Configuring user authentication for the Presentation Server in Remedy SSO
After you create or edit and configure the tenant details in Remedy SSO, you must configure the user authentication type. Remedy SSO can be configured to provide one of the following authentication types for the TrueSight Presentation Server:
From the TrueSight console, you can only view the user information. You must perform all modifications to the user information in Remedy SSO. You can do that by cross-launching to Remedy SSO from the TrueSight console.
Before you begin
- You must have installed Remedy SSO.
- You must have
- You must have configured tenants to be used with the TrueSight Presentation Server.
Local User Management authentication
Local User Management authentication is a simple, lightweight user store that is not intended to be a corporate-wide authentication provider. It is not designed as a high-performance authentication provider that supports group policies, password expiration, and so on. It allows you to create realm-specific user stores that can be used for different purposes. For example, in multi-tenant environments, it can be used to configure admin privileges for different tenants using different user accounts that belong to the appropriate realms.
Typical use cases for Local User Management authentication:
- when using local users for applications requiring several user accounts
- when corporate identity providers are not available
- for testing purposes
You should consider other authentication types in case you are designing corporate-wide authentication for a high workload.
All local users and groups created after the release of 9.1 SP2 and prior to upgrading to 9.1 SP3 are not assigned to any realm. After the upgrade of Remedy Single Sign-On to 9.1 SP3, a new empty realm is created and all existing local users are moved into it. The administrator can remove local users from this realm and recreate them for the necessary realm if needed.
LDAP or Active Directory authentication
The Remedy SSO server supports using external Lightweight Directory Access Protocol (LDAP) servers for authentication. LDAP is an open, vendor-neutral, industry-standard application protocol for accessing and maintaining distributed directory information services over an Internet Protocol (IP) network.
Support for LDAP also includes using external Active Directory (AD) servers for authentication. Active Directory authentication must be configured for the enterprise environment.
SAMLv2 authentication
- The TrueSight REST API calls are not supported for SAML users.
- Service Provider (SP) and Identity Provider (IdP) initiated SAML logins are supported.
You can configure the Remedy Single Sign-On (Remedy SSO) server to authenticate users through SAMLv2 authentication. SAML V2.0 is implemented by forming a Circle of Trust that comprises a Service Provider (SP) and an Identity Provider (IdP).
The SP hosts and protects the services that the user accesses. Remedy SSO is configured as an SP for BMC products. The IdP authenticates users and provides details of the authentication to the SP.
Kerberos authentication
Kerberos is a trusted third-party authentication service that provides authentication for all client and server applications by using secret-key cryptography. The clients and servers are collectively referred to as principals. Kerberos uses a database that contains the private keys of clients and servers. The private keys are used to authenticate different clients and servers on a network. Kerberos also generates temporary session keys that are shared between a client and a server so that they can communicate with each other. All communications between a client and server are then encrypted with the temporary session key.
Before configuring Kerberos authentication, you must create a service account in Active Directory and add an SPN mapping to authenticate the service. A given SPN can be registered on only one account.
Certificate-based authentication
Certificate-based authentication uses a digital certificate to identify users or system resources before granting access. Ensure that the following conditions are met before configuring certificate-based authentication:
- Client has a valid Public Key Certificate
- SSL support is configured for the server
- Client authentication is configured on the server
OpenID authentication
- OpenID authentication is supported only with TrueSight Presentation Server version 11.3.02 and later.
- The TrueSight REST API calls are not supported for OAuth users.
The OpenID Connect (OIDC) authentication method is built on top of the OAuth 2.0 protocol. Clients use OIDC to verify the identity of users. The identification is based on the authentication performed at the authorization server.
The following sequence of actions explains the OIDC workflow:
- The registered client (Remedy SSO) sends the authorization request to the OIDC provider.
- The OIDC provider authenticates the end user and redirects the browser back to Remedy SSO with an authorization code.
- Remedy SSO sends a request containing the authorization code to the OIDC provider to obtain an access token.
- With the access token, Remedy SSO requests information about the end user.
- The OIDC provider returns the end-user information to Remedy SSO.
- Remedy SSO creates a user session.
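The six-step sequence above, modelled end to end as an added example (this is not BMC's or Remedy SSO's code): an in-memory stub stands in for the OIDC provider, a small class plays Remedy SSO as the registered client, and the `state` value binds the callback to the login that started it so a replayed or forged callback is rejected. The client ID, secret, and redirect URI are constructed values.

```python
# Added example, not Remedy SSO code: the OIDC authorization-code flow in memory.
import secrets
from urllib.parse import urlencode, urlparse, parse_qs

CLIENT_ID, CLIENT_SECRET = "remedy-sso", "constructed-client-secret"   # constructed
REDIRECT_URI = "https://rsso.example.com/rsso/oidc/callback"            # constructed

class OidcProviderStub:
    """Stand-in for the OIDC provider: issues codes, access tokens and userinfo."""
    def __init__(self):
        self.codes, self.tokens = {}, {}
    def authorize(self, params, end_user):            # step 2: user authenticates at the provider
        assert params["response_type"] == "code" and params["client_id"] == CLIENT_ID
        code = secrets.token_urlsafe(16)
        self.codes[code] = (params["redirect_uri"], end_user)
        return params["redirect_uri"] + "?" + urlencode({"code": code, "state": params["state"]})
    def token(self, code, redirect_uri, client_id, client_secret):   # step 3: code for token
        redir, user = self.codes.pop(code)            # an authorization code is single-use
        if (client_id, client_secret, redirect_uri) != (CLIENT_ID, CLIENT_SECRET, redir):
            raise PermissionError("client authentication or redirect_uri mismatch")
        tok = secrets.token_urlsafe(24)
        self.tokens[tok] = user
        return {"access_token": tok, "token_type": "Bearer"}
    def userinfo(self, access_token):                 # steps 4-5: user details for the token
        return dict(self.tokens[access_token])

class RemedySsoClient:
    """Remedy SSO as the registered client; pending logins are keyed by state."""
    def __init__(self, provider):
        self.op, self.pending, self.sessions = provider, {}, {}
    def start_login(self):                            # step 1: build the authorization request
        state = secrets.token_urlsafe(16)             # ties the later callback to this login
        self.pending[state] = True
        return {"response_type": "code", "client_id": CLIENT_ID, "scope": "openid profile email",
                "redirect_uri": REDIRECT_URI, "state": state}
    def callback(self, redirect_url):                 # steps 3-6: redeem code, create session
        q = {k: v[0] for k, v in parse_qs(urlparse(redirect_url).query).items()}
        if not self.pending.pop(q.get("state"), False):
            raise PermissionError("unknown or replayed state")   # forged/replayed callback
        tok = self.op.token(q["code"], REDIRECT_URI, CLIENT_ID, CLIENT_SECRET)
        user = self.op.userinfo(tok["access_token"])
        sid = secrets.token_urlsafe(16)
        self.sessions[sid] = user                     # step 6: Remedy SSO session
        return sid

def demo_login(end_user):
    """Runs the full sequence for one end user and returns the session's user record."""
    op = OidcProviderStub(); rsso = RemedySsoClient(op)
    sid = rsso.callback(op.authorize(rsso.start_login(), end_user))
    return rsso.sessions[sid]
```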
This section provides the following information for configuring authentication types in Remedy SSO:
- Setting up Local User Management authentication in Remedy SSO
- Setting up LDAP or Active Directory users in Remedy SSO
- Setting up SAMLv2 authentication in Remedy SSO
- Setting up Kerberos authentication in Remedy SSO
- Setting up Certificate-based authentication in Remedy SSO
- Setting up OpenID authentication in Remedy SSO