25.3 enhancements and patches


Review the BMC Helix SSO 25.3 enhancements and patches for features that will benefit your organization and to understand changes that might impact your users.

Version | SaaS | On premises | Fixed issues | Updates and enhancements
25.3.02 | ✅️ | | Known and corrected issues | 25.3.02
25.3.01 | ✅️ | | NA | 25.3.01
25.3.00 | ✅️ | | |

For a list of recent updates and enhancements across multiple versions, see Release notes and notices.

BMC Helix applies upgrades as described in the BMC Helix Upgrade policy. BMC Helix applies upgrades and patches during Maintenance windows.

25.3.02


Login-audit decoupling

BMC Helix SSO introduces the login-audit decoupling feature to ensure uninterrupted admin and end-user logins, even if audit event creation fails due to database exceptions. By isolating the login process from audit logging, this feature prevents database issues, such as insufficient space, from disrupting user login. Administrators can take advantage of this feature to improve system reliability and prevent downtime caused by audit-related failures. For more details, see Setting up tenants.

The following figure represents the login-audit decoupling functionality in tenant settings:

Login-audit decoupling.png


Identify realms by an IP address

BMC Helix SSO has extended the Multiple Service Provider (MSP) functionality by supporting realm identification based on a user's IP address. This enhancement enables the BMC Helix SSO server to map users to realms by matching their IP addresses against predefined patterns, streamlining the login process without redirecting users to the MSP page. Administrators can use the #clientIPRange.include(...) keyword to configure rules with specific IP addresses or ranges of IP addresses for realm identification. To configure realm identification by users' IP addresses, see Configuring realm identification for multiple service providers.

The following figure shows an example of the rule defining the IP address range for users who will get access to the integrated BMC Helix application:

IP address pattern.png
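The following sketch is an added example, not BMC Helix SSO code or rule syntax. It shows range-based realm matching and a configuration check for ranges that overlap between realms. The realm names, the documentation-space ranges, and the first-match-wins ordering are assumptions made for illustration.

```python
import ipaddress

# Constructed rules: (realm, CIDR ranges). Realm names are hypothetical and
# the ranges come from address space reserved for documentation.
RULES = [
    ("realm-emea", ["192.0.2.0/25", "2001:db8:10::/48"]),
    ("realm-apac", ["198.51.100.0/24"]),
    ("realm-contractors", ["192.0.2.64/26"]),  # overlaps realm-emea
]


def compile_rules(rules):
    """Parse CIDR strings once; strict=True rejects ranges with host bits set."""
    return [(realm, [ipaddress.ip_network(c, strict=True) for c in cidrs])
            for realm, cidrs in rules]


def identify_realm(client_ip, compiled):
    """Return the first realm whose range contains client_ip, else None."""
    try:
        addr = ipaddress.ip_address(client_ip)
    except ValueError:
        return None  # malformed input never matches a realm
    for realm, nets in compiled:
        if any(addr.version == n.version and addr in n for n in nets):
            return realm
    return None


def find_overlaps(compiled):
    """List range pairs shared by different realms; rule order decides those."""
    flat = [(realm, n) for realm, nets in compiled for n in nets]
    hits = []
    for i, (ra, na) in enumerate(flat):
        for rb, nb in flat[i + 1:]:
            if ra != rb and na.version == nb.version and na.overlaps(nb):
                hits.append((ra, str(na), rb, str(nb)))
    return hits


if __name__ == "__main__":
    compiled = compile_rules(RULES)
    for ip in ("192.0.2.70", "198.51.100.9", "2001:db8:10::5", "203.0.113.5"):
        print(ip, "->", identify_realm(ip, compiled))
    print("overlaps:", find_overlaps(compiled))
```

Running an overlap check like this before saving rules shows which addresses would land in a realm only because of rule order.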


Configure the JWKS size limit for OpenID Connect authentication and preauthentication

Set up a JSON Web Key Set (JWKS) size limit for OpenID Connect authentication and preauthentication. Administrators can configure the JWKS size limit for specific tenants and realms to align with the payload size of the JWKS URI expected from the identity provider. This enhancement provides greater control over payload sizes, ensuring efficient and secure authentication processes. For more details, see Configuring OpenID Connect authentication and Configuring preauthentication.

The following figures show the JWKS size limit option for:

  • OpenID Connect

      OpenID Connect JWKS Size Limit.png

  • Preauthentication

      Preauth JWKS Size Limit.png
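What a JWKS size limit guards against can be shown with a bounded read. This is an added example, not BMC Helix SSO code: it reads a JWKS body from a stream, rejects it once it exceeds the limit, and only then parses it. The function names, the 4096-byte limit, and the sample keys are constructed for illustration.

```python
import io
import json


class JwksTooLarge(Exception):
    """The JWKS response body exceeded the configured size limit."""


def read_jwks_bounded(stream, limit_bytes, chunk_size=4096):
    """Read a JWKS from any object with read(), e.g. an HTTP response body.

    Never buffers more than limit_bytes + 1 bytes, so an oversized or
    endless response cannot exhaust memory before it is rejected.
    """
    buf = bytearray()
    while len(buf) <= limit_bytes:
        chunk = stream.read(min(chunk_size, limit_bytes + 1 - len(buf)))
        if not chunk:
            break
        buf.extend(chunk)
    if len(buf) > limit_bytes:
        raise JwksTooLarge(f"JWKS body is larger than {limit_bytes} bytes")
    doc = json.loads(buf.decode("utf-8"))
    keys = doc.get("keys") if isinstance(doc, dict) else None
    if not isinstance(keys, list) or not keys:
        raise ValueError("JWKS document has no usable 'keys' array")
    # Index by key ID so a token's 'kid' header can select its key.
    return {k["kid"]: k for k in keys if isinstance(k, dict) and "kid" in k}


def make_jwks(n_keys):
    """Constructed sample JWKS; the modulus is filler, not a real key."""
    return {"keys": [{"kty": "RSA", "use": "sig", "alg": "RS256", "e": "AQAB",
                      "kid": f"constructed-key-{i}", "n": "A" * 342}
                     for i in range(n_keys)]}


if __name__ == "__main__":
    body = json.dumps(make_jwks(2)).encode()
    print(sorted(read_jwks_bounded(io.BytesIO(body), 4096)))
    try:
        read_jwks_bounded(io.BytesIO(json.dumps(make_jwks(50)).encode()), 4096)
    except JwksTooLarge as exc:
        print("rejected:", exc)
```

When choosing a limit, measure the identity provider's actual JWKS and leave headroom for key rotation, when old and new keys are published together.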

25.3.01


Support for Azerbaijani and Georgian languages

BMC Helix SSO has added support for the Azerbaijani and Georgian languages to enhance accessibility and improve the user experience across more regions. For details about localization in BMC Helix SSO, see Supported languages and locales.

The following images show the login page examples in each language:

  • Azerbaijani

     Login page_az.jpg

  • Georgian

     Login page_ge.jpg

25.3.00


Customize the webhook payload for the user data extracted from OpenID Connect

Administrators can extend the webhook payload for the user data retrieved from the OpenID Connect identity provider. Use this capability to enrich the authentication data sent to external systems and gain more control over logging activities. To configure custom attributes, go to the User attributes from ID Token section in the realm's OpenID Connect settings. For detailed steps, see Notifying an external service about user authentication by using a webhook.

The following image shows the customization fields for a realm configured to authenticate users through OpenID Connect:

OpenID Connect webhooks.png


Improved audit logging to resolve login issues

Leverage the extended audit of failed user logins for the AR, Local, and LDAP authentication types. When a login fails and the audit record indicates USER_LOGIN_FAILED, an administrator can see specific reasons for the failure, such as an unreachable LDAP server or a disabled Local user. This enhancement helps expedite troubleshooting and reduce SLA resolution times. To understand the logic of audit logging in BMC Helix SSO, see Reviewing audit records.

The following image shows an example of the audit record details for a failed login event:

Extended audit.png


What else changed in this release

The following table lists the changes in the product behavior:

Update | Product behavior in versions earlier than 25.3 | Product behavior in version 25.3 and later versions
Confirmation dialog to notify administrators about changes to critical settings. | When administrators updated critical settings in the BMC Helix SSO Admin Console, they were not notified about potential disruptions in the authentication flow. | When a change is made to critical settings in the BMC Helix SSO Admin Console, a warning message is displayed to the administrator. This enhancement helps prevent unintentional misconfigurations. Examples of critical settings are Cookie Domain, Cookie Name, and External URL.
Revised copyright statement. | The copyright statement referred to BMC Software. | The copyright statement reflects the new company name, BMC Helix, Inc.
