Realms



BMC Helix Single Sign-On (BMC Helix SSO) provides realms to support multitenancy for integrated applications and to split application availability between groups of users. Each realm is identified by a unique identifier and contains one or more application domains.

As a BMC Helix SSO administrator, you manage realms from the BMC Helix SSO Admin console. You can configure a single authentication method for a realm, or a chain of multiple authentication methods to enable authentication fallback or reauthentication mechanisms. 

Role of realms in the authentication process in BMC Helix SSO

In BMC Helix SSO, a realm associates the application domains of the integrated applications with an identity provider and defines the authentication method used to protect those applications. End users accessing applications integrated with BMC Helix SSO are authenticated based on the domains they can access.

The following diagram shows the role of realms in an authentication flow:

[Diagram: HSSO Architecture]

  1. In a browser window, an end user enters an application URL to access an application integrated with BMC Helix SSO.
  2. The BMC Helix SSO agent intercepts the login request, validates it, and then sends it to the BMC Helix SSO server.
  3. Based on information extracted from the application URL, the BMC Helix SSO server determines the correct realm for the authentication flow. For more information about this process, see Identifying a realm by application domains.
  4. The BMC Helix SSO server authenticates the user according to the authentication method specified for the realm.
  5. Depending on the authentication method, the user is redirected to the login page or is automatically authenticated by BMC Helix SSO. For information about the login options, see Login and logout experience for end users.
  6. When the end user is successfully authenticated on the BMC Helix SSO login page, the end user is automatically redirected to the application.

Identifying a realm by application domains

Realm identification is based on the application URL used for accessing an end user application.

For example, an end user uses the application.domain.com URL to access an application. To authenticate the user, BMC Helix SSO identifies the realm by checking the following mappings in all realms available on the BMC Helix SSO server:

  • application
  • application.domain
  • application.domain.com

When a realm with a matching application domain is found, this realm is used for authentication.

If several realms map the same application domain part, realm selection becomes unpredictable. To avoid authentication errors, each application domain mapping must be unique across all realms on the BMC Helix SSO server.

Usage example: Configuring realms for application domains

Suppose an organization has the following applications:

  • Helpdesk—accessed by all users through the URL http://helpdesk.yourcompany.com
  • ITSM—accessed only by the IT team through the URL http://itsm.yourcompany.com
  • BMC Helix Digital Workplace—accessed only by the IT team through the URL http://dwp.yourcompany.com 

You can create helpdesk and itsm realms and map the application domains and authentication methods to these realms as described in the following table:

| Application | Accessed by | Realm | Application domain | Authentication method | Description |
|---|---|---|---|---|---|
| http://helpdesk.yourcompany.com/ | All users | helpdesk | helpdesk.yourcompany | SAML 2.0 | The helpdesk realm contains one helpdesk.yourcompany application domain, and it is authenticated by the SAML 2.0 authentication method. |
| http://itsm.yourcompany.com/ | IT team | itsm | itsm.yourcompany | Kerberos | The itsm realm has two application domains: itsm.yourcompany and dwp.yourcompany. Both application domains are authenticated by the Kerberos authentication method. |
| http://dwp.yourcompany.com/ | IT team | itsm | dwp.yourcompany | Kerberos | See the itsm row above. |

When an end user accesses the Helpdesk application in the helpdesk.yourcompany.com application domain (Domain 1 in the diagram), BMC Helix SSO authenticates the user through the helpdesk realm (Realm 1 in the diagram), which is configured with the SAML authentication method (Authentication 1 in the diagram) and allows authentication for helpdesk.yourcompany.com (Domain 1 in the diagram).

This end user can also access the ITSM application in the itsm.yourcompany.com application domain (Domain 2 in the diagram). BMC Helix SSO authenticates the user through the itsm realm (Realm 2 in the diagram), which is configured with the Kerberos authentication method (Authentication 2 in the diagram) and allows authentication for itsm.yourcompany.com (Domain 2 in the diagram).
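The following Python script is an added example (not BMC code) that models the realm-lookup rule from Identifying a realm by application domains and applies it to the helpdesk and itsm realms of the usage example above. The Realm class, the function names and the duplicate-mapping check are assumptions made for illustration; the matching rule (splitting the host name into the prefixes application, application.domain and application.domain.com and comparing them with every realm's application domain mappings) and the uniqueness requirement are the ones stated on this page.

```python
"""Model of realm selection by application domain (added example, not BMC code).

Assumptions: a realm is represented by the Realm class below, application
domain mappings are compared as exact, case-insensitive strings against the
host-name prefixes the page lists, and an ambiguous match is treated as an
error because the page states that it makes realm selection unpredictable.
"""
from dataclasses import dataclass, field
from urllib.parse import urlsplit


@dataclass
class Realm:
    name: str
    auth_method: str
    application_domains: set[str] = field(default_factory=set)


def domain_candidates(host: str) -> list[str]:
    """Return the mappings checked for a host, shortest first.

    For "application.domain.com" this yields "application",
    "application.domain" and "application.domain.com".
    """
    labels = host.lower().rstrip(".").split(".")
    return [".".join(labels[: i + 1]) for i in range(len(labels))]


def find_realms(url: str, realms: list[Realm]) -> list[Realm]:
    """Return every realm whose application domain mapping matches the URL host."""
    host = urlsplit(url).hostname or ""
    candidates = set(domain_candidates(host))
    return [
        r for r in realms
        if {d.lower() for d in r.application_domains} & candidates
    ]


def select_realm(url: str, realms: list[Realm]) -> Realm:
    """Resolve the single realm for a URL; fail when no realm or more than one matches."""
    matches = find_realms(url, realms)
    if not matches:
        raise LookupError(f"no realm maps an application domain for {url}")
    if len(matches) > 1:
        names = ", ".join(r.name for r in matches)
        raise LookupError(f"ambiguous realm selection for {url}: {names}")
    return matches[0]


def check_unique_domains(realms: list[Realm]) -> dict[str, list[str]]:
    """Report application domain mappings that appear in more than one realm.

    Returns {domain: [realm names]} for every duplicate; an empty dict means
    the configuration satisfies the uniqueness rule from the page.
    """
    owners: dict[str, list[str]] = {}
    for realm in realms:
        for domain in realm.application_domains:
            owners.setdefault(domain.lower(), []).append(realm.name)
    return {d: names for d, names in owners.items() if len(names) > 1}


# Constructed configuration mirroring the usage example on this page.
REALMS = [
    Realm("helpdesk", "SAML 2.0", {"helpdesk.yourcompany"}),
    Realm("itsm", "Kerberos", {"itsm.yourcompany", "dwp.yourcompany"}),
]

if __name__ == "__main__":
    for url in ("http://helpdesk.yourcompany.com/",
                "http://itsm.yourcompany.com/",
                "http://dwp.yourcompany.com/"):
        realm = select_realm(url, REALMS)
        print(f"{url} -> realm {realm.name} ({realm.auth_method})")
    print("duplicate mappings:", check_unique_domains(REALMS))
```

Running the script resolves the three URLs to the helpdesk, itsm and itsm realms respectively and reports no duplicate mappings; adding a third realm that also maps itsm.yourcompany makes check_unique_domains list the conflict and select_realm refuse the ambiguous lookup instead of picking a realm at random.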


BMC Helix Single Sign-On 25.4