Configuring authentication for BMC Helix SSO administrators

Internal authentication is configured as the default method for logging in to the BMC Helix SSO Admin Console. Only administrators created on the BMC Helix SSO server by default can log in to the BMC Helix SSO Admin Console. You can use any external LDAP as an identity provider for BMC Helix SSO administrator accounts. 

You have the following options to configure authentication for BMC Helix SSO admin users:

  • You can use the default Internal authentication method to authenticate administrators. 
    You can specify the Internal authentication type only once in a chain.
  • You can use both methods of authentication by adding LDAP authentication method into a chain with the default Internal method. You can set LDAP authentication multiple times in an authentication chain.
  • You can disable Internal authentication and use only LDAP authentication by adding LDAP method into an authentication chain, and then removing the Internal type from the authentication chain.
  • You can restrict access to the BMC Helix SSO Admin Console for external users defined in LDAP. 
  • You can define groups to identify users who can log in to BMC Helix SSO by using REST API or the user interface.

Related topics

Configuring-the-Remedy-SSO-server

Setting-up-Remedy-SSO-administrator-accounts

Before you begin

You must have an external LDAP identity provider up and running, and you must have administrative permissions in BMC Helix SSO. 

To enable access control based on LDAP groups for the BMC Helix SSO Admin Console

  1. Log in to the BMC Helix SSO server as a SaaS administrator. 
  2. On the navigation panel, click Tenant
  3. Select the tenant, and from the Actions menu, click Edit Tenant Icon.pngEdit Tenant.

  4. Select the Admin console access control option.

    Important

    By default, this option is disabled.

  5. Save your changes.

To configure admin authentication through an external LDAP identity provider

  1. In the BMC Helix SSO Admin Console, select General > Admin Authentication.
  2. Click Add authentication.

  3. To configure a connection to an external LDAP identity provider, complete the following fields:

    Field

    Description


    Host

    Name of the server where LDAP identity provider is hosted.

    If LDAP is used in failover mode, you can specify more than one LDAP identity provider by providing a comma-separated list of servers. If the first server is unavailable, the BMC Helix SSO server switches to the second server specified in the list.


    Port

    Port number for the LDAP server, such as 389.


    Bind DN

    The distinguished name (DN) of a bind LDAP user.

    For example: CN=User,CN=Users,DC=example,DC=com

    This user must have privileges to search the directory.


    Bind Password

    Password for the bind LDAP user.


    Connection timeout, millis

    Enter an integer value, in milliseconds, greater than zero to timeout a connection request. 

    If the LDAP provider cannot establish a connection with the server within this time period, the connection attempt is aborted. 

    If this value is blank, the server waits for the connection to be established until the underlying network times out. 

    10

    Read timeout, millis

    Enter an integer value, in milliseconds, greater than zero to timeout a read request. 

    If the LDAP provider does not get an LDAP response within this time period, the read attempt is aborted.

    If this value is blank, the server waits for the response until it is received.

    10

  4. To specify which users from the LDAP identity provider will have permissions to access the BMC Helix SSO Admin Console, complete the following fields:

    Field

    Description

    User Search Filter

    The LDAP query to search for users. These users will have permissions to access the BMC Helix SSO Admin Console.

    For example: (&(objectCategory=user) (sAMAccountName=$ADMIN$)(memberof=CN=RSSOAdmin,OU=Users,DC=example,DC=com)).

    The user login ID is specified by the $ADMIN$ keyword.

    Users Base DN

    Base distinguished name used for users search.

    For example: CN=Users,DC=example,DC=com

    Identity Attribute

    Enter the LDAP attribute to be used as the login ID of the administrator.

    For example: sAMAccountName


  6. Click Add to chain.
  7. Click Save.

To disable Internal authentication

Important

You can disable the Internal authentication method only if you have LDAP authentication method added to the chain.

  1. In the BMC Helix SSO Admin Console, select General > Admin Authentication.
  2. From the Authentication Type list, select INTERNAL, and then click Delete_authentication_20.08.jpg.
  3. Click Save.

 

Tip: For faster searching, add an asterisk to the end of your partial query. Example: cert*