This documentation supports the 9.0 version of BMC Atrium Single Sign-On, which is in "End of Version Support." However, the documentation is available for your convenience. You will not be able to leave comments.


Managing the AR System users and groups for authentication

The Action Request (AR) authentication module allows BMC Atrium Single Sign-On to use the user accounts within a BMC Remedy AR System server for authentication. This module is normally used in conjunction with the AR Data Store to retrieve group information and other user attributes from the AR System server.

When you enable authentication chaining mode, all authentication methods in the chain are attempted in the specified order until either the authentication succeeds or all the methods in the chain fail.

Note

If you plan to use an authentication method other than or in addition to the AR module, see the applicable authentication method in Configuring after installation, for example, Using Kerberos for authentication or Using SAMLv2 for authentication.

Configure the AR module for AR System


  1. On the SSO Server, navigate to Start > All Programs > BMC Software > BMC Atrium SSO > Administrator to launch the BMC Atrium SSO Admin Console and log on.
  2. Click Edit BMC Realm to open the Realm Editor.
  3. Set User Profile to Dynamic.
  4. On the Realm Authentication panel, click Add.
  5. Click AR.
    1. Enter the AR parameters.
    2. Click Save.
  6. On the Realm Authentication panel, set the process order of the authentication chain:
    1. For the AR module, under Flag, select Sufficient.
    2. Select the AR module.
    3. Click Up so that AR is first in the list.
    4. Set Internal LDAP to Optional.

      Sufficient means that, with multiple authentication modules, if you are successfully authenticated with the first module, the remaining modules are skipped. But if the login fails, authentication moves to the next module in the chain. Setting AR to Sufficient and placing it as the first module in the list means that if you are authenticated with the AR System server, you are successfully authenticated by BMC Atrium Single Sign-On and you proceed to the Mid Tier.

      Note

      With Single Sign-On, you want to trigger authentication providers in the right order. The order is: Required > Requisite > Sufficient > Optional.
      If you set both realms to Required, then you would need both authentications to establish the session.
      For more information on creating an authentication chain, see the Realm Authentication panel described in Realm Editor.
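
The chain behaviour described in step 6 and the note above, as an added example that is not part of the BMC documentation or product code: a small evaluator that applies JAAS-style control flags to an authentication chain. The Requisite and Optional handling, the module class, and the sample accounts are assumptions; the page itself describes only the Sufficient and Required cases.

```python
# Added example: flag handling follows JAAS control flags (an assumption).
from dataclasses import dataclass

REQUIRED, REQUISITE, SUFFICIENT, OPTIONAL = (
    "Required", "Requisite", "Sufficient", "Optional")

@dataclass
class Module:
    name: str
    flag: str
    accounts: dict  # constructed sample credentials: user -> password

    def login(self, user, password):
        return user in self.accounts and self.accounts[user] == password

def evaluate_chain(chain, user, password):
    """Return (authenticated, names of the modules that were attempted)."""
    attempted, any_success = [], False
    mandatory_seen = mandatory_failed = False  # Required/Requisite tracking
    for module in chain:
        attempted.append(module.name)
        ok = module.login(user, password)
        any_success = any_success or ok
        if module.flag in (REQUIRED, REQUISITE):
            mandatory_seen = True
            if not ok:
                mandatory_failed = True
                if module.flag == REQUISITE:
                    break  # a Requisite failure ends the chain at once
        elif module.flag == SUFFICIENT and ok and not mandatory_failed:
            break  # a Sufficient success skips the remaining modules
    if mandatory_seen:
        return (not mandatory_failed), attempted
    return any_success, attempted  # only Sufficient/Optional modules present

# Constructed sample accounts (hypothetical names and passwords).
AR_USERS = {"aruser": "ar-pass"}
LDAP_USERS = {"localadmin": "ldap-pass"}

def page_chain():
    """The chain from step 6: AR first as Sufficient, Internal LDAP Optional."""
    return [Module("AR", SUFFICIENT, AR_USERS),
            Module("Internal LDAP", OPTIONAL, LDAP_USERS)]

def both_required():
    """The case from the note: both modules set to Required."""
    return [Module("AR", REQUIRED, AR_USERS),
            Module("Internal LDAP", REQUIRED, LDAP_USERS)]
```

Under these semantics, an account that exists only in the internal LDAP still authenticates through the step 6 chain, so both stores are live credential sources and need the same password policy and log review.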

AR parameters

| Parameter | Description |
| --- | --- |
| Server Host Name | (Required) Provide the fully qualified domain name (FQDN) of the server where the AR System server is located. The full host name includes the domain name (bmc.com) of the computer and the individual name of the server (yourServer). |
| Server Port Number | (Required) The port number on which the AR System server is listening. Note: Enter a value of 0 if the AR System server is using port mapping. |
| Default Authentication String | This string is used only when the AR module is placed downstream in a chain from another authentication module that prompts the user only for a name and password. In this situation, the value of this parameter is used to authenticate the user by re-using the credentials provided by the user along with this authentication string. |
| Allow AR Guests | If enabled, allows unknown or invalid users to authenticate to the AR System server as guests. |

Note

When using SAMLv2 for authentication, you must not use AR user stores. Although the AR authentication module should be configured, the AR data store is not needed for authentication in a SAMLv2 deployment.

Configure AR user stores for AR System


  1. On the User Stores panel, click Add.
  2. Select AR User Store.
  3. Enter the AR User Store parameters.
  4. Click Save.

AR User Store parameters


| Section | Parameter | Description |
| --- | --- | --- |
| Name | | Label for the AR user store. |
| AR Server Host | Host Name | (Required) Provide the fully qualified domain name (FQDN) of the server where the AR System server is located. The full host name includes the domain name (bmc.com) of the computer and the individual name of the server (yourServer). Replace the default value (sample.bmc.com) with the host name of your server (for example, yourServer.bmc.com). |
| | Port | (Required) Default: 0. Provide the port number where the AR Server is listening. The value of 0 is used when the AR Server is using port mapping. |
| Administrative Access | Name | (Required) Provide the user name of an AR Server user store account that has AR System Administrator privileges. Empty or blank passwords for this internal user are not supported with a new user store. |
| | Authentication | Provide the authentication string that is needed when the Administrator account is used to connect with the AR System server. |
| | Password and Confirm Password | Password for the AR System administrative user of the AR Server user store account (for example, admin). |
| Connection Pool | Linger Time (seconds) | (Required) Default: 60. Linger Time is the amount of time (in milliseconds) that a connection is allowed to remain unused in the pool before being closed. |
| | Pool size | (Required) Default: 10. The Pool Size is the maximum number of connections the data store uses to service data requests for the AR System server. |

Managing the AR System users and groups


BMC Atrium Single Sign-On provides basic user and group management features with the internal LDAP server. These features allow an administrator to manage users, groups, and memberships in the groups.

Note

When you configure the AR User Store for the AR System, all your AR System users and groups are already listed.

From the User page, the administrator can create, delete, and manage group memberships.

BMC products can use the group membership capabilities of the BMC Atrium Single Sign-On system to provide authorization and authentication of users. If a BMC product does not use the group memberships of the BMC Atrium Single Sign-On system, consult that product's documentation to determine how groups map to privileges.

To access the User page

Navigate to the following location:

  1. Open the Realm Editor.
  2. Click the Users tab.

New users can only be created when you are using the internal LDAP server for authentication. If an external source is used for authentication, new users must be created within that external system.

Note

If special characters, such as comma ( , ) , semi-colon ( ; ), or plus sign ( + ) are used in the user ID, the backslash ( \ ) must precede the special character. For example, Baldwin\,bob.

When creating a new user, each field that is marked with an asterisk is a required field.

To add a new user

  1. In the Realm Editor, click the Users tab.
    Current AR System users created in your AR System server are already listed.
  2. Click Add to open the User Editor.
  3. In the User Id field, enter a unique identifier for the new user.
    This value is used as the user ID when the user logs in.
  4. Specify the user's status.
    The default is Active.
  5. Add the name attributes.
    • The name attributes (First Name, Full Name, and Last Name) can be provided to BMC products to help identify user accounts by using terms that are more user-friendly. The actual use of these attributes, though, is dependent on the BMC product.
    • You must assign an initial password of at least 8 characters when creating the account. After the password is created, the user can log into BMC Atrium Single Sign-On and update the password and their personal information through the following URL:
      https://FQDNHostName:port/BMC Atrium SSO?realm=BmcRealm
  6. Click the Groups tab.
  7. From the list of available groups, add the user to group membership (for example, BmcAdmins).
  8. Click Save.

To access the Group page

BMC Atrium Single Sign-On provides predefined groups to help with the Administrator privileges that some BMC products might require. For example, the BmcSearchAdmin group provides privileges that allow a user to connect to the server to perform identity searches.

Note

Care should be exercised when assigning the BmcSearchAdmin group because these elevated privileges allow greater access to BMC Atrium Single Sign-On than is normally allowed.

Navigate to the following location:

  1. Open the Realm Editor.
  2. Click the Groups tab.

To create a new group

Normally, BMC products install the groups that they need managed into BMC Atrium Single Sign-On as part of their installation. However, a situation might arise in which a group might need to be created or re-created.

  1. In the Realm Editor, click the Groups tab.
    Current AR System groups created in your AR System server are already listed.
  2. Click Add to open the Group Editor.
  3. Enter a new, unique name for the group.
  4. Add available users to the new group.
  5. Click Save.
