Configuring realm identification for multiple service providers
As a SaaS administrator, activate the Multiple Service Provider (MSP) functionality for a tenant and then enable realm identification by specifying a pattern for a user's login and/or (starting with version 25.3.02) IP address. The MSP functionality helps the BMC Helix Single Sign-On server identify the realm to which a user has access. After the realm is identified, the user can access all domains associated with that realm.
The MSP functionality works for Auth Proxy-based integrations and agent-based integrations.
Tenant administrator access
Tenant administrators can access the MSP server-side settings for their tenants, and can change the mappings and their sequence. This access gives tenant administrators insight into the available mappings and lets them manage the mappings according to their business needs.
To activate the MSP functionality for a tenant
As a SaaS administrator, perform the following steps:
- Log in to the BMC Helix SSO Admin Console.
- On the navigation panel, click Tenant.
- Edit a tenant for which you want to enable realm identification.
- In the tenant feature flags section, select the MSP server side check box.
- Click Save.
Identifying realms by a user name
The following figure provides an overview of how realm identification works when a user name pattern is configured:
After you enable the MSP functionality and activate user name-based realm identification, the following events occur:
| Event | Description |
|---|---|
| 1 | A user opens an application URL. |
| 2 | The BMC Helix Single Sign-On server redirects the user to the MSP page and prompts the user to enter a user name or any meaningful value. |
| 3 | After the user enters their credentials, the server attempts to identify a realm to which the user has access, and one of the following events occurs: |
How user name patterns are used to identify a realm
After the user enters their login credentials, the server matches the user name against the user name patterns defined for the different realms. A user name pattern is an expression defined in Spring Expression Language (SpEL). The expression must contain the #login keyword, which is a placeholder for the user name or any meaningful value that a user enters at runtime. Along with #login, you can use any of the String class methods that return a boolean value to identify the realms that a user has access to.
To define a user name pattern for realm identification
A SaaS administrator can create or edit a user name pattern for all realms whereas a tenant administrator can create or edit a user name pattern for a realm where self-service is enabled.
As a SaaS or a tenant administrator, perform the following steps:
- On the navigation panel, click Realm. The Realm Configuration page is displayed where the Realms tab contains a list of tenant realms, and the MSP tab contains the MSP mappings that can be configured for any realm.
- Click the MSP tab.
- Click Add.
- In the Pattern field, specify a pattern in the #login.<String method>("value") format, where the String method is any String class method that returns a boolean value; for example, enter #login.endsWith("@local.com"). If you specify multiple patterns for the same realm, the first value in the list of user name patterns takes precedence. Note: A user name pattern must be unique for each realm.
- From the Realm list, select a realm that should be identified for the user name pattern you added.
- In the Actions column, click the confirmation icon.
- Click Save.
If you do not create any user name patterns, the login process for a user runs as usual.
Identifying realms by an IP address
The following figure provides an overview of how realm identification works when an IP address pattern is configured:
After you enable the MSP functionality and activate IP address-based realm identification, the following events occur:
| Event | Description |
|---|---|
| 1 | A user opens an application URL. |
| 2 | The BMC Helix Single Sign-On server checks whether the user's IP address matches the specified rule. The user is not redirected to the MSP page. |
| 3 | After the server finishes checking the user's IP address, one of the following events occurs: |
How IP address patterns are used to identify a realm
When the user opens an integrated application URL, the server matches the user's IP address against the IP address patterns defined for the different realms. An IP address pattern is an expression defined in Spring Expression Language (SpEL). The expression must contain the #clientIPRange(...) keyword, which is a placeholder for the IP address or a range of IP addresses.
To define a user's IP address pattern for realm identification
A SaaS administrator can create or edit an IP address pattern for all realms whereas a tenant administrator can create or edit an IP address pattern for a realm where self-service is enabled.
As a SaaS or a tenant administrator, perform the following steps:
- On the navigation panel, click Realm. The Realm Configuration page is displayed where the Realms tab contains a list of tenant realms, and the MSP tab contains the MSP mappings that can be configured for any realm.
- Click the MSP tab.
- Click Add.
- In the Pattern field, specify a pattern in the #clientIPRange.include("IP address 1", "IP address 2", "IP address 3") format; for example, enter #clientIPRange.include("172.28.133.25"). You can also specify a range of IP addresses, for example, #clientIPRange.include("172.28.133.25-172.28.140.197"), or make the rule more specific by adding a user name pattern on the same line; for example, #clientIPRange.include("172.28.133.25-172.28.140.197")&&#login.equals("LD") means that only users whose IP address lies within the given range and whose user name is "LD" have access to the integrated BMC Helix application. If you specify multiple patterns for the same realm, the first value in the list of user name patterns takes precedence.
- From the Realm list, select a realm that should be identified for the IP address pattern you added.
- In the Actions column, click the confirmation icon.
- Click Save.
If you do not create any IP address patterns, or do not combine them with user name patterns, the login process for a user runs as usual.
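As an added example (not BMC's code, and not the SpEL engine that BMC Helix SSO actually evaluates), the following Python script models the realm-identification logic described in both the user name and the IP address sections above: an ordered list of pattern-to-realm mappings is walked from top to bottom and the first matching pattern wins, which is why the sequence of mappings matters. It supports the pattern forms shown on this page (#login.<String method>("value"), #clientIPRange.include(...) with single addresses and dash-separated ranges, and terms combined with &&). The mappings, realm names and addresses are constructed sample values, and a term that needs data the server does not have yet (no login entered, no client IP) is treated as not matching.

```python
import ipaddress
import re

# Constructed example: a minimal evaluator for the subset of SpEL-style MSP
# patterns shown on this page. It is not Spring's SpEL engine; it only models
# the semantics the documentation describes.

# Java String methods that return a boolean, mapped to Python equivalents.
_STRING_METHODS = {
    "endsWith": lambda s, v: s.endswith(v),
    "startsWith": lambda s, v: s.startswith(v),
    "contains": lambda s, v: v in s,
    "equals": lambda s, v: s == v,
    "equalsIgnoreCase": lambda s, v: s.lower() == v.lower(),
    "matches": lambda s, v: re.fullmatch(v, s) is not None,
}

# One term looks like #login.endsWith("@local.com") or
# #clientIPRange.include("a", "b-c"). Terms are joined with &&.
_TERM_RE = re.compile(r'^#(login|clientIPRange)\.(\w+)\((.*)\)$')


def _parse_args(raw):
    """Extract the double-quoted string arguments of a term."""
    return re.findall(r'"([^"]*)"', raw)


def _ip_in_spec(client_ip, spec):
    """True if client_ip equals the address or lies inside the 'low-high' range."""
    try:
        addr = ipaddress.ip_address(client_ip)
        if "-" in spec:
            low, high = (ipaddress.ip_address(p.strip()) for p in spec.split("-", 1))
            return low <= addr <= high
        return addr == ipaddress.ip_address(spec.strip())
    except ValueError:
        # Malformed address or range: treat as no match rather than failing open.
        return False


def evaluate_pattern(pattern, login=None, client_ip=None):
    """Return True only if every && term of the pattern holds.

    A term that needs data the server does not have yet (no login entered,
    no client IP) evaluates to False, so the whole pattern does not match.
    """
    for term in pattern.split("&&"):  # assumes '&&' never appears inside a quoted value
        match = _TERM_RE.match(term.strip())
        if not match:
            raise ValueError(f"unsupported pattern term: {term.strip()!r}")
        variable, method, raw_args = match.groups()
        args = _parse_args(raw_args)
        if variable == "login":
            check = _STRING_METHODS.get(method)
            if check is None or len(args) != 1 or login is None:
                return False
            if not check(login, args[0]):
                return False
        else:  # clientIPRange
            if method != "include" or client_ip is None:
                return False
            if not any(_ip_in_spec(client_ip, a) for a in args):
                return False
    return True


def identify_realm(mappings, login=None, client_ip=None):
    """Walk the ordered (pattern, realm) mappings; the first match wins.

    Returns None when nothing matches, which corresponds to the page's
    'login process runs as usual' fallback.
    """
    for pattern, realm in mappings:
        if evaluate_pattern(pattern, login, client_ip):
            return realm
    return None


# Constructed sample mappings, in the order an administrator saved them.
SAMPLE_MAPPINGS = [
    ('#clientIPRange.include("172.28.133.25-172.28.140.197")&&#login.equals("LD")', "realm-ld"),
    ('#clientIPRange.include("172.28.133.25")', "realm-by-ip"),
    ('#login.endsWith("@local.com")', "realm-local"),
]


if __name__ == "__main__":
    for login, ip in [("LD", "172.28.135.1"), ("bob@local.com", "172.28.133.25"),
                      ("bob@local.com", "10.0.0.1"), ("bob@example.org", "10.0.0.1")]:
        print(f"{login:>16} from {ip:<14} -> {identify_realm(SAMPLE_MAPPINGS, login, ip)}")
```

Note that bob@local.com connecting from 172.28.133.25 lands in realm-by-ip, not realm-local, purely because the IP mapping is listed first; reversing the list changes the outcome, which is what the Up and Down arrows on the MSP tab control.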
To change the sequence of MSP server-side mappings
As a SaaS or a tenant administrator, you can change the sequence of the MSP server-side mappings by performing the following steps:
- Log in to the BMC Helix Single Sign-On Admin Console.
- On the navigation panel, click Realm.
- Click the MSP tab. The available mappings between patterns and realms are displayed.
- To change the sequence of mappings in the list, click the Up arrow or the Down arrow.
- Click Save.