BMC Helix SSO architecture


This topic provides the basic model of the BMC Helix Single Sign-On architecture and describes the BMC Helix SSO components.

After integration with BMC Helix SSO, end users can securely authenticate with multiple BMC applications by using just one set of credentials. For example, Allen logs in to BMC Helix Digital Workplace, browses a catalog, and opens a knowledge article that contains a link to BMC Helix Business Workflows with more details about this article. Allen accesses BMC Helix Business Workflows without having to provide credentials again.


BMC Helix SSO architecture model

The following diagram shows the BMC Helix SSO architecture, and includes the following details:

  • BMC Helix SSO components
  • BMC applications that can be integrated with BMC Helix SSO
  • Third-party components

[Diagram: Remedy SSO architecture.png]

BMC Helix SSO components

The following table provides information about the major components of BMC Helix SSO.

Component

Description

BMC Helix SSO web application

Authenticates users and gets validation requests from BMC Helix SSO agents. If authentication succeeds, the BMC Helix SSO web application generates authentication tokens and stores them in the BMC Helix SSO database. The BMC Helix SSO web application then processes the authentication response by allowing or denying the authentication request.

BMC Helix SSO database

BMC Helix SSO uses the database for storing the following details:

  • Configuration and authentication data including server settings, tenants, realms and authentication configuration, OAuth settings, etc.
  • Session data, such as BMC Helix SSO authentication tokens and OAuth access and refresh tokens.

With one database, all BMC Helix SSO server nodes can share the configuration and authentication data and work as a high-availability cluster.

BMC Helix SSO Admin Console

Provides an interface for accessing the BMC Helix SSO web application. BMC Helix SSO administrators perform tasks required to set up authentication and configure the BMC Helix SSO server from the BMC Helix SSO Admin Console. URL to access the BMC Helix SSO Admin Console: https://BMCHelixSSOServer:portNumber/rsso/admin

Identity provider (IdP)

Stores user and user group information.

Identity providers are external systems, such as Active Directory, Okta, and Oracle Access.

BMC Helix SSO components required for integration with BMC applications

To achieve successful integration with BMC applications, ensure that you have configured the following BMC Helix SSO components:

Component

Description

BMC Helix SSO agent

Filters protected resources from unauthenticated requests. When the BMC Helix SSO agent detects an unauthenticated request, it redirects the user to the BMC Helix SSO server web application. The agent determines the right realm for each user depending on the user's domain. It also determines the right server to communicate with in a multi-server environment.

Mid Tier BMC Helix SSO authenticator plug-in

Validates the token from the user request and extracts user information from the context. It then passes the information to the Action Request System (AR System) through the Mid Tier authentication infrastructure. The authentication request is then processed on the AR System side by the BMC Helix SSO AREA plug-in.

BMC Helix SSO AREA plug-in

Gets user information from the Mid Tier API call as an authentication token and then makes a REST API call to the BMC Helix SSO web application to verify the token's validity.
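
A simplified model of the flow described in the two component tables, added here as an illustration and not BMC's code or API: an agent maps the request's domain to a realm and sends unauthenticated requests to the SSO server, and any server node can validate a token because sessions live in the shared database. All class names, return values, domains, and credentials are constructed assumptions, including the choice to reject a token that was issued for a different realm.

```python
import secrets
import time

class SharedDb:
    """Stands in for the one database that every SSO server node shares."""
    def __init__(self):
        self.sessions = {}  # token -> (user, realm, expires_at)

class SsoNode:
    """One SSO server node; it keeps no session state of its own."""
    def __init__(self, db, idp, ttl=3600):
        self.db, self.idp, self.ttl = db, idp, ttl

    def login(self, realm, user, password):
        expected = self.idp.get((realm, user))
        if expected is None or not secrets.compare_digest(expected, password):
            return None
        token = secrets.token_urlsafe(32)  # opaque: carries no user data itself
        self.db.sessions[token] = (user, realm, time.time() + self.ttl)
        return token

    def validate(self, token, now=None):
        now = time.time() if now is None else now
        rec = self.db.sessions.get(token)
        if rec is None or rec[2] <= now:
            return None  # unknown or expired token
        return {"user": rec[0], "realm": rec[1]}

class Agent:
    """Sits in front of a protected application and filters its requests."""
    def __init__(self, node, realm_by_domain):
        self.node, self.realm_by_domain = node, realm_by_domain

    def handle(self, domain, token=None, now=None):
        realm = self.realm_by_domain.get(domain)
        if realm is None:
            return ("deny", None)  # domain not mapped to any realm
        ident = self.node.validate(token, now) if token else None
        if ident is None or ident["realm"] != realm:
            return ("redirect_to_sso", realm)  # unauthenticated for this realm
        return ("allow", ident["user"])

def demo():
    db = SharedDb()
    idp = {("hr", "allen"): "constructed-password"}  # constructed stand-in for the IdP
    node_a, node_b = SsoNode(db, idp), SsoNode(db, idp)
    agent = Agent(node_b, {"hr.example.test": "hr", "it.example.test": "it"})
    token = node_a.login("hr", "allen", "constructed-password")  # issued by node A
    return agent, token
```

In `demo()`, the token is issued by one node and validated through an agent that talks to the other, which works only because both nodes read the same session store.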


 
