Configuring BMC Atrium Single Sign-On as an SP
In a Circle of Trust (COT), BMC Atrium Single Sign-On is normally configured as a Service Provider (SP) for BMC products. The Circle of Trust is then completed with an Identity Provider (IdP) to provide authentication for the federated single sign-on.
Verifying that certificates were imported into the truststore
Before configuring BMC Atrium Single Sign-On as a Service Provider, verify that all the certificates used for network communication (Transport Layer Security) between the servers participating in the Circle of Trust have been imported into the BMC Atrium Single Sign-On truststore:
- If you are using signed certificates, verify that only the root Certificate Authority (CA) certificate is imported.
- If you are using self-signed certificates, verify that the public certificates are imported into the truststore.
For more information about importing certificates, see Managing-certificates-in-BMC-Atrium-Single-Sign-On and Importing-a-certificate-into-the-truststore.
Creating a local SP
If you are using a second BMC Atrium Single Sign-On server as an IdP, export the certificate from that server's <installationDirectory>/tomcat/conf/keystore.p12 file and import it into cacerts.p12 on the BMC Atrium Single Sign-On server that provides the SP role.
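As an added example (not BMC's own tooling or documentation), the export and import described above can be done with the JDK keytool against the two PKCS12 files. The file names, the alias names and the password below are constructed placeholders (the real keystore password is not on this page), and the demo generates a throwaway self-signed key pair to stand in for the IdP server's keystore.p12:

```shell
#!/bin/sh
# Added example, not part of the BMC documentation. Requires the JDK keytool.

# Export the certificate stored under <alias> in a PKCS12 keystore to a PEM file.
# Arguments: keystore alias storepass outfile
export_tls_cert() {
    keytool -exportcert -rfc -keystore "$1" -storetype PKCS12 \
        -alias "$2" -storepass "$3" -file "$4"
}

# Import a PEM certificate into a PKCS12 truststore under <alias>
# (the truststore is created if it does not exist yet).
# Arguments: truststore alias storepass pemfile
import_trusted_cert() {
    keytool -importcert -noprompt -keystore "$1" -storetype PKCS12 \
        -alias "$2" -storepass "$3" -file "$4"
}

# Print the number of trusted certificate entries in a PKCS12 truststore.
# Use this to confirm the truststore holds only what you expect: the public
# certificate of each self-signed peer, or only the root CA for CA-signed ones.
# Arguments: truststore storepass
count_trusted_entries() {
    keytool -list -keystore "$1" -storetype PKCS12 -storepass "$2" \
        | grep -c trustedCertEntry
}

# End-to-end demo in a scratch directory. A freshly generated self-signed key
# pair stands in for <installationDirectory>/tomcat/conf/keystore.p12 on the
# IdP server; cacerts.p12 is the SP-side truststore being populated.
# Returns 0 on success, or 0 with a message when keytool is not installed.
demo_import() {
    command -v keytool >/dev/null 2>&1 || {
        echo "keytool not found; skipping demo" >&2
        return 0
    }
    work=$(mktemp -d) || return 1
    # Constructed stand-in for the IdP server's keystore (alias and password are placeholders).
    keytool -genkeypair -keystore "$work/keystore.p12" -storetype PKCS12 \
        -alias tomcat -storepass changeit -keypass changeit \
        -keyalg RSA -keysize 2048 -validity 1 \
        -dname "CN=idp.example.com" >/dev/null 2>&1 || return 1
    export_tls_cert "$work/keystore.p12" tomcat changeit "$work/idp.pem" >/dev/null 2>&1 || return 1
    import_trusted_cert "$work/cacerts.p12" idp-tls changeit "$work/idp.pem" >/dev/null 2>&1 || return 1
    n=$(count_trusted_entries "$work/cacerts.p12" changeit) || n=0
    rm -rf "$work"
    # Exactly one trusted entry is expected after importing one self-signed peer certificate.
    [ "$n" -eq 1 ]
}
```

On a real system, call `export_tls_cert` on the IdP server's keystore.p12 and `import_trusted_cert` on the SP server's cacerts.p12 with your own alias and passwords, then run `count_trusted_entries` on cacerts.p12 and compare the count with the number of entries the truststore should contain.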
To create a local SP
- On the BMC Atrium SSO Admin Console, select the realm that you want to edit.
- On the Federation tab, click Add.
- Select Local Service Provider (SP).
- Provide the local SP information.
- Click Save.
Local SP parameters
The fields on the Local Service Provider (SP) editor are grouped under the following tabs:
Services tab
Signing/Encryption tab
Authentication Request
Logging tab
Assertion Processing tab
Creating a remote IdP
- On the BMC Atrium SSO Admin Console, select the realm that you want to edit.
- On the Federation panel, click Add.
- Select Remote Identity Provider (IdP).
  Note: Import a signed certificate into the cot.jks keystore used for SAMLv2 authentication. The cot.jks file is located at <installationDirectory>/tomcat.
- Create a name for the remote IdP and upload the IdP metadata using the Create Identity Provider (IdP) window. For more information about the parameters, see Create-Identity-Provider.
- Click Save.
- On the Federation panel, select the remote IdP.
- Click Edit.
- Provide the remote IdP parameters.
- Click Save.
Remote IdP editor parameters
The fields on the Remote Identity Provider (IdP) editor are as follows:
Field | Parameter | Description |
---|---|---|
Name | | Name for the IdP, or accept the provided IdP name. The Name field is pre-populated with a value that reflects the expected IdP name. |
View SAMLv2 Metadata | | Click this option to view the metadata XML for the configured IdP. When you click View SAMLv2 Metadata, a new page opens displaying the metadata. |
Binding | | Determines how SAML messages are sent and received between the IdP and the SP. The HTTP Redirect and HTTP POST bindings are used when a direct connection between the IdP and SP is not possible. The two bindings differ in how the SAMLv2 messages are carried: in an HTTP redirect or in an XHTML form submitted by POST. |
Sign Messages | Signing Certificate Alias | The alias specifies the certificate used to sign the selected SAML messages. Signing is used to verify that the messages have not been altered in transit and that they originated with the IdP. Click View to see the details of the selected signing certificate. |
| Authentication Request, Logout Request, Logout Response, Manage Name ID Request, Manage Name ID Response, and Artifact Resolve | These are the SAMLv2 messages that are to be signed by the IdP or are expected to have been signed by the SP. |
Encrypt Elements | Encryption Certificate Alias | The alias specifies the private key that will be used to encrypt the secret key that encrypts the SAMLv2 messages. Click View to see the details of the selected encryption certificate. |
| Encryption Algorithm | The encryption algorithm used to encrypt SAMLv2 messages. Select None, 3DES, AES-128, or AES-256 from the drop-down menu. |
| Name ID | Specifies whether to encrypt the Name ID or leave it in plain text. |
Modifying the JEE agents
As part of configuring BMC Atrium Single Sign-On to host an SP, you must modify the configuration of the JEE agents to work with SAMLv2 federation.
- On the BMC Atrium SSO Admin Console, click Agent Details. For more information about agent properties, see Agent-manager-in-multi-tenant-environment.
- Select the agents associated with a BMC product integrated with this BMC Atrium Single Sign-On server; for example, arsystem@sample.bmc.com:8443.
- Perform one of the following actions:
  - If you have a single realm, click Edit.
  - If you have multiple realms, open the Realms tab.
- Perform the following actions:
  - Delete the URLs in the login URI field.
  - Enter the federated login URL. For the URL syntax, see Federated login URL syntax.
  - Delete the URLs in the logout URI field.
  - Enter the federated logout URL. For the URL syntax, see Federated logout URL syntax.
- Click Save.
Federated login URL syntax
https://<host>:<port>/atriumsso/spssoinit?metaAlias=<metaalias>&idpEntityID=<entityId>
In this syntax:
- host is the FQDN of the BMC Atrium Single Sign-On server hosting the SP.
- port is the port used for secure communication with the BMC Atrium Single Sign-On server hosting the SP.
- entityId is the name of the IdP to be used by this SP.
- metaalias is the meta alias value that identifies the SP.
Federated logout URL syntax
https://<host>:<port>/atriumsso/saml2/jsp/spSingleLogoutInit.jsp?idpEntityID=<entityId>&RelayState=<webappURL>
In this syntax:
- host is the FQDN of the BMC Atrium Single Sign-On server hosting the SP.
- port is the port used for secure communication with the BMC Atrium Single Sign-On server hosting the SP.
- entityId is the name of the IdP to be used by this SP.
- webappURL is the URL of the web application for this agent.
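To check the two URL strings before pasting them into the agent's login and logout URI fields, here is an added example in Python (not part of BMC's documentation or product): it builds the federated login and logout URLs from the parameters listed above, percent-encodes the query values (an entity ID is often itself a URL and must not be pasted raw into a query string), and parses both URLs back to confirm they name the same SP host and port and the same IdP. The host names, meta alias, entity IDs and web-app URL are constructed sample values; requiring https for the RelayState value is this example's own assumption, not something the page states.

```python
"""Build and cross-check BMC Atrium Single Sign-On federated agent URLs.

Added example, not BMC's code. All sample values are constructed.
"""
from urllib.parse import parse_qs, urlencode, urlsplit

LOGIN_PATH = "/atriumsso/spssoinit"
LOGOUT_PATH = "/atriumsso/saml2/jsp/spSingleLogoutInit.jsp"


def _sp_base(host: str, port: int) -> str:
    """https://<host>:<port> of the BMC Atrium Single Sign-On server hosting the SP."""
    if not host or any(c in host for c in "/:?#@ "):
        raise ValueError("host must be a bare FQDN")
    port = int(port)
    if not 1 <= port <= 65535:
        raise ValueError("port out of range")
    return f"https://{host}:{port}"


def federated_login_url(host: str, port: int, metaalias: str, entity_id: str) -> str:
    """.../atriumsso/spssoinit?metaAlias=<metaalias>&idpEntityID=<entityId>

    Query values are percent-encoded; '/' is kept literal so a meta alias
    such as /sp reads the same as on the page.
    """
    query = urlencode({"metaAlias": metaalias, "idpEntityID": entity_id}, safe="/")
    return f"{_sp_base(host, port)}{LOGIN_PATH}?{query}"


def federated_logout_url(host: str, port: int, entity_id: str, webapp_url: str) -> str:
    """.../spSingleLogoutInit.jsp?idpEntityID=<entityId>&RelayState=<webappURL>

    Assumption of this example (not stated on the page): the RelayState,
    which is where the browser is sent after logout, must be an https URL.
    """
    if urlsplit(webapp_url).scheme != "https":
        raise ValueError("webappURL must be an https URL")
    query = urlencode({"idpEntityID": entity_id, "RelayState": webapp_url})
    return f"{_sp_base(host, port)}{LOGOUT_PATH}?{query}"


def check_agent_urls(login_url: str, logout_url: str) -> dict:
    """Parse both URLs back and confirm they describe the same SP and IdP.

    Returns the decoded parameters; raises ValueError on any mismatch.
    """
    login, logout = urlsplit(login_url), urlsplit(logout_url)
    for parts, path in ((login, LOGIN_PATH), (logout, LOGOUT_PATH)):
        if parts.scheme != "https" or parts.path != path:
            raise ValueError(f"unexpected scheme or path: {parts.geturl()}")
    if login.netloc != logout.netloc:
        raise ValueError("login and logout URLs point at different SP servers")
    # parse_qs percent-decodes the values; strict_parsing rejects malformed pairs.
    q_login = {k: v[0] for k, v in parse_qs(login.query, strict_parsing=True).items()}
    q_logout = {k: v[0] for k, v in parse_qs(logout.query, strict_parsing=True).items()}
    missing = [k for k in ("metaAlias", "idpEntityID") if k not in q_login]
    missing += [k for k in ("idpEntityID", "RelayState") if k not in q_logout]
    if missing:
        raise ValueError(f"missing query parameters: {missing}")
    if q_login["idpEntityID"] != q_logout["idpEntityID"]:
        raise ValueError("login and logout URLs name different IdPs")
    return {
        "sp": login.netloc,
        "metaAlias": q_login["metaAlias"],
        "idpEntityID": q_login["idpEntityID"],
        "RelayState": q_logout["RelayState"],
    }


if __name__ == "__main__":
    # Constructed sample values; substitute your own SP host, meta alias,
    # IdP entity ID and web-app URL.
    sp_host, sp_port = "sso.example.com", 8443
    idp = "https://idp.example.com/idp"
    login = federated_login_url(sp_host, sp_port, "/sp", idp)
    logout = federated_logout_url(sp_host, sp_port, idp, "https://ar.example.com:8443/arsys/")
    print(login)
    print(logout)
    print(check_agent_urls(login, logout))
```

Run the module directly to print the two URLs for the constructed values; `check_agent_urls` is the part worth keeping at hand, since an agent whose login and logout URIs disagree on the IdP or the SP host will authenticate against one provider and fail to log out of it.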
(Optional) Federating your user accounts in bulk
For information about using bulk federation, see Federating-user-accounts-in-bulk.
Where to go from here
See Administering for information about managing users, user groups, and authentication modules.