Configuring user authentication for the Presentation Server in Remedy SSO
After you create or edit and configure the tenant details in Remedy SSO, you must configure the user authentication type. Remedy SSO can be configured to provide one of the following authentication types for the TrueSight Presentation Server:
From the TrueSight console, you can only view the user information. You must perform all modifications to the user information in Remedy SSO. You can do that by cross-launching to Remedy SSO from the TrueSight console.
Before you begin
- You must have installed Remedy SSO.
- You must have
- You must have configured tenants to be used with the TrueSight Presentation Server.
Local User Management authentication
The Remedy SSO server supports external Lightweight Directory Access Protocol (LDAP) servers for authentication. LDAP is an open, vendor-neutral, industry-standard application protocol for accessing and maintaining distributed directory information services over an Internet Protocol (IP) network.
Support for LDAP also includes using external Active Directory (AD) servers for authentication. Active Directory authentication must be configured for the enterprise environment.
- The TrueSight REST API calls are not supported for SAML users.
- Service Provider (SP) and Identity Provider (IdP) initiated SAML logins are supported.
Kerberos is a trusted third-party service that provides authentication for all client and server applications by using secret-key cryptography. The clients and servers are collectively referred to as principals. Kerberos uses a database that contains the private keys of clients and servers. The private keys are used to authenticate different clients and servers on a network. Kerberos also generates temporary session keys that are shared between a client and a server so that they can communicate with each other. All communications between the client and the server are then encrypted with the temporary session key.
Before configuring Kerberos authentication, you must create a service account in Active Directory and add an SPN mapping to authenticate the service. A given SPN can be registered on only one account.
Certificate-based authentication uses a digital certificate to identify users or system resources before granting access. Ensure that the following conditions are met before configuring certificate-based authentication:
- The client has a valid public key certificate.
- SSL support is configured for the server.
- Client authentication is configured on the server.
- OpenID authentication is supported only with TrueSight Presentation Server version 11.3.02 and later.
- The TrueSight REST API calls are not supported for OAuth users.
The OpenID Connect (OIDC) authentication method is built on top of the OAuth 2.0 protocol. Clients use OIDC to check the identity of users. The identification is based on the authentication done at the authorization server.
The following sequence of actions explains the OIDC workflow:
- The registered client (Remedy SSO) sends the authorization request to the OIDC provider.
- The OIDC provider authenticates an end user and redirects the authorization code to Remedy SSO.
- Remedy SSO sends a request with the authorization code to get the access token from the OIDC provider.
- With the access token, Remedy SSO requests the information about the end user.
- The OIDC provider provides information about the end user to Remedy SSO.
- Remedy SSO creates a user session.
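The six steps above, simulated in memory as an added example; this is not BMC or Remedy SSO code. The names `ToyProvider` and `ToyClient` are hypothetical, and the `state` check and single-use authorization code are standard OAuth 2.0/OIDC safeguards assumed here, not settings described on this page.

```python
import secrets
class ToyProvider:  # in-memory stand-in for an OIDC provider (constructed)
    def __init__(self, users):
        self.users, self.codes, self.tokens = users, {}, {}

    def authorize(self, client_id, redirect_uri, state, username):
        # Step 2: authenticate the end user, then hand back a code on the redirect.
        if username not in self.users:
            raise PermissionError("authentication failed")
        code = secrets.token_urlsafe(16)
        self.codes[code] = (client_id, redirect_uri, username)
        return {"code": code, "state": state}

    def token(self, client_id, redirect_uri, code):
        # Step 3: a code is single use and bound to the client that requested it.
        entry = self.codes.pop(code, None)
        if entry is None or entry[:2] != (client_id, redirect_uri):
            raise PermissionError("invalid_grant")
        access = secrets.token_urlsafe(16)
        self.tokens[access] = entry[2]
        return access

    def userinfo(self, access_token):
        # Step 5: claims are released only for a token this provider issued.
        if access_token not in self.tokens:
            raise PermissionError("invalid_token")
        return self.users[self.tokens[access_token]]

class ToyClient:  # plays the relying-party role the page assigns to Remedy SSO
    def __init__(self, provider, client_id, redirect_uri):
        self.provider, self.client_id, self.redirect_uri = provider, client_id, redirect_uri
        self.pending, self.sessions = set(), {}

    def start_login(self):
        # Step 1: the authorization request carries a fresh, unguessable state.
        state = secrets.token_urlsafe(16)
        self.pending.add(state)
        return state

    def handle_callback(self, params):
        # Refuse callbacks whose state this client did not issue or already used.
        if params.get("state") not in self.pending:
            raise PermissionError("state mismatch")
        self.pending.discard(params["state"])
        access = self.provider.token(self.client_id, self.redirect_uri, params["code"])
        claims = self.provider.userinfo(access)       # steps 4 and 5
        sid = secrets.token_urlsafe(16)
        self.sessions[sid] = claims["sub"]            # step 6: create the session
        return sid
```

A session is created only when the callback carries a state value the client issued and a code the provider has not yet redeemed; a replayed callback or a reused code raises `PermissionError` instead.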
This section provides the following information for configuring authentication types in Remedy SSO:
- Setting up Local User Management authentication in Remedy SSO
- Setting up LDAP or Active Directory users in Remedy SSO
- Setting up SAMLv2 authentication in Remedy SSO
- Setting up Kerberos authentication in Remedy SSO
- Setting up Certificate-based authentication in Remedy SSO
- Setting up OpenID authentication in Remedy SSO