Configuring the BMC Helix SSO server after upgrade


After you upgrade BMC Helix Single Sign-On, perform the tasks described in this topic.

Task 1: Update the web.xml file

If you modified the original web.xml file, located in the <RSSO Tomcat>\webapps\rsso\WEB-INF folder on the BMC Helix SSO server, before the upgrade, apply your custom settings to the upgraded file.

Task 2: Kill an active login session in the BMC Helix SSO Admin Console

Important

This task must be performed by all BMC Helix SSO administrators and is required only if BMC Helix SSO was upgraded from a version earlier than 19.11.

As an administrator of BMC Helix SSO, you must log out from the BMC Helix SSO Admin Console and log in again.

You need to perform this step if you had an active login session before the upgrade and that session remained valid after the upgrade.

Task 3: Update SAML SP metadata template

  1. Log in to the BMC Helix SSO Admin Console.
  2. Navigate to Realm > Authentication, and select the SAML authentication type.
  3. For every realm that uses SAML authentication, update the SP metadata template. To open the SP metadata in edit mode, click Edit in the Template section.

    The following template is the original SP metadata template:

    SP metadata template
    <?xml version="1.0" encoding="UTF-8" standalone="yes"?>
    <EntityDescriptor entityID="%%ISSUER%%" xmlns="urn:oasis:names:tc:SAML:2.0:metadata">
       <SPSSODescriptor AuthnRequestsSigned="%%SIGN_REQUEST%%" WantAssertionsSigned="true" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
           <KeyDescriptor use="signing">
               <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
                   <X509Data>
                       <X509Certificate>%%CERTIFICATE_DATA%%</X509Certificate>
                   </X509Data>
               </KeyInfo>
           </KeyDescriptor>
           <KeyDescriptor use="encryption">
               <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
                   <X509Data>
                       <X509Certificate>%%ENC_CERTIFICATE_DATA%%</X509Certificate>
                   </X509Data>
               </KeyInfo>
           </KeyDescriptor>
           <SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="%%LOGOUT_REQUEST%%" ResponseLocation="%%LOGOUT_RESPONSE%%" />
           <NameIDFormat>%%NAMEIDFORMAT%%</NameIDFormat>
           <AssertionConsumerService index="0" isDefault="true" Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="%%CONSUMER%%" />
       </SPSSODescriptor>
    </EntityDescriptor>
    1. If you enabled the IdP-initiated single logout feature, add the following element to the SP metadata template after the <AssertionConsumerService> tag:

      <SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="%%LOGOUT_REQUEST%%" ResponseLocation="%%LOGOUT_RESPONSE%%" />
      • Location is the endpoint to which the identity provider sends the logout request. For example, https://access.xyz.com:8443/rsso/receiver/Saml.
      • ResponseLocation is the endpoint to which the identity provider sends the logout response after it receives the logout request from BMC Helix SSO. For example, https://access.xyz.com:8443/rsso/receiver/Saml.

    2. To sign the SP metadata, update the following tag:

      <EntityDescriptor entityID="%%ISSUER%%" xmlns="urn:oasis:names:tc:SAML:2.0:metadata" %%METADATA_ID%%>
  4. On the identity provider side, update the BMC Helix SSO (SP) metadata.
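The following script is an added example, not part of the BMC documentation or the product: it renders the SP metadata template above with constructed sample values and checks the result before it is handed to the identity provider (every Binding must be exactly the HTTP-POST URI, since a stray space introduced while editing the template by hand makes it invalid; every Location and ResponseLocation must be an HTTPS endpoint; WantAssertionsSigned must stay true; SingleLogoutService must be present for IdP-initiated logout). The rendering step and the expansion of %%METADATA_ID%% into an ID attribute are assumptions; BMC Helix SSO fills the template itself, and the KeyDescriptor elements are omitted for brevity.

```python
import re
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata"}
HTTP_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
# SP metadata template from this topic, with SingleLogoutService after AssertionConsumerService
# and the %%METADATA_ID%% hook on EntityDescriptor; KeyDescriptor elements omitted for brevity.
TEMPLATE = """<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<EntityDescriptor entityID="%%ISSUER%%" xmlns="urn:oasis:names:tc:SAML:2.0:metadata" %%METADATA_ID%%>
  <SPSSODescriptor AuthnRequestsSigned="%%SIGN_REQUEST%%" WantAssertionsSigned="true" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <NameIDFormat>%%NAMEIDFORMAT%%</NameIDFormat>
    <AssertionConsumerService index="0" isDefault="true" Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="%%CONSUMER%%" />
    <SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="%%LOGOUT_REQUEST%%" ResponseLocation="%%LOGOUT_RESPONSE%%" />
  </SPSSODescriptor>
</EntityDescriptor>"""
# Constructed sample values; that %%METADATA_ID%% expands to an ID attribute is an assumption.
SAMPLE = {
    "ISSUER": "https://access.xyz.com:8443/rsso",
    "METADATA_ID": 'ID="_sp-metadata-1"',
    "SIGN_REQUEST": "true",
    "NAMEIDFORMAT": "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified",
    "CONSUMER": "https://access.xyz.com:8443/rsso/receiver/Saml",
    "LOGOUT_REQUEST": "https://access.xyz.com:8443/rsso/receiver/Saml",
    "LOGOUT_RESPONSE": "https://access.xyz.com:8443/rsso/receiver/Saml",
}

def render(template: str, values: dict) -> str:
    """Substitute %%NAME%% placeholders; refuse a template that leaves any unfilled."""
    out = re.sub(r"%%(\w+)%%", lambda m: values.get(m.group(1), m.group(0)), template)
    if "%%" in out:
        raise ValueError("template still contains unfilled %%...%% placeholders")
    return out

def check_sp_metadata(xml_text: str) -> list:
    """Return the problems found in rendered SP metadata (empty list means it passed)."""
    sp = ET.fromstring(xml_text).find("md:SPSSODescriptor", NS)
    if sp is None:
        return ["SPSSODescriptor element missing"]
    problems = []
    if sp.get("WantAssertionsSigned") != "true":
        problems.append("WantAssertionsSigned must be 'true' so unsigned assertions are rejected")
    if sp.find("md:SingleLogoutService", NS) is None:
        problems.append("SingleLogoutService missing; IdP-initiated logout will not work")
    for el in sp:  # NameIDFormat has none of these attributes and is skipped
        if (binding := el.get("Binding")) not in (None, HTTP_POST):
            problems.append(f"Binding {binding!r} is not the HTTP-POST URI (check for stray whitespace)")
        for attr in ("Location", "ResponseLocation"):
            if (url := el.get(attr)) is not None and not url.startswith("https://"):
                problems.append(f"{attr} {url!r} is not an https:// endpoint")
    return problems
```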

Where to go from here

When you have configured BMC Helix SSO after the upgrade, you can verify that the upgrade was successful. For instructions, see Verifying-the-installation.
