Setting up tenants

As a SaaS administrator, to enable the single sign-on experience for a customer company, you must first create a tenant on the BMC Helix Single Sign-On server, and then proceed with the onboarding tasks for this tenant.

Default tenant

The SAAS TENANT is the default tenant, which is available on the BMC Helix SSO server. Only a SaaS administrator has access to this tenant.

The SAAS TENANT has a predefined name which you cannot modify. You cannot disable this tenant. You can only modify the default description and Host.

SaaS tenant.png

To create a tenant

Log in to the BMC Helix SSO server as a SaaS administrator.
On the navigation panel, click Tenant.
Click Add Tenant.
To add a tenant, complete the following fields:
- Name
- Hostname—Specify the hostname to access an individual tenant by using the following format: host.example.com
- (Optional) Description
- (Optional) Self-service configuration
  Important
  The tenant name and tenant host name must be unique.
To enable the tenant, select the Enabled check box.
Click Save.

To modify the SAAS tenant host name

Log in to BMC Helix SSO server as a SaaS Administrator.
On the navigation panel, click Tenant.
Click Edit Tenant for the SaaS Tenant you want to update.
Update the Tenant hostname and click Save.
This option not available if the host name value was set by using the RSSO_SAAS_HOST environment variable.

To enable features for a tenant

Use feature flags to enable specific functionalities for a tenant.

Edit or create a tenant for which you want to update the feature flags.

Select the check boxes with the functionalities to be enabled for a tenant.

Functionality	Description	Reference
Local User Management "Confirm Registration"	Helps local users to set their own password.	Managing-local-users-and-passwords
Local User Management "Forgot Password"	Helps local users to reset a forgotten, lost, or compromised password.	Configuring-Local-authentication
Disable email template sanitizing	Helps to check and modify the email template input in the Forgot Password functionality.	Configuring-Local-authentication
Webhooks on authentication response	Helps to notify an external service about user authentication in BMC Helix SSO by using webhooks.	Notifying-an-external-service-about-user-authentication-by-using-a-webhook
Path-specific session cookie	Helps to limit the scope of the cookie to the /rsso path on the BMC Helix SSO server.	Security planning
Use tenant token timeouts for multi-tenant clients	Helps to apply the same access and refresh timeout values that are defined for the particular tenant level for multi-tenant clients.	Configuring-OAuth-2-0
Hide copyright	Helps administrators to hide the BMC copyright message on the login page of the integrated BMC application.	Login-and-logout-experience-for-end-users
Enable attribute extraction from SAML IdP	Enables creation of user attributes and claims to use from data extracted from SAML IdP requests.	Configuring-attributes-for-the-userinfo-endpoint-and-ID-token-for-OAuth-clients
UI idle timeout	Enables user logout from a BMC application integrated with BMC Helix SSO due to inactivity in the UI based on defined criteria. This option is available for deployments where applications are protected by the BMC Helix SSO agent: Deployments where the BMC Helix SSO agent communicates with the BMC Helix SSO server using the legacy flow. Deployments where the BMC Helix SSO agent is deployed with multi-domain support. Deployments where the BMC Helix SSO agent is protected by Auth Proxy.	Enabling-idle-timeout-for-integrated-BMC-applications
Check TCP connection	Enables the Check TCP connection feature in the Service tab of a tenant. Helps administrators to troubleshoot failed connections between BMC Helix SSO and other applications. The Host, Port, and Type fields are required. In the Type field (available with version 23.1.01 and later), select a Transmission Control Protocol (TCP) connection type established between the BMC Helix SSO server and an integrated BMC application: Plain — Non-TLS connection. Encrypted insecure — TLS connection without certificate verification. Encrypted secure — TLS connection with certificate verification. After you add values to these fields, click Send. A command line shows whether a connection is successful.	Troubleshooting-integration-issues
MSP server side	Enables the BMC Helix SSO Server with a realm identifying functionality on the server side. It is used for multi-domain applications to enhance configuration experience for user sessions. MSP server side feature is applicable for a BMC Helix SSO Agent and Auth Proxy.	Configuring-realm-identification-for-multiple-service-providers

All these features are disabled by default.

Click Save.
The changes are applied automatically for a tenant.

To switch to the Admin Console view of a tenant

On the List of Tenants page, select a tenant.
Click the pin button.
An information message is displayed above the navigation panel stating which tenant you have selected:
The Tenant field on the navigation panel displays the name of the tenant you have switched to.

Where to go from here

After you have created a tenant, create administrators for this tenant. For information about how to create a tenant administrator, see Setting-up-BMC-Helix-SSO-administrator-accounts.