Configuring BMC Atrium Single Sign-On as an SP
In a Circle of Trust, BMC Atrium Single Sign-On is normally configured as a Service Provider (SP) for BMC products. The Circle of Trust is then completed with an Identity Provider (IdP), which provides authentication for the federated single sign-on. The following topics are provided:
Verify that certificates were imported into the truststore
Before configuring BMC Atrium Single Sign-On with a Service Provider, verify that all the certificates used for network communication (Transport Layer Security) between the servers that are participating in the Circle of Trust have been imported into the truststore of BMC Atrium Single Sign-On.
- If you are using signed certificates, import only the root CA certificate.
- If you are using self-signed certificates, import the public certificates into the truststore.
For more information about importing certificates, see Installing-and-managing-certificates-in-BMC-Atrium-Single-Sign-On and Importing a certificate into the cacerts.p12.
Create a local SP
If you are using a second BMC Atrium Single Sign-On server as an IdP, the certificate from that server must be exported from the <installationDirectory>/tomcat/conf/keystore.p12 file and imported into the cacerts.p12 of the BMC Atrium Single Sign-On server that is providing the SP role.
To create a local SP
- On the BMC Atrium SSO Admin Console, click Edit BmcRealm.
- On the Federation tab, click Add.
- Select Local Service Provider (SP).
- Provide the local SP information.
- Click Save.
Local SP parameters
The Local Service Provider (SP) Editor has the following options:
Create a remote IdP
- On the BMC Atrium SSO Admin Console, click Edit BmcRealm.
- On the Federation panel, click Add.
- Select Remote Identity Provider (IdP).
- Before uploading the IdP metadata, you must import a signed certificate into the cot.jks keystore used for SAMLv2 authentication. The cot.jks file is located in the <installationDirectory>/tomcat directory.
- Create a name for the remote IdP and upload the IdP metadata on the Create Identity Provider (IdP) window.
Parameters | Description |
---|---|
Name | Name for the remote IdP. |
URL | Select URL to acquire the remote IdP metadata from the URL location. Specify the FQDN of the host, including the port and any required path information. This URL is IdP-specific. For information on the metadata URL, consult the IdP documentation. For information about providing IdP metadata from another Atrium Single Sign-On server, see Providing IdP metadata from another Atrium Single Sign-On server. |
File Upload | Select File Upload to upload a file that contains the remote IdP metadata. |
Providing IdP metadata from another Atrium Single Sign-On server
When using another Atrium Single Sign-On server as an IdP, the following URL template is used to access the metadata needed by the SP:
https://<host>:<port>/atriumsso/saml2/jsp/exportmetadata.jsp?role=idp&realm=BmcRealm&entityid=<entityid>
In this case:
- host is the FQDN of the BMC Atrium Single Sign-On server hosting the IdP.
- port is the port used for secure communication of the BMC Atrium Single Sign-On server hosting the IdP.
- entityid is the name of the IdP hosted by the BMC Atrium Single Sign-On server.
For example:
https://idp.bmc.com:8443/atriumsso/saml2/jsp/exportmetadata.jsp?role=idp&realm=BmcRealm&entityid=https://idp:18443/atriumsso
- Click Save.
- On the Federation panel, select the remote IdP.
- Click Edit.
- Provide the remote IdP parameters.
- Click Save.
Remote IdP Editor parameters
The Remote Identity Provider (IdP) Editor has the following options:
Field | Parameter | Description |
---|---|---|
Name | | Name for the IdP, or accept the provided IdP name. The Name field is pre-populated with a value that reflects the expected IdP name. |
Binding | | This option determines the way in which SAML messages are sent and received between the IdP and the SP. HTTP-Redirect and Post are used when a direct connection between the IdP and SP is not possible. The two bindings differ in the method used to exchange the SAMLv2 messages: HTTP Redirect or XHTML Form with Post. |
Sign Messages | Signing Certificate Alias | The alias specifies the certificate that will be used to sign the specified SAML messages. Signing is used to verify that the messages have not been altered in transit and that they originated with the IdP. |
Sign Messages | Authentication Request, Logout Request, Logout Response, Manager Name ID Request, Manager Name ID Response, and Artifact Resolve | These parameters are the SAMLv2 messages that are to be signed by the IdP or are expected to have been signed by the SP. |
Encrypt Elements | Encryption Certificate Alias | The alias specifies the private key that will be used to encrypt the secret key that encrypts the SAMLv2 messages. |
Encrypt Elements | Encryption Algorithm | The encryption algorithm used to encrypt SAMLv2 messages. Select an option, None, 3DES, AES-128, or AES-256, from the drop-down menu. |
Encrypt Elements | Name ID | Specifies whether to encrypt the Name ID or leave it in plain text. |
Modify the JEE agents
As part of configuring BMC Atrium Single Sign-On to host an SP, the J2EE agent configuration must be modified to work with SAMLv2 federation.
- On the BMC Atrium SSO Admin Console, click Agent Details.
- Select the agents associated with a BMC product integrated with this Atrium Single Sign-On server. For example, dashboards@sample.bmc.com:8443.
- Click Edit.
- Delete the URLs in the login URI field.
- Enter the Federated login URL. For information about the log in URL syntax, see Federated log in URL syntax.
- Delete the URLs in the logout URI field.
- Enter the Federated logout URL. For information about the log out URL syntax, see Federated log out URL syntax.
- Click Save.
The Agent manager provides an Agent panel that allows you to edit, delete, and search for an agent, and shows the agent name, realm, and state. The state indicates whether the agent is running or is down. When searching for an agent, * returns all of the names. The filter applies to all columns in the Agent panel: an agent is returned for display when the filter string is found within any of these values. This lets you filter the list of agents to the running ones by specifying "Running".
Agent Editor
The Agent Editor allows you to modify the configuration of an agent. By modifying the agent configuration, you can correct problems caused by environment difficulties. For example, a remote host may report its FQDN (Fully Qualified Domain Name) incorrectly, using a plain name such as machine instead of machine.bmc.com.
The Agent Editor is launched when you select an agent and click Edit. The Agent Editor has the following options:
Federated log in URL syntax
https://<host>:<port>/atriumsso/spssoinit?metaAlias=/BmcRealm/sp&idpEntityID=<entityId>
In this case:
- host is the FQDN of the Atrium Single Sign-On server hosting the SP.
- port is the port used for secure communication of the Atrium Single Sign-On server hosting the SP.
- entityId is the name of the IdP to be used by this SP.
Federated log out URL syntax
https://<host>:<port>/atriumsso/saml2/jsp/spSingleLogoutInit.jsp?idpEntityID=<entityId>&RelayState=<webappURL>
In this case:
- host is the FQDN of the BMC Atrium Single Sign-On server hosting the SP.
- port is the port used for secure communication of the BMC Atrium Single Sign-On server hosting the SP.
- entityId is the name of the IdP to be used by this SP.
- webappURL is the URL for the webapp for this agent.
Federated IdP initiated URL
If you are using IdP Initiated single sign-on and integrate BMC applications with BMC Atrium Single Sign-On, you may choose IdP initiated login. For IdP initiated login, you must redirect the user to an application that is integrated with BMC Atrium Single Sign-On (for example, mid tier) using the following URL format:
https://fqdn:port/atriumsso/idpSSOInit?metaAlias=<idp-metaalias>&spEntityID=<sp-name>[&NameIDFormat=<format>][&RelayState=<final-url>]
In this case:
- idp-metaalias is the meta alias for the remote IdP that is initiating BMC Atrium SSO.
- sp-name is the name of the local SP.
- format is the name ID format to be used, for example urn:oasis:names:tc:SAML:2.0:nameid-format:persistent or urn:oasis:names:tc:SAML:2.0:nameid-format:transient.
- final-url is the application landing URL where the user should be sent after logging out of BMC Atrium SSO
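The metadata export URL, the federated login and logout URLs, and the IdP-initiated URL above all share one trap: several of their parameter values (the entityid, the RelayState) are themselves URLs, and a RelayState that carries its own query string must be percent-encoded or the agent's web application URL is cut at the first unencoded ampersand. The following added example (not BMC code) assembles each of the four URL forms from its parts with the Python standard library, keeping "/" and ":" literal so the result reads like the page's example while encoding "&", "?" and "=", and decodes a URL back into its parameters so the result can be checked. The host names, ports, IdP meta alias and web-application URL used in it are constructed placeholders; the paths are the ones the page gives.

```python
"""Assemble the federation URLs this page describes from their parts, with each
query value percent-encoded, and parse them back for checking.

Added example for this page; it is not BMC code. Host names, ports, the IdP
meta alias and the web-application URL used here are constructed placeholders.
The path segments (/atriumsso/spssoinit and so on) are the ones the page gives.
"""
from urllib.parse import parse_qs, urlencode, urlsplit

# Keep '/' and ':' literal so entity IDs that are themselves URLs stay readable,
# as in the page's example; '&', '?', '=' and spaces are still encoded.
_SAFE = "/:"


def _url(host: str, port: int, path: str, params: dict) -> str:
    return f"https://{host}:{port}{path}?{urlencode(params, safe=_SAFE)}"


def metadata_export_url(host, port, idp_entity_id, realm="BmcRealm"):
    """URL the SP fetches IdP metadata from when the IdP is another Atrium SSO server."""
    return _url(host, port, "/atriumsso/saml2/jsp/exportmetadata.jsp",
                {"role": "idp", "realm": realm, "entityid": idp_entity_id})


def federated_login_url(host, port, idp_entity_id, realm="BmcRealm"):
    """Federated login URL for the agent's login URI field."""
    return _url(host, port, "/atriumsso/spssoinit",
                {"metaAlias": f"/{realm}/sp", "idpEntityID": idp_entity_id})


def federated_logout_url(host, port, idp_entity_id, webapp_url):
    """Federated logout URL; RelayState carries the agent's web application URL."""
    return _url(host, port, "/atriumsso/saml2/jsp/spSingleLogoutInit.jsp",
                {"idpEntityID": idp_entity_id, "RelayState": webapp_url})


def idp_initiated_url(host, port, idp_meta_alias, sp_name,
                      name_id_format=None, relay_state=None):
    """IdP-initiated login URL; the two bracketed parameters on the page are optional."""
    params = {"metaAlias": idp_meta_alias, "spEntityID": sp_name}
    if name_id_format:
        params["NameIDFormat"] = name_id_format
    if relay_state:
        params["RelayState"] = relay_state
    return _url(host, port, "/atriumsso/idpSSOInit", params)


def query_params(url: str) -> dict:
    """Decode a URL's query string back into single-valued parameters."""
    return {k: v[0] for k, v in parse_qs(urlsplit(url).query).items()}


if __name__ == "__main__":
    # Constructed placeholder values; the IdP entity ID mirrors the page's example.
    idp_id = "https://idp:18443/atriumsso"
    app = "https://dashboards.sample.bmc.com:8443/dashboards/?view=home&tab=1"
    print(metadata_export_url("idp.bmc.com", 8443, idp_id))
    print(federated_login_url("sso.example.com", 8443, idp_id))
    logout = federated_logout_url("sso.example.com", 8443, idp_id, app)
    print(logout)
    print(query_params(logout)["RelayState"] == app)  # RelayState survives intact
    print(idp_initiated_url("idp.bmc.com", 8443, "/BmcRealm/idp",
                            "https://sso.example.com:8443/atriumsso",
                            "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent", app))
```

Paste the generated login and logout URLs into the agent's login URI and logout URI fields; query_params is the quick way to confirm, after the fact, that a URL copied from the console still decodes to the intended IdP entity ID and web application URL.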
(Optional) Federate your user accounts in bulk
For information about using bulk federation, see Federating-user-accounts-in-bulk.
Where to go from here
For information about managing users, user groups, and authentication modules, see the Administering section.