This documentation supports the 9.0 version of BMC Atrium Single Sign-On, which is in "End of Version Support." However, the documentation is available for your convenience.

Configuring SAMLv2 for authentication using the Tenant Console


For this release, you may use BMC Remedy Action Request System (BMC Remedy AR System) authentication or SAMLv2 authentication. If you are using Security Assertion Markup Language 2.0 (SAMLv2) authentication, you must use the BMC Atrium SSO Tenant Console. The SAML Console tab on the Tenant Console enables you to configure the service provider (SP) and external identity provider (IdP) details for your realms.

Note

If you want to use the AR authentication option from the Realm Editor for your tenants, you do not need to configure the parameters on this page. Contact your BMC Remedy administrator to configure AR authentication. However, you can still modify the branding parameters for your tenants and customize their logon pages by using the BMC Atrium SSO Tenant Console. For more information, see Branding-the-BMC-Atrium-Single-Sign-On-login-page.


Before you begin

  • Verify that the BMC Remedy administrator has provided you with appropriate tenant admin account credentials and the BMC Atrium SSO Tenant Console URL. The URL has the following format: https://<fqdn>:<port>/atriumsso/UI/Login?realm=<realm_name>
  • Verify the integration architecture when BMC Atrium Single Sign-On is integrated with BMC Remedy AR System and BMC Remedy Mid Tier. For more information, see BMC-Atrium-Single-Sign-On-integration-architecture.

To configure SAMLv2 for authentication

  1. Log on to the BMC Atrium SSO Tenant Console using the credentials you received from the BMC Remedy administrator. The URL has the following format: https://<fqdn>:<port>/atriumsso/UI/Login?realm=<realm>.
  2. In the BMC Atrium SSO Tenant Console, click the SAML Console tab.
  3. Enter the appropriate parameters on the panels:
    • Configuring the Identity Provider (IdP) panel—Your customer's IdP supplies the information you need to enter as values for these parameters. The most common IdPs are AD FS and AR System.
    • Configuring the Service Provider (SP) panel—Most of the parameters are already present on this panel. You must select the authentication context and name ID formats.
    • Configuring the Logging panel—You can enable logging if you are having issues integrating with the customer's IdP. The logs are used for debugging integration issues. When you do not need debugging information, you should turn off logging, because logs occupy a lot of disk space.
  4. Verify the configuration and perform one of the following actions:

    • To confirm the changes, click Save.
    • To reset the values to the last saved configuration, click Revert to Saved.

      Note

      When you click Save, the changes made on both tabs (SAML Console and SSO Branding) are saved.

Configuring the Identity Provider (IdP) panel

Enter values for the parameters listed in the following table, and then click Save.

Note

If you are integrating SAMLv2 with AD FS, you must perform additional configuration steps on the AD FS server for integration. For more information, see Configuring-SAMLv2-with-AD-FS-as-IdP-by-using-the-Tenant-Console.

Name

Enter the IdP name or IdP URL that you want to provide for identification.

SingleSignOn URL

Enter the single sign-on URL that is provided to you by your IdP. The Atrium SSO server uses this URL to redirect users to the IdP for authentication.

The format of the URL depends upon your IdP. The URL must be a valid HTTP or HTTPS URL.

(Optional) Final Logout URL

This URL is the final URL that a user is redirected to after logging off from the application. It is not a Federation Server URL.

You can specify a URL to perform user logoffs, or you can provide a URL that provides your company information; for example, http://www.bmc.com.

SAMLv2 Binding

Select the SAMLv2 binding. This option determines how SAMLv2 messages are sent and received between the IdP and the SP. The two options, HTTP Redirect and XHTML Form with Post, differ only in the method used to carry the SAMLv2 messages.
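The following is an added example (not code from the BMC documentation or product) showing what the two bindings actually put on the wire. HTTP Redirect carries the request DEFLATE-compressed, base64-encoded and URL-encoded in the query string of a GET to the IdP's single sign-on URL; XHTML Form with Post (the SAML HTTP-POST binding) carries it base64-encoded, uncompressed, in a hidden form field that the browser auto-submits. Knowing which shape to expect makes the Logging panel output and browser traces much easier to read. The AuthnRequest, IDs, hostnames and realm name are constructed placeholders; only the Python standard library is used.

```python
import base64
import zlib
from html import escape
from typing import Optional
from urllib.parse import parse_qs, urlencode, urlparse

# Constructed sample AuthnRequest; the ID, timestamp, hostnames and realm are
# placeholders, not values from any real deployment.
AUTHN_REQUEST = (
    '<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
    'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" '
    'ID="_placeholder-request-id" Version="2.0" IssueInstant="2024-01-01T00:00:00Z" '
    'AssertionConsumerServiceURL="https://sso.example.com:8443/atriumsso/Consumer/metaAlias/examplerealm/sp">'
    '<saml:Issuer>https://sso.example.com:8443/atriumsso</saml:Issuer>'
    '</samlp:AuthnRequest>'
)


def encode_redirect(xml_text: str, sso_url: str, relay_state: Optional[str] = None) -> str:
    """HTTP-Redirect binding: raw DEFLATE (no zlib header), base64, then URL-encode
    into the query string of a GET to the IdP's single sign-on URL."""
    compressor = zlib.compressobj(9, zlib.DEFLATED, -15)  # wbits=-15 selects raw DEFLATE
    deflated = compressor.compress(xml_text.encode("utf-8")) + compressor.flush()
    params = {"SAMLRequest": base64.b64encode(deflated).decode("ascii")}
    if relay_state is not None:
        params["RelayState"] = relay_state
    return f"{sso_url}?{urlencode(params)}"


def decode_redirect(url: str) -> str:
    """Reverse of encode_redirect: read SAMLRequest from the query string and inflate it."""
    query = parse_qs(urlparse(url).query)  # parse_qs also undoes the URL-encoding
    raw = base64.b64decode(query["SAMLRequest"][0])
    return zlib.decompress(raw, -15).decode("utf-8")


def encode_post(xml_text: str, relay_state: Optional[str] = None) -> dict:
    """HTTP-POST binding: base64 only, no compression. The values go into hidden
    fields of an XHTML form that the browser submits to the IdP."""
    form = {"SAMLRequest": base64.b64encode(xml_text.encode("utf-8")).decode("ascii")}
    if relay_state is not None:
        form["RelayState"] = relay_state
    return form


def decode_post(form: dict) -> str:
    """Reverse of encode_post: base64-decode the SAMLRequest form field."""
    return base64.b64decode(form["SAMLRequest"]).decode("utf-8")


def post_form_html(sso_url: str, form: dict) -> str:
    """Render the auto-submitting XHTML form that the POST binding sends to the browser."""
    fields = "".join(
        f'<input type="hidden" name="{escape(k)}" value="{escape(v)}"/>' for k, v in form.items()
    )
    return (f'<form method="post" action="{escape(sso_url)}">{fields}'
            '<noscript><input type="submit" value="Continue"/></noscript></form>'
            '<script>document.forms[0].submit();</script>')


if __name__ == "__main__":
    url = encode_redirect(AUTHN_REQUEST, "https://idp.example.com/sso", "target-app")
    print("Redirect binding URL:", url)
    print("POST binding form:", post_form_html("https://idp.example.com/sso", encode_post(AUTHN_REQUEST)))
```

In a trace, a Redirect-binding request shows up as a long `SAMLRequest=` query parameter on a GET, while a POST-binding request appears only in the form body of a POST; the IdP must be configured for the same binding you select here, otherwise it will reject or fail to decode the message.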

Certificate

Upload the certificate that you received from your IdP. The server uses this certificate to verify the signatures on the SAML messages it receives from the IdP for incoming user requests. The certificate must be PEM-encoded or DER-encoded. After you upload the certificate, you can view it in human-readable format.

To upload a certificate, perform the following actions:

  1. Click Upload.
  2. Paste the certificate text into the PEM-encoded certificate field, or click Browse and upload the certificate file.
  3. Click Save.

Configuring the Service Provider (SP) panel

Enter values for the parameters listed in the following table, and then click Save.

Assertion Consumer Service URL

This field is read only. The Assertion Consumer Service URL is the endpoint at which the service provider receives assertions from the IdP. The field contains a predefined value; for example, https://xyz.bmc.com:8443/atriumsso/Consumer/metaAlias/xyzrealm/sp.

You must use this URL when you configure your IdP.

Default Authentication Context

Select the authentication context. This attribute maps the SAMLv2-defined authentication context classes to the authentication level that is set for the user session on the SP.

Name Id Formats

Define the name-identifier formats that the SP supports. Providers use name identifiers to communicate with each other about a user.

The Name ID format list is an ordered list; the first name ID format has the highest priority in determining which format to use. If the user does not specify a name ID format when initiating single sign-on, the first format in this list that the remote IdP supports is chosen.

A persistent identifier is saved to a particular user's data-store entry as the value of two attributes. A transient identifier is temporary, and no data is written to the user's persistent data store.

Note

To enable linking of user accounts between the local SP and the remote IdP after logon, the persistent name ID format must be at the top of the list.

Sign Authentication Requests

Select this check box to add a signature to all authentication requests sent from the SP to the IdP.

View Metadata XML

Click this option to view the metadata XML for the configured SP. When you click View Metadata XML, a new page opens, displaying the metadata.
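The metadata XML is the easiest place to confirm the Service Provider settings described above (the Assertion Consumer Service URL, the order of the Name Id Formats, and whether Sign Authentication Requests is on) before handing it to the IdP administrator. The following added example, not code from the BMC documentation or product, parses SP metadata in the standard SAMLv2 shape and reports the settings that commonly cause integration failures, including the note above that the persistent format must be first for account linking. The sample metadata is constructed; the entity ID, hostname and realm are placeholders, and the element names are the standard urn:oasis:names:tc:SAML:2.0:metadata ones, assumed to match what View Metadata XML produces.

```python
import xml.etree.ElementTree as ET
from typing import Dict, List

MD_NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata"}
PERSISTENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"

# Constructed SP metadata; entity ID, host and realm are placeholders, not values
# from a real server. It deliberately has transient first and signing disabled.
SAMPLE_SP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://sso.example.com:8443/atriumsso">
  <md:SPSSODescriptor AuthnRequestsSigned="false" WantAssertionsSigned="true"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</md:NameIDFormat>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:persistent</md:NameIDFormat>
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://sso.example.com:8443/atriumsso/Consumer/metaAlias/examplerealm/sp"
        index="0" isDefault="true"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""


def inspect_sp_metadata(xml_text: str) -> Dict:
    """Extract the SP settings that matter for the IdP side from the metadata XML."""
    root = ET.fromstring(xml_text)
    sp = root.find("md:SPSSODescriptor", MD_NS)
    if sp is None:
        raise ValueError("no SPSSODescriptor in metadata")
    return {
        "entity_id": root.get("entityID"),
        "authn_requests_signed": sp.get("AuthnRequestsSigned", "false").lower() == "true",
        "want_assertions_signed": sp.get("WantAssertionsSigned", "false").lower() == "true",
        # document order is the priority order described for Name Id Formats
        "name_id_formats": [e.text.strip() for e in sp.findall("md:NameIDFormat", MD_NS)],
        "acs": [(e.get("Binding"), e.get("Location"))
                for e in sp.findall("md:AssertionConsumerService", MD_NS)],
    }


def check_sp_metadata(info: Dict) -> List[str]:
    """Return human-readable findings; an empty list means nothing to fix."""
    findings: List[str] = []
    formats = info["name_id_formats"]
    if not formats:
        findings.append("no NameIDFormat configured")
    elif formats[0] != PERSISTENT:
        findings.append("persistent name ID format is not first; account linking will not work")
    if not info["authn_requests_signed"]:
        findings.append("Sign Authentication Requests is not enabled (AuthnRequestsSigned=false)")
    for _binding, location in info["acs"]:
        if not (location or "").startswith("https://"):
            findings.append(f"ACS URL is not HTTPS: {location}")
    return findings


if __name__ == "__main__":
    details = inspect_sp_metadata(SAMPLE_SP_METADATA)
    print("Entity ID:", details["entity_id"])
    print("ACS endpoints:", details["acs"])
    for finding in check_sp_metadata(details):
        print("FINDING:", finding)
```

Run it against the XML shown by View Metadata XML after each change on the Service Provider panel; the ACS Location it prints is the value to give the IdP, and an empty findings list confirms the Name Id Formats order and the signing setting before you involve the IdP team.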

Configuring the Logging panel

Enter values for the parameters listed in the following table, and then click Save.

Note

After authenticating successfully with the IdP, if the BMC application user is still prompted for a password, the BMC Atrium Single Sign-On server might not have found the assertion attribute specified for the user ID. You must enable logging to confirm that the assertion attribute is passed correctly and that you have spelled the attribute name correctly.

Logging panel

Select Enable Logging to log the SP's federation processing. You can log information about the following items:

  • Realms
  • Entity info
  • Client info from HTTP requests
  • Authentication requests
  • Assertions received

Click View Log to view the logs in a new window.
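When the log shows the assertion that was received, the question raised in the note above is whether the attribute configured for the user ID is present in it under exactly that name. The following added example, not code from the BMC documentation or product, extracts every attribute from an assertion's AttributeStatement and looks up the configured name with an exact, case-sensitive match, reporting near misses (same name in a different case or with stray whitespace) so that a spelling mismatch between the IdP and the SP configuration stands out. The SAML Response is constructed, the issuer and values are placeholders, and signatures are omitted because only the attribute lookup is shown; the configured attribute name is an assumed input.

```python
import xml.etree.ElementTree as ET
from typing import Dict, List, Optional, Tuple

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"

# Constructed SAML Response with one assertion. Issuer, subject and attribute values
# are placeholders; the signature elements are omitted for brevity.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_placeholder-response-id" Version="2.0">
  <saml:Assertion ID="_placeholder-assertion-id" Version="2.0">
    <saml:Issuer>https://idp.example.com/adfs/services/trust</saml:Issuer>
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent">abc123</saml:NameID>
    </saml:Subject>
    <saml:AttributeStatement>
      <saml:Attribute Name="UserName">
        <saml:AttributeValue>jdoe</saml:AttributeValue>
      </saml:Attribute>
      <saml:Attribute Name="mail">
        <saml:AttributeValue>jdoe@example.com</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""


def assertion_attributes(xml_text: str) -> Dict[str, List[str]]:
    """Return every attribute in the assertion's AttributeStatement(s) as {Name: [values]}."""
    root = ET.fromstring(xml_text)
    attrs: Dict[str, List[str]] = {}
    for attribute in root.iter(f"{{{SAML_NS}}}Attribute"):
        name = attribute.get("Name")
        if name is None:
            continue
        values = [v.text or "" for v in attribute.findall(f"{{{SAML_NS}}}AttributeValue")]
        attrs.setdefault(name, []).extend(values)
    return attrs


def check_user_id_attribute(attrs: Dict[str, List[str]],
                            configured_name: str) -> Tuple[Optional[str], List[str]]:
    """Look up the configured user-ID attribute with an exact, case-sensitive match.

    Returns (value, near_misses). When the exact name is absent, near_misses lists
    attribute names that match ignoring case and surrounding whitespace, which is
    the usual cause of a user being re-prompted for a password after IdP logon."""
    values = attrs.get(configured_name)
    if values:
        return values[0], []
    wanted = configured_name.strip().lower()
    near = [n for n in attrs if n.strip().lower() == wanted and n != configured_name]
    return None, near


if __name__ == "__main__":
    received = assertion_attributes(SAMPLE_RESPONSE)
    print("Attributes in assertion:", received)
    for configured in ("UserName", "username", "uid"):  # assumed SP-side attribute names
        value, near = check_user_id_attribute(received, configured)
        status = f"found value {value!r}" if value else f"missing (near misses: {near})"
        print(f"{configured}: {status}")
```

Paste the assertion from the log into SAMPLE_RESPONSE (or read it from a file) and set the configured name to the attribute the realm expects; a "missing" result with a near miss means the IdP is sending the attribute under a different spelling or case, and a "missing" result with no near miss means the IdP is not releasing it at all.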

Where to go from here

Branding-the-BMC-Atrium-Single-Sign-On-login-page

 
