This documentation supports the 22.1 version of BMC Helix Single Sign-On, which is available only to BMC Helix customers (SaaS). To view an earlier version, select the version from the Product version menu.

Reauthentication

Some BMC applications are designed to provide an additional security level to some business critical functionality available to end users. This protection mechanism invokes a reauthentication request, and end users are asked to provide their credentials when they perform some action in the system, for example, approving a service request.

BMC Helix Single Sign-On handles authentication requests from applications integrated with them differently. Depending on how a realm is configured, BMC Helix Single Sign-On processes authentication requests in one of the following ways:

  • Enables automatic reauthentication—end users are not required to provide the user name and password at the time of reauthentication on the BMC Helix Single Sign-On login page. 
  • Enables manual reauthentication—end users are required to provide their credentials at the time of a reauthentication request.

Related topics

Single-sign-on-authentication-methods

Authentication-fallback

Realms

Enabling-authentication-chaining-mode

Automatic reauthentication

End users are automatically authenticated at the time of a reauthentication request, only if a single authentication method is configured for a realm, and if this method is one of the following:

  • Kerberos
  • Certificate-based
  • Preauthentication
  • SAML—when configured not to display the login page for end users.

Manual reauthentication for a realm with a single authentication method

If you have one of the following authentication methods configured for a realm, the reauthentication is manual, and end users are required to provide their credentials on the login page at the time of the reauthentication request:

  • AR
  • LDAP
  • Local
  • OpenID Connect
  • SAML configured to display the login page for end users

For SAML and OpenID Connect IdPs, the login page of the IdP is displayed at the time of the reauthentication request.
For AR, Local and LPAD IdPs, the BMC Helix Single Sign-On login page is displayed.

Manual reauthentication for a realm with a chain of authentication methods

If you have an authentication chain configured for a realm, you can enable manual reauthentication. The secondary authentication in the chain is invoked at the time of a reauthentication request, and end users are required to provide their credentials on the login page at the time of the reauthentication request.

The following diagram shows how reauthentication works for a realm with several authentication methods:

Reauthentication model.png

To configure manual reauthentication for a realm with several authentication methods, chain them in accordance with the principles described in the following table:

Authentication type

Authentication methods supported

Notes

Primary authentication

  • SAML
  • Kerberous
  • Certificate-based
  • Preauthentication

SAML note:

If SAML IdP is configured not to display the login page to end users, then you must enable the Bypass for reauth requests setting in SAML configuration of the realm. For information about this setting, see Importing-configuration-from-an-identity-provider-and-configuring-SAML.

Preauthentication notes:

  • If the authentication request from application contains JWT, then end users are authenticated via Preauth, and the request is not redirected to the next IdP in the chain.
  • If the authentication request from application does not contain JWT, the request is redirected to the next IdP in the chain.

Secondary authentication

  • LDAP
  • AR
  • Local
  • OpenID Connect

For OpenID Connect IdPs, the login page of the IdP is displayed at the time of the reauthentication request.


 

Tip: For faster searching, add an asterisk to the end of your partial query. Example: cert*