Setting up tenants
As a SaaS administrator, to enable the single sign-on experience for a customer company, you must first create a tenant on the BMC Helix Single Sign-On server. You can then proceed with the onboarding tasks for this tenant.
The SAAS_TENANT, which is available on the BMC Helix SSO server, is the default and central tenant. You cannot modify the name of this tenant or disable this tenant. You can only change the default description and host for this tenant. However, you cannot modify the SaaS tenant host name if its value was set by using the RSSO_SAAS_HOST environment variable. Only a SaaS administrator has access to this tenant.

As a SaaS administrator, you can create, modify, configure, and disable other tenants. To switch between different tenants, on the List of Tenants page, select and pin a tenant. The Tenant field on the navigation panel will display the name of the tenant you have switched to.

To create a non-SaaS tenant
- As a SaaS administrator, log in to the BMC Helix SSO server. On the navigation panel, click Tenant.
- Click Add Tenant, and specify the following fields in the Basic Information section:
  - Name - Tenant name
  - Hostname - Host name to access an individual tenant by using the following format: host.example.com
  - (Optional) Description
- To enable the tenant, select the Enabled check box.
- Click Save Changes.
The tenant name and tenant host name must be unique.
To enable self-service for a tenant
You can enable the self-service feature to allow customers to manage their tenant’s configuration settings independently through a dedicated admin console available on the specified tenant host. If the feature is enabled, you can customize which authentication options are available to the tenant administrator and predefine the host and port for bypass scenarios. When the feature is disabled, all authentication methods are available for self-service realms.
- As a SaaS administrator, log in to the BMC Helix SSO server. On the navigation panel, click Tenant, and click Edit Tenant for the tenant that you want to modify.
- In the Self Service Config section, select the Enable Self Service check box.
- Select an authentication method from the list:
  - SAML
  - AR
  - CERT
  - LDAP
  - KERBEROS
  - PREAUTH
  - LOCAL
  - OIDC
- (Optional) To enable tenant administrators to isolate different applications, select the Allow tenant admins to update application domains check box.
- (Optional) To enable AR authentication to bypass other authentication methods configured for a realm, enter the host name and port of the AR System server in the Bypass AR Hostname section.
- Click Save Changes.
For more information, see Self-service configuration for BMC Helix SSO tenant administrator.
To enable features for a tenant
Use feature flags to enable specific functionalities for a tenant.
- Edit or create a tenant for which you want to update the feature flags.
- In the Tenant Properties & Feature Flags section, select the check boxes with the functionalities to be enabled for a tenant. All these features are disabled by default.
- Click Save Changes.
The changes are applied automatically for a tenant.
| Functionality | Description | Reference |
|---|---|---|
| User management | | |
| Local User Management "Confirm Registration" | Allows the registration of a user with an email through an API call, enabling users to set or change their password. | |
| Disable email template sanitizing | Helps check and modify the email template input in the Forgot Password functionality. | |
| Security & Session | | |
| Webhooks on authentication response | Helps notify an external service about user authentication in BMC Helix SSO by using webhooks. | |
| Path-specific session cookie | Helps limit the scope of the cookie to the /rsso path on the BMC Helix SSO server. | |
| Check TCP connection | Enables the Check TCP connection feature in the Service tab of a tenant. Helps administrators troubleshoot failed connections between BMC Helix SSO and other applications. The Host, Port, and Type fields are required. In the Type field, select a Transmission Control Protocol (TCP) connection type established between the BMC Helix SSO server and an integrated BMC application: | |
| Use tenant token timeouts for multi-tenant clients | Helps apply the same access and refresh timeout values that are defined for the particular tenant level for multi-tenant clients. | |
| UI & Experience | | |
| Hide copyright | Helps administrators hide the BMC copyright message on the login page and managed service provider page of the integrated BMC application. | |
| UI idle timeout | Enables user logout from a BMC application integrated with BMC Helix SSO due to inactivity in the UI based on defined criteria. This option is available for deployments where applications are protected by the BMC Helix SSO agent: | |
| Advanced | | |
| MSP server side | Enables the BMC Helix SSO Server with a realm identifying functionality on the server side. It is used for multi-domain applications to enhance configuration experience for user sessions. MSP server side feature is applicable for a BMC Helix SSO Agent and Auth Proxy. | |
| Login-audit decoupling | Ensures an uninterrupted admin and end-user login if an audit event fails due to database exceptions. The feature disassociates the creation of a BMC Helix SSO session from auditing the login event. | Reviewing audit records |
| Configuration archive | Allows administrators to revert the BMC Helix SSO server configuration to a previous state, rewinding the server settings up to the selected point in time. | Reverting BMC Helix SSO configuration to an earlier version |
Where to go from here
After you have created a tenant, create administrators for this tenant. For information about how to create a tenant administrator, see Setting up Remedy SSO administrator accounts.