25.3 enhancements and patches

 25.3.02

Login-audit decoupling

BMC Helix SSO introduces the login-audit decoupling feature to ensure uninterrupted admin and end-user logins, even if audit event creation fails due to database exceptions. By isolating the login process from audit logging, this feature prevents database issues, such as insufficient space, from disrupting user login. Administrators can take advantage of this feature to improve system reliability and prevent downtime caused by audit-related failures. For more details, see Setting up tenants.

The following figure represents the login-audit decoupling functionality in tenant settings:

Identify realms by an IP address

BMC Helix SSO has extended the Multiple Service Provider (MSP) functionality by supporting realm identification based on a user's IP address. This enhancement enables the BMC Helix SSO server to map users to realms by matching their IP addresses against predefined patterns, streamlining the login process without redirecting users to the MSP page. Administrators can configure IP address patterns by using the #clientIPRange.include(...) keyword to configure rules with specific IP addresses or ranges of IP addresses for realm identification. To configure realm identification by users' IP addresses, see Configuring realm identification for multiple service providers.

The following figure shows an example of the rule defining the IP address range for users who will get access to the integrated BMC Helix application:

Configure the JWKS size limit for OpenID Connect authentication and preuthentication

Set up a JSON Web Key Set (JWKS) size limit for OpenID Connect authentication and preuthentication. Administrators can configure the JWKS size limit for specific tenants and realms to align with the payload size of the JWKS URI expected from the identity provider. This enhancement provides greater control over payload sizes, ensuring efficient and secure authentication processes. For more details, see Configuring OpenID Connect authentication and Configuring preauthentication.

The following figures show the JWKS size limit option for:

• OpenID Connect

• Preauthentication

25.3.01

Support for Azerbaijani and Georgian languages

BMC Helix SSO has added support for the Azerbaijani and Georgian languages to enhance accessibility and improve the user experience across more regions. For the details about localization in BMC Helix SSO, see Supported languages and locals.

The following images show the login page examples in each language:

• Azerbaijani

• Georgian

25.3.00

Customize the webhook payload for the user data extracted from OpenID Connect

Administrators can extend the webhook payload for the user data retrieved from the OpenID Connect identity provider. Use this capability to enrich the authentication data sent to external systems and gain more control over logging activities. To configure custom attributes, go to the User attributes from ID Token section in the realm's OpenID Connect settings. For detailed steps, see Notifying an external service about user authentication by using a webhook. 

The following image shows the customization fields for a realm configured to authenticate users through OpenID Connect:

Improved audit logging to resolve login issues

Leverage extended audit of failed user logins for AR, Local, and LDAP authentication types. When a login fails and the audit record indicates USER_LOGIN_FAILED, an administrator can see specific reasons for the failure, such as an unreachable LDAP server or a disabled Local user. This enhancement helps expedite the troubleshooting and reduce SLA resolution times. To understand the logic of audit logging in BMC Helix SSO, see Reviewing audit records.

The following image shows an example of the audit record details for a failed login event:​​​​​

What else changed in this release

The following table lists the changes in the product behavior: