Integrating with BMC Helix Single Sign-On

BMC Helix Single Sign-On is an authentication system that supports various authentication protocols such as LDAP and provides single sign-on for users of BMC products. For more information about BMC Helix Single Sign-On, including installation and configuration, see BMC Helix Single Sign-On Orientation.

Before you begin

As a BMC Client Management administrator who is integrating BMC Client Management with BMC Helix Single Sign-On, ensure that the following settings are met:

BMC Helix Single Sign-Onparameter details
- BMC Helix Single Sign-OnURL
- Certificate Authority
- Server Certificate

Mandatory settings

The minimum supported version of BMC Helix Single Sign-On is 9.1.01 and later.
The BMC Client Management master and the BMC Helix Single Sign-On server must be in the same domain. For example, if the BMC Client Management master server domain name is bcm.calbro.com, then the BMC Helix Single Sign-On domain name must be rsso.calbro.com.
On the RSSO server, the realm used must have the master server DNS alias as one of the application domains. Following the above example, we must add bcm.calbro.com.

The BMC Client Management master server must have a reservation in DNS and must be accessed using that DNS name; otherwise, the integration fails and the following message is displayed: Forbidden request! Goto URL is wrong.

Considerations for configuring certificates

Communication between BMC Client Management and BMC Helix Single Sign-On can take place only over secured protocol (HTTPS). To enable communication by using HTTPS, you must obtain the HTTPS certificate from the BMC Helix Single Sign-On server.

You can supply a CA bundle that is trusted by your organization, pin the certificate downloaded from BMC Helix Single Sign-On, or use both.

A pinned certificate is more secure than a CA bundle; however, pinned certificates require more frequent renewal. BMC recommends that you use both a pinned certificate and a trusted CA bundle to verify the identity of the BMC Helix Single Sign-On server.

BMC Helix Single Sign-On parameters

As a BMC Client Management administrator, you must get the following settings from a BMC Helix Single Sign-On and SAML administrator. For parameters required to configure BMC Helix Single Sign-On and SAML with BMC Client Management, see BMC Helix Single Sign-On parameters.

You must configure a certificate on the BMC Client Management console using one of the options for security purposes.

To configure BMC Client Management to integrate with BMC Helix Single Sign-On

As a BMC Client Management administrator, you need the required parameters to configure BMC Helix Single Sign-On in BMC Client Management.

To apply the BMC Helix Single Sign-On settings, perform the following steps:

In the BMC Client Management console, go to Global Settings > System Variables.
Select Single Sign On.
From the SSO Mode list, select RSSO, and enter the following parameter values:
1. UI mode
2. (For iFrame UI Mode) Additional Frame Src
3. RSSO Server URL
4. Realm ID
5. Product Identifier
6. RSSO Token revalidation period
7. Certificate Authority Bundle
8. Server Certificate
Click Verify.
Click Save Parameters.

Troubleshooting

Issue	Cause(s)	Resolution(s)
BMC Client Managementintegration with BMC Helix Single Sign-On not successful	Incorrect BMC Helix Single Sign-On parameters BMC Helix Single Sign-Onserver down	Contact BMC Helix Single Sign-On administrator
Cannot authenticate into BMC Client Management browser-based console	BMC Helix Single Sign-Onserver down Incorrect BMC Helix Single Sign-On credentials Incorrect configuration in BMC Client Management	Contact BMC Helix Single Sign-On administrator to ensure BMC Helix Single Sign-On server is up and running Contact BMC Client Management administrator to check whether BMC Helix Single Sign-On is correctly configured

Next step

Connect to the BMC Client Management browser-based console using BMC Helix Single Sign-On credentials