This documentation supports the 9.0 version of BMC Atrium Single Sign-On, which is in "End of Version Support." However, the documentation is available for your convenience.

Configuring SAMLv2 with AD FS as IdP by using the Tenant Console


Overview

If you have limited access to the BMC Atrium Single Sign-On server, you must configure SAMLv2 authentication using the BMC Atrium SSO Tenant Console. This topic describes the step-by-step process of configuring BMC Atrium Single Sign-On as a service provider (SP) with Microsoft Active Directory Federation Services (AD FS) as the Identity Provider (IdP).

The following example values are used throughout this topic:

  • <ATRIUM_SSO_HOME> — Directory where BMC Atrium Single Sign-On is installed
  • <JAVA_HOME> — Path to your <ATRIUM_SSO_HOME>/JRE
  • <TOMCAT_HOME> — Path to <ATRIUM_SSO_HOME>/tomcat
  • http://adfs-server.sso.com — URL of the AD FS server
  • https://sso-server.bmc.com:8443/atriumsso — URL of the BMC Atrium Single Sign-On server
  • http://adfs-server.sso.com/adfs/services/trust — IdP name
  • sp — Service Provider name
  • BmcRealm — Realm name. If you are using SAMLv2 authentication in a different realm, use the corresponding realm name.

Before you begin

  • Verify that the BMC Atrium Single Sign-On administrator has configured a local SP named sp in the BMC Atrium SSO Admin Console. If the sp is not defined, you cannot log on to the Tenant Console.
  • Verify that the AD FS server meets the following requirements:
    • Working and configured properly
    • Installed and running on the server
    • Integrated with Internet Information Services (IIS)
    • Integrated with Microsoft Windows Active Directory
  • Verify that you can access the BMC Atrium SSO Tenant Console by using the following URL:
    https://<fqdn>:<port>/atriumsso/UI/Login?realm=<realm>

Configuring the AD FS server and the BMC Atrium SSO Tenant Console

Perform the following tasks to configure Security Assertion Markup Language 2.0 (SAMLv2) with an AD FS server by using the BMC Atrium SSO Tenant Console:

Task 1: Understanding how SAMLv2 works

Security Assertion Markup Language (SAML) is an XML-based OASIS standard for exchanging user identity and security attribute information. It uses security tokens containing assertions to pass information about a principal (usually an end user) between an Identity Provider (IdP) and a web service. For more information, see SAMLv2-authentication.

Task 2: Getting the metadata certificate from the AD FS server

You must get the IdP signing certificate to establish a trust relationship between the AD FS server and the BMC Atrium Single Sign-On server. Follow these steps to obtain the certificate that you need when configuring the AD FS server as the remote IdP in BMC Atrium Single Sign-On:

  1. Download the IdP metadata file from the AD FS server.
    For example, open https://adfs-server.sso.com/federationmetadata/2007-06/Federationmetadata.xml and save the Federationmetadata XML file on your computer.
  2. Open the file, copy the URL in the Location attribute of the <SingleSignOnService> element, and save it to a local file. The metadata contains one <SingleSignOnService> element per binding (the Binding attribute); select the URL of the element whose binding matches the SAMLv2 binding you plan to select in the BMC Atrium SSO Tenant Console.
  3. Copy the contents of the <ds:X509Certificate> element into a new file and save the file as importedcertfromidp.cer. The signing certificate is the <X509Certificate> element nested inside the <md:KeyDescriptor use="signing"> element.
  4. Close the file.

    Note: The certificate must be in Privacy Enhanced Mail (PEM) format, that is, the base64 certificate text enclosed between a "-----BEGIN CERTIFICATE-----" line and an "-----END CERTIFICATE-----" line.

This SingleSignOnService URL and certificate are used when you configure remote IdP by using the BMC Atrium SSO Tenant Console.
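The following Python script is an added example, not part of the BMC documentation: it performs Task 2 against a constructed and heavily trimmed FederationMetadata.xml, selecting the SingleSignOnService Location for the binding you intend to choose in the Tenant Console, writing the IdP signing certificate as a PEM file named importedcertfromidp.cer, and printing a SHA-256 fingerprint to compare with what the AD FS administrator reports. The metadata text and the certificate bytes are constructed placeholders; to use it against a real download, replace SAMPLE_METADATA with the file contents.

```python
import base64
import hashlib
import textwrap
import xml.etree.ElementTree as ET
NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata", "ds": "http://www.w3.org/2000/09/xmldsig#"}
BINDINGS = {"HTTP-POST": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST",
            "HTTP-Redirect": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"}
# Constructed stand-in for the base64 certificate body; it is not a real X.509 certificate.
FAKE_CERT_B64 = base64.b64encode(b"constructed placeholder, not a real certificate " * 3).decode()
# Constructed, heavily trimmed metadata shaped like AD FS output, using the page's example IdP name.
SAMPLE_METADATA = f"""<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata" entityID="http://adfs-server.sso.com/adfs/services/trust">
  <IDPSSODescriptor>
    <KeyDescriptor use="signing"><KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#"><X509Data>
      <X509Certificate>{FAKE_CERT_B64}</X509Certificate></X509Data></KeyInfo></KeyDescriptor>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://adfs-server.sso.com/adfs/ls/"/>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://adfs-server.sso.com/adfs/ls/"/>
  </IDPSSODescriptor>
</EntityDescriptor>"""

def _idp_descriptor(metadata_xml: str) -> ET.Element:
    """Only the IDPSSODescriptor: AD FS metadata also carries WS-Fed and SP descriptors with their own keys."""
    idp = ET.fromstring(metadata_xml).find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("metadata has no IDPSSODescriptor")
    return idp

def sso_location(metadata_xml: str, binding: str) -> str:
    """Location of the SingleSignOnService whose Binding matches the binding chosen in the Tenant Console."""
    for svc in _idp_descriptor(metadata_xml).findall("md:SingleSignOnService", NS):
        if svc.get("Binding") == BINDINGS[binding]:
            return svc.get("Location")
    raise ValueError(f"no SingleSignOnService for binding {binding}")

def signing_certs_pem(metadata_xml: str) -> list:
    """Every IdP signing certificate as PEM text (AD FS publishes two while a certificate rollover is pending)."""
    pems = []
    for kd in _idp_descriptor(metadata_xml).findall("md:KeyDescriptor[@use='signing']", NS):
        for cert in kd.findall(".//ds:X509Certificate", NS):
            body = "".join(cert.text.split())  # the metadata may wrap the base64 across lines
            pems.append("-----BEGIN CERTIFICATE-----\n" + textwrap.fill(body, 64) + "\n-----END CERTIFICATE-----\n")
    return pems

def sha256_fingerprint(pem: str) -> str:
    """SHA-256 over the DER bytes, to compare with the thumbprint the AD FS administrator reports out of band."""
    body = "".join(line for line in pem.splitlines() if not line.startswith("-----"))
    return hashlib.sha256(base64.b64decode(body)).hexdigest()

if __name__ == "__main__":  # writes importedcertfromidp.cer, the file name the page uses
    pem = signing_certs_pem(SAMPLE_METADATA)[0]; open("importedcertfromidp.cer", "w").write(pem)
    print(sso_location(SAMPLE_METADATA, "HTTP-POST"), sha256_fingerprint(pem))
```

If the metadata lists more than one signing certificate, import each of them, otherwise assertions signed with the newer key fail after AD FS rolls over.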

Task 3: Configuring remote IdP on the BMC Atrium SSO Tenant Console

You must configure the AD FS server parameters in the BMC Atrium SSO Tenant Console. Follow these steps to configure the remote IdP.

In the BMC Atrium SSO Tenant Console, open the SAML Console tab and enter the following parameter values on the Identity Provider (IdP) tab:

  1. In the Name field, enter the name of the IdP.
    You can use the URL with IdP details.
  2. Enter the IdP SingleSignOnService binding URL that you copied from the IdP metadata file.
     The BMC Atrium Single Sign-On server uses this URL to redirect users to the AD FS server for authentication. Select the single sign-on URL that matches the binding you will choose in step 4 of this procedure.
  3. Enter the final logout URL.
    This is the URL that a user is redirected to after logging out of the application; it is not a SAMLv2 Single Logout (SLO) URL.
  4. Enter a value for SAMLv2 binding to determine how SAMLv2 messages are sent and received between the IdP and the SP.
  5. Open the importedcertfromidp.cer certificate file that you created from the AD FS metadata.
  6. Copy the certificate details and paste them into the Certificate field. Alternatively, upload the certificate file.
  7. Click Save.

Note: On the Service Provider (SP) tab, click View Metadata XML and copy the metadata URL; you need it when configuring the AD FS server, as described in the task Configuring the AD FS server.

For complete information about parameters on the Identity Provider (IdP) tab and the Service Provider (SP) tab, see Configuring-SAMLv2-for-authentication-using-the-Tenant-Console.

Task 5: Configuring the AD FS server

After the BMC Atrium Single Sign-On administrator has configured the local SP and the remote IdP in the BMC Atrium SSO Admin Console, you must configure the AD FS server. For more information, see Configuring-the-AD-FS-server.

Note: You must provide the metadata URL that you copied from the BMC Atrium SSO Tenant Console for establishing the trust relationship.

Task 6: Verifying the AD FS server configuration

  • IdP verification: Go to the following URL:
    https://adfs-server.sso.com/adfs/ls/IdPInitiatedSignon.aspx
  • SP verification: Go to the following URL:
    https://sso-server.bmc.com:8443/atriumsso/spssoinit?metaAlias=/BmcRealm/sp&idpEntityID=http://adfs-server.sso.com/adfs/services/trust&nameIDFormat=transient&binding=HTTP-POST
