separate BMC Atrium Single Sign-On server should be configured as a Service Provider (SP) and used as the integration host.

Important

Do not integrate BMC products into a BMC Atrium Single Sign-On server which is configured as an Identity Provider.

Importing a Circle of Trust certificate (X509 certificate)

Before creating the IdP, an X.509 certificate is needed for signing communications between the IdP and SP of the SAML Circle of Trust (COT). When you want to add a certificate to an existing COT, the certificate must be imported into the keystore. A default certificate is created and stored in the keystore during installation with the alias name test. This certificate can be used without creating and importing a new certificate, but its keystore and key passwords are the documented default (changeit), so anyone who can read the keystore file can extract the signing key; for a production IdP, replace the certificate with your own and change the keystore password. For more information, see Managing certificates in BMC Atrium Single Sign-On.

To import the Circle of Trust certificate

When BMC Atrium Single Sign-On is configured as an IdP, the Circle of Trust certificate must be imported into a keystore for the server to use.

  1. Navigate to the keystore location, and replace the test certificate with your generated certificate.

    Note

    The default Circle of Trust keystore location and name is <installationDirectory>/tomcat/cot.jks. This keystore must be of type JKS (not PKCS12 or any other type). The default password for the keystore and its certificate entries is changeit.

  2. If the password for the keystore was changed, update the default .keypass and .storepass configuration files with the encrypted form of the new password.
    The configuration files are located in the same <installationDirectory>/tomcat/ directory as the Circle of Trust keystore.
  3. Stop and restart the Tomcat server.

    Note

    The new certificate is not available to use for creating an IdP until the Tomcat server is stopped and restarted.
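As an added example (not part of the BMC documentation or product), the following Python script checks a cot.jks file the way a reviewer would before enabling the IdP: it confirms the file really is JKS rather than PKCS12 by its magic number, lists the entry aliases so you can see whether the installer's test entry was replaced, and recomputes the JKS integrity digest to detect whether the store is still protected by the default password changeit. It parses the JKS container format directly (the magic number, entry layout and the SHA-1 digest whitened with the constant "Mighty Aphrodite" come from the JDK's JavaKeyStore implementation) and uses only the standard library. The sample keystore it builds is constructed in code with placeholder key and certificate bytes; run the audit against the real file with open(path, "rb").read().

```python
import hashlib
import struct

JKS_MAGIC = 0xFEEDFEED                  # first four bytes of every JKS file
WHITENER = b"Mighty Aphrodite"          # constant Sun's JavaKeyStore mixes into the integrity digest


def keystore_format(data: bytes) -> str:
    """JKS (magic number), PKCS12 (a DER SEQUENCE, 0x30) or unknown, from the leading bytes."""
    if len(data) >= 4 and struct.unpack(">I", data[:4])[0] == JKS_MAGIC:
        return "JKS"
    return "PKCS12" if data[:1] == b"\x30" else "unknown"


def _read_utf(data, pos):
    """Java DataOutputStream.writeUTF: 2-byte big-endian length, then the bytes."""
    (n,) = struct.unpack(">H", data[pos:pos + 2])
    return data[pos + 2:pos + 2 + n].decode("utf-8"), pos + 2 + n


def _read_blob(data, pos):
    """4-byte big-endian length, then the bytes (used for keys and certificates)."""
    (n,) = struct.unpack(">I", data[pos:pos + 4])
    return data[pos + 4:pos + 4 + n], pos + 4 + n


def jks_entries(data):
    """(alias, kind, [certificate DER bytes]) for every entry; private keys are left encrypted."""
    magic, version, count = struct.unpack(">III", data[:12])
    if magic != JKS_MAGIC or version not in (1, 2):
        raise ValueError("not a JKS keystore")
    pos, entries = 12, []
    for _ in range(count):
        (tag,) = struct.unpack(">I", data[pos:pos + 4])
        alias, pos = _read_utf(data, pos + 4)
        pos += 8                                 # creation timestamp (Java long, ms since epoch)
        certs = []
        if tag == 1:                             # PrivateKeyEntry: encrypted PKCS#8 key, then a chain
            _key, pos = _read_blob(data, pos)
            (n_certs,) = struct.unpack(">I", data[pos:pos + 4])
            pos += 4
        elif tag == 2:                           # trustedCertEntry: exactly one certificate
            n_certs = 1
        else:
            raise ValueError(f"unknown entry tag {tag}")
        for _ in range(n_certs):
            if version == 2:                     # version 2 prefixes each certificate with its type
                _cert_type, pos = _read_utf(data, pos)
            cert, pos = _read_blob(data, pos)
            certs.append(cert)
        entries.append((alias, "PrivateKeyEntry" if tag == 1 else "trustedCertEntry", certs))
    return entries


def _integrity_digest(body, password):
    h = hashlib.sha1()
    h.update(password.encode("utf-16-be"))      # Java writes each password char as two big-endian bytes
    h.update(WHITENER)
    h.update(body)
    return h.digest()


def integrity_ok(data, password):
    """True only if `password` is the store password: the trailing 20-byte digest depends on it."""
    return _integrity_digest(data[:-20], password) == data[-20:]


def audit_cot_keystore(data, default_password="changeit"):
    """Findings a reviewer would raise against cot.jks before enabling the IdP."""
    fmt = keystore_format(data)
    if fmt != "JKS":
        return [f"keystore is {fmt}; BMC Atrium Single Sign-On requires JKS"]
    entries = jks_entries(data)
    findings = []
    if any(alias == "test" for alias, _, _ in entries):
        findings.append("installer certificate (alias 'test') is still present")
    if not any(kind == "PrivateKeyEntry" for _, kind, _ in entries):
        findings.append("no private key entry, so nothing can sign SAML messages")
    if integrity_ok(data, default_password):
        findings.append(f"keystore is still protected by the default password '{default_password}'")
    return findings


def build_sample_jks(alias, password):
    """Constructed sample with one PrivateKeyEntry; key and certificate bytes are placeholders, not real."""
    a = alias.encode("utf-8")
    fake_key = b"\x00" * 16                      # stands in for the encrypted PKCS#8 blob
    fake_cert = b"\x30\x03\x02\x01\x00"          # stands in for a DER-encoded X.509 certificate
    body = struct.pack(">III", JKS_MAGIC, 2, 1)  # magic, format version 2, one entry
    body += struct.pack(">I", 1) + struct.pack(">H", len(a)) + a + struct.pack(">Q", 0)
    body += struct.pack(">I", len(fake_key)) + fake_key
    body += struct.pack(">I", 1) + struct.pack(">H", 5) + b"X.509"
    body += struct.pack(">I", len(fake_cert)) + fake_cert
    return body + _integrity_digest(body, password)
```

A freshly installed store (alias test, password changeit) yields two findings; a store that has been replaced and re-passworded yields none. The digest only proves the store password: the private key entry has its own password (also changeit by default, per the note above), which this check does not cover.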

To encrypt the password for storage in the files

  1. Enter the following URL into the browser:
    https://<host>:<port>/atriumsso/encode.jsp

    In this case:
    • host is the FQDN of the BMC Atrium Single Sign-On host.
    • port is the port number that BMC Atrium Single Sign-On is using for secure communication.
  2. Enter a new password.
  3. To encrypt the value, click Encode.
  4. Copy the encrypted password into the configuration files.
  5. Stop and restart the BMC Atrium Single Sign-On server.

Creating a local IdP

Note

If you modify the local IdP configuration using the Local IdP Editor, you must also update the configuration on the SP server. For example, if one BMC Atrium Single Sign-On server is configured as a Service Provider and another as an Identity Provider, and you change the IdP server settings, you must reconfigure the Remote IdP Editor on the SP server, either by making the change manually or by re-importing the IdP metadata. Likewise, if you change settings in the Remote IdP Editor on the SP server, you must reconfigure the IdP server, either manually or by re-importing the SP metadata. Until both sides agree on certificates, bindings, and endpoints, SAML exchanges between them fail.

The options of the Local Identity Provider (IdP) Editor are described in the field tables that follow the procedure below.

To create a local IdP

  1. On the BMC Atrium SSO Admin Console, select the realm that you want to edit.
  2. On the Federation tab, click Add.
  3. Select Local Identity Provider (IdP).
  4. Enter the values for fields on the Local IdP editor.
  5. Click Save.

Note

If there are issues with keystore configuration, an error message is displayed.

The fields on the local IdP editor are as follows:

Services tab

Field

Parameter

Description

Name

 

Name for the IdP, or accept the provided IdP name. The Name field is pre-populated with a value that reflects the expected IdP name.

View SAMLv2 Metadata

 

Click this option to view the metadata XML for the configured IdP. When you click View SAMLv2 Metadata, a new page opens, displaying the metadata.

MetaAlias

 

The internally generated identifier for the entity. This value is used in the SAMLv2 login URL specified in the agent configuration.

Binding

 

Select the SAMLv2 binding. This option determines the way in which SAML messages are sent and received between the IdP and the SP. The two bindings differ in the method used to exchange SAMLv2 messages: HTTP Redirect or XHTML Form with Post.
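The two bindings, as an added example that is not part of the original page: the Python functions below build and decode an AuthnRequest for the HTTP-Redirect binding (raw DEFLATE, then base64, then URL-encoded into the query string) and for the HTTP-POST binding (base64 in a hidden form field), following the SAML 2.0 Bindings specification. The AuthnRequest, entity IDs and endpoint URLs are constructed placeholders, not values from a BMC deployment.

```python
import base64
import html
import zlib
from urllib.parse import parse_qs, urlencode, urlsplit

# Constructed sample AuthnRequest; Issuer and Destination are placeholders, not a real deployment.
SAMPLE_AUTHN_REQUEST = (
    '<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
    'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_req1" Version="2.0" '
    'IssueInstant="2024-01-01T12:00:00Z" Destination="https://idp.example.com/sso">'
    "<saml:Issuer>https://sp.example.com/sp</saml:Issuer></samlp:AuthnRequest>"
)


def redirect_binding_url(sso_url, saml_xml, relay_state=None):
    """HTTP-Redirect: raw DEFLATE, base64, URL-encode; the message travels in the query string."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)          # -15 = raw DEFLATE, no zlib header/trailer
    deflated = comp.compress(saml_xml.encode("utf-8")) + comp.flush()
    params = {"SAMLRequest": base64.b64encode(deflated).decode("ascii")}
    if relay_state is not None:
        params["RelayState"] = relay_state
    return f"{sso_url}?{urlencode(params)}"


def redirect_binding_decode(url):
    """Receiver side of HTTP-Redirect: undo the URL-encoding, base64 and DEFLATE steps."""
    q = parse_qs(urlsplit(url).query)
    xml = zlib.decompress(base64.b64decode(q["SAMLRequest"][0]), -15).decode("utf-8")
    return xml, q.get("RelayState", [None])[0]


def post_binding_form(sso_url, saml_xml, relay_state=None):
    """HTTP-POST: base64 only, no compression; the browser submits it from a hidden form field."""
    fields = {"SAMLRequest": base64.b64encode(saml_xml.encode("utf-8")).decode("ascii")}
    if relay_state is not None:
        fields["RelayState"] = relay_state
    inputs = "".join(
        f'<input type="hidden" name="{k}" value="{html.escape(v, quote=True)}"/>' for k, v in fields.items()
    )
    form = f'<form method="post" action="{html.escape(sso_url, quote=True)}">{inputs}' \
           '<input type="submit" value="Continue"/></form>'
    return fields, form


def post_binding_decode(fields):
    """Receiver side of HTTP-POST: the form body carries plain base64."""
    return base64.b64decode(fields["SAMLRequest"]).decode("utf-8"), fields.get("RelayState")
```

The choice interacts with Sign Messages on the next tab: with HTTP-Redirect the signature cannot be embedded in the XML (the XML is deflated), so it travels as separate SigAlg and Signature query parameters computed over the encoded query string, whereas with HTTP-POST the XML Signature sits inside the message itself. A URL also has a practical length limit and is more likely to end up in proxy and web server logs, so HTTP-POST is the usual choice for responses that carry assertions.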

Signing/Encryption tab

Field

Parameter

Description

Sign Messages

Signing Certificate Alias

The alias specifies the certificate that is used to sign the selected SAML messages. Signing lets the receiver verify that a message has not been altered in transit and that it originated with the IdP.

Select the certificate that you want to use for signing the SAML messages. Click View to see the certificate details.

 

Authentication Request, Logout Request, Logout Response, Assertions, Manage Name ID Request, Manage Name ID Response, and Artifact Resolve

Select the relevant signing parameter from the options. These parameters are the SAMLv2 messages that are to be signed by the IdP or are expected to have been signed by the SP.

Encrypt Elements

Encryption Certificate Alias

Select the Encryption Certificate Alias from the list. The alias identifies the IdP's key pair used for XML encryption: the SP encrypts the symmetric (secret) key that protects a SAMLv2 message with the certificate's public key, and the IdP decrypts it with the matching private key from the keystore.

 

Encryption Algorithm

The encryption algorithm used to encrypt SAMLv2 messages. Select None, 3DES, AES-128, or AES-256 from the drop-down list. Prefer AES-128 or AES-256; 3DES is a legacy algorithm, and None leaves the selected elements in plain text.

 

Name ID

Select the Name ID check box if you want to encrypt the Name ID instead of plain text.

Logging tab

Field

Parameter

Description

Logging

Logging Level

The logging level options are: Off, Info and All.

Click View to see the logging information in web page.

Assertion Processing tab

Field

Parameter

Description

Attribute Mapping

Name In Assertion

Local Attribute Name

Attribute Mapping takes user attributes (such as email address or phone number) from the external user store and maps them to the attributes used within the BMC Atrium Single Sign-On system. To define a mapping, enter the Name In Assertion, select the Local Attribute Name that it maps to from the drop-down list, and click Add to put the new mapping into the table.

Assertion Time

Not-Before Skew (seconds)

To compensate for clock drift between remote machines, this value specifies how long before its issue time a received message is still considered valid.

 

Effective Time (seconds)

Amount of time that an assertion is valid counting from the assertion's issue time.
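How the two Assertion Time fields interact, as an added example (not code from the product): issue_assertion mimics an IdP that sets Conditions/NotBefore to the issue instant and NotOnOrAfter to the issue instant plus Effective Time (an assumed mapping of the editor field onto the SAML elements), and check_assertion mimics a receiver that allows Not-Before Skew seconds of clock drift on the early side but no grace on expiry. The assertion XML, timestamps and issuer are constructed for the example.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
TIME_FMT = "%Y-%m-%dT%H:%M:%SZ"                  # SAML dateTime values are UTC


def issue_assertion(issue_instant, effective_time_s, issuer="https://idp.example.com/idp"):
    """IdP side (assumed): Conditions run from IssueInstant for Effective Time seconds."""
    not_after = issue_instant + timedelta(seconds=effective_time_s)
    return (
        f'<saml:Assertion xmlns:saml="{SAML}" ID="_a1" Version="2.0" '
        f'IssueInstant="{issue_instant.strftime(TIME_FMT)}">'
        f"<saml:Issuer>{issuer}</saml:Issuer>"
        f'<saml:Conditions NotBefore="{issue_instant.strftime(TIME_FMT)}" '
        f'NotOnOrAfter="{not_after.strftime(TIME_FMT)}"/>'
        "</saml:Assertion>"
    )


def check_assertion(assertion_xml, received_at, not_before_skew_s):
    """Receiver side: accept only if NotBefore - skew <= received_at < NotOnOrAfter."""
    cond = ET.fromstring(assertion_xml).find(f"{{{SAML}}}Conditions")
    if cond is None or cond.get("NotBefore") is None or cond.get("NotOnOrAfter") is None:
        return False, "rejected: Conditions with NotBefore and NotOnOrAfter are required"
    not_before = datetime.strptime(cond.get("NotBefore"), TIME_FMT).replace(tzinfo=timezone.utc)
    not_after = datetime.strptime(cond.get("NotOnOrAfter"), TIME_FMT).replace(tzinfo=timezone.utc)
    if received_at < not_before - timedelta(seconds=not_before_skew_s):
        return False, "rejected: not yet valid; receiver clock is behind the IdP by more than the skew"
    if received_at >= not_after:
        return False, "rejected: assertion expired"
    return True, "accepted"
```

Effective Time bounds how long a captured assertion stays replayable, so keep it to a few minutes. Not-Before Skew should cover only the drift you actually observe between the IdP and SP clocks, not mask an unsynchronised clock: a large skew widens the window in which a replayed assertion is accepted.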

Creating a remote SP

  1. On the BMC Atrium SSO Admin Console, select the realm that you want to edit.
  2. On the Federation panel, click Add.
  3. Select Remote Service Provider (SP).
  4. Add a URL for the remote SP and upload the SP metadata in the Create Service Provider (SP) window. For more information about the parameters, see Create Remote Service Provider.
  5. Click Save.
  6. On the Federation panel, select the remote SP that you just created.
  7. Click Edit.
  8. Provide the remote SP parameters.
  9. Click Save.

Remote SP Editor parameters

The options of the Remote Service Provider (SP) Editor are described in the field tables below.

The fields on the Remote SP editor are:

Services tab

Field

Parameter

Description

Name

 

Name for the SP, or accept the provided SP name. The Name field is pre-populated with a value that reflects the expected SP name.

View SAMLv2 Metadata

 

Click this option to view the metadata XML for the configured SP. When you click View SAMLv2 Metadata, a new page opens, displaying the metadata.

MetaAlias

 

The internally generated identifier for the entity. This value is used in the SAMLv2 login URL specified in the agent configuration.

Binding

 

This option determines the way in which SAML messages are sent and received between the IdP and the SP. HTTP-Redirect and HTTP-POST are front-channel bindings relayed through the user's browser, and are used when a direct connection between the IdP and SP is not possible. The two bindings differ in the method used to exchange the SAMLv2 messages: HTTP Redirect (the message is carried in the URL query string) or XHTML Form with Post (the message is carried in a form body).

SOAP Basic Authentication

Name
Password
Confirm Password

SOAP Basic authentication can be enabled to protect the SOAP SP endpoints. Any provider accessing these endpoints must present this user name and password.

Signing/Encryption tab

Field

Parameter

Description

Sign Messages

Signing Certificate Alias

The alias specifies the certificate that is used to sign the selected SAML messages. Signing lets the receiver verify that a message has not been altered in transit and that it originated with the SP.

 

Authentication Request, Logout Request, Logout Response, Assertions, Manage Name ID Request, Manage Name ID Response, Artifact Response, and Post Response

These parameters are the SAMLv2 messages that are to be signed by the IdP or are expected to have been signed by the SP.

Encrypt Elements

Encryption Certificate Alias

The alias identifies the remote SP's encryption certificate. The IdP uses its public key to encrypt the symmetric (secret) key that protects a SAMLv2 message; only the SP, which holds the matching private key, can decrypt it.

 

Encryption Algorithm

The encryption algorithm used to encrypt SAMLv2 messages. Select None, 3DES, AES-128, or AES-256 from the drop-down menu. Use the same algorithm that the SP is configured for, and prefer AES over the legacy 3DES.

 

Assertion, Attribute, Name ID

Select the check boxes if you want to encrypt the Assertion, Attribute, or Name ID parameters instead of using plain text.

Note: When you use BMC Atrium Single Sign-On as an IdP for SAMLv2 authentication with encryption, you must select the relevant check box (Assertion, Attribute, or Name ID). You must configure the same encryption on the Local SP as well.

Authentication Request

Field

Parameter

Description

Name ID Formats 

Defines the name identifier formats supported by the service provider. Name identifiers are the way providers refer to a user when communicating with each other.

The Name ID format list is ordered; the first entry has the highest priority in determining the Name ID format to use. If the user does not specify a Name ID format when initiating single sign-on, the first format in this list that the remote Identity Provider also supports is chosen.

A persistent identifier is saved to the user's data store entry as the value of two attributes. A transient identifier is temporary, and no data is written to the user's persistent data store.

Note:

To link user accounts from the SP and the IdP (Remote Identity Provider) after the user logs in, the persistent Name ID format must be at the top of the list.
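Two checks that follow from the note under Creating a local IdP (both sides must be reconfigured or re-imported when one changes) and from the Name ID Formats ordering rule above, as an added example that is not part of the product: remote_idp_drift compares the IdP's current metadata against the copy the SP imported and reports a changed signing certificate or SingleSignOnService endpoint, and persistent_first checks that an SP's NameIDFormat list starts with the persistent format. The metadata documents and certificate contents are constructed placeholders (the X509Certificate elements hold base64 of arbitrary bytes, not real certificates); the entity IDs and URLs are examples.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
DS = "http://www.w3.org/2000/09/xmldsig#"
PERSISTENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
TRANSIENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:transient"
HTTP_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"

# Constructed stand-ins for certificate contents; real metadata carries base64 DER.
SAMPLE_OLD_CERT_B64 = base64.b64encode(b"placeholder: old IdP certificate").decode("ascii")
SAMPLE_NEW_CERT_B64 = base64.b64encode(b"placeholder: new IdP certificate").decode("ascii")


def idp_metadata(entity_id, cert_b64, sso_location, binding=HTTP_POST):
    """Constructed minimal IdP metadata with one signing certificate and one SSO endpoint."""
    return (
        f'<md:EntityDescriptor xmlns:md="{MD}" xmlns:ds="{DS}" entityID="{entity_id}">'
        '<md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">'
        '<md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>'
        f"<ds:X509Certificate>{cert_b64}</ds:X509Certificate>"
        "</ds:X509Data></ds:KeyInfo></md:KeyDescriptor>"
        f'<md:SingleSignOnService Binding="{binding}" Location="{sso_location}"/>'
        "</md:IDPSSODescriptor></md:EntityDescriptor>"
    )


def sp_metadata(entity_id, nameid_formats):
    """Constructed minimal SP metadata with the NameIDFormat list in the given order."""
    fmts = "".join(f"<md:NameIDFormat>{f}</md:NameIDFormat>" for f in nameid_formats)
    return (
        f'<md:EntityDescriptor xmlns:md="{MD}" entityID="{entity_id}">'
        f"<md:SPSSODescriptor>{fmts}</md:SPSSODescriptor></md:EntityDescriptor>"
    )


def signing_cert_fingerprints(metadata_xml):
    """SHA-256 fingerprints of certificates usable for signing (use="signing" or no use attribute)."""
    fps = set()
    for kd in ET.fromstring(metadata_xml).iter(f"{{{MD}}}KeyDescriptor"):
        if kd.get("use", "signing") != "signing":
            continue
        for cert in kd.iter(f"{{{DS}}}X509Certificate"):
            der = base64.b64decode("".join(cert.text.split()))   # PEM-style line breaks are allowed
            fps.add(hashlib.sha256(der).hexdigest())
    return fps


def sso_endpoints(metadata_xml):
    """Set of (Binding, Location) pairs the IdP advertises for single sign-on."""
    root = ET.fromstring(metadata_xml)
    return {(e.get("Binding"), e.get("Location")) for e in root.iter(f"{{{MD}}}SingleSignOnService")}


def remote_idp_drift(live_idp_xml, sp_imported_xml):
    """What changed on the IdP since the SP last imported its metadata; any finding means re-import."""
    findings = []
    if signing_cert_fingerprints(live_idp_xml) != signing_cert_fingerprints(sp_imported_xml):
        findings.append("signing certificate changed; SP will fail signature verification")
    if sso_endpoints(live_idp_xml) != sso_endpoints(sp_imported_xml):
        findings.append("SingleSignOnService binding or location changed")
    return findings


def nameid_formats(sp_xml):
    return [e.text.strip() for e in ET.fromstring(sp_xml).iter(f"{{{MD}}}NameIDFormat")]


def persistent_first(sp_xml):
    """True when the SP lists the persistent format first, as account linking requires."""
    fmts = nameid_formats(sp_xml)
    return bool(fmts) and fmts[0] == PERSISTENT
```

Feed remote_idp_drift the XML from the IdP's View SAMLv2 Metadata page and the copy held by the SP's Remote IdP Editor; a rotated signing certificate shows up as a fingerprint mismatch before users see failed logins.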

Assertion Processing

Field

Parameter

Description

Artifact Encoding

 

The encoding technique used for Assertion Artifacts. The encoding method is determined by the IdP and is usually related to binding method. From the drop down menu, select URI or FORM.

Attribute Mapping

SAML Attribute

Atrium SSO Attribute

Attribute Mapping takes user attributes (such as email address or phone number) from the external user store and maps them to the attributes used within the BMC Atrium Single Sign-On system. To define a mapping, enter the name of the SAML Attribute, select the Atrium SSO Attribute that it maps to from the drop-down list, and click Add to put the new mapping into the table.

(Optional) Federate your user accounts in bulk

For information about using bulk federation, see Federating user accounts in bulk.

Where to go from here

  • For information about managing users, user groups, and authentication modules, see Administering.
  • For information about troubleshooting SAMLv2 authentication, see Troubleshooting SAMLv2.