Out of support This documentation supports the 8.1 version of BMC Atrium Single Sign-On, which is in "End of Version Support." However, the documentation is available for your convenience. You will not be able to leave comments.Click here to view the documentation for a supported version of Remedy Single Sign-On.

Configuring BMC Atrium Single Sign-On as an IdP

If you configure the BMC Atrium Single Sign-On server as an Identity Provider (IdP), do not use the server as the integration server for BMC products. Instead, a separate BMC Atrium Single Sign-On server should be configured as a Service Provider (SP) and used as the integration host.

Important

Do not integrate BMC products into a BMC Atrium Single Sign-On server when it is configured as an Identity Provider.

Verify that a X509 certificate is imported into the keystore

Before creating the IdP, a X509 certificate is needed for signing communications between the IdP and SP of the SAML Circle of Trust (COT). When joining an already existing COT, the certificate for the COT must be imported into the keystore.. A default certificate is created and stored in the keystore during the installation with the alias name of test. This certificate can be used without creating and importing a new certificate.

To import the Circle of Trust certificate

When BMC Atrium Single Sign-On is configured as an IdP, the Circle of Trust certificate must be imported into a keystore for the server to use.

  1. Navigate to the keystore location, and replace the test certificate with your generated certificate.

    Note

    The default Circle of Trust keystore location and name is <installationDirectory>/tomcat/cot.jks. This keystore must be of the type, JKS (not PKCS12 or any other type). The default password for the keystore and certificates is changeit.

  2. If the password for the keystore was changed, update the default .keypass and .storepass configuration files with the encrypted form of the new password.
     The configuration files are located in the same <installationDirectory>/tomcat/ directory as the Circle of Trust keystore.

  3. Stop and restart the Tomcat server.

    Note

    The new certificate is not available to use for creating an IdP until the Tomcat server is stopped and restarted.

To encrypt the passwords for storage in the files

  1. Enter the following URL into the browser:
    https://:/atriumsso/encode.jsp

    In this case:
    • host is the FQDN of the BMC Atrium Single Sign-On host.
    • port is the port number that BMC Atrium Single Sign-On is using for secure communication.
  2. Enter a new password.
  3. To encrypt the value, click Encode.
  4. Copy the encrypted password into the configuration files.
  5. Stop and restart the BMC Atrium Single Sign-On server.

Create a local IdP

The Local Identity Provider (IdP) Editor has the following options:

The macro unmigrated-inline-wiki-markup from Confluence is no longer available.

To create a local IdP

  1. On the BMC Atrium SSO Admin Console, click Edit BmcRealm.
  2. On the Federation tab, click Add.
  3. Select Local Identity Provider (IdP).
  4. Provide the local IdP information.
  5. Click Save.

Note

If there are issues with keystore configuration, an error message is displayed.

Create a remote SP

  1. On the BMC Atrium SSO Admin Console, click Edit BmcRealm.
  2. On the Federation panel, click Add.
  3. Select Remote Service Provider (SP).
  4. Create a name for the remote IdP and upload the IdP metadata on the Create Service Provider (SP) pop-up.

    Parameters

    Description

    Name

    Name for the remote SP.

    URL

    Select URL to acquire the remote IdP metadata from the URL location. Specify the FQDN of the host, including the port and any required path information. This URL is IdP-specific. For information on the metadata URL, consult the SP documentation. For information about providing SP metadata from another Atrium Single Sign-On server, seeProviding SP metadata from another Atrium Single Sign-On server

    File Upload

    Select File Upload to upload a file that contains the remote SP metadata.

    Providing SP metadata from another Atrium Single Sign-On server

    For accessing SP metadata, the following URL syntax is used:
    https://<host>:<port>/atriumsso/saml2/jsp/exportmetadata.jsp?role=sp&realm=BmcRealm&entityid=<entityid> 

    In the case:

    • host is the FQDN of the server hosting the SP.
    • port is the port used for secure communications of the server hosting the SP.
    • entityid is the name of the SP hosted by the server.

    For example:

    https://sp.bmc.com:8443/atriumsso/saml2/jsp/exportmetadata.jsp?role=sp&realm=BmcRealm&entityid=https://sp:8443/atriumsso

  5. Click Save
  6. On the Federation panel, select the remote IdP.
  7. Click Edit.
  8. Provide the remote SP parameters.
  9. Click Save.

Remote SP Editor parameters

The Remote Service Provider (SP) Editor has the following options:

The macro unmigrated-inline-wiki-markup from Confluence is no longer available.

(Optional) Federate your user accounts in bulk

For information about using bulk federation, see Federating-user-accounts-in-bulk.

Where to go from here

  • For information about managing users, user groups, and authentication modules, see Administering.
  • For information about troubleshooting SAMLv2 authentication, see Troubleshooting-SAMLv2.

 

Tip: For faster searching, add an asterisk to the end of your partial query. Example: cert*