Information
This documentation supports the 25.1 and consecutive patch versions of BMC Helix Single Sign-On. To view an earlier version, select the version from the Product version menu.


Security planning


Security is a critical aspect of BMC Helix Single Sign-On. Key requirements and best practices include protecting sensitive data, securing system access, and managing administrator accounts within BMC Helix SSO.

Info
The security requirements described on this page apply only to legacy virtual machine-based on-premises deployments.

Ensuring security for sensitive data

Sensitive data, such as user credentials and authentication tokens, must be secured by HTTPS configuration. To use HTTPS connections, ensure that Secure Sockets Layer (SSL) certificates are generated and signed.

Security on a high-availability system

BMC Helix SSO supports the X-Forwarded-Proto and X-Forwarded-Host headers that might be sent by the load balancer with a request. BMC Helix SSO uses these headers when generating login URLs (pointing to the BMC Helix SSO server) for the end user. This feature keeps external traffic secure, though internal traffic behind the load balancer might not be secure.

[Figure: Network configuration for HA mode]

Ensuring more secure and restricted access to the cookie

Important
You can set the cookie domain and path to the Remedy SSO server host name only if the multi-domain setting is enabled. For details about enabling the multi-domain setting, see Configuring BMC Helix SSO for applications hosted on different domains.

The domain attribute of the cookie determines which domains can access the cookie. During installation of the BMC Helix SSO server, the default value of the cookie domain is set to the parent domain. Because of this setting, the parent domain and all of its sub-domains can access the cookie, and if the cookie carries any sensitive data, that data is accessible to every less trusted or less secure application hosted on those domains. To prevent this exposure, you can set the cookie domain value to the domain on which the BMC Helix SSO server is installed instead of the parent domain. This ensures that the cookie is not accessible to any less trusted applications. You can set the cookie domain value either during installation, or after installation in the BMC Helix SSO Admin Console.

You can also enhance the security by tying the cookie to the path attribute, which limits the scope of the cookie to the /rsso path on the BMC Helix SSO server. This limitation prevents unauthorized access to the cookie from other applications on the same host. The path-specific cookie is enabled in the BMC Helix SSO Admin Console. The following diagram demonstrates how this feature affects cookie sharing:

[Figure: Network configuration for simple deployment use case]

For more information, see Configuring settings for the BMC Helix SSO server.
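To make the scoping rules above concrete, the following added example (not BMC's code) applies the RFC 6265 domain-match and path-match rules a browser uses, and reports which requests would carry the SSO cookie under the default parent-domain setting, the host-restricted setting, and the host-plus-/rsso-path setting. The host names and the cookie name "rsso" are constructed for the example.

```python
# Added example (not BMC's code): the RFC 6265 domain-match and path-match
# rules a browser applies, used to show which hosts and paths would receive
# the SSO cookie under each Domain/Path setting. Host names are constructed.
from dataclasses import dataclass


@dataclass(frozen=True)
class Cookie:
    name: str
    domain: str  # Domain attribute, without a leading dot
    path: str    # Path attribute


def domain_matches(request_host: str, cookie_domain: str) -> bool:
    """RFC 6265 5.1.3: host equals the cookie domain or is a subdomain of it."""
    host, dom = request_host.lower(), cookie_domain.lower()
    return host == dom or host.endswith("." + dom)


def path_matches(request_path: str, cookie_path: str) -> bool:
    """RFC 6265 5.1.4: equal, or a prefix that ends on a '/' boundary."""
    if request_path == cookie_path:
        return True
    if not request_path.startswith(cookie_path):
        return False
    return cookie_path.endswith("/") or request_path[len(cookie_path)] == "/"


def cookie_is_sent(cookie: Cookie, request_host: str, request_path: str) -> bool:
    """True if a browser would attach the cookie to a request for host/path."""
    return (domain_matches(request_host, cookie.domain)
            and path_matches(request_path, cookie.path))


# Constructed deployment: SSO server on sso.example.com, a less trusted app on
# app.example.com, and another app on the SSO host under /otherapp.
PARENT_SCOPED = Cookie("rsso", "example.com", "/")                 # installer default
HOST_SCOPED = Cookie("rsso", "sso.example.com", "/")               # domain restricted
HOST_AND_PATH_SCOPED = Cookie("rsso", "sso.example.com", "/rsso")  # path restricted too
REQUESTS = [("app.example.com", "/"), ("sso.example.com", "/otherapp/x"),
            ("sso.example.com", "/rsso/login")]


def exposure_report(cookie: Cookie) -> dict:
    """Map each constructed request to whether the cookie would be sent with it."""
    return {f"{h}{p}": cookie_is_sent(cookie, h, p) for h, p in REQUESTS}


if __name__ == "__main__":
    for label, c in [("parent-scoped", PARENT_SCOPED), ("host-scoped", HOST_SCOPED),
                     ("host+path-scoped", HOST_AND_PATH_SCOPED)]:
        print(label, exposure_report(c))
```

Only the host-plus-path cookie stays out of reach of both the sibling domain and the other application on the SSO host.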

Support for multiple administrator accounts in BMC Helix SSO

For security reasons, in the Admin User tab, the BMC Helix SSO administrator can create and manage multiple administrator accounts. The BMC Helix SSO administrator can block, unblock, or delete the administrator accounts they created, or change their passwords. For more information about creating and managing multiple administrator accounts, see Setting up BMC Helix SSO administrator accounts.

User accounts lockout policy

To prevent unauthorized logins, BMC Helix SSO administrators who exceed the allowed number of failed login attempts due to an incorrect password are automatically blocked. BMC Helix SSO administrators can unblock the locked administrators manually through the BMC Helix SSO Admin Console. For more information, see Configuring settings for the BMC Helix SSO server.

BMC Helix SSO relies on the external identity providers to authenticate end users. Users who exceed the allowed number of failed login attempts should be blocked by the identity provider.

Important

The administrator lockout policy does not apply to external LDAP administrators.

Related videos

Watch the video on how to manage SSL certificates with SSL offloading.

Important

The following video shows an older version of BMC Helix SSO. Although there might be minor changes in the user interface, the overall functionality remains the same.

Video: https://www.youtube.com/watch?v=jFbKpzJX4pk?rel=0


