Authentication profiles
To facilitate single sign-on, BMC Server Automation clients use authentication profiles, which are collections of information that a BMC Server Automation client application needs to log into the BMC Server Automation Authentication Service. An authentication profile identifies the following:
- Application Server host name
- Listening port for the Authentication Service hosted by the Application Server
- Authentication protocol: SRP, LDAP, SecurID, PKI, AD/Kerberos, or Domain Authentication
- Information specific to individual authentication protocols, such as the distinguished name template for LDAP
A user can define multiple authentication profiles. For example, an organization might employ three instances of BMC Server Automation — one for Operations, one for QA, and one for Development. If a user wants to connect to all three from the same client application, he or she would need three different authentication profiles, each pointing to a different instance of BMC Server Automation. In another example, if a user plans to log into the Application Server using various authentication mechanisms, he or she would need an authentication profile for each mechanism.
For BMC BladeLogic Decision Support for Server Automation, users do not define authentication profiles. Instead, when logging on, users simply specify an authentication type. Each reports server always accesses the same Authentication Service, so a user does not have to specify an Application Server or listening port.
Using authentication profiles
When a user launches a BMC Server Automation client application (except BMC BladeLogic Decision Support for Server Automation), he or she must specify an authentication profile. The client application looks in its cache of session credentials to determine if it holds a current credential that was acquired under the conditions defined by the authentication profile. Each authentication profile specifies an Application Server hosting an Authentication Service, the port used to access the Authentication Service, and an authentication mechanism. If a cached session credential includes information matching these specifications, the client application establishes a connection to the service listed in the session credential. If the client application does not possess an appropriate session credential, the BMC Server Automation Console prompts the user to log into the Authentication Service identified by the specified authentication profile. In Network Shell or BLCLI, establishment of the client/server session is aborted if the session credential cache does not contain a session credential matching the requirements specified in the authentication profile. The BLCLI or Network Shell user can use the BMC Server Automation Console or the blcred utility to obtain and cache the appropriate SSO session credential.
The BMC Server Automation Console provides a dialog box that allows users to add or delete authentication profiles as well as select an authentication profile for the purpose of logging in. The blcred utility also can be used to add or delete authentication profiles. The BMC Server Automation command line applications provide various options for identifying an authentication profile by name. The following table summarizes these options. Note that BMC BladeLogic Decision Support for Server Automation does not require authentication profiles so it is not listed in the table.
Application | Mechanisms to Identify Authentication Profile | Precedence
--- | --- | ---
BMC Server Automation Console | logon dialog box |
Network Shell (in proxy mode) | environment variable: BL_AUTH_PROFILE_NAME; secure file setting: auth_profile | The environment variable takes precedence over the secure file setting
BLCLI | command line option; environment variable: BL_AUTH_PROFILE_NAME | The command line option takes precedence over the environment variable
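The lookup described above (profile name resolution by precedence, then matching a cached session credential on host, port and mechanism, with the Console prompting and Network Shell/BLCLI aborting on a miss) as a small model in Python. This is example code written for this article, not BMC's implementation; the class layout, function names, hostnames and ports are assumptions.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class AuthProfile:
    """What an authentication profile identifies (per the list above)."""
    name: str
    host: str       # Application Server hosting the Authentication Service
    port: int       # listening port of the Authentication Service
    mechanism: str  # SRP, LDAP, SecurID, PKI, AD/Kerberos or Domain Authentication

@dataclass(frozen=True)
class SessionCredential:
    host: str
    port: int
    mechanism: str
    service: str    # service the client connects to once the credential matches

def resolve_profile_name(app, cli_option=None, env=None, secure_file=None):
    """Precedence from the table: BLCLI checks the command line option before
    BL_AUTH_PROFILE_NAME; Network Shell checks BL_AUTH_PROFILE_NAME before the
    secure file's auth_profile. Returns None when nothing names a profile."""
    env, secure_file = env or {}, secure_file or {}
    if app == "blcli":
        return cli_option or env.get("BL_AUTH_PROFILE_NAME")
    if app == "nsh":
        return env.get("BL_AUTH_PROFILE_NAME") or secure_file.get("auth_profile")
    raise ValueError(f"unknown application: {app}")

def find_cached_credential(profile, cache) -> Optional[SessionCredential]:
    """A cached credential is usable only if host, port AND mechanism all match."""
    for cred in cache:
        if (cred.host, cred.port, cred.mechanism) == (profile.host, profile.port, profile.mechanism):
            return cred
    return None

def connect(app, profile, cache):
    """Console prompts for a login when nothing matches; NSH and BLCLI abort."""
    cred = find_cached_credential(profile, cache)
    if cred is not None:
        return ("connect", cred.service)
    if app == "console":
        return ("prompt_login", f"{profile.host}:{profile.port}")
    return ("abort", "no matching session credential; obtain one via the Console or blcred")

# Constructed sample data (hostnames, ports and service names are placeholders, not BMC defaults).
OPS_PROFILE = AuthProfile("Operations", "appserver-ops.example.internal", 9999, "SRP")
CACHE = [SessionCredential("appserver-ops.example.internal", 9999, "LDAP", "svc-ldap"),
         SessionCredential("appserver-ops.example.internal", 9999, "SRP", "svc-srp")]
```

Note that the LDAP credential in the sample cache is for the same host and port but is not accepted for an SRP profile: all three fields must agree.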
For more information about setting up authentication profiles for the BMC Server Automation Console, see Setting-up-an-authentication-profile. For more information about using blcred, see Using the blcred utility. For more information about using environment variables, see Environment-variables.
Authentication profiles are stored in a single XML file. Within that file, each authentication profile must have a unique name. The XML file resides at a default location, but you can modify that location, as described in Setting-override-locations-for-client-SSO-files.