Transforming userID to match login ID


During the login procedure, BMC Helix Single Sign-On checks that the login ID provided by an end user matches the userID available in the user store of an identity provider (IdP). In many use cases, the login ID and the userID do not match, so end users cannot log in with their login credentials. In such cases, BMC Helix Single Sign-On can transform the userID for an authentication method when you specify a userID transformation type.

For example, the user name in the identity provider response is CustomUserName@gmail.com, and the user name specified in the Remedy AR System is CustomUserName. To configure the authentication method for end users' login, you must remove the domain from the userID.

You might also need to transform a userID when you integrate BMC Helix SSO with BMC applications, set up an authentication method, and then change the original authentication method. The new authentication method might not provide the same userID format that was available with the original method, and you must specify a userID transformation type for this authentication type.   


Important

The userID transformation options are supported for all authentication types except "Local".

To transform the userID to match the login ID

  1. In the left navigation panel of the Add Realm or Edit Realm page, click Authentication.
  2. In the UserID Transformation field, specify a required transformation type.
  3. Click Save.
    The following table lists the userID transformation options available in the UserID Transformations list:

    | Transformation | Description |
    | --- | --- |
    | None | Displays the entered userID without any transformation. |
    | RemoveBMCDomain | Displays the userID without the suffix, for example, abc@ is a suffix for the abc@<anyemaildomain>. |
    | RemoveDomain | Displays the userID without the prefix <domain>. Example: companyname\userid is transformed to userID. |
    | RemoveEMailDomain | Displays userID without the suffix @<anyemaildomain>. |
    | ToLowerCase | Displays userID after converting it to lower case. Example: UserID is transformed to userid. |
    | ToUpperCase | Displays userID after converting it to upper case. Example: userid is transformed to USERID. |

To specify a custom userID to match the login ID

  1. In the left navigation panel of the Add Realm or Edit Realm page, click Authentication.
  2. In the Custom Expression field, specify your value in the following format "userId + {value}".
    For example, by using the #userId + "@bmc.com" expression, you construct Mary@bmc.com.
  3. Click Save.
    You can specify a custom userID by using predefined string functions. The list of Java string functions and their description is displayed in the following table:

    | Function | Description |
    | --- | --- |
    | strip() | Returns a string whose value is this string, with all leading and trailing white spaces removed. |
    | substring(int beginIndex) | Returns a string that is a substring of this string. The substring begins with the character at the specified index and extends to the end of this string. |
    | substring(int beginIndex, int endIndex) | Returns a string that is a substring of this string. The substring begins at the specified beginIndex and extends to the character at index endIndex - 1. |
    | toLowerCase() | Converts all of the characters in this string to lower case. |
    | toUpperCase() | Converts all of the characters in this string to upper case. |
    | split(String regex) | Splits a string at matches of the given regular expression. |
    | replace(String target, String replacement) | Returns a string resulting from replacing all occurrences of target in this string with replacement. |

    The following table represents examples of using string functions:

    | Expression | Current value | Transformed value |
    | --- | --- | --- |
    | #userId.split('@')[0] | | user1 |
    | #userId.split('@')[0].toUpperCase() | | USER1 |
    | #userId.replace("@example.com", "@abc.com") | | |
    | #userid.substring(2) | p_user12345 | user12345 |
    | #userid.substring(4, 9) + #userid.substring(0, 4) | user12345 | 12345user |
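
A transformation that strips or rewrites part of the userID can map two different IdP identities to the same login ID, and index-based functions such as substring() fail on inputs shorter than expected. The following Java program is an added example, not BMC code: it re-implements three expressions from the examples table as plain Java lambdas (class and method names are hypothetical) and dry-runs them over constructed userIDs, reporting evaluation errors, empty results, and collisions.

```java
import java.util.*;
import java.util.function.UnaryOperator;

// Added example (not BMC code): dry-run a userID transformation over sample
// IdP userIDs before saving it in the realm. All sample values are constructed.
public class UserIdTransformCheck {

    // Plain-Java equivalents of expressions from the examples table.
    static final Map<String, UnaryOperator<String>> CANDIDATES = new LinkedHashMap<>();
    static {
        CANDIDATES.put("#userId.split('@')[0]", id -> id.split("@")[0]);
        CANDIDATES.put("#userId.split('@')[0].toUpperCase()", id -> id.split("@")[0].toUpperCase());
        CANDIDATES.put("#userid.substring(2)", id -> id.substring(2));
    }

    // Returns one finding per problem: a failed evaluation, an empty result,
    // or two different IdP userIDs that end up with the same login ID.
    static List<String> check(UnaryOperator<String> transform, List<String> idpUserIds) {
        List<String> findings = new ArrayList<>();
        Map<String, String> seen = new HashMap<>(); // login ID -> first source userID
        for (String id : idpUserIds) {
            String loginId;
            try {
                loginId = transform.apply(id);
            } catch (RuntimeException e) { // e.g. substring index out of range
                findings.add("ERROR     " + id + " : " + e.getClass().getSimpleName());
                continue;
            }
            if (loginId.isEmpty()) {
                findings.add("EMPTY     " + id);
                continue;
            }
            String previous = seen.putIfAbsent(loginId, id);
            if (previous != null && !previous.equals(id)) {
                findings.add("COLLISION " + previous + " and " + id + " -> " + loginId);
            }
        }
        return findings;
    }

    public static void main(String[] args) {
        List<String> sample = List.of( // constructed sample userIDs
            "user1@example.com", "user1@abc.com", "User2@example.com", "u", "@example.com");
        CANDIDATES.forEach((expr, fn) -> {
            System.out.println(expr);
            check(fn, sample).forEach(f -> System.out.println("  " + f));
        });
    }
}
```

With the constructed sample, both split('@')[0] expressions report a collision between user1@example.com and user1@abc.com and an empty result for @example.com, while substring(2) reports an error for the one-character userID.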

To transform AR System login ID

When your AR System login ID doesn't match the BMC Helix SSO login ID format, you can transform the login ID with the help of AR REST API. For information about the AR REST API, see AR Server REST API architecture.

To activate the login ID transformation option:

  1. In BMC Helix SSO, navigate to the appropriate realm.
  2. In the left navigation panel of the Add Realm or Edit Realm page, click Authentication.
  3. In the Custom Expression field, specify your value in the following format: 
    #arAliasToLoginName.convert('AR REST API URL', 'ARUser', 'encrypted ARUser Password', Field ID, #userId)
  4. Click Save.
    For example, you get the following result:
    #arAliasToLoginName.convert('https://example.com:8443', 'Demo', 'AES-GCM:5de2a10c228a89e8aaaf069c5fb7e448afb997565c0d3c46ba3ddac39fccbddc', 117, #userId)
    where '117' is a field ID for "Full Name" of the schema User.


 
