Configuring general settings for a realm

When you are in the process of adding a realm for any authentication type, the first thing you need to do is to configure the general details of a realm.

Related topics

Adding-and-configuring-realms

Realms

Login-and-logout-experience-for-end-users

The following table describes realm settings on the General tab that you need to configure:

Field

Action

Realm ID

Enter a realm name. The value that you enter must satisfy the following requirements:

  • Must be a unique value
  • Must not be more than 80 characters
  • Must include only alphanumeric characters

  • Can contain the following special symbols:

    • asterisk ( * )
    • dot ( . )
    • underscore ( _ )
    • dash ( - )

    Important: The realm ID stored in the BMC Helix SSO database is case-insensitive. So, for example, you cannot create a realm called "Cola" if a realm "cola" already exists.

Application Domain(s)

Enter comma-separated domain names of applications integrated with BMC Helix SSO. Each value in the application domain is a host of an application URL of a tenant. For example, if the URL for the Mid Tier application is http://tenant1.midtier.company.com/arsys, the host will be tenant1.midtier.company.com.

Ensure that all applications of a tenant have a corresponding value in the application domain string. For example, consider that you created realm1 for a tenant that has two applications with the following URLs:

  • Mid Tier URL as http://tenant1.midtier.company.com/arsys
  • BMC Digital Workplace URL as http://tenant1.dwp.company.com/ux/dwpapp

In this scenario, for realm1, the application domain value will be a comma-separated string of tenant1.midtier.company.com and tenant1.dwp.company.com.

You can define the application domain by using one of the following patterns:

  • Subdomain of an application
  • Host name + subdomain of an application
  • Host name

Example:

<hostname>.calbro.bmc.com is a fully qualified domain name.

calbro is a subdomain of bmc.com

bmc is a subdomain of com

com is the parent domain.

Important:

  • You must not add a domain to more than one realm.
  • The Application Domains field does not accept uppercase characters; every entry is automatically transformed into lowercase characters.

(Optional)

Tenant

Enter the tenant name of the integrated applications. 

Important: You can associate a realm with only one application tenant.

(Version 22.3.01 and later) If you select the Invalidate Sessions On Tenant Change check box, all tokens and sessions of users who are logged in within this realm are invalidated when the tenant changes.

(Optional)

After Logout URL


Enter the URL to which a user is redirected after the user logs out from BMC Helix SSO.

Important

If you use the OpenID Connect authentication method, the After logout URL functionality is available only if you upgrade BMC Helix SSO from versions earlier than 20.08.

(Optional)

Single Log Out


Select this check box to enable the single logout option for end users.

When the single logout experience is enabled, if an end user clicks the logout URL in one application, the user is automatically logged out from the BMC Helix SSO server and, as a result, from all applications belonging to the user's realm.

When the single logout experience is disabled, if an end user clicks the logout URL in one application, the user is still logged in to BMC Helix SSO server if the user is simultaneously logged in to at least one application. 

The BMC Helix SSO agent maintains a cache. Therefore, for applications that are open in other browser tabs, single log out occurs after a short delay. 

For an enhanced single logout experience for users, see Supporting-immediate-logout-from-all-applications.

Session Quota

For security reasons, you might need to configure the number of active sessions or simultaneous logins for a particular realm. You can also decide whether to invalidate an older session or not allow the user to log in to a new session and display an error message.

In this field, you can enter the number of active sessions or simultaneous logins for a particular user.

Enter one of the following values:

  • 0—Allow multiple simultaneous logins, that is, any number of logins are allowed.
    Important: This is the default value so that after an upgrade, there is no restriction on the number of simultaneous logins.
  • 1—Only one login session is allowed for the user.
  • Any other value other than 0 or 1—Only those number of session logins will be allowed for the user.

Important:

  • If you select the Automatically invalidate oldest session on reaching quota check box, and if a user exceeds the number of logins, the user can log in but will get logged out from the oldest session. If you do not select this option, the user cannot log in to any session beyond the entered value, and the following error message is displayed: Exceeded session quota limit.
  • Immediate logout applies to the session quota to avoid user session caching. Immediate logout must be enabled and the BMC Helix SSO server and agent (in rsso-agent.properties file) or Auth Proxy (in external.conf file) should be configured with a Redis server.

    For more information about the Redis server configuration, see Supporting-immediate-logout-from-all-applications.

AR API URL

Enter the URL of the Action Request System server (AR System server) API.

If you choose to add this configuration, you must populate all the AR Integration fields to enable the feature to fetch additional user information from the authenticated user from the AR System server and store it in the BMC Helix SSO database.

AR Integration User Name

Enter the user name to be used to access the AR System server.

Important:

The user must have permissions to get information about users from the AR CTM:People form.

AR Integration User Password


Enter the password for the specified user name to access the AR System server.

 

Tip: For faster searching, add an asterisk to the end of your partial query. Example: cert*