Configuring OpenID Connect authentication
To configure OpenID Connect authentication
- Log in to the BMC Helix SSO Admin Console.
- In the left navigation panel of the Add Realm or Edit Realm page, click Authentication.
- From the Authentication Type list, select OIDC.
- To import OpenID Connect provider information, click Import.
- Complete the Issuer or OpenID Connect Discovery provider URL field, and click Import.
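The Import step works by fetching the provider's discovery document (the `/.well-known/openid-configuration` JSON) and copying its endpoint metadata into the fields below. The following added example, which is not BMC's code, shows what a careful import should do with that document: derive the discovery URL from either an issuer or a full discovery URL, map the metadata keys onto the Authentication tab fields, reject a document whose asserted issuer differs from the one it was fetched for, and refuse non-https endpoints. The discovery document and the `idp.example.com` hostname are constructed samples, not a real provider.

```python
import json
from urllib.parse import urlparse

# Constructed sample of a provider's discovery document (not a real provider); the
# Import step fetches the real one from <issuer>/.well-known/openid-configuration.
SAMPLE_DISCOVERY_JSON = json.dumps({
    "issuer": "https://idp.example.com",
    "authorization_endpoint": "https://idp.example.com/oauth2/authorize",
    "token_endpoint": "https://idp.example.com/oauth2/token",
    "userinfo_endpoint": "https://idp.example.com/oauth2/userinfo",
    "jwks_uri": "https://idp.example.com/oauth2/keys",
    "end_session_endpoint": "https://idp.example.com/oauth2/logout",
    "token_endpoint_auth_methods_supported": ["client_secret_basic", "client_secret_post"],
})

WELL_KNOWN = "/.well-known/openid-configuration"

# Discovery metadata key -> Authentication tab field it populates
FIELD_MAP = {
    "issuer": "Issuer",
    "authorization_endpoint": "Authorization URL",
    "token_endpoint": "Token URL",
    "userinfo_endpoint": "UserInfo URL",
    "jwks_uri": "JWKS URI",
    "end_session_endpoint": "End Session URL",
}
# Without these the authorization code flow cannot run or ID tokens cannot be verified
REQUIRED_KEYS = ("issuer", "authorization_endpoint", "token_endpoint", "jwks_uri")


def normalize_issuer(entered_url):
    """Accept either an issuer URL or the full discovery URL (as the Import field does)
    and return the issuer the document must assert."""
    url = entered_url.strip()
    if url.endswith(WELL_KNOWN):
        url = url[: -len(WELL_KNOWN)]
    return url.rstrip("/")


def discovery_url(entered_url):
    """Location the Import step fetches for the entered value."""
    return normalize_issuer(entered_url) + WELL_KNOWN


def map_discovery(document_text, entered_url):
    """Parse a discovery document and map it onto the Authentication tab fields.
    Returns {"fields": {...}, "problems": [...]}; accept the fields only when
    problems is empty."""
    problems, fields = [], {}
    try:
        doc = json.loads(document_text)
    except json.JSONDecodeError as exc:
        return {"fields": fields, "problems": [f"not valid JSON: {exc}"]}
    if not isinstance(doc, dict):
        return {"fields": fields, "problems": ["document is not a JSON object"]}

    for key in REQUIRED_KEYS:
        if key not in doc:
            problems.append(f"missing required metadata: {key}")

    # OIDC Discovery requires the asserted issuer to be identical to the issuer the
    # document was fetched for; a mismatch means tokens would be trusted from the wrong provider.
    expected_issuer = normalize_issuer(entered_url)
    asserted = doc.get("issuer", "")
    if not isinstance(asserted, str) or normalize_issuer(asserted) != expected_issuer:
        problems.append(f"issuer mismatch: document asserts {asserted!r}, expected {expected_issuer!r}")

    for key, field in FIELD_MAP.items():
        value = doc.get(key)
        if value is None:
            continue
        parsed = urlparse(value) if isinstance(value, str) else None
        # Every endpoint carries codes, tokens or keys, so accept nothing but https
        if parsed is None or parsed.scheme != "https" or not parsed.netloc:
            problems.append(f"{field} is not an https URL: {value!r}")
            continue
        fields[field] = value
    return {"fields": fields, "problems": problems}


def supported_client_auth_methods(document_text):
    """Client Authentication methods the provider advertises for its Token Endpoint;
    OIDC Discovery defines client_secret_basic as the default when the key is absent."""
    doc = json.loads(document_text)
    return list(doc.get("token_endpoint_auth_methods_supported", ["client_secret_basic"]))


if __name__ == "__main__":
    result = map_discovery(SAMPLE_DISCOVERY_JSON, "https://idp.example.com")
    for field, value in result["fields"].items():
        print(f"{field}: {value}")
    print("problems:", result["problems"])
    print("client auth methods:", supported_client_auth_methods(SAMPLE_DISCOVERY_JSON))
```

The issuer comparison is the check that matters most: the imported Issuer value is what every ID token's `iss` claim is later compared against, so importing a document that asserts a different issuer would silently point the realm at another provider.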
On the Authentication tab, complete the following fields:

| Field | Description |
| --- | --- |
| Issuer | URL that the OpenID Connect provider asserts as its Issuer Identifier. |
| Authorization URL | URL of the OpenID Connect provider's Authorization Endpoint. |
| Token URL | URL of the OpenID Connect provider's Token Endpoint. |
| UserInfo URL | URL of the OpenID Connect provider's UserInfo Endpoint. |
| JWKS URI | URL of the OpenID Connect provider's JSON Web Key Set (JWKS) document. |
| End Session URL | URL of the End Session Endpoint. |
| Client ID | Identifier of the client application as registered on the OpenID Connect provider side. |
| Client Secret | Secret used to authenticate the client application. When the BMC Helix SSO server is registered as a client on the OpenID Connect provider side, the OpenID Connect provider generates and provides the client ID and client secret values. |
| Scope | A space- or comma-separated list of scopes indicating the required scope of the access token from the OpenID Connect provider. |
| RSSO Server URL | URL of the BMC Helix SSO server. |
| RSSO Callback URL | Read-only field. |
| Prompt | Action that the authorization server prompts the user for. Select one of the values listed under Prompt options below. |
| User ID field name | Name of the field that contains the User ID. |
| Client Authentication method | Method by which the client authenticates, as agreed during registration. Available methods: client_secret_basic, client_secret_post (the default), and client_secret_jwt. |
| User ID Transformation | Transforms the User ID to match the Login ID so that the login procedure succeeds. The User ID can be modified with the predefined transformation commands or with a custom expression. For more information, see Transforming-User-ID-to-match-Login-ID. |
| Custom expression | Custom value for the User ID transformation. For more information, see Transforming-User-ID-to-match-Login-ID. |
| Groups Claim name | Name of the claim in the id_token from which end-user groups are extracted. |
| Infinite session group | Name of the group whose users get the infinite sessions experience. For more information, see Configuring-infinite-user-sessions. |
| ALLOW-FROM Domain(s) | Allows the BMC Helix SSO server to launch applications in iframes. For more information, see Allowing-Remedy-SSO-to-open-applications-in-iframes. |
| Additional attributes from ID Token | Fetches user details from the ID token of the OpenID Connect provider to add another level of user authentication. Specify the fields listed under Attribute fields below. |
| User attributes from userinfo endpoint | Fetches user details from the /userinfo endpoint to add another level of user authentication. Specify the fields listed under Attribute fields below. |

Prompt options:
- none: Does not display any authentication or consent user interface pages. The authorization server returns an error if the end user is not already authenticated, if the client does not have a pre-configured consent for the requested claims, or if other conditions for processing the request are not fulfilled. The error code is typically one of the following:
  - login_required
  - interaction_required
  - account_selection_required
  - consent_required
  - invalid_request_uri
  - invalid_request_object
  - request_not_supported
  - request_uri_not_supported
  - registration_not_supported
  This option can be used to check for existing authentication or consent without showing the user any pages.
- login: Prompts the end user for reauthentication. If the authorization server cannot reauthenticate the end user, it returns an error, typically login_required.
- consent: Prompts the end user for consent before returning information to the client. If the authorization server cannot obtain the consent, it returns an error, typically consent_required.
- select_account: Prompts the end user to select a user account. This enables an end user who has multiple accounts at the authorization server to select the account for which they currently have a session. If the authorization server cannot obtain an account selection from the end user, it returns an error, typically account_selection_required.

Attribute fields (for Additional attributes from ID Token and User attributes from userinfo endpoint):
- Name (labeled Attribute name for the userinfo endpoint)—The name of an attribute associated with a user that is stored in a BMC Helix Single Sign-On session.
- Type—The type of user data that you want to fetch.
- Claim—The claim in the ID token or in the userinfo endpoint response that supplies the value for the attribute.
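The Prompt and Scope fields shape the authorization request that BMC Helix SSO sends to the provider's Authorization Endpoint, and the Prompt value decides how the provider's error response should be handled. The following added example (not BMC's code) builds that request from constructed placeholder values for the Authorization URL, Client ID and RSSO Callback URL, enforces the mandatory `openid` scope, and classifies the provider's redirect back to the callback: a `state` mismatch is rejected, the error codes listed for `prompt=none` mean the silent check failed and an interactive request (for example with `prompt=login`) should follow, and anything else is a hard failure. The placeholder URLs and client ID are assumptions, not values from the page.

```python
import re
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

# The four values offered in the Prompt list
PROMPT_VALUES = ("none", "login", "consent", "select_account")

# Error codes a provider returns when a prompt=none request cannot be completed
# silently (the list given in the Prompt field description)
SILENT_FAILURE_ERRORS = frozenset({
    "login_required", "interaction_required", "account_selection_required",
    "consent_required", "invalid_request_uri", "invalid_request_object",
    "request_not_supported", "request_uri_not_supported", "registration_not_supported",
})

# Constructed placeholders; in a deployment these come from the Authentication tab
AUTHORIZATION_URL = "https://idp.example.com/oauth2/authorize"
CLIENT_ID = "bmc-helix-sso"
CALLBACK_URL = "https://sso.example.com/rsso-callback-placeholder"


def parse_scope(scope_field):
    """The Scope field accepts a space- or comma-separated list; OIDC requires 'openid'."""
    scopes = [s for s in re.split(r"[\s,]+", scope_field.strip()) if s]
    if "openid" not in scopes:
        raise ValueError("the Scope field must include 'openid'")
    return scopes


def build_authorization_url(scope_field, prompt=None, state=None, nonce=None,
                            authorization_url=AUTHORIZATION_URL, client_id=CLIENT_ID,
                            callback_url=CALLBACK_URL):
    """Return (url, state, nonce). state binds the callback to this request (CSRF
    protection); nonce binds the resulting ID token to it (replay protection).
    Both are stored server-side with the user's session until the callback arrives."""
    if prompt is not None and prompt not in PROMPT_VALUES:
        raise ValueError(f"unsupported prompt value: {prompt!r}")
    state = state or secrets.token_urlsafe(16)
    nonce = nonce or secrets.token_urlsafe(16)
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": callback_url,
        "scope": " ".join(parse_scope(scope_field)),
        "state": state,
        "nonce": nonce,
    }
    if prompt is not None:
        params["prompt"] = prompt
    return f"{authorization_url}?{urlencode(params)}", state, nonce


def classify_callback(callback_request_url, expected_state, prompt_used):
    """Decide what to do with the provider's redirect to the RSSO Callback URL.
    Returns 'reject' (state missing or mismatched), 'exchange_code' (proceed to the
    Token Endpoint), 'retry_interactive' (silent prompt=none check failed; repeat the
    request with an interactive prompt such as login), or 'fail'."""
    query = parse_qs(urlparse(callback_request_url).query)
    if query.get("state", [None])[0] != expected_state:
        return "reject"
    if "error" in query:
        error = query["error"][0]
        if prompt_used == "none" and error in SILENT_FAILURE_ERRORS:
            return "retry_interactive"
        return "fail"
    if "code" in query:
        return "exchange_code"
    return "fail"


if __name__ == "__main__":
    # Silent check first, then fall back to an interactive login if the provider says so
    url, state, nonce = build_authorization_url("openid, profile email", prompt="none")
    print("redirect user to:", url)
    simulated_callback = f"{CALLBACK_URL}?error=login_required&state={state}"  # constructed
    decision = classify_callback(simulated_callback, state, "none")
    print("callback decision:", decision)
    if decision == "retry_interactive":
        url, state, nonce = build_authorization_url("openid profile email", prompt="login")
        print("redirect user to:", url)
```

The `state` check runs before the error code is even looked at: an error or code arriving with the wrong `state` is not a provider failure to retry but a response that does not belong to this login attempt.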
- Click Add.
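The Client Authentication method field decides how the Client ID and Client Secret reach the provider's Token Endpoint when the authorization code is exchanged. The following added example (not BMC's code) builds the same token request in the three shapes the field offers: `client_secret_basic` carries the credentials in an HTTP Basic header, `client_secret_post` places them in the form body, and `client_secret_jwt` sends no secret at all but an HMAC-SHA256 JWT signed with it. A verifier for that JWT is included to show what the provider checks (fixed algorithm, signature, issuer, audience and expiry). The token URL, client ID, secret and callback URL are constructed placeholders.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time
from urllib.parse import quote, urlencode

CLIENT_ASSERTION_TYPE = "urn:ietf:params:oauth:client-assertion-type:jwt-bearer"


def _b64url(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_client_secret_jwt(client_id, client_secret, token_url, now=None, lifetime=60):
    """client_secret_jwt assertion: an HS256 JWT keyed with the client secret, addressed
    to the Token Endpoint (aud) and valid only for a short window, so the secret itself
    never travels over the wire."""
    now = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {"iss": client_id, "sub": client_id, "aud": token_url,
              "jti": secrets.token_urlsafe(16), "iat": now, "exp": now + lifetime}
    enc = lambda obj: _b64url(json.dumps(obj, separators=(",", ":")).encode())
    signing_input = f"{enc(header)}.{enc(claims)}"
    sig = hmac.new(client_secret.encode(), signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{_b64url(sig)}"


def verify_client_secret_jwt(assertion, client_id, client_secret, token_url, now=None):
    """What the provider's Token Endpoint checks before trusting a client_secret_jwt."""
    now = int(time.time()) if now is None else now
    parts = assertion.split(".")
    if len(parts) != 3:
        return False
    header_b64, claims_b64, sig_b64 = parts
    try:
        header = json.loads(_b64url_decode(header_b64))
        claims = json.loads(_b64url_decode(claims_b64))
        signature = _b64url_decode(sig_b64)
    except (ValueError, UnicodeDecodeError):
        return False
    if not isinstance(header, dict) or not isinstance(claims, dict):
        return False
    if header.get("alg") != "HS256":  # the verifier fixes the algorithm; the token never picks it
        return False
    expected = hmac.new(client_secret.encode(), f"{header_b64}.{claims_b64}".encode(),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(expected, signature):
        return False
    return (claims.get("iss") == client_id and claims.get("sub") == client_id
            and claims.get("aud") == token_url
            and isinstance(claims.get("exp"), int) and claims["exp"] > now)


def build_token_request(method, client_id, client_secret, token_url, code, callback_url, now=None):
    """Authorization-code token request shaped by the configured Client Authentication
    method. Returns the URL, headers, the form as a dict and its encoded body."""
    headers = {"Content-Type": "application/x-www-form-urlencoded"}
    form = {"grant_type": "authorization_code", "code": code, "redirect_uri": callback_url}
    if method == "client_secret_basic":
        # RFC 6749 section 2.3.1: form-encode each half, then base64 "id:secret"
        creds = f"{quote(client_id, safe='')}:{quote(client_secret, safe='')}"
        headers["Authorization"] = "Basic " + base64.b64encode(creds.encode()).decode()
    elif method == "client_secret_post":
        form["client_id"] = client_id
        form["client_secret"] = client_secret
    elif method == "client_secret_jwt":
        form["client_id"] = client_id
        form["client_assertion_type"] = CLIENT_ASSERTION_TYPE
        form["client_assertion"] = make_client_secret_jwt(client_id, client_secret, token_url, now)
    else:
        raise ValueError(f"unsupported Client Authentication method: {method!r}")
    return {"url": token_url, "headers": headers, "form": form, "body": urlencode(form)}


if __name__ == "__main__":
    # Constructed placeholder values, not a real provider or client
    token_url = "https://idp.example.com/oauth2/token"
    callback = "https://sso.example.com/rsso-callback-placeholder"
    for method in ("client_secret_basic", "client_secret_post", "client_secret_jwt"):
        req = build_token_request(method, "app1", "s3cret", token_url, "code123", callback)
        print(method, "->", req["headers"].get("Authorization", "(no Authorization header)"))
        print("  body:", req["body"][:80], "...")
```

With `client_secret_jwt` the provider learns only a short-lived, audience-bound assertion, so a request log at a proxy never contains the reusable secret; the verifier's fixed `alg` check is what prevents a forged token from downgrading the signature scheme.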