This documentation supports the 22.1 version of BMC Helix Single Sign-On, which is available only to BMC Helix customers (SaaS). To view an earlier version, select the version from the Product version menu.

Preauthentication

BMC Helix Single Sign-On provides preauthentication mechanism to allow end users to access applications if they have already been authenticated by another authentication provider. 

To be able to use the preauthentication method, the following preconditions must be met:

  • A third-party authentication provider must issue a JSON Web Token (JWT) as a result of authentication
  • The JWT which contains the user principals must be signed.

To use preauthentication, as the BMC Helix SSO administrator, you must first configure an appropriate realm for the preauthentication type. You must then specify the JWT attributes and the certificate that will be used to validate the authentication server signature under the user principals.

Related topics

Configuring-preauthentication

Enabling cross launch for applications integrated with different Remedy SSO servers

Preauthentication flow

The following table provides the preauthentication login flow:

Stage

Description

1

An end user passes authentication against a third-party authentication server, and gets the JWT representing the authenticated person and signed by the authentication server.

2

The BMC Helix SSO agent deployed on the application side forwards the unauthenticated request to the BMC Helix SSO server and passes the JWT value in the rsso_preauth parameter in the HTTP request.

3

The BMC Helix SSO server verifies that the JWT has been issued by the trusted server and is valid, and then extracts the user name by using the configured JWT attribute.

4

BMC Helix SSO proceeds with the standard authentication flow. It authenticates the user, creates the session, sets the authentication cookie, and redirects the request to the original application.