Configuring authentication for BMC Helix SSO administrators


Internal authentication is configured as the default method for logging in to the BMC Helix SSO Admin Console. By default, only administrators created on the BMC Helix SSO server can log in to the BMC Helix SSO Admin Console. You can use any external LDAP directory as an identity provider for BMC Helix SSO administrator accounts. 

You have the following options to configure authentication for BMC Helix SSO admin users:

  • You can use the default Internal authentication method to authenticate administrators. You can specify the Internal authentication type only once in a chain.
  • You can use both methods of authentication by adding the LDAP authentication method to a chain together with the default Internal method. You can add LDAP authentication multiple times to an authentication chain.
  • You can disable Internal authentication and use only LDAP authentication by adding the LDAP method to an authentication chain, and then removing the Internal type from the chain.
  • You can restrict access to the BMC Helix SSO Admin Console for external users defined in LDAP. 
  • You can define groups to identify users who can log in to BMC Helix SSO by using the REST API or the user interface.

Before you begin

You must have an external LDAP identity provider up and running, and you must have administrative permissions in BMC Helix SSO. 

To enable access control based on LDAP groups for the BMC Helix SSO Admin Console

  1. Log in to the BMC Helix SSO server as a SaaS administrator. 
  2. On the navigation panel, click Tenant.
  3. Select the tenant, and from the Actions menu, click Edit Tenant.
  4. Select the Admin console access control option.

    Important

    By default, this option is disabled.

  5. Save your changes.

To configure admin authentication through an external LDAP identity provider

  1. In the BMC Helix SSO Admin Console, select General > Admin Authentication.
  2. Click Add authentication.
  3. To configure a connection to an external LDAP identity provider, complete the following fields:

    Field

    Description


    Host

    Name of the server where the LDAP identity provider is hosted.

    If LDAP is used in failover mode, you can specify more than one LDAP identity provider by providing a comma-separated list of servers. If the first server is unavailable, the BMC Helix SSO server switches to the second server specified in the list.


    Port

    Port number for the LDAP server, such as 389.


    Bind DN

    The distinguished name (DN) of a bind LDAP user.

    For example: CN=User,CN=Users,DC=example,DC=com

    This user must have privileges to search the directory.


    Bind Password

    Password for the bind LDAP user.


    Connection timeout, millis

    Enter an integer value, in milliseconds, greater than zero, after which a connection request times out. 

    If the LDAP provider cannot establish a connection with the server within this time period, the connection attempt is aborted. 

    If this value is blank, the server waits for the connection to be established until the underlying network times out. 

    10

    Read timeout, millis

    Enter an integer value, in milliseconds, greater than zero, after which a read request times out. 

    If the LDAP provider does not get an LDAP response within this time period, the read attempt is aborted.

    If this value is blank, the server waits for the response until it is received.

    10

  4. To specify which users from the LDAP identity provider will have permissions to access the BMC Helix SSO Admin Console, complete the following fields:

    Field

    Description

    User Search Filter

    The LDAP query to search for users. These users will have permissions to access the BMC Helix SSO Admin Console.

    For example: (&(objectCategory=user) (sAMAccountName=$ADMIN$)(memberof=CN=RSSOAdmin,OU=Users,DC=example,DC=com)).

    The user login ID is specified by the $ADMIN$ keyword.

    Users Base DN

    Base distinguished name used for the user search.

    For example: CN=Users,DC=example,DC=com

    Identity Attribute

    Enter the LDAP attribute to be used as the login ID of the administrator.

    For example: sAMAccountName

  5. (SaaS tenant only) To assign roles to specific LDAP user groups, select Enable Group Mapping, and then complete the following fields: 

    Field

    Description

    Group of User Filter

    Enter an LDAP query to search for user groups.

    The queried groups will have permissions to access the BMC Helix SSO Admin Console.

    For example: member:1.2.840.113556.1.4.1941:=$ADMIN_DN$.

    (Optional) Group Base DN

    Specify a base distinguished name used for the group search.

    For example: DC=example,DC=local.

    We recommend that you leave the field blank.

    Group Name Attribute

    Specify an attribute that holds the name of a group. This field is mandatory.

    For example: CN.

    SaaS Administrator

    Specify a group in the LDAP directory for users who will have a role of SaaS Administrator in the BMC Helix SSO Admin Console.

    For example: saas_admin.

    SaaS Administrator with Restricted access

    Specify a group in the LDAP directory for users who will have a role of SaaS Administrator with Restricted access in the BMC Helix SSO Admin Console.

    For example: saas_admin_restricted.

    SaaS Administrator with Read-only access

    Specify a group in the LDAP directory for users who will have a role of SaaS Administrator with Read-only access in the BMC Helix SSO Admin Console.

    For example: saas_admin_ro.

    SAAS Administrator REST access

    Use this filter to specify the group in the LDAP directory for users with the role of SaaS Administrator with only API access and no UI access to the BMC Helix SSO Admin Console; for example, saas_rest_access_group. 

    The group defined should be one of the Group Mappings specified in the SaaS Administrator, SaaS Administrator with Restricted access, or SaaS Administrator with Read-only access fields. If you specify any other group, the users will not be able to access the Admin Console via the REST API.

    Important:

    • You can only add one group for REST API access.
    • Users in the specified group receive their admin_token via REST API and can access the BMC Helix SSO Admin Console via the REST API. 
    • If you leave this field blank, but provide a group for SAAS Administrator UI access, users cannot log in to the Admin Console via the REST API.

    SAAS Administrator UI access

    Use this filter to specify the group in the LDAP directory for users with the role of SaaS Administrator with UI access and no REST API access to the BMC Helix SSO Admin Console; for example, saas_ui_access_group. 

    The group defined should be one of the Group Mappings specified in the SaaS Administrator, SaaS Administrator with Restricted access, or SaaS Administrator with Read-only access fields. If you specify any other group, the users will not be able to access the Admin Console via the UI.

    Important:

    • Users in the specified group receive their admin_tokens via the user interface and can access the BMC Helix SSO Admin Console via the UI.
    • If you leave this field blank, but provide a group for SAAS Administrator REST access, users cannot log in to the Admin Console via the user interface.

    Important

    The following table describes the REST API or UI access granted to the groups defined in the SAAS Administrator REST access and SAAS Administrator UI access fields. In the first two columns, ✅ means a group is entered in the field and ❌ means the field is left blank; in the last two columns, ✅ means access is enabled and ❌ means access is disabled.

    Field value entered in the field                               Access enabled for
    SAAS Administrator REST access | SAAS Administrator UI access | REST API | UI
    ❌                             | ❌                           | ✅       | ✅
    ✅                             | ✅                           | ✅       | ✅
    ✅                             | ❌                           | ✅       | ❌
    ❌                             | ✅                           | ❌       | ✅

    The following image shows security groups in an external user directory:

    [Image: RSSO roles_20.08.png]

  6. Click Add to chain.
  7. Click Save.
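The following script is an added example and not BMC Helix SSO code: it models the settings from steps 3 to 5 so that a tenant administrator can check a planned configuration before deleting the INTERNAL entry from the chain. It renders the User Search Filter and Group of User Filter from the page's own templates, substituting the login ID for $ADMIN$ and the user DN for $ADMIN_DN$ with RFC 4515 escaping so that a login ID containing `*`, `(` or `)` cannot change the shape of the filter, and it evaluates which role and which channel (REST API or UI) a directory user would receive from the group-mapping fields according to the access table above. The directory entries, the per-user reading of the access table, and the parentheses added around the group filter are assumptions made for this example.

```python
"""Pre-flight model of the admin LDAP settings described on this page.

Added example, not BMC Helix SSO code. Directory entries are constructed.
"""
from dataclasses import dataclass
from typing import Optional

# RFC 4515 escaping for a value substituted into a filter template, so a login
# ID containing '*', '(' or ')' cannot change the shape of the filter.
_ESCAPES = {"\\": "\\5c", "*": "\\2a", "(": "\\28", ")": "\\29", "\x00": "\\00"}


def escape_filter_value(value: str) -> str:
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


# Templates as given on the page; the group filter is wrapped in parentheses
# here to make it a complete RFC 4515 filter (assumption).
USER_FILTER = ("(&(objectCategory=user)(sAMAccountName=$ADMIN$)"
               "(memberof=CN=RSSOAdmin,OU=Users,DC=example,DC=com))")
GROUP_FILTER = "(member:1.2.840.113556.1.4.1941:=$ADMIN_DN$)"


def render_user_filter(login_id: str, template: str = USER_FILTER) -> str:
    """Substitute the login ID for $ADMIN$ (User Search Filter)."""
    return template.replace("$ADMIN$", escape_filter_value(login_id))


def render_group_filter(user_dn: str, template: str = GROUP_FILTER) -> str:
    """Substitute the user's DN for $ADMIN_DN$ (Group of User Filter)."""
    return template.replace("$ADMIN_DN$", escape_filter_value(user_dn))


@dataclass
class GroupMapping:
    """Values of the Enable Group Mapping fields (group names, i.e. the CN)."""
    saas_admin: str = "saas_admin"
    saas_admin_restricted: str = "saas_admin_restricted"
    saas_admin_ro: str = "saas_admin_ro"
    rest_access_group: Optional[str] = None  # SAAS Administrator REST access
    ui_access_group: Optional[str] = None    # SAAS Administrator UI access

    def role_groups(self) -> dict:
        return {
            self.saas_admin: "SaaS Administrator",
            self.saas_admin_restricted: "SaaS Administrator with Restricted access",
            self.saas_admin_ro: "SaaS Administrator with Read-only access",
        }


def resolve_roles(user_groups, mapping: GroupMapping) -> list:
    """Roles granted by the role-mapping groups the user belongs to."""
    return [role for grp, role in mapping.role_groups().items() if grp in user_groups]


def resolve_access(user_groups, mapping: GroupMapping) -> tuple:
    """(rest_api, ui) access for one user, following the access table.

    Per-user reading used here (assumption): no channel group set -> every
    mapped admin gets both channels; a channel group set -> that channel only
    for its members, and only if the group is one of the three role-mapping
    groups; a channel left blank while the other is set -> closed for everyone.
    """
    if not resolve_roles(user_groups, mapping):
        return (False, False)
    rest, ui = mapping.rest_access_group, mapping.ui_access_group
    if rest is None and ui is None:
        return (True, True)
    valid = mapping.role_groups()
    rest_ok = rest is not None and rest in valid and rest in user_groups
    ui_ok = ui is not None and ui in valid and ui in user_groups
    return (rest_ok, ui_ok)


# Constructed directory: login ID -> (DN, group CNs taken from memberOf).
DIRECTORY = {
    "alice": ("CN=alice,CN=Users,DC=example,DC=com", {"saas_admin", "RSSOAdmin"}),
    "bob": ("CN=bob,CN=Users,DC=example,DC=com", {"saas_admin_ro", "RSSOAdmin"}),
    "carol": ("CN=carol,CN=Users,DC=example,DC=com", {"helpdesk"}),
}


def preflight(mapping: GroupMapping) -> dict:
    """Per-user summary to review before removing INTERNAL from the chain."""
    report = {}
    for login, (dn, groups) in DIRECTORY.items():
        rest, ui = resolve_access(groups, mapping)
        report[login] = {
            "user_filter": render_user_filter(login),
            "group_filter": render_group_filter(dn),
            "roles": resolve_roles(groups, mapping),
            "rest_api": rest,
            "ui": ui,
        }
    return report


if __name__ == "__main__":
    # Only saas_admin may use the REST API; the UI is closed for everyone
    # (third row of the access table).
    for login, row in preflight(GroupMapping(rest_access_group="saas_admin")).items():
        print(login, row["roles"], "REST" if row["rest_api"] else "-", "UI" if row["ui"] else "-")
```

The rendered user filter can be passed unchanged to an LDAP client together with the same Host, Port, Bind DN and Users Base DN values, which confirms that the bind user can actually find the intended administrator entry before Internal authentication is removed from the chain.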

To disable Internal authentication

Important

You can disable the Internal authentication method only if the LDAP authentication method has been added to the chain.

  1. In the BMC Helix SSO Admin Console, select General > Admin Authentication.
  2. From the Authentication Type list, select INTERNAL, and then click the Delete authentication icon.
  3. Click Save.
