This documentation supports the 21.3 version of BMC Helix Single Sign-On.To view an earlier version, select the version from the Product version menu.

Configuring general settings for a realm

When you are in the process of adding a realm for any authentication type, the first thing you need to do is to configure the general details of a realm.

Related topics

Adding-and-configuring-realms

Realms

The following table describes realm settings on the General tab that you need to configure:

Field

Action

Realm ID

Enter a realm name. The value that you enter must satisfy the following requirements:

  • Must be a unique value
  • Must not be more than 80 characters
  • Must include only alphanumeric characters

  • Can contain the following special symbols:

    • asterisk ( * )
    • dot ( . )
    • underscore ( _ )
    • dash ( - )

    Note: The realm ID stored in the BMC Helix SSO database is case-insensitive. So, for example, you cannot create a realm called "Cola" if a realm "cola" already exists.

Application Domain(s) 

Enter comma-separated domain names of applications integrated with BMC Helix SSO. Each value in the application domain is a host of an application URL of a tenant. For example, if the URL for the Mid Tier application is http://tenant1.midtier.company.com/arsys, the host will be tenant1.midtier.company.com.

Ensure that all applications of a tenant have a corresponding value in the application domain string. For example, consider that you created realm1 for a tenant that has two applications with the following URLs:

  • Mid Tier URL as http://tenant1.midtier.company.com/arsys
  • BMC Digital Workplace URL as http://tenant1.dwp.company.com/ux/dwpapp

In this scenario, for realm1, the application domain value will be a comma-separated string of tenant1.midtier.company.com and tenant1.dwp.company.com.

You can define the application domain by using one of the following patterns:

  • Subdomain of an application
  • Host name + subdomain of an application
  • Host name

Example:

<hostname>.calbro.bmc.com is a fully qualified domain name.

calbro is a subdomain of bmc.com

bmc is a subdomain of com

com is the parent domain.

Notes:

  • You must not add a domain to more than one realm.
  • The Application Domains field does not accept uppercase characters; every entry is automatically transformed to lowercase characters.

Tenant

(Optional)

Enter a tenant name of the integrated applications.

Note: You can associate a realm with only one application tenant.

After Logout URL

(Optional)

Enter the URL to which a user is redirected after the user logs out from BMC Helix SSO.

Important

If you use the OpenID Connect authentication method, the After logout URL functionality is available only if you upgrade BMC Helix SSO from versions earlier than 20.08.

Single Log Out

(Optional)

Select this check box to enable the single logout option for end users.

When the single logout experience is enabled, if an end user clicks the logout URL in one application, the user is automatically logged out from the Remedy SSO server and, as a result, from all applications belonging to his realm.

When the single logout experience is disabled, if an end user clicks the logout URL in one application, the user is still logged in to Remedy SSO server if the user is simultaneously logged in to at least one application.

The single logout experience might take some time. To expedite single logout, the BMC Helix SSO SaaS administrator can configure the Redis server:

  1. In the BMC Helix SSO Admin Console, select Service > Redis.
  2. Specify the following attributes:

    • Redis URI
    • Password
    • Channel

3. Click Update.

The Redis configuration is applied to the whole BMC Helix SSO server and is effective only if BMC Helix SSO uses Auth Proxy as a sidecar container.

For more information about the logout experience for end users, see Logon and logoff experience for end users.

Session Quota

For security reasons, you might need to configure the number of active sessions or simultaneous logins for a particular realm. You can also decide whether to invalidate an older session or not allow the user to log in to a new session and display an error message.

In this field, you can enter the number of active sessions or simultaneous logins for a particular user.

Enter one of the following values:

  • 0—Allow multiple simultaneous logins, that is, any number of logins are allowed.
    Note: This is the default value, so that after an upgrade, there is no restriction on the number of simultaneous logins.
  • 1—Only one login session is allowed for the user.
  • Any other value other than 0 or 1—Only those number of session logins will be allowed for the user.

Note: If you select the Automatically invalidate oldest session on reaching quota checkbox, and if a user exceeds the number of logins, the user can log in, but will get logged out from the oldest session. If you do not select this option, the user cannot log in to any session beyond the entered value and the following error message is displayed: Exceeded session quota limit.

 

Tip: For faster searching, add an asterisk to the end of your partial query. Example: cert*