This documentation supports the 9.0 version of BMC Atrium Single Sign-On, which is in "End of Version Support." The documentation remains available for your convenience.

Configuring BMC Atrium Single Sign-On as an IdP


If you configure the BMC Atrium Single Sign-On server as an Identity Provider (IdP), do not use this server as the integration server for BMC products. Instead, a separate BMC Atrium Single Sign-On server should be configured as a Service Provider (SP) and used as the integration host.

Important

Do not integrate BMC products into a BMC Atrium Single Sign-On server which is configured as an Identity Provider.

Importing a Circle of Trust certificate (X509 certificate)

Before creating the IdP, an X.509 certificate is needed for signing communications between the IdP and the SP in the SAML Circle of Trust (COT). To add a certificate to an existing COT, import it into the keystore. The installer creates a default certificate in the keystore under the alias name test, and this certificate can be used without creating and importing a new one. Because that default certificate and the default keystore password (see below) are both documented, replace the test certificate with one you generate and change the keystore password before the IdP serves production SPs. For more information, see Managing-certificates-in-BMC-Atrium-Single-Sign-On.

To import the Circle of Trust certificate

When BMC Atrium Single Sign-On is configured as an IdP, the Circle of Trust certificate must be imported into a keystore for the server to use.

  1. Navigate to the keystore location, and replace the test certificate with your generated certificate.

    Note

    The default Circle of Trust keystore location and name is <installationDirectory>/tomcat/cot.jks. This keystore must be of type JKS (not PKCS12 or any other type). The default password for both the keystore and its certificate entries is changeit.

  2. If you changed the keystore password, update the .keypass and .storepass configuration files with the encrypted form of the new password (see To encrypt the password for storage in the files).
     The configuration files are in the same <installationDirectory>/tomcat/ directory as the Circle of Trust keystore.
  3. Stop and restart the Tomcat server.

    Note

    The new certificate is not available to use for creating an IdP until the Tomcat server is stopped and restarted.

To encrypt the password for storage in the files

  1. Enter the following URL into the browser:
    https://<host>:<port>/atriumsso/encode.jsp 

    where:
    • host is the FQDN of the BMC Atrium Single Sign-On host.
    • port is the port number that BMC Atrium Single Sign-On is using for secure communication.
  2. Enter a new password.
  3. To encrypt the value, click Encode.
  4. Copy the encrypted password into the configuration files.
  5. Stop and restart the BMC Atrium Single Sign-On server.
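The keystore procedure above, scripted as an added example (this is not BMC's code and not part of the original page): it checks that cot.jks really is a JKS file before touching it, deletes the installer's test entry, imports your key pair from a PKCS12 bundle, and lists what the IdP editor will offer after the Tomcat restart. Assumptions: the installation directory /opt/bmc/AtriumSSO (override with COT_HOME), keeping the alias test for the replacement entry, a PKCS12 file holding the new key pair, and the JDK's keytool on the PATH. The .keypass and .storepass files are not written by the script because the page does not describe their format; paste the encode.jsp output into them by hand.

```shell
#!/bin/sh
# Added example (not BMC's code): replace the installer's "test" entry in the
# Circle of Trust keystore with your own key pair, refusing any file that is
# not a JKS store. Assumptions: the install root below, a PKCS12 bundle
# holding the new key pair, and the JDK's keytool on PATH.
set -eu

COT_HOME="${COT_HOME:-/opt/bmc/AtriumSSO/tomcat}"   # assumed <installationDirectory>/tomcat
COT_KEYSTORE="$COT_HOME/cot.jks"
COT_ALIAS="test"   # the page replaces the test certificate; keeping its alias is an assumption

# Keystore format from the first four bytes of the file:
#   JKS    begins with the magic number 0xFEEDFEED
#   JCEKS  begins with 0xCECECECE
#   PKCS12 is DER, so it begins with an ASN.1 SEQUENCE tag (0x30)
keystore_type() {
    magic=$(od -A n -t x1 -N 4 "$1" | tr -d ' \n')
    case "$magic" in
        feedfeed) echo JKS ;;
        cececece) echo JCEKS ;;
        30*)      echo PKCS12 ;;
        *)        echo UNKNOWN ;;
    esac
}

# Succeeds only for a JKS store, the one type cot.jks is allowed to be.
require_jks() {
    [ "$(keystore_type "$1")" = "JKS" ]
}

# replace_cot_cert NEW.p12 P12_PASSWORD P12_ALIAS [STORE_PASSWORD]
# Deletes the default entry and imports the new key pair under the same
# alias. The store and key passwords default to the documented "changeit";
# after changing them, put the encode.jsp output into .keypass/.storepass.
replace_cot_cert() {
    p12="$1"; p12_pass="$2"; p12_alias="$3"; store_pass="${4:-changeit}"
    require_jks "$COT_KEYSTORE" || { echo "$COT_KEYSTORE is not a JKS keystore" >&2; return 1; }
    cp -p "$COT_KEYSTORE" "$COT_KEYSTORE.bak"   # keep the installer's store for rollback
    keytool -delete -alias "$COT_ALIAS" -keystore "$COT_KEYSTORE" \
        -storetype JKS -storepass "$store_pass"
    keytool -importkeystore -srckeystore "$p12" -srcstoretype PKCS12 \
        -srcstorepass "$p12_pass" -srcalias "$p12_alias" \
        -destkeystore "$COT_KEYSTORE" -deststoretype JKS \
        -deststorepass "$store_pass" -destalias "$COT_ALIAS" -destkeypass "$store_pass"
    # Show what the IdP editor will see once Tomcat has been restarted.
    keytool -list -v -keystore "$COT_KEYSTORE" -storetype JKS \
        -storepass "$store_pass" -alias "$COT_ALIAS" | grep -E 'Alias name|Owner|Valid|SHA256'
}

if [ $# -ge 3 ]; then
    replace_cot_cert "$@"
    echo "Now stop and restart Tomcat; the new certificate is not offered to the IdP editor until then."
fi
```

Run it as `sh replace-cot-cert.sh idp-signing.p12 '<p12 password>' '<alias inside the p12>'` (add the new store password as a fourth argument if you have changed it); with no arguments it only defines the functions, so you can source it and call `keystore_type` on any file to see why a PKCS12 store is rejected.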

Creating a local IdP

Note

If you modify the local IdP configuration in the Local IdP Editor, you must also update the configuration on the SP server. For example, if one BMC Atrium Single Sign-On server is configured as a Service Provider and another as an Identity Provider, and you change the IdP server settings, you must reconfigure the Remote IdP Editor on the SP server, either by making the change manually or by re-importing the IdP metadata on the SP server. Likewise, if you change settings in the Remote IdP Editor on the SP server, you must reconfigure the IdP server, either by making the changes manually or by re-importing the SP metadata.

The Local Identity Provider (IdP) Editor groups its options into the tabs listed under the field descriptions later in this section.

To create a local IdP

  1. On the BMC Atrium SSO Admin Console, select the realm that you want to edit.
  2. On the Federation tab, click Add.
  3. Select Local Identity Provider (IdP).
  4. Enter the values for fields on the Local IdP editor.
  5. Click Save.

Note

If there are issues with keystore configuration, an error message is displayed.

The fields on the local IdP editor are grouped into the following tabs:

  • Services
  • Signing/Encryption
  • Logging
  • Assertion Processing

Creating a remote SP

  1. On the BMC Atrium SSO Admin Console, select the realm that you want to edit.
  2. On the Federation panel, click Add.
  3. Select Remote Service Provider (SP).
  4. Add a URL for the remote SP and upload the SP metadata to the Create Service Provider (SP) window. For more information about parameters, see Create-Remote-Service-Provider.
  5. Click Save.
  6. On the Federation panel, select the remote SP that you just created.
  7. Click Edit.
  8. Provide the remote SP parameters.
  9. Click Save.
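A pre-import review of SP metadata, added here as an example and not part of BMC's documentation or code: before uploading the file in step 4, it extracts the values that the remote SP entry on the IdP (and the Remote IdP Editor on the SP side, per the note earlier in this section) must keep in sync, and flags settings that weaken the SAML exchange: unsigned AuthnRequests, assertions the SP does not require to be signed, a missing signing key, and an AssertionConsumerService that is not served over HTTPS. The metadata it ships with is constructed for the example; the entity ID, hostnames and the X509Certificate value (base64 of the word "sample") are not real, and the grep/sed parsing assumes well-formed metadata as an SP exports it, not arbitrary XML. Pass a real metadata file as the first argument to review it.

```shell
#!/bin/sh
# Added example (not BMC's code): review an SP metadata file before uploading
# it to the Create Service Provider (SP) window, and print the values that
# the IdP's remote SP entry must keep in sync with. Uses only sh, grep, sed
# and tr (plus base64/sha256sum for the fingerprint when they are available).
set -eu

# Constructed sample metadata for the example; entity ID, hosts and the
# certificate value are not real (the "certificate" is base64 of "sample").
sample_sp_metadata() {
cat <<'EOF'
<?xml version="1.0" encoding="UTF-8"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    entityID="https://sp.example.test/atriumsso">
  <md:SPSSODescriptor AuthnRequestsSigned="true" WantAssertionsSigned="false"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data>
        <ds:X509Certificate>c2FtcGxl</ds:X509Certificate>
      </ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:AssertionConsumerService index="0" isDefault="true"
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://sp.example.test/atriumsso/saml/acs"/>
    <md:AssertionConsumerService index="1"
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact"
        Location="http://sp.example.test/atriumsso/saml/acs"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>
EOF
}

# Put the whole document on one line so each element can be matched as a unit.
flat() { tr -d '\n' < "$1"; }

# entityID of the SP: must match the entry created on the IdP.
sp_entity_id() {
    flat "$1" | sed -n 's/.*<\(md:\)\{0,1\}EntityDescriptor[^>]*entityID="\([^"]*\)".*/\2/p'
}

# Value of a boolean attribute on SPSSODescriptor, or "unset" if it is absent.
sp_descriptor_flag() {  # $1 file, $2 attribute name
    v=$(flat "$1" | grep -oE '<(md:)?SPSSODescriptor[^>]*>' |
        sed -n "s/.*$2=\"\([^\"]*\)\".*/\1/p")
    echo "${v:-unset}"
}

# One "Binding Location" line per AssertionConsumerService endpoint.
sp_acs_endpoints() {
    flat "$1" | grep -oE '<(md:)?AssertionConsumerService[^>]*>' |
    while IFS= read -r el; do
        b=$(printf '%s' "$el" | sed -n 's/.*Binding="\([^"]*\)".*/\1/p')
        l=$(printf '%s' "$el" | sed -n 's/.*Location="\([^"]*\)".*/\1/p')
        printf '%s %s\n' "$b" "$l"
    done
}

# Number of KeyDescriptor elements the IdP may use to verify this SP's
# signatures (use="signing", or no use attribute, which allows both).
sp_signing_key_count() {
    flat "$1" | grep -oE '<(md:)?KeyDescriptor[^>]*>' | grep -vc 'use="encryption"' || true
}

# SHA-256 fingerprint of the DER certificate in the (last) X509Certificate
# element, as colon-separated uppercase hex like keytool -list -v prints it,
# to compare with the entry in cot.jks or in the remote SP editor.
sp_cert_sha256() {
    flat "$1" | sed -n 's/.*<\(ds:\)\{0,1\}X509Certificate>\([^<]*\)<.*/\2/p' |
        tr -d ' \t' | base64 -d | sha256sum | cut -d' ' -f1 |
        sed 's/../&:/g; s/:$//' | tr 'a-f' 'A-F'
}

# Settings that weaken the exchange; one line per finding, nothing if clean.
sp_warnings() {
    f="$1"
    [ "$(sp_descriptor_flag "$f" AuthnRequestsSigned)" = "true" ] ||
        echo "AuthnRequestsSigned is not true: the IdP cannot require signed AuthnRequests from this SP"
    [ "$(sp_descriptor_flag "$f" WantAssertionsSigned)" = "true" ] ||
        echo "WantAssertionsSigned is not true: the SP does not insist on signed assertions"
    [ "$(sp_signing_key_count "$f")" -gt 0 ] ||
        echo "no signing-capable KeyDescriptor: nothing this SP signs can be verified"
    sp_acs_endpoints "$f" | while read -r binding location; do
        case "$location" in
            https://*) ;;
            *) echo "AssertionConsumerService not over HTTPS: $location ($binding)" ;;
        esac
    done
}

# Review the file given as the first argument, or the constructed sample.
if [ $# -ge 1 ]; then
    md="$1"
else
    md=$(mktemp); sample_sp_metadata > "$md"
fi
echo "entityID:             $(sp_entity_id "$md")"
echo "AuthnRequestsSigned:  $(sp_descriptor_flag "$md" AuthnRequestsSigned)"
echo "WantAssertionsSigned: $(sp_descriptor_flag "$md" WantAssertionsSigned)"
echo "ACS endpoints:"; sp_acs_endpoints "$md" | sed 's/^/  /'
if command -v base64 >/dev/null 2>&1 && command -v sha256sum >/dev/null 2>&1; then
    echo "signing cert SHA-256: $(sp_cert_sha256 "$md")"
fi
echo "warnings:"; sp_warnings "$md" | sed 's/^/  /'
```

On the constructed sample the review reports two warnings (WantAssertionsSigned is false, and the HTTP-Artifact endpoint is plain http). Keep the printed entityID, endpoints and certificate fingerprint with your change records: when either side's settings change later, these are the values to compare before deciding whether a manual edit is enough or the metadata has to be re-imported.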

Remote SP Editor parameters

The Remote Service Provider (SP) Editor groups its options into the tabs listed below.

The fields on the Remote SP editor are grouped into the following tabs:

  • Services
  • Signing/Encryption
  • Authentication Request
  • Assertion Processing

(Optional) Federate your user accounts in bulk

For information about using bulk federation, see Federating-user-accounts-in-bulk.

Where to go from here

  • For information about managing users, user groups, and authentication modules, see Administering.
  • For information about troubleshooting SAMLv2 authentication, see Troubleshooting-SAMLv2.

 
