Enabling Multifactor Authentication (MFA) support for console users using Remedy SSO
Prerequisites
Ensure the following prerequisites are met:
- You have installed the Remedy SSO server. This step is performed by the Remedy SSO administrator. For more information, see Installing Remedy SSO.
- You have configured the Remedy SSO server for the SAML authentication type. This step is performed by the Remedy SSO administrator. For more information, see Configuring Remedy SSO server as a SAML service provider.
- You have configured the OAuth native client for TrueSight Server Automation in the Remedy SSO server. This step is performed by the Remedy SSO administrator. The OAuth client enables TrueSight Server Automation to authenticate itself with Remedy SSO by using a JSON Web Token (JWT) assertion issued by a third-party Identity Provider (IdP). For more information, see Configuring OAuth Client.
- Users that exist in the Identity Provider (IdP) server, such as Microsoft Authenticator, are also present in TrueSight Server Automation, with the Allow Remedy Single Sign-on Authentication option selected for each corresponding user. For more information, see Synchronizing users between the Identity Provider (IdP) server and TrueSight Server Automation.
Synchronizing users between the Identity Provider (IdP) server and TrueSight Server Automation
You can synchronize the users using one of the following methods:
If your Identity Provider (IdP) server is configured with the LDAP server, you can synchronize TrueSight Server Automation users with the users from the LDAP server using the following BLCLI command:
blcli RBACRole syncUsers <roleName> <authenticationType>
For example, to synchronize the RSSOSyncUser role and enable Remedy Single Sign-on Authentication (RSSO) authentication:
blcli RBACRole syncUsers RSSOSyncUser RSSO
This step is performed by the TrueSight Server Automation administrator. For more information, see RBACRole - syncUsers.
If your Identity Provider (IdP) server isn't configured with the LDAP server, you can manually create users in TrueSight Server Automation and enable the Allow Remedy Single Sign-on Authentication option. For manually creating users, see Creating-users. After creating the users, you have two options to enable the Allow Remedy Single Sign-on Authentication option: either select the checkbox manually when you click the user, or use the setRemedySsoAuthenticationEnabled BLCLI command. This step is performed by the RBAC administrator. For more information, see Enabling or disabling the Remedy Single Sign-on Authentication (RSSO) authentication.
As an RBAC administrator, when managing the roles and permissions for the users, you will notice that the Allow Remedy Single Sign-on Authentication option is selected for the users who will use RSSO authentication. Refer to the following screenshot for clarification:
Configuring the Remedy SSO details in the Application Server
To ensure smooth communication between the Application Server and the Remedy SSO server, you need to store the configuration details of the Remedy SSO server in the Application Server. This step is performed by the TrueSight Server Administrator. Ensure that you configure the new BLASAdmin parameters, ClientId and ClientSecret, along with the other necessary parameters. For more information, see Configuring the Remedy Single Sign-On authentication.
Enabling or disabling the Remedy Single Sign-on Authentication (RSSO) authentication
To enable or disable Remedy Single Sign-on Authentication (RSSO) authentication for existing users, use the following BLCLI command:
For example, to disable Remedy SSO authentication for a user account named Mike.
For more information, see RBACUser - setRemedySsoAuthenticationEnabled.
Where to go from here
Now that you know how to enable Multifactor Authentication (MFA) support for console users, you can move on to Using-Multifactor-Authentication-MFA-from-the-TrueSight-Server-Automation-Console.