Realm Editor
Use the tabs in the Realm Editor to set the user profile, manage the realm authentication modules, federate modules, and manage user stores, as well as manage users and user groups.
Main tab
The Main tab provides the following panels for specifying parameters:
User Profile
Federation
The Federation panel is used for managing the membership of Local Identity Provider (IdP) and Local Service Provider (SP) entities that belong in a Circle of Trust (COT). The name of the COT is derived from the name of the realm to allow a logical mapping into the OpenAM abstractions.
The IdP and SP entities created in the realm are automatically assigned membership in the single COT for the realm.
This panel allows you to add, edit, and federate realms. When you add a realm, you can specify the type of realm (for example, IdP or SP for SAMLv2 authentication).
User Stores
The User Stores panel allows you to manage user stores (add, delete, edit, and reorder).
The User Store Manager allows you to define external User Stores from which user attributes (email address, phone numbers, and so forth) and group memberships can be obtained. By default, the internal LDAPv3 data store is configured as a User Store for the BmcRealm. However, external LDAPv3 servers, BMC Remedy AR System servers, and even an RDBMS can be used (with a customer-provided JDBC driver).
The User Store Manager allows you to create new User Stores from existing types or existing Templates, edit existing user stores, and delete deprecated ones. Templates are based upon user stores types but include initial configuration values. An example of a template would be to provide meaningful default values for an Active Directory user store.
User tab
The User tab allows you to create new users, delete existing users, and edit the attributes and memberships of those users. By selecting a user, you can edit or delete the user.
When searching for a user, entering /* in the search field of the respective panel returns all of the names. A single letter such as "m" returns all user names that contain the letter "m". A short string such as "mc" returns user names that contain "mc" (for example, McCormick).
Groups tab
The Groups tab allows you to create new groups, delete existing groups, and edit the attributes of a group. By selecting a group, you can edit or delete the group.
When searching for a group, entering /* in the search field of the respective panel returns all of the names. A single letter such as "d" returns all group names that contain the letter "d". A short string such as "dm" returns group names that contain "dm" (for example, admin).
Security tab
The Security tab provides the following features:
Login Failure Lockout
The Login Failure Lockout feature locks a user account after repeated failed login attempts, in order to protect the account. The Login Failure Lockout feature provides the following options:
- Enable Login Lockout - To activate the lockout feature you need to select the Enable Login Lockout check box. The lockout mode is a memory lockout which can be cleared by restarting the BMC Atrium Single Sign-On server, or by disabling the Enable Login Lockout and re-enabling it again.
- Lockout Duration - Sets the interval (in minutes) that a user must wait after lockout before attempting to authenticate again. Entering a value greater than 0 enables memory lockout and disables physical lockout. Memory lockout locks the user's account in memory for the specified number of minutes; the account is unlocked after that period has passed.
- Number of Login Attempts Before Lockout - Sets the number of incorrect attempts permitted for a user to log on to the account, within the interval set in Lockout Duration, before being locked out.
The administrator can clear all users' lockouts by disabling the lockout feature and setting the lockout duration to 0. Both steps are necessary: when the lockout feature is disabled, the duration must also be set to 0.
Note
To ensure that the administrator always has access to the server, the account lockout feature does not apply to the amAdmin account.
Valid Forwarding Domains
The Valid Forwarding Domains feature limits the domains to which the BMC Atrium Single Sign-On server will forward the browser after authentication. To enable this feature, you must add at least one URL to the list of Valid Forwarding Domains. An empty list means that the feature is disabled.
To add a URL to the list of valid forwarding domains
- Insert the URL in the Trusted Domain field.
- Click Add.
- For the changes to take effect, restart the BMC Atrium Single Sign-On server.
Note
Ensure that you provide the absolute path for the URL that you enter in the list of Valid Forwarding Domains, such as:
If you try to access a URL that is not present in Valid Forwarding Domains, you are redirected to a page that shows an error message and a link to log out of the BMC Atrium Single Sign-On server.
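The check described above, as an added illustration that is not BMC's own code: a post-authentication redirect target is accepted only if its scheme, host and port match an entry in the Valid Forwarding Domains list, an empty list disables the check, and anything else is sent to the error/logout page. The allow-list entries, the `example.com` hosts and the `/sso/logout` path are constructed for the example, and matching on the full origin (rather than on the host alone) is an assumption about the feature's semantics.

```python
from urllib.parse import urlsplit

# Constructed allow list: absolute URLs, as the Realm Editor note requires.
VALID_FORWARDING_DOMAINS = [
    "https://portal.example.com",
    "https://helpdesk.example.com:8443/arsys",
]


def _origin(url):
    """Return (scheme, host, port) for an absolute http(s) URL, else None."""
    try:
        parts = urlsplit(url)
        port = parts.port  # raises ValueError on a malformed port
    except ValueError:
        return None
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return None  # relative, scheme-relative (//host) and non-http targets
    if parts.username is not None or parts.password is not None:
        return None  # "https://trusted@other-host/" style targets are rejected
    if port is None:
        port = 443 if parts.scheme == "https" else 80
    return (parts.scheme, parts.hostname.lower(), port)


def is_valid_forwarding_target(target, allowed):
    """Assumed semantics: origin must match an allow-list entry exactly.
    An empty list disables the feature, so every target is accepted then."""
    if not allowed:
        return True
    origin = _origin(target)
    if origin is None:
        return False
    return any(origin == _origin(entry) for entry in allowed)


def forward_after_login(target, allowed):
    """Decide where the browser goes after a successful login."""
    if is_valid_forwarding_target(target, allowed):
        return ("redirect", target)
    return ("error", "/sso/logout")  # hypothetical error page with logout link
```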