Skip to Content

Security planning

 

Security is a critical aspect of BMC Helix Single Sign-On. Key requirements and best practices include protecting sensitive data, securing system access, and managing administrator accounts within BMC Helix SSO.

Info
The security requirements described on this page apply only to legacy virtual machine-based on-premises deployments.

Ensuring security for sensitive data

Sensitive data, such as user credentials and authentication tokens, must be secured by HTTPS configuration. To use HTTPS connections, ensure that Secure Sockets Layer (SSL) certificates are generated and signed.

Security on a high-availability system

BMC Helix SSOsupports the X-Forwarded-Proto and X-Forwarded-Host headers that might be sent by the load balancer with a request. BMC Helix SSO uses these headers when generating login URLs (pointing to the BMC Helix SSO server) for the end user. This feature keeps external traffic secure, though internal traffic behind the load balancer might not be secure.

Network configuration for HA mode.png

Ensuring more secure and restricted access to the cookie

Important
You can set the cookie domain and path to the BMC Helix SSO server host name only if the multi-domain setting is enabled. For details about enabling the multi-domain setting, see Configuring Remedy SSO for applications hosted on different domains.

The domain attribute of the cookie determines which domains can access it. By default, the cookie set is to the parent domain and its sub-domains while installing the BMC Helix SSO server. If the cookie contains sensitive data, it might be accessible to all less trusted or less secure applications hosted on these domains. To mitigate the risk, set the cookie domain value to the specific domain where the server is installed, rather than restricting it to the parent domain. You can set the cookie domain value during installation or after installation in the BMC Helix SSO Admin Console. For more information, see Configuring the Remedy SSO server.

You can also enhance the security by tying the cookie to the path attribute, which limits the scope of the cookie to the /rsso path on the BMC Helix SSO server. This limitation prevents unauthorized access to the cookie from other applications on the same host. The path-specific cookie is enabled in the Remedy SSO Admin Console. The following diagram demonstrates how this feature affects cookie sharing:

Network configuration for simple deployment use case.png

Support for multiple administrator accounts in BMC Helix SSO

For security reasons, in the Admin User tab, the BMC Helix SSO administrator can create and manage multiple administrator accounts. The BMC Helix SSO administrator can block, unblock, delete the administrator account they created, or change their password. For more information about creating and managing multiple administrator accounts, see Setting up Remedy SSO administrator accounts.

User accounts lockout policy

To prevent unauthorized logins, BMC Helix SSO administrators who exceed the allowed number of failed login attempts due to an incorrect password are automatically blocked. BMC Helix SSO administrators can unblock the locked administrators manually through the BMC Helix SSO Admin Console. For more information, see Configuring the Remedy SSO server.

BMC Helix SSOrelies on the external identity providers to authenticate end users. Users who exceed the allowed number of failed login attempts should be blocked by the identity provider.

Warning

Important

The administrator lockout policy does not apply to external LDAP administrators.

Related videos

Watch the video on how to manage SSL certificates with SSL offloading.

Warning

Important

The following video shows an older version of BMC Helix SSO. Although there might be minor changes in the user interface, the overall functionality remains the same.

icon_play.png https://www.youtube.com/watch?v=jFbKpzJX4pk?rel=0

 

Tip: For faster searching, add an asterisk to the end of your partial query. Example: cert*

BMC Helix Single Sign-On 26.1