BMC Helix Single Sign-On and SAML parameters
The Single Sign-On tab of the Global Settings > System Variables page defines the parameters required to integrate BMC Client Management with the BMC Helix Single Sign-On server and a SAML server.
Helix Single Sign-On configuration parameters
As a BMC Client Management administrator, you must get the following settings from a BMC Helix Single Sign-On administrator. The following parameters are required to configure BMC Helix Single Sign-On with BMC Client Management:
| Parameter | Description |
|---|---|
| SSO Mode | Displays a list of modes for single sign-on, including Disabled, RSSO, and SAML. Select RSSO. |
| Disable Client Management Authentication | Check this box to allow administrators to log in only through Single Sign-On and block BMC Client Management username/password authentication. Note: Super admins can still use credentials for troubleshooting. |
| UI mode | Select how the SSO login page and any redirections appear. Select Popup, Redirect, or iFrame. |
| Additional Frame Src | When you select iFrame as the UI mode, enter all HTTPS domains that the SSO mechanism accesses. The system adds these domains to the CORS HTTP headers. |
| Admin auto-create | Check this box to automatically create an administrator account in BMC Client Management when a Single Sign-On login succeeds for an admin who does not already exist. Important: Authentication fails if you do not check this option and BMC Client Management does not contain the authenticated user. |
| Default Administrators Group | (Optional) Specify the group that receives auto-created administrators. |
| RSSO Server URL | Enter the URL for the BMC Helix Single Sign-On server. The server URL must begin with https and have the same domain as the BMC Client Management master server. For example, use bcm.calbro.com and rsso.calbro.com. You can also select a URL from the RSSO Server URL list. Click Verify to verify the URL. |
| RSSO Realm ID | A realm is a virtual identity provider used to authenticate a domain. Contact your administrator for the Realm ID. |
| Product Identifier | Defines the identifier for BMC Client Management. The identifier must be unique for each application that provides authentication through the BMC Helix Single Sign-On server. |
| RSSO Token revalidation period | Enter the revalidation period in minutes. For more information, contact your administrator. |
| Certificate Authority Bundle | Configures the list of certificate authorities that BMC Client Management must trust when connecting to a BMC Helix Single Sign-On server. |
| Server Certificate | Defines the server certificate to accept when connecting to the server. Click |
| Cookie name | Enter the name of the cookie to prevent the CheckConfig web service from collecting it. |
| Disable case sensitiveness in RSSO login name | Sometimes a login name in BMC Helix Single Sign-On and BMC Client Management can differ in case, for example, Demo and demo. You can disable case sensitivity checks on the login name supplied by BMC Helix Single Sign-On so that it matches the login name recognized by BMC Client Management. Select the checkbox to disable case sensitivity checks on the login name. |
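
A pre-flight check for the RSSO Server URL and Additional Frame Src rules in the table above, as an added example that is not BMC code. It assumes "same domain" means the same parent domain (as in bcm.calbro.com and rsso.calbro.com) and that frame source entries are written as https:// URLs; the function names are hypothetical.

```python
from urllib.parse import urlsplit


def parent_domain(host):
    """Drop the first label: rsso.calbro.com -> calbro.com (assumed meaning of 'same domain')."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[1:]) if len(labels) > 2 else ".".join(labels)


def check_rsso_settings(master_host, rsso_url, ui_mode="Redirect", frame_src=()):
    """Return a list of problems; an empty list means the values satisfy the rules."""
    problems = []
    url = urlsplit(rsso_url)
    if url.scheme.lower() != "https":
        problems.append("RSSO Server URL must begin with https")
    if not url.hostname:
        problems.append("RSSO Server URL has no host name")
    elif parent_domain(url.hostname) != parent_domain(master_host):
        problems.append(
            f"{url.hostname} and {master_host} are not in the same domain"
        )
    # Additional Frame Src only applies when the UI mode is iFrame.
    if ui_mode.lower() == "iframe":
        if not frame_src:
            problems.append("iFrame mode needs at least one Additional Frame Src entry")
        for entry in frame_src:
            parsed = urlsplit(entry)
            if parsed.scheme.lower() != "https" or not parsed.hostname:
                problems.append(f"Additional Frame Src entry is not an HTTPS domain: {entry}")
    return problems


if __name__ == "__main__":
    # Constructed sample values based on the host names used in the table.
    for issue in check_rsso_settings(
        "bcm.calbro.com",
        "http://rsso.calbro.com",
        ui_mode="iFrame",
        frame_src=["https://rsso.calbro.com", "http://idp.calbro.com"],
    ):
        print("FAIL:", issue)
```
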
SAML configuration parameters
As a BMC Client Management administrator, you must get the following settings from a SAML administrator. The following parameters are required to configure SAML with BMC Client Management:
| Parameter | Description |
|---|---|
| SSO Mode | Displays a list of modes for single sign-on, including Disabled, RSSO, and SAML. Select SAML. |
| Disable Client Management Authentication | Check this box to allow administrators to log in only through Single Sign-On and block BMC Client Management username/password authentication. Note: Super admins can still use credentials for troubleshooting. |
| UI mode | Select how the SSO login page and any redirections appear. Select Popup, Redirect, or iFrame. |
| Additional Frame Src | When you select iFrame as the UI mode, enter all HTTPS domains that the SSO mechanism accesses. The system adds these domains to the CORS HTTP headers. |
| Admin auto-create | Check this box to automatically create an administrator account in BMC Client Management when a Single Sign-On login succeeds for an admin who does not already exist. Important: Authentication fails if you do not check this option and BMC Client Management does not contain the authenticated user. |
| Default Administrators Group | (Optional) Specify the group that receives auto-created administrators. |
| BCM Master base URL | Enter the BMC Client Management master URL that the system uses for authentication through SAML. This is usually the external URL users access to reach the BMC Client Management master. |
| Single Sign-On URL of the SAML IDP | The SAML Identity Provider’s Single Sign-On URL. The system automatically fills this field when you upload the SAML IDP metadata file. |
| Single Logout URL of the SAML IDP | (Optional) The system automatically fills this field when you upload the SAML IDP metadata file. If you leave this blank, the system does not perform single logout, and logout happens only at the BMC Client Management level. |
| After Logout redirection URL | (Optional) Enter the URL where the web console redirects users after a SAML single logout or after a local logout if no Single Logout URL is set. |
| SAML Name ID format | The system automatically fills this field when you upload the SAML IDP metadata file. Tip: You can change the format with the values available in the combo box. |
| Accepted Time Before (sec) | Specify how many seconds the timestamp in the SAML response can precede the BMC Client Management master server time. The system accepts the response if its timestamp is no earlier than the BMC Client Management master time minus this value. |
| Accepted Time After (sec) | Specify the maximum number of seconds after the BMC Client Management master server time for the SAML response timestamp. The system accepts the response if the timestamp is no later than the BMC Client Management master time plus this value. |
| SAML Requests Signature Certificate | (Optional) Provide the certificate that the system uses to sign SAML requests. Important: Make sure the certificate and its private key are available in bin/certs/other or through the configured PKCS#11 library. |
| SAML Signature Digest | Specify the digest algorithm that the system uses when signing SAML requests. |
| Log SAML Messages | Check this box to log all SAML messages in the general mtxagent.log file. |
| First Name SAML Attribute | (Optional) When you set this field, the system sets the BMC Client Management administrator’s first name to the value of the attribute in the SAML Single Sign-On response that matches this name. |
| Last Name SAML Attribute | (Optional) When you set this field, the system sets the BMC Client Management administrator’s last name to the value of the attribute in the SAML Single Sign-On response that matches this name. |
| Email SAML Attribute | (Optional) When you set this field, the system sets the BCM administrator’s email address to the value of the attribute in the SAML Single Sign-On response that matches this name. |
| Office Phone SAML Attribute | (Optional) When you set this field, the system sets the BCM administrator’s office phone number to the value of the attribute in the SAML Single Sign-On response that matches this name. |
| Home Phone SAML Attribute | (Optional) When you set this field, the system sets the BMC Client Management administrator’s home phone number to the value of the attribute in the SAML Single Sign-On response that matches this name. |
| Mobile Phone SAML Attribute | (Optional) When you set this field, the system sets the BMC Client Management administrator’s mobile phone number to the value of the attribute in the SAML Single Sign-On response that matches this name. |
| Title SAML Attribute | (Optional) When you set this field, the system sets the BMC Client Management administrator’s title to the value of the attribute in the SAML Single Sign-On response that matches this name. |
| Department SAML Attribute | (Optional) When you set this field, the system sets the BMC Client Management administrator’s department to the value of the attribute in the SAML Single Sign-On response that matches this name. |
| Company SAML Attribute | (Optional) When you set this field, the system sets the BMC Client Management administrator’s company to the value of the attribute in the SAML Single Sign-On response that matches this name. |
| Location SAML Attribute | (Optional) When you set this field, the system sets the BMC Client Management administrator’s location to the value of the attribute in the SAML Single Sign-On response that matches this name. |
| Employee ID SAML Attribute | (Optional) When you set this field, the system sets the BMC Client Management administrator’s employee ID to the value of the attribute in the SAML Single Sign-On response that matches this name. |
| SAML IDP Sign Certificate | The system automatically fills this field when you upload the SAML IDP metadata file. The IDP uses this trusted certificate to sign its SAML responses. |
| Set the SAML IDP Metadata | Click this button to upload a metadata file. |
| Get the SAML SP Metadata | Click this button to download the Service Provider Metadata file. |
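
How the Accepted Time Before and Accepted Time After values bound an acceptable response, as an added example that is not BMC code. It assumes the timestamp checked is the `IssueInstant` attribute of the SAML 2.0 Response; the sample message and function names are constructed for illustration.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"

# Constructed sample: a bare SAML Response carrying only what the check reads.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    ID="_constructed" Version="2.0" IssueInstant="2024-05-01T12:00:40Z"/>"""


def issue_instant(response_xml):
    """Return the Response's IssueInstant as an aware UTC datetime."""
    # For untrusted input, parse with a hardened parser such as defusedxml.
    root = ET.fromstring(response_xml)
    if root.tag != f"{{{SAMLP}}}Response":
        raise ValueError("not a SAML 2.0 Response")
    raw = root.get("IssueInstant")
    if raw is None:
        raise ValueError("Response has no IssueInstant")
    # SAML timestamps are UTC with a trailing Z, which older Pythons reject.
    ts = datetime.fromisoformat(raw.replace("Z", "+00:00"))
    if ts.tzinfo is None:
        ts = ts.replace(tzinfo=timezone.utc)
    return ts.astimezone(timezone.utc)


def within_window(response_xml, master_now, before_sec, after_sec):
    """Apply the window: master - before <= timestamp <= master + after."""
    ts = issue_instant(response_xml)
    earliest = master_now - timedelta(seconds=before_sec)
    latest = master_now + timedelta(seconds=after_sec)
    if ts < earliest:
        return (False, "too old")
    if ts > latest:
        return (False, "in the future")
    return (True, "ok")


if __name__ == "__main__":
    master = datetime(2024, 5, 1, 12, 1, 0, tzinfo=timezone.utc)
    # The sample is 20 seconds older than the master clock.
    print(within_window(SAMPLE_RESPONSE, master, before_sec=30, after_sec=30))
    print(within_window(SAMPLE_RESPONSE, master, before_sec=10, after_sec=30))
```

This timing check is separate from signature verification against the SAML IDP Sign Certificate; wide windows lengthen the time a captured response stays acceptable, so keep both values close to the real clock skew between the IDP and the master.
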
For more information on configuring the BMC Helix Single Sign-On server with BMC Client Management, see Integrating with BMC Helix Single Sign-On.