Implementing Remedy Single Sign-On authentication


TrueSight Server Automation supports integration with Remedy Single Sign-On to enable single sign-on authentication when using the REST APIs. When you authenticate with the Remedy Single Sign-On Server, you can access the TrueSight Server Automation resources using the REST API calls without providing the user credentials again. This topic provides information about how to enable and use Remedy Single Sign-On authentication.

This authentication works as follows:

[Figure: rsso_authentication.png]


Prerequisites 

  • Create a user in the TrueSight Server Automation console and enable Remedy Single Sign-On authentication. For more information, see Creating users.
  • Make sure that TLSv1.2 is configured on the Application Server. If you are upgrading TrueSight Server Automation, manually change the TLS setting to TLSv1.2 for the EnabledTlsContextProtocol property in the appserver-options.properties file, and restart the Application Server. For more information, see Configuring the TLS protocol.
  • If you want to use the HTTPS connection for Remedy Single Sign-On, obtain the Remedy Single Sign-On certificate. For more information, see Implementing private certificates in the Remedy Single Sign-On Server.

  • Copy the Remedy Single Sign-On certificate to <TSSA_installation_dir>/br/deployments.

Configuring the Remedy Single Sign-On authentication 

Do the following:

  1. Log in to the system where TrueSight Server Automation is installed.
    • (Windows) Log in as an administrator.
    • (Linux) Log in as a root user.
  2. On the nsh prompt, run the following commands:
    1. blasadmin
    2. show RemedySsoAuth all
  3. Specify values for these parameters:

    | Parameter | Description | Blasadmin command examples |
    |---|---|---|
    | IsEnabled | Set to true to enable Remedy Single Sign-On authentication. By default, this authentication is disabled. | set RemedySsoAuth IsEnabled true |
    | RemedySsoServerURL | Specify the URL of the server that hosts the Remedy Single Sign-On Server. | set RemedySsoAuth RemedySsoServerUrl http://<host_name>:<port>/rsso/ |
    | ClientId (new in 23.4.01) | Important: Only applicable to TSSA Console. Provide the client ID generated on the Remedy SSO server during OAuth client creation. | set RemedySsoAuth ClientId <RemedySSOClientID> |
    | ClientSecret (new in 23.4.01) | Important: Only applicable to TSSA Console. Provide the client secret generated on the Remedy SSO server during OAuth client creation. | set RemedySsoAuth ClientSecret <RemedySSOClientSecret> |

    If Remedy Single Sign-On is configured to use the HTTPS connection, specify values for the following additional parameters:

    | Parameter | Description | Blasadmin command examples |
    |---|---|---|
    | TrustStorePassword | Specify the truststore password for the Remedy Single Sign-On server certificate validation. | set RemedySsoAuth TruststorePassword <truststore_password> |
    | TrustStorePathname | Specify the keystore path for the Remedy Single Sign-On server certificate validation. | set RemedySsoAuth TrustStorePathname <TSSA_installation_dir>/br/deployments |
    | TrustStoreType | Specify the truststore type to be used for the Remedy Single Sign-On server certificate validation. | set RemedySsoAuth TrustStoreType JKS |
  4. Exit blasadmin.
  5. Restart the Application Server.

Using the Remedy Single Sign-On authentication 

Do the following:

  1. Log in to the system where TrueSight Server Automation is installed.
    • (Windows) Log in as an administrator.
    • (Linux) Log in as a root user.
  2. Make a call to the Remedy Single Sign-On Server to obtain a token.

    Token generation example
    1. Run the following command:

      curl -X POST "https://<host_name>/rsso/api/v1.0/token" \
        -H "accept: application/json" \
        -H "Content-Type: application/json" \
        -d "{ \"username\": \"rssoUser\", \"password\": \"password\", \"realm\": \"*\" }" \
        --insecure

      Example output:

      {
        "rsso_token": "VND_RSSO_V2.eyJpYXQiOjE2MTA2NzY2MTQ2OTcsInNydiI6Imh0dHBzOixyzxtLXB1bi10NHdib3YuYm1jLmNvbTo4NDQzL3Jzc24i6CJybG0iOiIqIiwidG9rZW5JZCI6Il9iZWE1OWZiNy1kZWM1LTQxODMtODVkMS02NDE3ZDE2MjY2NmMifQ=="
      }
    2. Base64-decode the part of the rsso_token value that follows the VND_RSSO_V2. prefix. For example, run the following command on a Linux system:

      echo "eyJpYXQiOjE2MTA2NzY2MTQ2OTcsInNydiI6Imh0dHBzOixyzxtLXB1bi10NHdib3YuYm1jLmNvbTo4NDQzL3Jzc24i6CJybG0iOiIqIiwidG9rZW5JZCI6Il9iZWE1OWZiNy1kZWM1LTQxODMtODVkMS02NDE3ZDE2MjY2NmMifQ==" | base64 -d

      For more information about encoding and decoding base64, see Base64 encode and decode (https://www.base64decode.org/).

      Example result:

      {
      "iat": 1610676614697,
      "srv": "https://:/rsso",
      "rlm": "*",
      "tokenId": "_bee55fb7-dec5-4184-85d1-6317d162666c"
      }
  3. Use the Remedy Single Sign-On token that you obtained in the previous step for the subsequent API calls.
  4. For example, make the following call to the GET:/v1/servers API to get a list of all servers:

    curl -X GET "https://<host_name>/bsa-rest/v1/servers" -H "accept: application/json" -H "Authorization: Bearer <token>="

For information about using the Swagger UI, see Trying-out-the-REST-APIs.
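
As an added example (not part of the BMC documentation or product), the following shell functions decode the token payload locally, as in step 2, and check it before the token is used in later API calls. The sample token, the host rsso.example.test, the one-hour age limit, and the expectation that srv equals your Remedy Single Sign-On Server URL are assumptions made for the example.

```shell
#!/bin/sh
# Added example (not BMC code): inspect a VND_RSSO_V2 token locally before use.

# Print the decoded JSON payload of the token; fail on a wrong prefix or bad base64.
rsso_payload() {
    case "$1" in
        VND_RSSO_V2.*) printf '%s' "${1#VND_RSSO_V2.}" | base64 -d 2>/dev/null ;;
        *) echo "unexpected token prefix" >&2; return 1 ;;
    esac
}

# Extract one top-level string or number field from the flat JSON payload.
rsso_field() {
    printf '%s' "$1" | tr -d '\n' |
        sed -n "s/.*\"$2\"[[:space:]]*:[[:space:]]*\"\{0,1\}\([^\",}]*\).*/\1/p"
}

# usage: rsso_check <token> <expected_srv> <max_age_seconds> [now_seconds]
# Prints "ok" and returns 0 only if srv matches and the token is fresh.
rsso_check() {
    chk_payload=$(rsso_payload "$1") || { echo "undecodable"; return 1; }
    chk_srv=$(rsso_field "$chk_payload" srv)
    chk_iat=$(rsso_field "$chk_payload" iat)
    chk_now=${4:-$(date +%s)}
    [ "$chk_srv" = "$2" ] || { echo "srv mismatch: $chk_srv"; return 1; }
    case "$chk_iat" in ''|*[!0-9]*) echo "bad iat"; return 1 ;; esac
    chk_age=$(( chk_now - chk_iat / 1000 ))      # iat is in milliseconds
    if [ "$chk_age" -lt 0 ] || [ "$chk_age" -gt "$3" ]; then
        echo "stale or future-dated token (age ${chk_age}s)"; return 1
    fi
    echo "ok"
}

# Constructed sample: payload shaped like the decoded example result on this page.
SAMPLE_SRV='https://rsso.example.test:8443/rsso'
SAMPLE_PAYLOAD='{"iat":1700000000000,"srv":"'"$SAMPLE_SRV"'","rlm":"*","tokenId":"_00000000-0000-0000-0000-000000000000"}'
SAMPLE_TOKEN="VND_RSSO_V2.$(printf '%s' "$SAMPLE_PAYLOAD" | base64 | tr -d '\n')"

# Fixed "now" value so the run is repeatable; omit it to use the current time.
rsso_check "$SAMPLE_TOKEN" "$SAMPLE_SRV" 3600 1700000100
```

These are client-side sanity checks only; the server still decides whether the token is valid. When requesting the token, passing the Remedy Single Sign-On certificate from the prerequisites (in PEM format) to curl with --cacert lets you drop --insecure, so the token is obtained from a server whose certificate was verified.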

 
