Single sign-on session credentials
When an Authentication Service authenticates a user, it issues a session credential to the client application. The BMC Server Automation Console lets users choose to cache session credentials. The blcred utility always caches any session credential it obtains from the Authentication Service.
BMC Server Automation clients use session credentials to establish secure sessions with Application Servers and Network Shell proxy servers.
A session credential contains the following information:
- BMC Server Automation user name
- Protocol used to authenticate the user: SRP, LDAP, SecurID, AD/Kerberos, or Domain Authentication
- Service URL, which identifies the Authentication Service that issued the session credential, its host address, and its port.
- Expiration time for session credential
- Maximum lifetime for session credential
- Client system's IP address
- Authorized roles for user
- Service URLs of BMC Server Automation services that the credential can be used to access, such as Application Services and Network Shell Proxy Services. Each of these URLs specifies the type of service, its host address, and its port.
Session credentials are digitally signed by the issuing Authentication Service. A BMC Server Automation service, when presented with a session credential, verifies the digital signature to confirm the credential's authenticity and integrity; a credential whose contents were altered after issue fails this check and is rejected. SSO session credentials are cached in a file on the client host. BMC Server Automation relies on the operating system's file access controls to restrict access to the session credential cache. The session credential cache file resides at a default location, but you can modify that location, as described in Setting override locations for client SSO files.
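The following is an added illustrative model, not BMC's own code or wire format, of the checks a service performs on a session credential carrying the fields listed above: signature, maximum lifetime, expiration time, client IP address, and the service URLs the credential may be used for. It also shows renewal (as the reports server performs it) extending the expiration time but never past the maximum lifetime. The field names, the JSON encoding, the example URLs and the shared key are assumptions; an HMAC stands in for the Authentication Service's digital signature so that the example runs with the standard library alone.

```python
"""Illustrative SSO session-credential issue/verify/renew (added example).

Assumptions: JSON payload, HMAC-SHA256 in place of the Authentication
Service's digital signature, and constructed URLs/keys. Not BMC's format.
"""
import hashlib
import hmac
import json

# Constructed key shared by the issuing Authentication Service and the
# verifying service. In the real system the service verifies a signature
# with the Authentication Service's public key instead.
AUTH_SERVICE_KEY = b"constructed-auth-service-key"


def _canonical(payload):
    # Deterministic serialization so signer and verifier hash identical bytes.
    return json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()


def _sign(payload):
    return hmac.new(AUTH_SERVICE_KEY, _canonical(payload), hashlib.sha256).hexdigest()


def issue_credential(user, protocol, client_ip, roles, service_urls, now,
                     lifetime_s=3600, max_lifetime_s=8 * 3600,
                     auth_service_url="auth://auth-host:9840"):
    """Build and sign a credential with the fields described on the page."""
    payload = {
        "user": user,
        "protocol": protocol,                      # SRP, LDAP, SecurID, ...
        "auth_service_url": auth_service_url,      # issuing service, host, port
        "expires_at": now + lifetime_s,            # expiration time
        "max_lifetime_until": now + max_lifetime_s,  # hard cap for renewals
        "client_ip": client_ip,
        "roles": sorted(roles),
        "service_urls": sorted(service_urls),      # services it may be used for
    }
    return {"payload": payload, "signature": _sign(payload)}


def verify_credential(cred, service_url, peer_ip, now):
    """Checks a service applies before honoring a credential. Returns (ok, reason)."""
    payload = cred["payload"]
    # Signature first: nothing else in the payload is trustworthy until it holds.
    if not hmac.compare_digest(_sign(payload), cred["signature"]):
        return False, "bad signature"
    if now >= payload["max_lifetime_until"]:
        return False, "max lifetime exceeded"
    if now >= payload["expires_at"]:
        return False, "expired"
    if peer_ip != payload["client_ip"]:
        return False, "client IP mismatch"
    if service_url not in payload["service_urls"]:
        return False, "service not authorized"
    return True, "ok"


def renew_credential(cred, now, lifetime_s=3600):
    """Re-sign with a later expiration, capped at the maximum lifetime.

    Only a correctly signed, still-valid credential may be renewed.
    """
    payload = dict(cred["payload"])
    if not hmac.compare_digest(_sign(payload), cred["signature"]):
        raise ValueError("cannot renew: bad signature")
    if now >= payload["expires_at"] or now >= payload["max_lifetime_until"]:
        raise ValueError("cannot renew: credential no longer valid")
    payload["expires_at"] = min(now + lifetime_s, payload["max_lifetime_until"])
    return {"payload": payload, "signature": _sign(payload)}


if __name__ == "__main__":
    now = 1_700_000_000
    app = "appserver://app1:9841"   # constructed Application Service URL
    cred = issue_credential("alice", "SRP", "10.0.0.5", ["BLAdmins"], [app], now)
    print(verify_credential(cred, app, "10.0.0.5", now + 10))
    print(verify_credential(cred, "nsh-proxy://p1:9842", "10.0.0.5", now + 10))
```

Two ordering choices matter: the signature is checked before any field is read for policy, because an unsigned payload can claim any expiry or role; and the maximum lifetime is checked before the expiration time, so a renewed credential that has reached its cap is reported as such rather than as merely expired.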
On both Windows and UNIX, the credential cache can hold a maximum of one session credential at any time. This restriction will be relaxed in a future release. File system access controls only allow the user for whom the credential was issued to access the credential cache.
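Because the cache is protected only by file system access controls, a client should create it so that no other user can read it and should refuse to trust a cache file whose owner or mode has drifted. The following added example (not BMC's code; the file name and JSON contents are assumptions, and it is POSIX-only) does both:

```python
"""Added example: create and validate a per-user SSO credential cache file.

Assumptions: POSIX permissions, a constructed file name and JSON contents.
This is not BMC's cache format.
"""
import json
import os
import stat
import tempfile


def write_cache(path, cred):
    """Create the cache readable and writable only by the current user."""
    # O_EXCL: fail rather than reuse a file someone else planted at this path.
    flags = os.O_WRONLY | os.O_CREAT | os.O_EXCL
    flags |= getattr(os, "O_NOFOLLOW", 0)   # never follow a pre-planted symlink
    fd = os.open(path, flags, 0o600)
    with os.fdopen(fd, "w") as f:
        json.dump(cred, f)
    os.chmod(path, 0o600)                    # explicit, independent of the umask


def cache_is_private(path):
    """True only for a regular file owned by us with no group/other permission bits."""
    try:
        st = os.lstat(path)                  # lstat: a symlink is not acceptable
    except FileNotFoundError:
        return False
    return (stat.S_ISREG(st.st_mode)
            and st.st_uid == os.getuid()
            and not (st.st_mode & (stat.S_IRWXG | stat.S_IRWXO)))


def read_cache(path):
    """Load the cached credential, refusing a cache that others could have read or altered."""
    if not cache_is_private(path):
        raise PermissionError(f"refusing to use credential cache {path}: not private to this user")
    with open(path) as f:
        return json.load(f)


def demo():
    """Write a constructed credential, confirm it is private, loosen the mode, show the check fails."""
    d = tempfile.mkdtemp()
    path = os.path.join(d, "bl_sesscc")      # assumed cache file name
    cred = {"user": "alice", "roles": ["BLAdmins"]}   # constructed placeholder contents
    write_cache(path, cred)
    private_ok = cache_is_private(path)
    loaded = read_cache(path)
    os.chmod(path, 0o644)                    # simulate drift to world-readable
    private_after = cache_is_private(path)
    try:
        read_cache(path)
        refused = False
    except PermissionError:
        refused = True
    os.remove(path)
    os.rmdir(d)
    return private_ok, loaded == cred, private_after, refused


if __name__ == "__main__":
    print(demo())
```

The ownership check cannot be exercised in a single-user run, but it is the one that matters on a shared host: a cache file owned by another user, even with mode 0600, is that user's credential, not yours.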
Unlike other BMC Server Automation components, the reports server does not cache the session credential on the client's system. Each time a user logs in to the reports server from a browser, the user supplies the data required for authentication. The reports server relays this information to the Authentication Service and obtains a session credential for the user. The reports server can hold the user's session credential even after the user's connection to the reports server terminates, which is what allows users to schedule recurring report jobs. BMC BladeLogic Decision Support for Server Automation can automatically renew the user's session credential without requiring the user to re-authenticate.