Importing configuration from an identity provider and configuring SAML


After you have configured the advanced options for SAML authentication, import the identity provider (IdP) metadata and configure the SAML authentication for a realm on your BMC Helix Single Sign-On server.

Video about configuring SAML

Watch this video (3:53) on how to configure SAML in the BMC Helix SSO Admin Console.

https://www.youtube.com/watch?v=UATasTrfliU?rel=0


Before you begin

  • Create a realm for SAML authentication, and configure the general details for the realm. For more information, see Configuring general settings for a realm.
  • Obtain the following information from the IdP administrator:
    • The SAML IdP metadata URL, or a metadata file exported from the IdP
    • IdP entity ID
    • IdP login URL


To configure SAML authentication

  1. In the left navigation panel of the Add Realm or Edit Realm page, click Authentication.
  2. In the Authentication Type field, select SAML.
  3. Configure the SAML fields as required:

Field

Description

Identity Provider

Import

Option to import the SAML metadata. Perform one of the following actions:

  • Select Import from URL, and type the URL where the IdP SAML configuration is stored.
  • Select Import from file, and upload the SAML configuration file from a local folder on your computer.

After you import the SAML metadata, most of the fields on the Authentication page are populated with the imported values.

Federation metadata URL

URL of the IdP federation metadata.

Use this URL to enable automatic rollover: the BMC Helix SSO server updates the IdP signing certificate automatically after the certificate is renewed on the SAML IdP side. Such rollovers are more frequent if you use Azure Active Directory as an identity provider.

If the IdP federation metadata URL is not specified, an administrator must renew the signing certificate manually.
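The rollover described above depends on reading the signing certificates that the IdP advertises in its federation metadata and noticing when they change. The following Python script is an added example, not part of this page and not BMC Helix SSO code, that parses an IdP metadata document, fingerprints the signing certificates, and reports any certificate that is not yet trusted. It uses only the standard library; the metadata document is constructed, and the certificate elements hold placeholder base64 text ("YWJj" is base64 of "abc"), not real X.509 data.

```python
"""Added example (not BMC code): detect an IdP signing-certificate rollover
from SAML federation metadata. Standard library only; the metadata document
below is constructed and its certificate payloads are placeholders."""
import base64
import hashlib
import urllib.request
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# Constructed metadata. "YWJj" and "ZW5j" are not certificates; they stand in
# for the base64 DER blob a real IdP would publish.
SAMPLE_IDP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="http://adfs.local/adfs/services/trust">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>YWJj</ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:KeyDescriptor use="encryption">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>ZW5j</ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://adfs.local/adfs/ls"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""


def fetch_metadata(url, timeout=10):
    """Download the document from the Federation metadata URL (not used offline)."""
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return resp.read().decode("utf-8")


def fingerprint(cert_b64):
    """SHA-256 over the DER bytes, the usual way a certificate is identified."""
    der = base64.b64decode("".join(cert_b64.split()))
    return hashlib.sha256(der).hexdigest()


def signing_certificates(metadata_xml):
    """Fingerprints of KeyDescriptor entries usable for signing.
    A KeyDescriptor without a 'use' attribute serves both signing and encryption."""
    root = ET.fromstring(metadata_xml)
    fps = []
    for kd in root.iterfind(".//md:IDPSSODescriptor/md:KeyDescriptor", NS):
        if kd.get("use") not in (None, "signing"):
            continue
        for cert in kd.iterfind(".//ds:X509Certificate", NS):
            if cert.text and cert.text.strip():
                fps.append(fingerprint(cert.text))
    return fps


def idp_details(metadata_xml):
    """The two values the realm needs from the IdP: entity ID and login URL."""
    root = ET.fromstring(metadata_xml)
    sso = root.find(".//md:IDPSSODescriptor/md:SingleSignOnService", NS)
    return {
        "entity_id": root.get("entityID"),
        "login_url": sso.get("Location") if sso is not None else None,
    }


def rollover_needed(metadata_xml, trusted_fingerprints):
    """Signing certificates the IdP advertises that are not yet trusted locally."""
    return [fp for fp in signing_certificates(metadata_xml) if fp not in trusted_fingerprints]


if __name__ == "__main__":
    trusted = set()  # what the server currently trusts; empty on first import
    print(idp_details(SAMPLE_IDP_METADATA))
    print("new signing certs:", rollover_needed(SAMPLE_IDP_METADATA, trusted))
```

Run periodically against the Federation metadata URL, a non-empty result from rollover_needed is exactly the situation in which an administrator would otherwise have to renew the signing certificate by hand.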

IdP Entity ID

Identity provider entity ID obtained from an external identity provider, such as Active Directory Federation Services (AD FS) or Okta.

Example: http://adfs.local/adfs/services/trust

Login URL

Login URL obtained from an external IdP such as AD FS or Okta.

Example: https://adfs.local/adfs/ls

Logout URL

URL provided by the IdP to which the user is redirected for service provider (SP) initiated logout.

If you do not provide any value for this parameter, the value specified in the Login URL field is used for both login and logout.

Logout Response URL

URL provided by the IdP to which the user is redirected for IdP initiated logout.

HTTP Binding Type

HTTP binding for the SP initiated logout URL.

IdP Signing Certificate

Signing certificate that BMC Helix SSO uses to sign requests that are sent to the IdP.

(Optional) User ID Attribute

Used to retrieve the user ID from the specified attribute in the SAML response. If a value is not specified, the NameID is used as the user ID. The value of this field depends on the SAML IdP configuration.

NameID Format

Name identifier formats supported by an SP. SPs use name identifiers to pass information about users.

In this field, enter the NameID Format values. The first value in the list has the highest priority when determining the NameID format to use.

If a user does not specify a NameID format when initiating single sign-on, the first value in the NameID Format list that the remote IdP supports is used.

Important: To link user accounts from the SP and the remote IdP after an end user logs in to the integrated BMC application through the SAML IdP, the persistent NameID format must be at the top of the list.

For more information about Name Format Identifiers, see paragraph 8.2 in Authentication Context for the OASIS Security Assertion Markup Language (SAML) V2.0.

Auth Issuer

Issuer details that are used by the SAML authentication request XML to inform the IdP about the entity ID of the service provider for this request.

If the value is not specified, the service provider entity ID of the current realm is used by default as the Issuer in the SAML authentication request.

Auth Context Compare

Comparison method (exact, minimum, maximum, or better) used to match the requested authentication context.

For more information about Auth Context Compare options, see Authentication Context for the OASIS Security Assertion Markup Language (SAML) V2.0.

Auth Context

Authentication context that maps the SAML 2.0-defined authentication context classes to the authentication level that is set for the user session for the SP.

Assertion Time Skew

Time offset between BMC Helix SSO and the IdP. The value must be specified in minutes.

Assertion Time Format

Time format used by assertions. It depends on the defined patterns; for more information, see Patterns for Formatting and Parsing.

Example:

yyyy-MM-dd'T'HH:mm:ss.SSSXXX

Sign Request

Option to indicate whether the IdP requires the authentication request to be signed.

To sign the SAML request, select this check box. Additionally, on the General > Advanced tab, specify the Signing Key Alias.

Force Authentication

Option to require the IdP to authenticate the user again instead of reusing an existing IdP session.

Enable Single Logout

Option to delete the SAML IdP session on application logout. If an end user logs out from the application, the user is logged out from the SAML IdP as well.

Sign Metadata

Option to indicate whether the identity provider requires SAML metadata to be signed.

You might need to sign the SAML metadata to ensure that the security policies of your organization are followed. When you configure a realm for SAML signing metadata, the BMC Helix SSO server gets the certificate and private key from the keystore's alias, and signs the metadata with it.

Signing Algorithm

Important: You can select the signing algorithm only if you select the Sign Request checkbox, the Sign Metadata checkbox or both.

Select one of the following signing algorithms containing a hash type function and key type, supported by your IdP:

  • SHA1withRSA
  • SHA256withRSA

Important:

Java 17 does not support the SHA-1 signing algorithm because SHA-1 is no longer considered secure. If you are currently using SHA-1, use it only temporarily until you switch to a more secure signing algorithm.

For more information about the security issue, see NIST Retires SHA-1 Cryptographic Algorithm.

If your BMC Helix Single Sign-On container runs on Java 17 and you are currently using SHA1withRSA, remove the following code block from the jdk.xml.dsig.secureValidationPolicy property in the <JAVA_HOME>\conf\security\java.security file:

[Screenshot in the original page: the code block to remove from the jdk.xml.dsig.secureValidationPolicy property]
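Before changing a realm to SHA1withRSA, it is worth confirming what the JVM's XML signature policy actually disallows. The following Python script is an added example, not part of this page and not BMC or JDK code: it reads the jdk.xml.dsig.secureValidationPolicy property out of a java.security file (joining the backslash-continued lines that Java properties files use) and reports whether the SHA-1 digest or RSA-SHA1 signature method is disallowed, which is the condition under which SHA1withRSA-signed requests and metadata are rejected. The file excerpt is constructed in the style of java.security; the two URIs it checks for are the standard XML Signature identifiers for SHA-1 and RSA-SHA1.

```python
"""Added example (not BMC or JDK code): report whether a java.security file's
XML signature policy disallows SHA-1. The file content below is constructed."""

# Standard XML Signature algorithm identifiers for SHA-1 and RSA with SHA-1.
SHA1_ALGORITHM_URIS = {
    "http://www.w3.org/2000/09/xmldsig#sha1",      # SHA-1 digest method
    "http://www.w3.org/2000/09/xmldsig#rsa-sha1",  # RSA-SHA1 signature method (SHA1withRSA)
}

# Constructed excerpt in the style of <JAVA_HOME>/conf/security/java.security.
SAMPLE_JAVA_SECURITY = """\
# Other unrelated properties
securerandom.source=file:/dev/random

jdk.xml.dsig.secureValidationPolicy=\\
    disallowAlg http://www.w3.org/TR/1999/REC-xslt-19991116,\\
    disallowAlg http://www.w3.org/2001/04/xmldsig-more#rsa-md5,\\
    disallowAlg http://www.w3.org/2000/09/xmldsig#sha1,\\
    disallowAlg http://www.w3.org/2000/09/xmldsig#rsa-sha1,\\
    maxTransforms 5,\\
    minKeySize RSA 1024,\\
    noDuplicateIds

jdk.tls.disabledAlgorithms=SSLv3, TLSv1, TLSv1.1
"""


def logical_lines(text):
    """Yield Java properties logical lines: blank and comment lines are dropped,
    and a trailing backslash joins the next physical line onto the current one."""
    buf = None
    for raw in text.splitlines():
        line = raw.strip()
        if buf is None:
            if not line or line.startswith("#"):
                continue
            buf = line
        else:
            buf += line
        if buf.endswith("\\"):
            buf = buf[:-1]
            continue
        yield buf
        buf = None
    if buf is not None:
        yield buf


def read_property(text, name):
    """Value of a property, or None if it is absent or commented out."""
    for line in logical_lines(text):
        if "=" in line:
            key, value = line.split("=", 1)
            if key.strip() == name:
                return value.strip()
    return None


def disallowed_algorithms(policy):
    """URIs named by 'disallowAlg <uri>' constraints in a secureValidationPolicy value."""
    uris = []
    for constraint in policy.split(","):
        parts = constraint.split()
        if len(parts) == 2 and parts[0] == "disallowAlg":
            uris.append(parts[1])
    return uris


def sha1_xml_signatures_blocked(java_security_text):
    """True when the policy disallows SHA-1, so SHA1withRSA signatures would fail."""
    policy = read_property(java_security_text, "jdk.xml.dsig.secureValidationPolicy")
    if policy is None:
        return False
    return bool(SHA1_ALGORITHM_URIS & set(disallowed_algorithms(policy)))


if __name__ == "__main__":
    import sys
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_JAVA_SECURITY
    print("SHA-1 XML signatures blocked:", sha1_xml_signatures_blocked(text))
```

Point the script at the real <JAVA_HOME>/conf/security/java.security of the container's JDK; a True result means SHA256withRSA is the only listed signing algorithm that will work without editing the policy.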

Service Provider

View Metadata

BMC Helix SSO metadata that is configured in the SP Metadata Template field. If any required parameter is missing, the system shows an error message for that parameter.

Template

Authentication Request Template

Template used for a SAML authentication request.

To edit the template, select Default or Custom based on the type of template you want to edit, and click Edit.

The Default template is applicable to all Realms in the Tenant, and the Custom template is applicable to the specific Realm only. Editing the Default template may impact other Realms.

After BMC Helix SSO upgrade, the authentication request template is not updated. To be able to use the new functionality after upgrade, you must manually edit and update the template in the realm settings.

SP Metadata Template

Template used for the SP metadata content.

To edit the template, select Default or Custom based on the type of template you want to edit, and click Edit.

The Default template is applicable to all Realms in the Tenant, and the Custom template is applicable to the specific Realm only. Editing the Default template may impact other Realms.

Logout Request Template

Template used for logout requests.

To edit the template, select Default or Custom based on the type of template you want to edit, and click Edit.

The Default template is applicable to all Realms in the Tenant, and the Custom template is applicable to the specific Realm only.

After a BMC Helix SSO upgrade, the logout request template is not updated. To use the new functionality after the upgrade, you must manually edit and update the template in the realm settings.

Important: Editing the default Logout Request Template may impact other Realms.

Bypass for reauth requests

Setting to indicate that SAML must not be used for reauthentication requests in an authentication chain.

SSO settings

Use SessionNotOnOrAfter parameter for session time

Option to define where the maximum time of an end user authentication session is configured.

By default, the maximum session time is specified by the value set in the Max Session Time field, configured in the General > Basic tab in the BMC Helix SSO Admin Console.

If the SessionNotOnOrAfter value configured on the IdP side is less than the value specified in the Max Session Time field on the BMC Helix SSO server, the maximum session time is defined by the value configured on the IdP.

Xpath 1.0 for group retrieval

A field for entering an XPath query for extracting user groups from the SAML assertion.

Example:
//*[local-name()='AttributeStatement']/*[local-name()='Attribute'][@Name='http://schemas.microsoft.com/ws/2008/06/identity/claims/role']/*[local-name()='AttributeValue']

The information about the user groups is stored in the authentication session attributes, and is retrieved from the response of the /token/groups REST API endpoint.

Important:

  • Make sure the XPath you specified is valid.
    If you enter an incorrect XPath, end users will be able to log in to applications protected by SAML, but BMC Helix SSO will not be able to retrieve user groups from the SAML response. If you do not specify anything in this field, no groups are retrieved.
  • This option can be used only with identity providers that allow retrieving user groups.

Infinite session group

Option to provide a group name of users with the infinite sessions experience.

For more information, see Configuring infinite user sessions.

User ID Transformation

Option to transform the user ID to match the Login ID for a successful login. It lets you modify the user ID with predefined transformation commands or a custom expression.

For more information, see Transforming User ID to match Login ID.

Custom expression

Option to specify a custom value for the userID transformation.

For more information, see Transforming User ID to match Login ID.

ALLOW-FROM Domain(s)

Setting that enables the BMC Helix SSO server to launch applications in iframes.

For more information, see Allowing Remedy SSO to open applications in iframes.

  4. Click Save.

To obtain the Federation metadata address URL

After you have configured a realm for SAML authentication, you must obtain the URL of the SAML metadata file.

  1. In the left navigation panel of the Edit Realm page, click Authentication.
  2. Click View Metadata.
    The metadata file opens in the browser.
  3. Copy the URL displayed in the browser window, and save it to a text editor.
    The URL might look as follows: https://hostname:port/rsso/getmetadata.jsp?tenantName=saml
    You will need this URL when you configure the IdP for SAML authentication.



BMC Helix Single Sign-On 25.4