Information
This documentation supports the 23.4 version of BMC Helix Single Sign-On, which is available only to BMC Helix customers (SaaS). To view an earlier version, select the version from the Product version menu.

Configuring settings for the BMC Helix SSO server


Review the following settings for the BMC Helix SSO server, and configure them as required.

To set the cookie domain

The cookie domain controls the cookie visibility between servers within the same domain or different domains.

By default, the parent domain of a computer on which the BMC Helix SSO server is installed is set as the cookie domain value. The default cookie domain provides the most restrictive access to applications protected by BMC Helix SSO.

You can set a child domain name of a server where BMC Helix SSO is installed as the cookie domain value. For example, if your BMC Helix SSO server is on rsso.yourcompany.com, you can set the cookie domain to rsso.yourcompany.com instead of just yourcompany.com.

If your BMC Helix ITSM and BMC Helix Digital Workplace applications are available on itsm.yourcompany.com and dwp.yourcompany.com, and BMC Helix SSO is on sso.yourcompany.com, then the cookie domain must be set to sso.yourcompany.com.

  1. In the BMC Helix SSO Admin Console, select General > Basic.
  2. In the Cookie Domain field, enter the cookie domain value.

    Important

    The cookie domain value must contain a dot (".").

    Ensure that the value is correct because a wrong value can cause a redirection loop.

  3. Click Save.

To prevent BMC Helix SSO cookie sharing between different applications hosted on a single domain

  1. Log in to the BMC Helix SSO Admin Console as a SaaS administrator.
  2. On the navigation panel, click Tenant, and edit the existing tenant or create a new one.
  3. In the section to the right, select the Path-specific session cookie check box.
  4. Click Save.

For more information, see Setting-up-tenants.
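
The two scoping settings above (cookie domain and path-specific session cookie) follow the browser's standard matching rules, shown here as an added example that is not BMC code. It assumes the Cookie Domain value is sent as the cookie's Domain attribute and that the path-specific option sets its Path attribute; the apps.yourcompany.com host and the /itsm and /dwp paths are constructed for illustration.

```python
# Added example: RFC 6265 domain-match (5.1.3) and path-match (5.1.4).
# Hostnames are the page's examples; the host apps.yourcompany.com and
# the /itsm and /dwp paths are constructed.

def domain_match(host, cookie_domain):
    """True if a browser treats `host` as inside `cookie_domain`.

    Models a cookie that carries a Domain attribute (not a host-only cookie).
    """
    host = host.lower().rstrip(".")
    domain = cookie_domain.lower().strip(".")
    # Exact match, or host is a subdomain on a label boundary.
    return host == domain or host.endswith("." + domain)


def path_match(request_path, cookie_path):
    """True if `request_path` falls under `cookie_path`."""
    if request_path == cookie_path:
        return True
    if request_path.startswith(cookie_path):
        # The prefix must end on a "/" boundary, so /itsmx is not under /itsm.
        return cookie_path.endswith("/") or request_path[len(cookie_path)] == "/"
    return False


def cookie_sent(host, path, cookie_domain, cookie_path="/"):
    """True if the browser attaches the cookie to a request for host + path."""
    return domain_match(host, cookie_domain) and path_match(path, cookie_path)


def visibility(cookie_domain, hosts):
    """Map each host to whether it receives a cookie scoped to cookie_domain."""
    return {h: domain_match(h, cookie_domain) for h in hosts}


HOSTS = ["sso.yourcompany.com", "itsm.yourcompany.com", "dwp.yourcompany.com"]

if __name__ == "__main__":
    for dom in ("yourcompany.com", "sso.yourcompany.com"):
        print(dom, visibility(dom, HOSTS))
    # Constructed single-domain case: two applications separated only by path.
    for p in ("/itsm/home", "/dwp/home", "/itsmx"):
        print(p, cookie_sent("apps.yourcompany.com", p,
                             "apps.yourcompany.com", "/itsm"))
```
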

To configure the maximum session time for end users

  1. In the BMC Helix SSO Admin Console, select General > Basic.
  2. In the Max Session Time field, set the time after which the user session should expire.
    By default, the session timeout is set to 4 hours. When this value is selected, time constraints are automatically enforced.

    Important

    The time that you set must be more than the time that is set for session token validation on the BMC Helix SSO agent.

  3. Click Save.

To configure the log level for the BMC Helix SSO server

  1. In the BMC Helix SSO Admin Console, select General > Basic.
  2. From the Server Log Level list, select a severity level for logging messages.

    Important

    The DEBUG level affects the BMC Helix SSO server performance.

  3. Click Save.

To set the cookie name

The cookie name is automatically created during the installation of BMC Helix SSO, and the name is shared between all applications that use BMC Helix SSO. If you configure BMC Helix SSO across multiple staged environments within the same domain, you must specify a unique cookie name for each environment. For example, if you have four environments (DEV, QA, STAGING, and PRODUCTION), each group of applications within the same domain must have the environment's unique cookie name.

  1. In the BMC Helix SSO Admin Console, select General > Advanced.
  2. In the Cookie Name field, enter a unique value.

    Important

    The default cookie name is a timestamp value, which is generated when the BMC Helix SSO database is installed. 

  3. Click Save.

To manage the cookie security for end users by setting site cookie properties

You might need to enable a cross-site cookie if you have BMC Helix SSO integrated with applications hosted on different domains or applications not integrated with the same BMC Helix SSO server. For information about these deployment cases, see Deployment-scenarios.

BMC Helix SSO uses cookies to ensure that your users are able to seamlessly access all integrated applications. As browsers implement changes to their default SameSite attributes, cross-site cookie requests will not be sent, and as a result, your users will be prevented from accessing your applications.

  1. In the BMC Helix SSO Admin Console, select General > Advanced.
  2. Select one of the following options: 

    Value

    Action

    Secure cookie

    Select this option to enable the secure cookie for a browser.

    If this option is selected, the end user cannot log in to BMC applications integrated with BMC Helix SSO without HTTPS.

    By default, this option is not selected.

    SameSite

    Select one of the following options:

    • None—This option is valid only if you selected Secure cookie.
    • Strict—Select this option to set the Strict option for the SameSite cookie. When the SameSite cookie value is set to Strict, the browser does not send cookies for cross-site requests. Cookies are included only if the target site for the request matches the site currently shown in the browser's address bar.
      This option is enabled only when the Cookie SameSite Strict feature is enabled for the tenant.
    • Blank—To not set any SameSite cookie property
  3. Click Save.
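
A check to run against a Set-Cookie response header after changing these settings, added here as an example (not BMC code): it flags the attribute combinations this section and the cookie domain section warn about. The cookie name sso-session, the header strings and the finding codes are constructed.

```python
# Added example: audit one Set-Cookie header against the rules on this page.
# Header strings below are constructed; "sso-session" is a placeholder name.

def parse_set_cookie(header):
    """Split a Set-Cookie header into (name, attrs) with lower-cased keys."""
    parts = [p.strip() for p in header.split(";") if p.strip()]
    name = parts[0].partition("=")[0]
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name, attrs


def audit(header, scheme):
    """Return finding codes for a header observed on an http/https response."""
    _, attrs = parse_set_cookie(header)
    secure = "secure" in attrs
    samesite = attrs.get("samesite", "").lower()
    findings = []
    if samesite == "none" and not secure:
        # Page rule: None is valid only together with Secure cookie.
        findings.append("samesite-none-without-secure")
    if secure and scheme != "https":
        # Page rule: with Secure cookie selected, login requires HTTPS.
        findings.append("secure-cookie-over-http")
    if not samesite:
        # Blank setting: the browser's own SameSite default decides.
        findings.append("samesite-unset-browser-default")
    if "domain" in attrs and "." not in attrs["domain"]:
        # Page rule: the cookie domain value must contain a dot.
        findings.append("cookie-domain-without-dot")
    return findings


SAMPLES = [  # (constructed header, scheme of the response that carried it)
    ("sso-session=abc; Domain=sso.yourcompany.com; Path=/; Secure; SameSite=None", "https"),
    ("sso-session=abc; Domain=sso.yourcompany.com; Path=/; SameSite=None", "https"),
    ("sso-session=abc; Domain=yourcompany; Path=/; Secure", "http"),
]

if __name__ == "__main__":
    for header, scheme in SAMPLES:
        print(scheme, audit(header, scheme) or "ok", "<-", header)
```
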

To set the service URL on the BMC Helix SSO server

The service URL provides information about the location of the BMC Helix SSO server, and the BMC Helix SSO server uses the service URL to generate session tokens. 

  1. In the BMC Helix SSO Admin Console, select General > Advanced.
  2. In the Service URL field, set the BMC Helix SSO service URL. 
  3. Click Save.

If you do not set the service URL on the BMC Helix SSO server, you can specify the sso-service-url in the rsso-agent.properties configuration file on the BMC Helix SSO agent and the AREA plugin file for generating session tokens.

To manage the cookie security for administrators

For administrators, the secure cookie is disabled by default. To enable the secure cookie:

  1. In the BMC Helix SSO Admin Console, select General > Advanced.
  2. In the Admin Cookie section, select the Secured Cookie check box.
  3. Click Save.

If this check box is selected, the administrator cannot log in to the BMC Helix SSO Admin Console without HTTPS.

 
