Setting up tenants
Default tenant
The SAAS TENANT is the default tenant, which is available on the BMC Helix SSO server. Only a SaaS administrator has access to this tenant.
The SAAS TENANT has a predefined name and host, which you cannot modify. You cannot disable this tenant. You can only modify the default description.
To create a tenant
- Log in to the BMC Helix SSO server as a SaaS administrator.
- On the navigation panel, click Tenant.
- Click Add Tenant.
- To add a tenant, complete the following fields:
  - Name
  - Hostname—Specify the hostname to access an individual tenant by using the following format: host.example.com
  - (Optional) Description
  - (Optional) Self service configuration
Note: The tenant name and tenant host name must be unique.
- To enable the tenant, select the Enabled check box.
- Click Save.
To enable features for a tenant
Use feature flags to enable specific functionalities for a tenant.
- Edit or create a tenant for which you want to update the feature flags.
- Select the check boxes for the functionalities that you want to enable for the tenant.
  The following features are available:
  - Local User Management "Confirm Registration"—Ability for local users to set their own password; see Managing-local-users-and-passwords.
  - Local User Management "Forgot Password"—Ability for local users to reset a forgotten, lost, or compromised password; see Configuring-Local-authentication.
  - Disable email template sanitizing—Ability to check and modify the email template input in the Forgot Password functionality; see Configuring-Local-authentication.
  - Webhooks on authentication response—Ability to notify an external service about user authentication in BMC Helix SSO by using webhooks; see Notifying-an-external-service-about-user-authentication-by-using-a-webhook.
  - UserID transformation to convert AR alias to login—Ability to specify a custom UserID to match the login ID; see Transforming-userID-to-match-login-ID.
  - Path-specific session cookie—Ability to limit the scope of the cookie to the /rsso path on the BMC Helix SSO server; see Security-planning.
  - Use tenant token timeouts for multi-tenant clients—Ability to apply to multi-tenant clients the same access and refresh timeout values that are defined at the level of the particular tenant; see Configuring-OAuth-2-0. By default, the check box is cleared.
- Click Save.
The changes are applied automatically for a tenant.
To switch to the Admin Console view of a tenant
- On the List of Tenants page, select a tenant.
- Click the pin button.
An information message is displayed above the navigation panel stating which tenant you have selected.
The Tenant field on the navigation panel displays the name of the tenant you have switched to.
Where to go from here
After you have created a tenant, create administrators for this tenant. For information about how to create a tenant administrator, see Setting-up-BMC-Helix-SSO-administrator-accounts.