This documentation supports the 22.1 version of BMC Helix Single Sign-On, which is available only to BMC Helix customers (SaaS). To view an earlier version, select the version from the Product version menu.

Transforming userID to match login ID

During the login procedure, BMC Helix Single Sign-On checks that the login ID provided by an end user matches the userID available in the user store of an identity provider (IdP). In many use cases, the login ID and the userID do not match, and end users cannot login by using their login credentials. In such cases, BMC Helix Single Sign-Ontransform the userID for an authentication method by specifying a userID transformation type.

For example, the user name from the identity provider response is CustomeUserName@gmail.com coming from the identity provider response and the user name specified in the Remedy AR System is CustomUserName. To configure the authentication method for end users' login, you must remove the domain from the userID.

You might also need to transform a userID when you integrate BMC Helix SSO with BMC applications, set up an authentication method, and then change the original authentication method. The new authentication method might not provide the same userID format that was available with the original method, and you must specify a userID transformation type for this authentication type.   

Related topics

Adding-and-configuring-realms

Important

The user ID transformation options are supported for all authentication types except "Local".

To transform the userID to match the login ID

  1. In the left navigation panel of the Add Realm or Edit Realm page, click Authentication.
  2. In the UserID Transformation field, specify a required transformation type.
  3. Click Save.

The following table lists the userID transformation options available in the UserID Transformations list:

Transformation

Description

None

Displays the entered userID without any transformation.

RemoveBMCDomain

Displays the userID without the suffix, for example, abc@ is a suffix for the abc@<anyemaildomain>.

RemoveDomain

Displays the userID without the prefix <domain>.

Example: companyname\userid is transformed to userID.

RemoveEMailDomain

Displays userID without the suffix@<anyemaildomain>.

ToLowerCase

Displays userID after converting it to lower case.

Example: UserID is transformed to userid.

ToUpperCase

Displays userID after converting it to upper case.

Example: userid is transformed to USERID.

In addition to the options provided by BMC Helix SSO, you can create and deploy custom transformation types. For more information, see Creating-User-ID-custom-transformation-types.


To specify a custom userID to match the login ID

  1. In the left navigation panel of the Add Realm or Edit Realm page, click Authentication.
  2. In the Custom Expression field, specify your value in the following format "userId + {value}".
    For example, by using the #userId + "@bmc.com" expression, you construct Mary@bmc.com.
  3. Click Save.

You can specify a custom userID by using the predefined string functions. The list of Java string functions and their description is displayed in the following table:

Function

Description

strip()

Returns a string whose value is this string, with all leading and trailing white spaces removed.

substring(int beginIndex)

Returns a string that is a substring of this string. The substring begins with the character at the specified index and extends to the end of this string.

substring(int beginIndex, int endIndex)

Returns a string that is a substring of this string. The substring begins at the specified beginIndex and extends to the character at index endIndex - 1.

toLowerCase()

Converts all of the characters in this string to lower case.

toUpperCase()

Converts all of the characters in this string to upper case.

split(String regex)

Splits a string at matches of the given regular expression.

replace(String target, String replacement)

Returns a string resulting from replacing all occurrences of target in this string with replacement.


The following table represents examples of using string functions.

Expression

Current value

Transformed value

#userId.split('@')[0]

user1@example.com

user1

#userId.split('@')[0].toUpperCase()

user1@example.com

USER1

#userId.replace("@example.com", "@abc.com")

user1@example.com

user1@abc.com

#userid.substring(2)

p_user12345

user12345

#userid.substring(4, 9) + #userid.substring(0, 4)

user12345

12345user


To transform AR System login ID

When your AR System login ID doesn't match the BMC Helix SSO login ID format, you can transform the login ID with the help of AR REST API. For information about the AR REST API, see AR Server REST API architecture.

To activate the login ID transformation option:

  1. In BMC Helix SSO, navigate to the appropriate realm.
  2. In the left navigation panel of the Add Realm or Edit Realm page, click Authentication.

  3. In the Custom Expression field, specify your value in the following format: 

    #arAliasToLoginName.convert('AR REST API URL', 'ARUser', 'encrypted ARUser Password', Field ID, #userId)

      4. Click Save.

As an example, you can get the following result:
#arAliasToLoginName.convert('https://example.com:8443', 'Demo', 'AES-GCM:5de2a10c228a89e8aaaf069c5fb7e448afb997565c0d3c46ba3ddac39fccbddc', 117, #userId)

Where '117' is a field id for "Full Name" on schema User.

A password for BMC Helix SSO should be encrypted. For information about how to encrypt passwords, see Configuring-after-installation