Configuring realm identification for multiple service providers

As a SaaS administrator, activate the Multiple Service Provider (MSP) functionality for a tenant and then enable realm identification by specifying a pattern for a user's login. The MSP functionality helps the BMC Helix Single Sign-On server to identify the realm to which a user has access to. After the realm is identified, the user can access all domains associated with the realm.

The MSP functionality works for AuthProxy based integrations, and agent-based integrations when multi-domain support is activated.

Tenant administrator access

Tenant administrators can access the MSP server-side settings for their tenants, and can change the mappings and their sequences. This access helps tenant administrators to get insights into the available mappings and manage them according to the business needs. 

How realm identification works

The following image provides an overview of how realm identification works:

How realm identification works.png

After you enable the MSP functionality and activate realm identification, the following events occur:

Event

Description

1

A user opens an application URL.

2

The BMC Helix Single Sign-On server redirects the user to the MSP page and prompts the user to enter a user name or any meaningful value.

3

After the user enters their credentials, the server attempts to identify a realm to which the user has access to and one of the following events occur:

  • If the server successfully identifies a realm, the user proceeds with the login activity and accesses domains in the realm to which they have access.
    The user accesses a domain by providing credentials based on the authentication configured for that realm.
  • If the server cannot identify a realm, the server displays the following error:Not possible to define realm To troubleshoot this error, create the #login.matches(".*") user name pattern and add it as the last pattern in the list.

To learn about how the server identifies a realm, see How user name patterns are used to identify a realm.

How user name patterns are used to identify a realm

After the user enters their login credentials, the server maps the user name with the user name patterns defined for different realms. A user name pattern is an expression defined in Spring Expression Language (SpEL). The expression must contain the #login keyword, which is a placeholder for the user name or any meaningful value that a user enters during runtime. Along with #login, you can use any of the string class functions that returns a boolean value to identify the realms that a user has access to.

Example

Allen, an administrator in Apex Global, defines the #login.endsWith(@apex.com) user name pattern for the Apex Global realm. Hannah, an end user, logs in to an application that is integrated with BMC Helix Single Sign-On and the following events occur:

  1. She enters the hannah@apex.com user name so that the server identifies her as a user who has access to the Apex Global realm.
  2. The BMC Helix Single Sign-On server maps hannah@apex.com with the #login.endsWith(@apex.com) user name pattern.
  3. The server finds that the user name Hannah provided matches with the user name pattern defined for Apex Global.
  4. The server authenticates Hannah according to the authentication settings defined for the realm.
  5. The server prompts Hannah to enter the credentials to complete the authentication process and grants her access to the application.

To activate the MSP functionality for a tenant

As a SaaS administrator, perform the following steps:

  1. Log in to the BMC Helix SSO Admin Console.
  2. On the navigation panel, click Tenant.
  3. Edit a tenant for which you want to enable realm identification.
  4. In the tenant feature flags section, select the MSP server side check box.
  5. Click Save.

To define a user name pattern for realm identification

A SaaS administrator can create or edit a user name pattern for all realms whereas a tenant administrator can create or edit a user name pattern for a realm where self-service is enabled.

As a SaaS or a tenant administrator, perform the following steps:

  1. On the navigation panel, click Realm.
    The Realm Configuration page is displayed where the     Realms tab contains a list of tenant realms, and the MSP tab contains the MSP mappings that can be configured for any realm.
  1. Click the MSP tab.

  2. In the Pattern field, specify a pattern with the #login.string method("value") format; for example, enter #login.endsWith("@local.com").
    If you specify multiple patterns for the same realm, the first value in the list of user name patterns takes precedence.

    Important

    A user name pattern must be unique for each realm.

  3. From the Realm list, select a realm that should be identified for the user name pattern you added.
  4. In the Actions column, click the confirmation icon.
  5. Click Add
  6. Click Save.
    MSP Server-Side05.JPG

If you do not create any user name patterns, the login process for a user runs as usual.

To change the sequence of MSP server-side mappings

As a SaaS or a tenant administrator, you can change the sequence of the MSP server-sider mappings by performing the following steps:

  1. Log in to the BMC Helix Single Sign-On admin console.
  2. On the navigation panel, click Realm.
  3. Click the MSP tab.
    The available mappings between a user name pattern and a realm are displayed.
  4. To change the sequence of mappings in the list, click the Up arrow Up arrow.pngor the Down arrow Down arrow.png.
  5. Click Save.

 

Tip: For faster searching, add an asterisk to the end of your partial query. Example: cert*