Skip to Content
Information
This documentation supports the 25.1 and consecutive patch versions of BMC Helix Single Sign-On. To view an earlier version, select the version from the Product version menu.

 

BMC Helix Single Sign-On 25.1

With BMC Helix Single Sign-On, your end users can present credentials for authentication only once in a multi software environment. Administrators enable single sign-on experience for applications, configure authentication methods, and review audit records.


Release notes and notices Updated 26 May 2025

Learn what’s new or changed in this space, including urgent issues, documentation updates, service packs, and patches.

Success

Tip

To stay informed of changes to this list, click the bell icon on top of this page and configure notifications.

Related topics

Known-and-corrected-issues

Support-information

Downloading the installation files

Date

Summary

Reference

March 19, 2025

Updates available in 25.1.02:

  • Change the password of a tenant administrator account
  • Use the AR bypass functionality for specific IP addresses
25-1-enhancements-and-patches

February 19, 2025

Update available in 25.1.01:

  • Limited number of audit records displayed in a query

January 22, 2025

Update available in 25.1.00:

  • Use any valid URI as a redirect path for native clients

December 19, 2024

Updates available in 24.4.02:

  • Encrypt data
  • Validate SpEL expressions
  • View additional details in audit records
  • Use trace IDs to easily locate issue details in logs for troubleshooting OpenID Connect issues

November 18, 2024

Enhancements available in this release:

  • Retrieve additional user details from an OpenID connect provider ID token
  • Additional scenarios supported for immediate logout sessions

October 16, 2024

Enhancements available in this release:

  • Access the MSP server-side mappings for tenants
  • Support for Redis cluster
Success

Click here to see the steps.

  1. From the Tools menu in the upper-right, select a format:
    • Export to Word to export the current page to Word format
    • Export to PDF to export the current page or a set of pages to PDF
      Tools menu1.png

  2. If exporting to PDF, select what you want to export:

    • Only this page to export the current page
    • This page and its children to export a set of pages

    For example, selecting This page and its children from the home page exports the entire space to PDF.


Setting up BMC Helix SSO administrator accounts

Manage user accounts who will have access to BMC Helix SSO.

Configuring the BMC Helix SSO server

Configure the maximum session time for end users, enable the account lockout for administrators and audit records.

Setting up end user authentication

Configure authentication of end users through a specified authentication method.

Administering

Set up administrator accounts, activate tenants, and secure sensitive data.

Troubleshooting

Resolve common issues or errors, review logs, or contact BMC Customer Support.
Product trials Product trials
CommunitiesCommunities
Knowledge BaseKnowledge Base
VideosVideos
PDFs and videos

This topic describes and links to PDFs, videos and other documents that support this product release. If the ready-made PDFs of this space do not satisfy your requirements, you can export a custom PDF.

Information
Info

When you export a custom PDF, you can select the topics to include. For information about how you can export a custom PDF from this space, see Exporting-to-PDF-and-other-formats.

Ready-made PDFs of this space

Error

You must log in or register to view this page

Videos

The following table lists topics that contain videos that supplement or replace the text-based documentation.

Frequently asked questions

Here are some answers to the most frequently asked questions about the BMC Helix Single Sign-On product.

Related topics

Troubleshooting

Frequently asked questions about BMC Helix SSO

An end user has modified the password, however the end user is still able to access BMC Helix SSO applications. Has the password been updated?

Identity providers do not automatically notify BMC Helix SSO about the password change. Hence, an end user's BMC Helix SSO session remains active until it expires, and is not revoked after password change on the identity provider (IdP). To force the logoff, and receive the request for entering a new password, an end user needs to ask a BMC Helix SSO administrator to delete all active sessions/OAuth of this end user.

How can I change my Helix SSO administrator password?

You can change your password in the BMC Helix SSO Admin Console, in the Admin User Management. To change your password, select your user account name, and then edit your password as required. See Setting up Remedy SSO administrator accounts for more details about how to change the password of an administrator.

I'd like to obtain BMC Helix SSO server version. How can I get that?

You can obtain the BMC Helix SSO server version information through the <RSSO Server>/config/server-status URL. You must be authenticated as a BMC Helix SSO administrator before that.

Is there a way to automatically retrieve OAuth metadata from the Helix SSO server?

Yes, you can do this.

If the OpenID Issuer URL is configured for the OAuth 2.0, developers of third-party applications can retrieve the OAuth metadata from the BMC Helix SSO server by using the following autodiscovery URL: RSSO_host:RSSO_port/rsso/.well-known/openid-configuration.

Running this request in the browser window returns details about the OpenID Connect (OIDC) provider's configuration, including the URIs of the authorization, token, revocation, userinfo, and public-keys endpoints.

Does BMC Helix SSO provide options for auditing end-user actions?

Yes.

You can enable audit records for end-user events in the BMC Helix SSO Admin Console > General > Advanced > select the End-user events check box.

Frequently asked questions about the idle timeout

What if a page is minimized or hidden?

If the idle timeout value is reached, logout happens anyways.

What if the UI idle timeout Helix SSO script does not work for one of the integrated BMC applications?

If the UI idle timeout BMC Helix SSO script does not work for at least one of the applications, the idle timeout does not work for all of the applications. 

What if applications have a different UI idle timeout period?

A warning message is shown for an application with the least UI idle timeout value first.

What if a user has got an infinite session?

Idle timeout is not applied.

What if the single logout option is not enabled in a realm?

A user is not logged out from all the applications, but only from the applications that reached the idle timeout value.

Frequently asked questions about multi-factor authentication

Does BMC Helix SSO support multi-factor authentication?

Multi-factor authentication (MFA) is not directly implemented in BMC Helix SSO. However, the product supports MFA-enabled IdPs configured for authentication.

For example, if your application integrates with the BMC Helix SSO server by using the SAML protocol, then MFA must be enabled and configured on the SAML IdP for end users to complete the authentication flow.

Important
MFA is not considered state-of-the-art, but it is effective in providing strong and phishing-resistant authentication.

How does MFA work with BMC Helix SSO?

If your application integrates with BMC Helix SSO by using protocols such as OIDC or SAML 2.0, MFA must be configured on the external IdP (for example, Okta Verify and Azure Active Directory). BMC Helix SSO redirects users to the IdP that manages the MFA process.

What is recommended for MFA?

BMC recommends using OIDC or SAML 2.0 for federated authentication in on-premises deployments of BMC Helix SSO and in SaaS environments. For more details, see the following documentation:

How is MFA implemented in BMC Helix SaaS?

For SaaS deployments, BMC recommends using federated authentication through OIDC 1.0 or SAML 2.0. MFA must be configured on the IdP side.

What about MFA for on-premises deployments?

For on-premises environments, must also use federated authentication with an external IdP that supports MFA. BMC Helix SSO redirects users to the IdP that manages the MFA process. For more details, seeAuthentication options.

 

Tip: For faster searching, add an asterisk to the end of your partial query. Example: cert*

BMC Helix Single Sign-On 25.1