Setting up OpenID authentication in Remedy SSO

You can configure the Remedy Single Sign-On (Remedy SSO) server to authenticate TrueSight Presentation Server users using an OpenID authentication mechanism.

The following topics help you to perform the OpenID configuration tasks in Remedy SSO and create an authorization profile in the TrueSight console :

Before you begin

• You must have installed and configured the Remedy SSO to work with the Presentation Server and its component products. For details, see  Planning to deploy Remedy SSO   and   Installing Remedy Single Sign-On.
• (Applicable only to Presentation Server versions configured with Atrium SSO)  You must migrate the internal user data from Atrium SSO to Remedy SSO. For details, see  Migrating internal user data from Atrium SSO to Remedy SSO.
• You must have configured tenants to be used with the Presentation Server. For details, see  Configuring tenants for the Presentation Server in Remedy SSO.
• You must have set the Remedy SSO general settings. For details, see  Set up the Remedy SSO server.
• Configure a realm for the authentication. For more information on realm configuration, see  Adding and configuring realms in Remedy SSO.
• Ensure that you have procured the details of your OAuth provider. To know how to configure an OAuth provider, see the example Configuring an OAuth provider using Google OAuth.

Configuring OpenID in Remedy SSO

To configure the OpenID authentication

1. In the left navigation pane of the Add Realm or Edit Realm page, click Authentication.

2. In the Authentication Type field, click OIDC.

3. (Optional) Select the Enable AR authentication for bypass check box to enable bypass URL to authenticate against AR. For more information about enabling BMC Remedy AR System authentication for bypass, see  Enabling AR authentication for bypassing other authentication methods.

4. (Optional) Click Enable Chaining Mode and perform the following steps to enable authentication chaining. For more information about the authentications that you can chain with OIDC, see  Authentication fallback  and  Enabling authentication chaining mode.
   1. Click Add Authentication.
   2. Select the required authentication type and enter the authentication details.
   3. Repeat steps a through b to add more authentications for the realm.

5. To import OpenID Connect Provider information, click Import.

6. Complete the OIDC Discovery URL field, and click Import. The following fields get prepopulated: 

   Field	Description
   Authorization URL	Returns an authorization code.
   Token URL	Exchanges previously received authorization code with an access token.
   UserInfo URL	Relates to the user who has currently logged in and is attained by using the access token.
   Scope	Returns different details about logged in user.
   Client ID	Registers the client application on the OpenID provider side.
   Client Secret	Identifies the client application. When Remedy SSO server is registered as a client on the OIDC provider site, the OIDC provider generates and provides the client ID and client secret values.
   RSSO server URL	URL of the Remedy SSO server.
   RSSO callback URL	Enables a response from the OIDC provider.
   User ID field name	Identifies the user which will be used by Remedy SSO.

7. Configure the remaining fields on the Authentication tab:

   Field	Description
   Prompt	Prompts the user for a required action. Select one of the following options from the drop down list: none: The authorization server must not display any authentication or consent user interface pages. An error is returned if an end user is not already authenticated or if the client does not have a pre-configured consent for the requested claims or does not fulfill other conditions for processing the request. The error code will typically be one of the following codes -  login_required, interaction_required, account_selection_required, consent_required, invalid_request_uri, invalid_request_object, request_not_supported, request_uri_not_supported, registration_not_supported. This can be used as a method to check for existing authentication and/or consent. login: The authorization server should prompt the end user for reauthentication. If it cannot reauthenticate the end user, it must return an error, typically login_required. consent: The authorization server should prompt the end user for consent before returning information to the client. If it cannot obtain the consent, it must return an error, typically consent_required. select_account: The authorization server should prompt the end user to select a user account. This enables an end user who has multiple accounts at the authorization server to select from the multiple accounts that they might have current sessions for. If it cannot obtain an account selection choice made by the end user, it must return an error, typically account_selection_required.
   User ID Transformation	During the login procedure, Remedy Single Sign-On checks that the login ID provided by an end-user matches the user ID available in the user store of an identity provider (IdP). In many use cases, the login ID and the user ID do not match, and end-users cannot log in by using their login credentials.  To transform the user ID as a required for an authentication method, Remedy Single Sign-On provides user ID transformation options. Select one of the following transformation options from the drop-down list:  None: Displays the entered userID without any transformation. RemoveBMCDomain: Displays the userID without the suffix. RemoveDomain: Displays the userID without the prefix <domain>. Example: companyname\userid is transformed to userID. RemoveEmailDomain: Displays userID without the suffix@<anyemaildomain>. ToLowerCase: Displays userID after converting it to lower case. Example: UserID is transformed to userid. ToUpperCase: Displays userID after converting it to upper case. Example: userid is transformed to USERID.

8. Click Add Authentication.
9. In the Authentication Type field, click LOCAL.
10. Enter the LOCAL details. For more information on parameters, see LOCAL authentication parameters.
11. Create users and user groups for the LOCAL authentication. 
    The users in LOCAL should be exactly same as the OAuth users.

12. Associate users to the user groups.
    

13. Click Save.

Configuring an OAuth provider using Google OAuth

Do the following:

1. Log in to Google project, go to Credentials > Create Credentials > OAuth Client ID.
   
   
   

2. Select Web Application application type, and click Create.

3. Save the Client ID and Secret information of the credentials in a notepad. You will need these details later.

4. Provide the name for your OAuth 2.0 client.

5. Provide the URIs for the Authorised JavaScript origins, and Authorised redirect URIs as shown in the following example: 

   • Authorised JavaScript origins: https://<rsso_host_FQDN>:<rsso_port>

   • Authorised redirect URIs: https://<rsso_host_FQDN>:<rsso_port>/rsso/redirect
     

6. Select the OAuth consent screen tab to view the scope and branding information. 

   In this step, you can decide whether to grant your application the requested access. The consent window that shows the name of your application and the Google API services that it is requesting permission to access with the authorization credentials and a summary of the scopes of access to be granted. You can consent to grant access to one or more scopes requested by your application or refuse the request.

7. Log in to the Remedy Single Sign-On server using the Admin user, select the Realm tab.

8. Create a new realm or edit the existing one. 

9. Under the Authentication tab, select OIDC, and click on Import to get the OIDC provider information. 

10. Open the following URL: 

    https://accounts.google.com/.well-known/openid-configuration

    The page will have the pre-populated URL information. For the remaining fields, set the values as explained below:

    • Scope: Provide the email

    • Client ID & secret information: Use the information saved from Step 3.

    • User ID field name: sub

    • Prompt: Retain the default value

    • User ID transformation: None

11. Click Save.

12. For the successful TrueSight Operations Management authorization login, you will need OIDC user group information. 

13. If you have created new realm and not using default (*) realm, create authorization profile for new realm with appropriate user group and roles mapping.

14. Log in to TrueSight console using the Google ID and validate.