Authentication integration
The authentication integration service allows ITSM customers to authenticate to their BMC Helix environments through standard external authentication systems using the Security Assertion Markup Language (SAML) protocol, the OpenID Connect flow, or LDAP authentication. Please see Authentication options for a more detailed description of the available options.
After you receive your BMC Helix Single Sign-On URL and credentials for each environment in the BMC Helix activation email, you can access the BMC Helix SSO console and begin performing the administrative activities below. If you need to configure multiple realms, submit a Support Case to have the new realms added.
Security Assertion Markup Language (SAML)
Please configure your preferred external authentication with one of the following sources:
- Security Assertion Markup Language (SAML) V2.0 using Active Directory Federation Services (ADFS) 2.0 or 3.0
- SAML V2.0 using a third-party product (for example, Ping Identity, Shibboleth, and so on)
If you are a Microsoft Azure Active Directory customer, please use the following values to generate your IdP metadata file:
- Service Provider Entity ID: <insert Helix service name>_<environment suffix>/<insert Helix service name>-<environment suffix>
- Reply URL (Assertion Consumer Service URL): https://<insert Helix service name>-rsso-<environment suffix>.onbmc.com/rsso/receiver/<insert Helix service name>-<environment suffix>
- For example, the Service Provider Entity ID will be acme_dev/acme-dev and the Reply URL will be https://acme-rsso-dev.onbmc.com/rsso/receiver/acme-dev
Please refer to Importing configuration from an identity provider and configuring SAML and follow the configuration steps.
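A pre-flight check for the two values above, as an added example (not BMC code): it confirms that the Entity ID and Reply URL name the same service and environment and that the Reply URL stays on HTTPS under the expected onbmc.com host. The function names and the lowercase-alphanumeric name pattern are assumptions made for this sketch.

```python
import re
from urllib.parse import urlsplit

# Assumption: service names and environment suffixes are lowercase
# alphanumerics; the page does not define the allowed character set.
NAME = r"[a-z0-9]+"
ENTITY_RE = re.compile(rf"^({NAME})_({NAME})/({NAME})-({NAME})$")


def expected_values(service, suffix):
    """Build the Entity ID and Reply URL from the patterns on this page."""
    realm = f"{service}-{suffix}"
    entity_id = f"{service}_{suffix}/{realm}"
    reply_url = f"https://{service}-rsso-{suffix}.onbmc.com/rsso/receiver/{realm}"
    return entity_id, reply_url


def check_sp_settings(entity_id, reply_url):
    """Return a list of problems; an empty list means the pair is consistent."""
    match = ENTITY_RE.match(entity_id)
    if not match:
        return ["entity ID does not match <service>_<suffix>/<service>-<suffix>"]
    service, suffix, service2, suffix2 = match.groups()
    problems = []
    if (service, suffix) != (service2, suffix2):
        problems.append("entity ID halves name different service or environment")
    want = urlsplit(expected_values(service, suffix)[1])
    got = urlsplit(reply_url)
    if got.scheme != "https":
        problems.append("reply URL is not https")
    # Comparing the whole netloc also rejects userinfo, ports and
    # look-alike hosts such as <expected host>.example.net.
    if got.netloc.lower() != want.netloc:
        problems.append(f"reply URL host {got.netloc!r}, expected {want.netloc!r}")
    if got.path != want.path:
        problems.append(f"reply URL path {got.path!r}, expected {want.path!r}")
    if got.query or got.fragment:
        problems.append("reply URL carries a query string or fragment")
    return problems


if __name__ == "__main__":
    # Constructed sample: the acme/dev values from the example on this page.
    entity, url = expected_values("acme", "dev")
    print(entity, url, check_sp_settings(entity, url))
```

Run it against the values entered in the Azure application before exporting the metadata; a mismatch between environments (for example a dev Entity ID paired with a prod Reply URL) is reported as a host and path problem.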
OpenID Connect Authentication Flow (OIDC)
OpenID Connect (OIDC) is an identity layer built on top of the OAuth 2.0 protocol and provides a standardized way for users to authenticate with a trusted identity provider (IdP) through an ID token that asserts their identity.
Please refer to Configuring OpenID Connect authentication and follow the configuration steps.
Lightweight Directory Access Protocol (LDAP)
Please ensure you have completed the setup of your BMC Helix Client Gateway connectivity before starting configuration for your Lightweight Directory Access Protocol (LDAP) authentication. LDAP is a widely used method for managing and authenticating user credentials in a networked environment; it enables the application to connect to an external directory service to authenticate users.
Please refer to Configuring LDAP authentication and follow the configuration steps.
OAuth configuration
As an administrator, you might need to configure OAuth 2.0 in any of the following cases:
- You have applications that act as OAuth clients and interact with applications protected by BMC Helix SSO
- You have applications hosted on different top-level domains that are integrated with the same BMC Helix SSO server
Please refer to Configuring OAuth and follow the configuration steps.
Transforming userID to match login ID
Maintain a coherent and simplified authentication framework by mapping the login ID within your BMC Helix ITSM to the userID available from your trusted identity provider (IdP).
Please refer to Transforming userID to match login ID and follow the configuration steps.