Out of support: This documentation supports the 8.0 version of BMC Atrium Single Sign-On, which is in "End of Version Support." However, the documentation is available for your convenience.

Managing authentication chains


Authentication chain manipulation in BMC Atrium Single Sign-On occurs on the Authentication Chaining page.

To navigate to the Authentication Chaining page

Navigate to Access Control > BmcRealm link > Authentication > Authentication Chaining link

To create a new authentication chain

  1. Navigate to the Authentication Chaining page, Access Control > BmcRealm link > Authentication > Authentication Chaining link
  2. Click New.
     This action launches a new page.
  3. Type the name for this new chain into the Name field.
  4. Click OK.
  5. On the properties page, configure the module instance for the new chain.
     The chain's properties page launches after the new chain is created. To manipulate modules within the chain, edit the chain.

To edit a chain

On the chain properties page, the Modules table allows you to add, remove, and reorder the modules, as well as select the criteria used to affect the flow of processing and to determine the overall authentication status of the chain.

  1. Navigate to the Authentication Chaining page, Access Control > BmcRealm link > Authentication > Authentication Chaining link
  2. Select the Authentication Chaining link.
  3. Select the link of the authentication chain that you want to edit.
     Alternatively, after creating a new chain, the properties page for the chain is automatically displayed.
  4. Click Save.

Note

Currently, BMC Atrium Single Sign-On does not use the Successful Login URL field. BMC recommends that these fields be left blank to prevent negative impact to the BMC Atrium Single Sign-On server.

To check the authentication chain that is being used

Before deleting a chain, verify that BmcRealm is not actively using the chain for authentication.

  1. Navigate to the BmcRealm Authentication page, Access Control > BmcRealm link > Authentication
  2. Verify the name of the chain that is displayed in the Organization Authentication Configuration field.
     This is the chain that is currently being used.
  3. If the chain that you want to delete is being used, change the Organization Authentication Configuration field to a different chain.

    Note

    If the chain is in use when it is deleted, an alternate chain is randomly selected.

To delete a chain

  1. Navigate to the BmcRealm Authentication page, Access Control > BmcRealm link > Authentication
  2. Select the Authentication Chaining link.
  3. Select the check box of the chain you want to delete.
  4. Click Delete.

To add a new module instance to the chain

  1. Navigate to the Authentication Chaining page, Access Control > BmcRealm link > Authentication > Authentication Chaining link
  2. Click Add.
     A new row is appended to the module instances table configured with default values.
  3. In the Instance column, click the drop-down menu to change the default module value.
     Alternatively, in the Criteria column, click the drop-down menu to change the default module value.

The criteria selected for a module alter the authentication status of the chain. The criteria categories are Required, Requisite, Sufficient, and Optional.

  • Required: This module must authenticate the user. Regardless of pass or fail, processing of the chain continues.
  • Requisite: This module must authenticate the user. When authentication fails, processing of the chain aborts.
  • Sufficient: This module might authenticate the user. If authentication passes, processing of the chain stops, otherwise processing continues.
  • Optional: This module might authenticate the user. Processing continues regardless of success or failure.

The overall status is successful if all of the Required and Requisite modules pass before either the end of the chain or the first successful Sufficient module. When there are no Required or Requisite modules, then at least one Sufficient or Optional module must authenticate the user.
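The following added example (not BMC or OpenSSO code) models the four criteria as described above and evaluates a chain in order, then audits a chain for orderings in which a Required or Requisite module is never processed. The instance names LDAP and Token and the helper names `evaluate_chain` and `audit_chain` are assumptions made for illustration.

```python
# Added example: models the criteria rules described on this page.
MUST_PASS = {"Required", "Requisite"}
CRITERIA = MUST_PASS | {"Sufficient", "Optional"}

def evaluate_chain(chain, outcomes):
    """chain: ordered (instance, criteria) pairs; outcomes: instance -> bool.
    Returns (authenticated, instances_processed)."""
    must_pass_failed = False
    any_passed = False
    processed = []
    for instance, criteria in chain:
        if criteria not in CRITERIA:
            raise ValueError(f"unknown criteria: {criteria}")
        ok = outcomes[instance]
        processed.append(instance)
        any_passed = any_passed or ok
        if criteria == "Requisite" and not ok:
            return False, processed                 # failure aborts the chain
        if criteria == "Required" and not ok:
            must_pass_failed = True                 # remembered; processing continues
        if criteria == "Sufficient" and ok:
            return not must_pass_failed, processed  # success stops the chain
    if any(c in MUST_PASS for _, c in chain):
        return not must_pass_failed, processed
    # No Required/Requisite modules: at least one module must have passed.
    return any_passed, processed

def audit_chain(chain):
    """Flag orderings where a module decides less than its criteria suggests."""
    findings = []
    first_sufficient = None
    for instance, criteria in chain:
        if criteria == "Sufficient" and first_sufficient is None:
            first_sufficient = instance
        elif criteria in MUST_PASS and first_sufficient is not None:
            findings.append(f"{instance} ({criteria}) is skipped whenever "
                            f"{first_sufficient} (Sufficient) passes")
    if not any(c in MUST_PASS for _, c in chain):
        findings.append("no Required or Requisite module: "
                        "any single passing module authenticates the user")
    return findings

# Constructed sample chains; the instance names are placeholders.
TWO_FACTOR = [("LDAP", "Requisite"), ("Token", "Required")]
MISORDERED = [("LDAP", "Sufficient"), ("Token", "Required")]

if __name__ == "__main__":
    print(evaluate_chain(TWO_FACTOR, {"LDAP": True, "Token": False}))
    print(evaluate_chain(MISORDERED, {"LDAP": True, "Token": False}))
    print(audit_chain(MISORDERED))
```

Running the audit after every reorder shows whether moving a Sufficient module above a Required or Requisite one has changed which modules a user must actually pass.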

The fields within the Options columns are used to pass extra configuration items to the authentication module when used within the chain, such as enabling debug logging. BMC Atrium Single Sign-On does not currently use this feature. Refer to the applicable OpenSSO documents for further information.

To delete a module instance from a chain

  1. Navigate to the Authentication Chaining page, Access Control > BmcRealm link > Authentication > Authentication Chaining link
  2. Select the name of the chain that you want to remove.
  3. On the chain's property page, select the check box of each module instance that you want to remove.
  4. Click Remove to delete the module instance from the chain.

To change a module instance within a chain

  1. Navigate to the Authentication Chaining page, Access Control > BmcRealm link > Authentication > Authentication Chaining link
  2. In either the Instance or Criteria column, click the drop-down menu to select a new value.
  3. Click Save.

To reorder the modules in a chain

Instead of performing numerous add and remove operations on the module table to switch the order in which the module instances are processed, use the Reorder option.

  1. Navigate to the Authentication Chaining page, Access Control > BmcRealm link > Authentication > Authentication Chaining link
  2. Select the name of the chain that you want to alter.
  3. Click Reorder.
  4. Select the Module Instance that you want to move.
  5. Select Move Up, Move Down, Move to Top, or Move to Bottom to change the order in which the module instances are processed.
  6. To update the re-ordering of the module instance, click OK.

On this page, module instances can be selected and moved up or down the chain. The selected module instance can be moved to the top or bottom of the list by clicking Move to Top or Move to Bottom.

 
