Authentication options

Your BMC Helix service entitles you to use the BMC Helix Single Sign-On (BMC Helix SSO) application. BMC Helix SSO is provisioned by default with your service. For BMC Helix SSO product-specific documentation, see BMC Helix Single Sign-On overview.

BMC Helix SSO is an authentication system for a multi software environment that enables users to present credentials for authentication only once. After BMC Helix SSO authenticates the user, the user can gain access to any other configured application with automatic authentication without providing the credentials again.

This section describes the authentication options that are supported by the BMC Helix services and includes the following information:

These options range from the intrinsic, basic authentication of the AR System platform to advanced, single sign-on capability. Authentication options can also be chained, which allows combinations of these approaches to match your specific requirements.

Related topics

Single sign-on authentication methods

Configuring SAML 2.0 authentication

Configuring LDAP authentication

Reauthentication

OpenID Connect authentication

Summary of options

The following authentication options are available for BMC Helix services:

  • Federated authentication - BMC supports OpenID Connect 1.0 and SAML 2.0 authentication for all products. BMC SaaS Operations can assist in the configuration of OpenID Connect 1.0 or SAML 2.0 based on your request. See Authentication-integration for details.
  • Standard AR authentication (BMC Helix ITSM and Digital Workplace services only) - the customer may configure users to use in-app authentication by configuring login IDs and passwords for each user. Specific user permissions may be required for different products. This method is not recommended for an enterprise deployment although it is used prior to the setup of a permanent authentication implementation.

  • LDAP pass-through authentication - this method uses common LDAP pass-through for all products. Multiple LDAP sources can be configured in the system if needed. Configuration of the LDAP pass-through authentication is usually covered by your onboarding team under a separate statement of work. 

    Important

    • BMC's preferred method of authentication is the federated authentication option via OpenID Connect 1.0. This option aligns with typical SaaS-based authentication mechanisms seen in the industry.
    • Kerberos is not supported for BMC Helix services.
    • BMC Helix Single Sign-On acts as an authentication broker and relies on the Identity Provider on customers side, and offers not only two-factor and multi-factor authentication but also device-based conditional access, time-based conditional access, etc.
    • If your application is integrated with the BMC Helix SSO server that is configured to use the OpenID Connect protocol to authenticate users accessing an application, then for the end users to pass the authentication flow, multi-factor authentication must be enabled and configured on the OpenID Connect Identity Provider.

 

Tip: For faster searching, add an asterisk to the end of your partial query. Example: cert*