20.02 enhancements
Remedy Single Sign-On enhancements
The feature enhancements delivered in Remedy Single Sign-On version 19.11 (SaaS-only) release are also available in the Remedy Single Sign-On 20.02 release.
Remedy Single Sign-On version 20.02 patch 1
Version 20.02.01 is now available on-premises.
SAML sessions parameter
Remedy Single Sign-On provides an option for defining the maximum session time for end users. The Use SessionNotOnOrAfter parameter for session time option is available in the configuration parameters of a SAML realm.
By default, the maximum session time is defined by the value set in the Max Session Time field configured on the General > Basic tab in the Remedy SSO Admin Console. Identity providers (IdPs) supporting SAML authentication also have the SessionNotOnOrAfter configuration parameter, which defines the maximum session time. If the SessionNotOnOrAfter value configured on the IdP side is less than the value specified in the Max Session Time field on the Remedy SSO server, the maximum session time is defined by the value configured on the IdP.
SAML groups support
In earlier releases, retrieval of user groups was supported only for LDAP and Local identity providers. In this release, retrieval of user groups is supported for SAML identity providers.
The Remedy Single Sign-On server retrieves information about user groups from the SAML assertion responses by parsing the authentication login response from a SAML IdP. The information about the user groups is temporarily stored on the Remedy Single Sign-On server during the lifetime of the authentication session. End users logging in to applications integrated with Remedy Single Sign-On, are authorized to access the application features based on the groups they belong to.
The Xpath 1.0 for group retrieval new parameter has been added on the Authentication tab of a SAML realm.
For more information about how to use the new configuration parameters, see Importing-configuration-from-an-identity-provider-and-configuring-SAML.
Support to log audit records of Remedy SSO administrators
As a Remedy SSO administrator, you can enable auditing of actions performed by all administrators in the Remedy SSO Admin Console. For information about how to enable auditing of actions, see Configuring-the-Remedy-SSO-server. When enabled, the audit records are displayed on the new Audit tab in the Admin Console.
Introducing self-help
We are pleased to announce embedded self-help with guided assistance in this release of Remedy SSO. Guided assistance helps you learn to navigate the product and to actively complete tasks. In the Self-help pane, you can start guided assistance, access links to help topics, and watch videos relevant to where you are in the product and the task you are performing.
We welcome your feedback and suggestions for additional guided assistance by adding comments when you complete the self-help guidance or on docs.bmc.com.
As a Remedy SSO administrator, you can enable the self-help in the Remedy SSO Admin Console. For information about how to enable self-help, see Configuring-the-Remedy-SSO-server.
(Version 19.11 and later) Remedy SSO in multitenant mode
Starting with 19.11 release, Remedy SSO is supported in multitenancy mode in which a single application instance serves multiple tenants and guarantees data isolation between tenants. For more information about multitenancy for Remedy SSO, see Remedy-SSO-multitenancy.
By default, SaaS tenant is created when the Remedy SSO server is installed. After upgrade, all configuration available on the Remedy SSO server belongs to a single default SaaS tenant. You can enable multitenancy for Remedy SSO server by adding customer tenants and configuring them as required. For information about how to add tenants, see Activating-tenants.
(Version 19.11 and later) New roles and permissions for using Remedy SSO
After upgrade, all Remedy SSO administrators automatically become SaaS administrators.
As a SaaS administrator, you have full administrative permissions to configure the default SaaS tenant on the Remedy SSO server, create tenant administrator users, and configure customer tenants.
As a tenant administrator, you can log in to your tenant on the Remedy SSO server, and perform actions required to manage local users by realms. For more information about roles and permissions on the Remedy SSO server, see Roles-and-permissions.
(Version 19.11 and later) Multitenancy for OAuth clients
OAuth 2.0 has been updated to support multitenancy for non-native clients. You can set a non-native client as multitenant by configuring the Multi-Tenant client and Tenant Name options for this client application. For more information about how to add non-native multitenant clients, see Configuring-OAuth-2-0.
You can set an OAuth client as multitenant only for the SaaS tenant.
(Version 19.11 and later) Single logout
In earlier versions of Remedy SSO, in order to revoke an end user session on the Remedy SSO server and prevent automatic login to the application after the page refresh, end users had to log out from all integrated with Remedy SSO applications that were sharing a current session of the end user. For more information about logout experience for end users, see Login-and-logout-experience-for-end-users.
Starting with version 19.11, Remedy SSO administrators can enable the Single Log Out option for a realm to configure a global logout across all applications that are sharing a user session created through this realm. For more details about this option, see Configuring-general-settings-for-a-realm.
Remedy Single Sign-On system requirement updates
The following enhancements are made with respect to system supportability:
- Database: Oracle database 19c
- Operating system: Red Hat Enterprise Linux 8
- Third party tools: Open JDK 13, Oracle SE 11 LTS (version 19.11 and later)
For more information about system supportability, see System-requirements.
What else changed in this release
In this release, note the following significant changes in the product behavior:
Update | Product behavior in versions earlier than 20.02 | Product behavior in version 20.02 |
---|---|---|
Authentication chaining support has been enhanced. For more information, see Enabling-authentication-chaining-mode. | If the first authentication method defined in a chain was preauthentication, a second preauthentication method could not be added to the authentication chain. | If the first authentication method in a chain is preauthentication, you can use a second preauthentication method as a fallback mechanism in this chain. |
The autodiscovery URL based on OIDC standard has been implemented for Remedy SSO. | Remedy SSO did not provide any mechanism to automatically retrieve the OAuth 2.0 metadata. | If the OpenID Issuer URL is configured for the OAuth 2.0, developers of third-party applications can easily retrieve the OAuth metadata from the Remedy SSO server by using the following autodiscovery URL: <RSSO host>:<HSSO port>/rsso/.well-known/openid-configuration. Running this request in the browser window will return details about the OpenID Connect provider's configuration, including the URIs of the authorization, token, revocation, userinfo, and public-keys endpoints. |
The Cross site browser cookie setting has been added to the General > Advanced settings in the Remedy SSO Admin Console. | For Remedy SSO and integrated applications hosted in different domains, you could not enable the single sign-on experience if you were using Google Chrome browser version 80 and later. | If you are using Chrome browser version 80 and later, you must enable the cross-site cookie in the Advanced settings of the Remedy SSO server. For more information about this setting, see Configuring-settings-for-the-Remedy-SSO-server. You must also enable this setting if you are using Chrome browser version 79 and earlier or if you have the SameSite by default cookies option enabled for the browsFer. |
(Version 19.11 and later) A native client secret, which is generated when the native client is registered, can be changed at a later time. | There was no possibility to change a secret of a native client. | After registering an OAuth native client, the Remedy SSO administrator can edit the native client secret which is saved in the Native Client Secret field. For information about how to register a native client, see Configuring-OAuth-2-0. Remedy SSO administrators might need to edit the native client secret if they want to share the same secret between several OAuth native clients. |
(Version 19.11 and later) The consent page is displayed only for OAuth non-native clients in an Authorization code flow in which an end user is involved. | The consent page was displayed when the OAuth client 2.0 was registered as a native client. | The consent page is not shown when an OAuth 2.0 client is registered as a native client. |
(Version 19.11 and later) Data transfer tool has been enhanced to import new entities. | Data transfer tool supported import of realms and OAuth clients. | In addition to the old behavior, the data transfer tool has been enhanced to support import of tenants. For more information about how you can import data from one server to another server, see Transferring-data-between-Remedy-SSO-servers. |