Use the tabs in the Realm Editor to set the user profile, manage the realm authentication modules, federate modules, and manage user stores, as well as manage users and user groups.
The Main tab provides the following panels for specifying parameters:
The User Profile panel allows you to set user profile parameters. Parameter options are: Ignored, Required, or Dynamic.
In the User Profile panel, select either Dynamic or Ignored.
- Dynamic — Specifies that a local Single Sign-On user profile is created after a successful authentication, if it does not already exist.
- Ignored — Specifies that no local Single Sign-On user profile is created or required for authentication.
- Required — Specifies that a local Single Sign-On user profile with the same user ID is required for authentication to be successful.
The Authentication panel allows you to create, edit, and delete authentication module instances and to establish an authentication chain. An authentication chain is a series of authentication modules through which the user must pass to authenticate. The chain can be constructed to allow complex processing of the modules.
For example, you can use authentication chaining to merge multiple LDAP servers into a single authentication unit. Chaining multiple LDAP modules together with a sufficient relationship ensures that each LDAP module is checked to authenticate the user. If any module successfully authenticates the user, the user is identified and given an SSO session.
The combination of modules in a chain uses the following flags per module:
- Required — Identifies modules that are required to succeed. Regardless of whether the authentication succeeds or fails, authentication still proceeds through the authentication chain of modules.
- Requisite — Identifies modules that are required to succeed. If authentication succeeds, authentication proceeds through the authentication chain of modules. If authentication fails, control immediately returns to the application (authentication does not proceed through the authentication chain of modules).
- Sufficient — Identifies modules that are not required to succeed. If the module succeeds, control immediately returns to the application (authentication does not proceed through the rest of the authentication chain). If the module fails, authentication continues through the authentication chain of modules.
- Optional — Identifies modules that are not required to succeed. Regardless of whether the authentication succeeds or fails, authentication still proceeds through the authentication chain of modules.
The Requisite and Sufficient flags are most commonly used. These flags allow the processing to stop as soon as the authentication status of the user is known. The Required and Optional flags do not stop the processing but force each module to be evaluated.
The overall authentication succeeds only if all modules that are flagged with Required and Requisite succeed.
- If a module that is flagged with Sufficient succeeds, only the Required and Requisite modules that precede that Sufficient module must have succeeded for the overall authentication to succeed.
- If no Required or Requisite modules are configured for an application, then at least one Sufficient or Optional module must succeed.
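The flag rules above are easier to reason about when they are written out as an evaluation loop. The following is an added example, not code from the BMC Atrium Single Sign-On or OpenAM code base: it models a chain as a list of (module, flag) entries, stands in for each LDAP server with a constructed in-memory account table, and returns both the overall result and the list of modules that were actually evaluated, so the short-circuit behaviour of Requisite and Sufficient is visible. The module names, account tables and chain layouts are constructed for illustration.

```python
from dataclasses import dataclass
from enum import Enum
from typing import Callable, Dict, List, Tuple


class Flag(Enum):
    REQUIRED = "required"
    REQUISITE = "requisite"
    SUFFICIENT = "sufficient"
    OPTIONAL = "optional"


@dataclass
class ChainEntry:
    name: str
    flag: Flag
    authenticate: Callable[[str, str], bool]  # module logic: (user, password) -> success


def directory(accounts: Dict[str, str]) -> Callable[[str, str], bool]:
    """Constructed stand-in for an LDAP bind: succeeds only if the user exists with that password."""
    return lambda user, password: accounts.get(user) == password


def run_chain(chain: List[ChainEntry], user: str, password: str) -> Tuple[bool, List[str]]:
    """Evaluate a chain with the Required/Requisite/Sufficient/Optional semantics.

    Returns (overall_success, names_of_modules_that_were_evaluated).
    """
    has_required = any(e.flag in (Flag.REQUIRED, Flag.REQUISITE) for e in chain)
    required_failed = False      # some Required module earlier in the chain failed
    optional_succeeded = False   # some Optional module succeeded
    evaluated: List[str] = []
    for entry in chain:
        ok = entry.authenticate(user, password)
        evaluated.append(entry.name)
        if entry.flag is Flag.REQUIRED:
            # the failure is remembered, but the chain keeps going
            required_failed = required_failed or not ok
        elif entry.flag is Flag.REQUISITE:
            if not ok:
                return False, evaluated      # control returns immediately
        elif entry.flag is Flag.SUFFICIENT:
            if ok:
                # short-circuit: success only if every earlier Required module succeeded
                return not required_failed, evaluated
            # a failed Sufficient module does not stop the chain
        elif entry.flag is Flag.OPTIONAL:
            optional_succeeded = optional_succeeded or ok
    if required_failed:
        return False, evaluated
    if has_required:
        return True, evaluated               # every Required/Requisite module succeeded
    # no Required/Requisite modules: an Optional (or, above, a Sufficient) module must succeed
    return optional_succeeded, evaluated


# Constructed account tables standing in for two LDAP servers
CORP_LDAP = directory({"alice": "alice-pw"})
PARTNER_LDAP = directory({"bob": "bob-pw"})

# Two LDAP servers merged into one authentication unit: both flagged Sufficient
MERGED_LDAP = [
    ChainEntry("ldap-corp", Flag.SUFFICIENT, CORP_LDAP),
    ChainEntry("ldap-partner", Flag.SUFFICIENT, PARTNER_LDAP),
]
# A Required module ahead of a Sufficient one: a later Sufficient success cannot rescue a Required failure
CORP_THEN_PARTNER = [
    ChainEntry("ldap-corp", Flag.REQUIRED, CORP_LDAP),
    ChainEntry("ldap-partner", Flag.SUFFICIENT, PARTNER_LDAP),
]
# Requisite first factor, then an Optional second factor that never succeeds in this constructed setup
REQUISITE_THEN_OPTIONAL = [
    ChainEntry("ldap-corp", Flag.REQUISITE, CORP_LDAP),
    ChainEntry("otp", Flag.OPTIONAL, lambda user, password: False),
]

if __name__ == "__main__":
    for label, chain in [("merged", MERGED_LDAP), ("corp-then-partner", CORP_THEN_PARTNER),
                         ("requisite-then-optional", REQUISITE_THEN_OPTIONAL)]:
        for user, pw in [("alice", "alice-pw"), ("bob", "bob-pw"), ("mallory", "guess")]:
            print(label, user, run_chain(chain, user, pw))
```

With the merged chain, a corporate user is identified after the first module, a partner user only after both have been tried, and an unknown user causes every module to be evaluated before the chain fails. The second chain shows the rule that a Sufficient success only counts if the Required modules before it succeeded; the third shows a Requisite failure returning control immediately, before the Optional module runs.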
The Realm Authentication panel also allows you to select the transformation to apply to the user ID. For example, if a user ID has the format AbCxYz and you want to see all of its characters in lower case or upper case, select the transformation from the UserId Transformer drop-down list on the Realm Authentication panel. When the user logs on to Atrium SSO, the user ID is then displayed as ABCXYZ or abcxyz in the application. You do not need to restart the server after changing or applying a transformation; existing authenticated sessions, however, are not modified. By default, two transformation options are available.
You can add more options using customized plug-ins. For information about creating customized plug-ins, see Configuring a new user ID transformation.
- TO UPPER - converts all the characters in the user ID to upper case
- To lower - converts all the characters in the user ID to lower case
You can also select No Transform option, if you do not want to select any transformation for the user ID.
Note that the transformation is applied after authentication succeeds, not before. Whatever the user types in the login form is passed to the ID server without any changes.
The Federation panel is used for managing the membership of Local Identity Provider (IdP) and Local Service Provider (SP) entities that belong in a Circle of Trust (COT). The name of the COT is derived from the name of the realm to allow a logical mapping into the OpenAM abstractions.
The IdP and SP entities created in the realm are automatically assigned membership in the single COT for the realm.
This panel allows you to add, edit, and federate realms. When you add a realm, you can specify the type of realm (for example, IdP or SP for SAMLv2 authentication).
The User Stores panel allows you to manage user stores (add, delete, edit, and reorder).
The User Store Manager allows you to define external User Stores from which user attributes (email address, phone numbers, and so forth) and group memberships can be obtained. By default, the internal LDAPv3 data store is configured as a User Store for the BmcRealm. However, external LDAPv3 servers, BMC Remedy AR System servers, and even an RDBMS can be used (with a customer-provided JDBC driver).
The User Store Manager allows you to create new User Stores from existing types or existing Templates, edit existing user stores, and delete deprecated ones. Templates are based upon user stores types but include initial configuration values. An example of a template would be to provide meaningful default values for an Active Directory user store.
The User tab allows you to create new users, delete existing users, and edit the attributes and memberships of those users. By selecting a user, you can edit or delete the user.
When searching for a user, entering * in the search field of each respective panel returns all of the names. A letter such as "m" returns all names with the letter "m" in the user name. A short string such as "mc" returns names that have "mc" in the user name (for example, McCormick).
The Groups tab allows you to create new groups, delete existing groups, and edit the attributes of the group. By selecting a group, you can edit or delete the group.
When searching for a group, entering * in the search field of each respective panel returns all of the names. A letter such as "d" returns all names with the letter "d". A short string such as "dm" returns names that have "dm" in the group name (for example, admin).
The Security tab provides the following features:
Login Failure Lockout
The Login Failure Lockout feature locks a user account after too many failed login attempts, which maintains the security of the account. The Login Failure Lockout feature provides the following options:
- Enable Login Lockout - To activate the lockout feature, select the Enable Login Lockout check box. The lockout mode is a memory lockout, which can be cleared by restarting the BMC Atrium Single Sign-On server, or by disabling Enable Login Lockout and then re-enabling it.
- Lockout Duration - Sets the interval (in minutes) that a user must wait after lockout before attempting to authenticate again. Entering a value greater than 0 enables memory lockout and disables physical lockout. Memory lockout locks the user's account in memory for specified number of minutes. The account is unlocked after the period has passed.
- Number of Login Attempts Before Lockout - Sets the number of incorrect attempts permitted for a user to log on to the account, within the interval set in Lockout Duration, before being locked out.
The administrator can clear all users' lockouts by disabling the lockout feature and setting the lockout duration to 0. Both steps are necessary: when the lockout feature is disabled, the duration must also be set to 0.
To ensure that the administrator always has the access to the server, the account lockout feature is not applicable for the amAdmin account.
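The interaction between Lockout Duration, Number of Login Attempts Before Lockout and the amAdmin exemption is clearer as a small state machine. The following is an added example, not BMC's implementation: a memory lockout that counts failures within the configured duration, locks the account for that duration once the attempt limit is reached, unlocks it automatically when the period has passed, exempts the administrator account, and offers the "disable and set duration to 0" reset described above. The timestamps are passed in explicitly so the behaviour can be checked without waiting; the user names are constructed.

```python
from typing import Dict, Iterable, List


class LoginFailureLockout:
    """In-memory login failure lockout (added example, not the product's own code)."""

    def __init__(self, enabled: bool = True, lockout_duration_minutes: int = 5,
                 attempts_before_lockout: int = 3, exempt_users: Iterable[str] = ("amAdmin",)):
        # Per the settings described above: a duration greater than 0 enables memory lockout.
        self.enabled = enabled and lockout_duration_minutes > 0
        self.duration = lockout_duration_minutes * 60          # seconds
        self.max_attempts = attempts_before_lockout
        self.exempt = set(exempt_users)                         # amAdmin is never locked out
        self._failures: Dict[str, List[float]] = {}            # user -> failure timestamps (epoch seconds)
        self._locked_until: Dict[str, float] = {}              # user -> lockout expiry (epoch seconds)

    def is_locked(self, user: str, now: float) -> bool:
        """True while the user is inside an active lockout period."""
        if not self.enabled or user in self.exempt:
            return False
        until = self._locked_until.get(user)
        if until is None:
            return False
        if now >= until:
            # The period has passed: unlock and forget the failures that caused it.
            del self._locked_until[user]
            self._failures.pop(user, None)
            return False
        return True

    def record_failure(self, user: str, now: float) -> bool:
        """Register one incorrect login; returns True if the account is (now) locked."""
        if not self.enabled or user in self.exempt:
            return False
        if self.is_locked(user, now):
            return True
        # Only failures within the lockout duration count towards the limit.
        window = [t for t in self._failures.get(user, []) if now - t < self.duration]
        window.append(now)
        self._failures[user] = window
        if len(window) >= self.max_attempts:
            self._locked_until[user] = now + self.duration
            return True
        return False

    def record_success(self, user: str) -> None:
        """A successful login clears the failure counter."""
        self._failures.pop(user, None)

    def clear_all(self) -> None:
        """Equivalent of disabling the feature and setting the duration to 0: all lockouts are cleared."""
        self._failures.clear()
        self._locked_until.clear()


if __name__ == "__main__":
    lockout = LoginFailureLockout(lockout_duration_minutes=5, attempts_before_lockout=3)
    t = 1_000_000.0
    for offset in (0, 10, 20):
        print("bob failure at +%ds -> locked: %s" % (offset, lockout.record_failure("bob", t + offset)))
    print("bob locked at +60s:", lockout.is_locked("bob", t + 60))
    print("bob locked at +320s:", lockout.is_locked("bob", t + 320))
    print("amAdmin failure -> locked:", lockout.record_failure("amAdmin", t))
```

Because the lockout lives only in memory, a server restart clears it, which matches the behaviour of the Enable Login Lockout option described above.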
Valid Forwarding Domains
The Valid Forwarding Domains feature provides a limit to the domains that the BMC Atrium Single Sign-On server will forward to the browser after authentication. To enable this feature, you must provide at least one URL to the list of Valid Forwarding Domains. An empty list indicates that the feature is disabled.
To add a URL to the list of valid forwarding domains
- Insert the URL in the Trusted Domain field.
- Click Add.
- For the changes to take effect, restart the BMC Atrium Single Sign-on server.
Ensure that you provide the absolute path for the URL that you enter in the list of Valid Forwarding Domains, such as:
If you try to access a URL that is not present in Valid Forwarding Domains, you are redirected to a page that has an error message and a link to log out of the BMC Atrium Single Sign-On server.
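The reason the entries must be absolute URLs, and the reason an unlisted target is rejected rather than forwarded, is that the post-authentication redirect target arrives from the browser and must be compared against the configured list by origin, not by substring. The following is an added example of such a check, not the BMC Atrium Single Sign-On implementation: it parses each configured entry into (scheme, host, port), refuses entries that are not absolute URLs, and accepts a forward target only when its origin is in the list. An empty list disables the check, as the text states. The host names are constructed for illustration.

```python
from typing import Iterable, Optional, Set, Tuple
from urllib.parse import urlsplit

Origin = Tuple[str, str, int]   # (scheme, host, effective port)


def _origin(url: str) -> Optional[Origin]:
    """Return (scheme, host, port) for an absolute http(s) URL, or None if it is not one."""
    parts = urlsplit(url.strip())
    scheme = parts.scheme.lower()
    if scheme not in ("http", "https") or not parts.hostname:
        # Relative paths, scheme-less "//host/..." forms and non-web schemes are not absolute URLs.
        return None
    try:
        port = parts.port
    except ValueError:
        return None                      # malformed port
    if port is None:
        port = 443 if scheme == "https" else 80
    return scheme, parts.hostname.lower(), port


def load_valid_forwarding_domains(entries: Iterable[str]) -> Set[Origin]:
    """Parse the configured list; every entry must be an absolute URL."""
    allowed: Set[Origin] = set()
    for entry in entries:
        origin = _origin(entry)
        if origin is None:
            raise ValueError("Valid Forwarding Domain must be an absolute URL: %r" % entry)
        allowed.add(origin)
    return allowed


def is_valid_forward(goto_url: str, allowed: Set[Origin]) -> bool:
    """Decide whether the server may forward the browser to goto_url after authentication."""
    if not allowed:
        return True                      # empty list: the feature is disabled
    origin = _origin(goto_url)
    return origin is not None and origin in allowed


if __name__ == "__main__":
    # Constructed configuration: two application servers behind this SSO server
    allowed = load_valid_forwarding_domains(["https://itsm.example.com",
                                             "https://portal.example.com:8443"])
    for target in ["https://itsm.example.com/arsys/shared/login.jsp",
                   "https://itsm.example.com.evil.test/",
                   "//itsm.example.com/",
                   "http://itsm.example.com/",
                   "https://portal.example.com/"]:
        print("forward" if is_valid_forward(target, allowed) else "reject (show error page)", target)
```

Comparing parsed origins rather than raw strings is what makes a look-alike host such as itsm.example.com.evil.test, a scheme-less target, or a different port fail the check; the rejected cases are exactly the ones that should end on the error page with the log-out link described above.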
Editors available from Realm Editor
- User and Group editors
- Authentication module instance editors
- Local Service Provider (SP) Editor
- Create Identity Provider
- Remote Identity Provider (IdP) Editor
- Local Identity Provider (IdP) Editor
- Create Remote Service Provider
- Remote Service Provider (SP) Editor