This documentation supports the 19.11 version of BMC Remedy Single Sign-On, which is available only to BMC Helix subscribers (SaaS).To view an earlier version, select the version from the Product version menu.

Login and logout experience for end users

When you implement a single sign-on system, the normal authentication behavior is altered for end users. If an end user who is already logged in to an application, opens a second application in a browser window, the user is automatically logged on.

Single sign-on experience is enabled for applications that are registered within a single realm on the Remedy Single Sign-On server.  

Related topic

Password-change-mechanisms

Start-page

Adding-and-configuring-realms

Login

Based on how a realm is configured for authentication, when a user attempts to log in to an application integrated with Remedy SSO, the following events are triggered:

Event

Configuration

Remedy SSO login page is displayed

When a realm on the Remedy SSO server is configured for one of the following authentication types:

  • AR
  • Local
  • LDAP

Login page of the Identity Provider (IdP) is displayed

When a realm on the Remedy SSO server is configured for one of the following authentication types:

  • SAML
  • OpenID Connect

No login page is displayed

When a realm on the Remedy SSO server is configured for one of the following authentication types:

  • Cert
  • Kerberos
  • Preauth

After the end user enters valid credentials, the Remedy SSO server authenticates the end user according to the configured authentication mechanism and redirects the request to an integrated application. The Remedy SSO agent verifies that the user is authenticated, and then allows the user to access the integrated application.

If the end user tries to access the same application or any other integrated application from another browser tab or window, the Remedy SSO agent checks for an existing user session to determine whether or not the user is already logged on. If the user is already logged on, as in this case, the application UI is displayed without the user being prompted for credentials.

If the user session does not exist yet, or the user is not already logged on, Remedy SSO does the normal token check (from a cookie) and redirects the user to the login page.

Logout

When an end user clicks the logout URL in the integrated application, the Remedy SSO agent sends a request to the Remedy SSO server. 

Based on how a realm is configured, end users have the following logout experience: 

Realm configuration

Logout experience

Single logout is disabled

A reference counter on the user token table in the web application increments or decrements the application count when the user logs in or logs out from an application. The reference counter is implemented by applications that are logged in to by using the Remedy SSO token.

When an end user logs out from an application, but the application count is greater than 0, it means the user is still logged in to one or more applications. In this case, the system does not prompt the user for credentials when the user logs in to another application again.

When an end user logs out from an application, and the application count is 0, it means the user is logged out from Remedy SSO. The user will be prompted for credentials on accessing applications.

Single logout is enabled

When an end user clicks the logout URL for one application, the user is automatically logged out from Remedy SSO.