Setting up authentication for the on-premises gateway

With BMC Helix Single Sign-On (SSO), BMC Helix Intelligent Integrations on-premises gateway users are required to present credentials to authenticate themselves. If both BMC Helix Intelligent Integrations and BMC Helix applications are deployed in your on-premises environment as part of the BMC Helix IT Operations Management on-premises entitlement, register the OAuth client to set up the authentication for the on-premises gateway.

Related topics

Deployment-scenarios



To set up the authentication for the on-premises gateway

  1. Create a tenant administrator account for BMC Helix SSO:
    1. Log on to the BMC Helix SSO Admin Console as a SaaS administrator.
    2. Click Tenant and from the list of tenants, select a tenant.
    3. Click the pin icon to switch to the BMC Helix SSO Admin Console of the selected tenant.
    4. On the navigation panel, click the Admin User tab.
      The list of administrator users is displayed.
    5. (Optional) Click Add Admin User.
      On the Add Admin User page enter the following information and click Save:
      • Login: Enter a name of the BMC Helix SSO administrator.
      • Password: Create a password for the tenant administrator account.
      • Confirm Password: Confirm the password for the tenant administrator account.
        The tenant administrator account is added and is available in List of Admin Users.
  2. Register the OAuth client:
    1. Log on to the BMC Helix SSO Admin Console as a tenant administrator by using the credentials you created in step1(f).
    2. Click OAuth2
    3. On the OAuth2 and OpenID Configuration page, click the Clients tab.
    4. Click Register Client.
    5. Enter a name for the OAuth client.
    6. Ensure that the Enabled check box is selected to enable the client for authorization. 
    7. Click Add Redirect URI, and then add the URI in the following format to which the authorization code is sent after an /authorize request succeeds. The client side must support the URI.
      https://<hostName>:<portNumber>/swpui/auth/code/callback
      In the URL:
      • Replace <hostName> with the fully-qualified domain name of the server where the on-premises gateway is installed.
      • Replace <portNumber> with a custom port if you are using a port other than the default of 443. 
    8. Select the openid (Scope used for OpenID connect) check box to enable the OAuth client to use the OpenID Connect protocol.

    9. Click Save.
      The following information is automatically generated when you register the client:

      Client ID

      Registers the client identifier issued to the client by BMC Helix SSO server during the registration process. You can view this information when you select the registered client.

      Client Secret

      Shows the client secret (private key) only after you click Save.
      The private key is used to sign the JWT, which contains the client authorization. This JWT is different from the one containing the end-user credentials that is used in the JWT assertion grant type.

    10. Save the Client ID and Client Secret values in a file somewhere because these values will not be displayed again.
    11. Log out of the BMC Helix SSO admin console.
  3. Add a realm and configure authentication for the realm:
    1. Log on to the BMC Helix SSO console as a SaaS administrator.
    2. Click the edit icon corresponding to the realm of the tenant.
    3. In Application Domain(s), enter the fully-qualified domain name of the server where the on-premises gateway is installed.
    4. Click Save.


Where to go from here

Deploy the on-premises gateway on Docker or Podman containers:

 

Tip: For faster searching, add an asterisk to the end of your partial query. Example: cert*