Setting up tenants


As a SaaS administrator, to enable the single sign-on experience for a customer company, you must first create a tenant on the BMC Helix Single Sign-On server, and then proceed with the onboarding tasks for this tenant.

Default tenant

The SAAS TENANT is the default tenant, which is available on the BMC Helix SSO server. Only a SaaS administrator has access to this tenant. 

The SAAS TENANT has a predefined name that you cannot modify, and you cannot disable this tenant. You can modify only the default description and the hostname.


To create a tenant

  1. Log in to the BMC Helix SSO server as a SaaS administrator. 
  2. On the navigation panel, click Tenant.
  3. Click Add Tenant.
  4. To add a tenant, complete the following fields:
    • Name 
    • Hostname—Specify the hostname to access an individual tenant by using the following format: host.example.com
    • (Optional) Description
    • (Optional) Self-service configuration 

      Important

      The tenant name and tenant host name must be unique.  

  5. To enable the tenant, select the Enabled check box.
  6. Click Save.

To modify the SAAS tenant host name

  1. Log in to the BMC Helix SSO server as a SaaS administrator.
  2. On the navigation panel, click Tenant.
  3. Click Edit Tenant for the SaaS Tenant you want to update.
  4. Update the Tenant hostname and click Save.

    This option is not available if the hostname value was set by using the RSSO_SAAS_HOST environment variable.

To enable features for a tenant

Use feature flags to enable specific functionalities for a tenant.

  1. Edit or create a tenant for which you want to update the feature flags.
  2. Select the check boxes for the functionalities you want to enable for the tenant.

    Functionality and description:

    Local User Management "Confirm Registration"

    Helps local users to set their own password.

    Local User Management "Forgot Password"

    Helps local users to reset a forgotten, lost, or compromised password.

    Disable email template sanitizing

    Helps to check and modify the email template input in the Forgot Password functionality.

    Webhooks on authentication response

    Helps to notify an external service about user authentication in BMC Helix SSO by using webhooks.

    UserID transformation to convert AR alias to login

    Helps to specify a custom UserID to match the login ID.

    Path-specific session cookie

    Helps to limit the scope of the cookie to the /rsso path on the BMC Helix SSO server.

    Use tenant token timeouts for multi-tenant clients

    Helps to apply the same access and refresh timeout values that are defined for the particular tenant level for multi-tenant clients.

    Hide copyright

    Helps administrators to hide the BMC copyright message on the login page of the integrated BMC application.

    Multiple certificates in SP Metadata

    Helps administrators to use two aliases for signing and encryption certificates in SAML Metadata. After you enable this feature, update the SP Metadata Template to include secondary certificate(s).

    Important: If you use Active Directory Federation Services as an IdP, only one encryption key is supported.

    UI idle timeout

    Enables user logout from a BMC application integrated with BMC Helix SSO due to inactivity in the UI based on defined criteria.

    This option is available for deployments where applications are protected by the BMC Helix SSO agent:

    • Deployments where the BMC Helix SSO agent communicates with the BMC Helix SSO server using the legacy flow.
    • Deployments where the BMC Helix SSO agent is deployed with multi-domain support.
    • Deployments where the BMC Helix SSO agent is protected by Auth Proxy.

    Check TCP connection

    Enables the Check TCP connection feature in the Service tab of a tenant. Helps administrators to troubleshoot failed connections between BMC Helix SSO and other applications. The Host, Port, and Type fields are required. In the Type field (available with version 23.1.01 and later), select a Transmission Control Protocol (TCP) connection type established between the BMC Helix SSO server and an integrated BMC application:

    • Plain — Non-TLS connection.
    • Encrypted insecure — TLS connection without certificate verification.
    • Encrypted secure — TLS connection with certificate verification.

    After you add values to these fields, click Send. A status line shows whether the connection succeeded.

    CSP Headers

    Enables adding custom Content Security Policy (CSP) headers to an HTTP response from the OAuth 2.0 authorization endpoint. CSP headers prevent issues with access to integrated BMC applications through a multi-domain flow. When the CSP Headers setting is turned on, an administrator can add predefined headers, their values, and optionally specify origin headers. 

    Fetch AR user info

    Enables the BMC Helix SSO server to fetch additional user information about the authenticated user from the Action Request System server (AR System server), store it in the BMC Helix SSO database, and provide the information to external services and integrated applications.

    Important: The information is fetched from the AR System server's CTM:People form. If this form does not exist on the AR System server for the user, no information is fetched.

    MSP server side

    Enables realm identification on the BMC Helix SSO server side. It is used for multi-domain applications to simplify the configuration of user sessions. The MSP server side feature applies to the BMC Helix SSO Agent and Auth Proxy.

    Admin console access control

    Enables BMC Helix SSO to provide admin authentication tokens to log in to the BMC Helix SSO Admin Console based on the access group.

    Cookie SameSite Strict

    Enables the Strict option for the SameSite cookie usage.

    All these features are disabled by default.

  3. Click Save.
    The changes are applied automatically for a tenant.
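The Check TCP connection feature above distinguishes three connection types: Plain, Encrypted insecure (TLS without certificate verification) and Encrypted secure (TLS with certificate verification). The following script is an added example, not BMC code and not the feature's implementation; it reproduces the same three modes with Python's standard ssl module so that an administrator can run the equivalent check from a shell when troubleshooting a failed connection. The function and constant names are the example's own.

```python
"""Diagnostic in the spirit of the Check TCP connection feature: try a TCP
connection to a host and port using one of the three connection types the
tenant's Service tab offers. Added example, not BMC code."""
import socket
import ssl
import sys

# Connection types as named in the Type field of the Service tab.
PLAIN = "Plain"                            # non-TLS connection
ENCRYPTED_INSECURE = "Encrypted insecure"  # TLS, no certificate verification
ENCRYPTED_SECURE = "Encrypted secure"      # TLS with certificate verification


def build_context(conn_type):
    """Return the ssl.SSLContext for a connection type, or None for Plain."""
    if conn_type == PLAIN:
        return None
    # The default context verifies the peer certificate against the system CA
    # store and checks that it matches the hostname: "Encrypted secure".
    ctx = ssl.create_default_context()
    if conn_type == ENCRYPTED_INSECURE:
        # "Encrypted insecure": useful only to tell a closed port or a failed
        # handshake apart from a certificate the client rejects.
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    elif conn_type != ENCRYPTED_SECURE:
        raise ValueError(f"unknown connection type: {conn_type!r}")
    return ctx


def verifies_certificate(conn_type):
    """True only when the connection type validates the server certificate."""
    ctx = build_context(conn_type)
    return ctx is not None and ctx.verify_mode == ssl.CERT_REQUIRED and ctx.check_hostname


def check_tcp_connection(host, port, conn_type=PLAIN, timeout=5.0):
    """Attempt the connection; report the outcome as a dict rather than raising."""
    result = {"host": host, "port": port, "type": conn_type, "ok": False}
    ctx = build_context(conn_type)
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            if ctx is None:
                result["ok"] = True
                return result
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                result["ok"] = True
                result["protocol"] = tls.version()
                result["cipher"] = tls.cipher()[0]
                # getpeercert() is populated only when verification was requested.
                if conn_type == ENCRYPTED_SECURE:
                    result["subject"] = tls.getpeercert().get("subject")
    except ssl.SSLCertVerificationError as exc:
        # Port open and TLS spoken, but the certificate did not validate:
        # usually an untrusted CA or a hostname mismatch.
        result["error"] = f"certificate verification failed: {exc.reason}"
    except ssl.SSLError as exc:
        result["error"] = f"TLS handshake failed: {exc}"
    except OSError as exc:
        # Refused, unreachable or timed out before any TLS exchange.
        result["error"] = f"connection failed: {exc}"
    return result


if __name__ == "__main__":
    # Usage: python check_tcp.py host port ["Plain"|"Encrypted insecure"|"Encrypted secure"]
    host, port = sys.argv[1], int(sys.argv[2])
    conn_type = sys.argv[3] if len(sys.argv) > 3 else PLAIN
    print(check_tcp_connection(host, port, conn_type))
```

Running the same host and port first as Encrypted insecure and then as Encrypted secure separates the two failure modes a firewall or a self-signed certificate produce: if the insecure check succeeds and the secure one reports a verification error, the network path is fine and the certificate chain or hostname is the problem.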
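Two of the flags above change attributes of the session cookie: Path-specific session cookie limits it to the /rsso path, and Cookie SameSite Strict sets SameSite=Strict. The following added example, not BMC code, parses a Set-Cookie header captured from a response and reports which of those attributes (plus the general Secure and HttpOnly attributes) are missing, so the effect of the flags can be confirmed in the browser's developer tools or a proxy log. The cookie name rsso_session and both sample headers are constructed for illustration.

```python
"""Check that a Set-Cookie header reflects the Path-specific session cookie
and Cookie SameSite Strict flags. Added example, not BMC code; the cookie
name and the sample headers are constructed for illustration."""

EXPECTED_PATH = "/rsso"  # scope the Path-specific session cookie flag applies

# Constructed samples: the first is what the two flags aim for, the second is a
# broadly scoped cookie for comparison.
HARDENED = "rsso_session=abc123; Path=/rsso; Secure; HttpOnly; SameSite=Strict"
BROAD = "rsso_session=abc123; Path=/; SameSite=Lax"


def parse_set_cookie(header):
    """Split a Set-Cookie value into (name, value, {attribute_lowercase: value})."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        if not part:
            continue
        key, _, val = part.partition("=")
        # Flag attributes such as Secure have no value; store them as "".
        attrs[key.strip().lower()] = val.strip()
    return name.strip(), value.strip(), attrs


def audit_session_cookie(header, expected_path=EXPECTED_PATH):
    """Return the cookie name and the list of deviations from the hardened settings."""
    name, _, attrs = parse_set_cookie(header)
    findings = []
    # A missing Path defaults to the request URL's directory, so treat it as unscoped.
    path = attrs.get("path", "(unset)")
    if path != expected_path:
        findings.append(f"Path is {path!r}, expected {expected_path!r} (Path-specific session cookie)")
    if attrs.get("samesite", "").lower() != "strict":
        findings.append("SameSite is not Strict (Cookie SameSite Strict)")
    if "secure" not in attrs:
        findings.append("Secure attribute missing: cookie may be sent over plain HTTP")
    if "httponly" not in attrs:
        findings.append("HttpOnly attribute missing: cookie readable from script")
    return {"cookie": name, "findings": findings}


if __name__ == "__main__":
    for sample in (HARDENED, BROAD):
        print(audit_session_cookie(sample))
```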

To switch to the Admin Console view of a tenant

  1. On the List of Tenants page, select a tenant.
  2. Click the pin button.

    An information message is displayed above the navigation panel stating which tenant you have selected.

    The Tenant field on the navigation panel displays the name of the tenant you have switched to.

Where to go from here

After you have created a tenant, create administrators for this tenant. For information about how to create a tenant administrator, see Setting-up-BMC-Helix-SSO-administrator-accounts.
