20.02 enhancements

This section contains information about enhancements Remedy Single Sign-On version 20.02 and related patches.

Remedy Single Sign-On enhancements

The feature enhancements delivered in Remedy Single Sign-On version 19.11 (SaaS-only) release are also available in the Remedy Single Sign-On 20.02 release.

Remedy Single Sign-On version 20.02 patch 1

Version 20.02.01 is now available on-premises.

RSSO_SAML configuration__Use Session_20.02.png

SAML sessions parameter

Remedy Single Sign-On provides an option for defining the maximum session time for end users. The Use SessionNotOnOrAfter parameter for session time option is available in the configuration parameters of a SAML realm.

By default, the maximum session time is defined by the value set in the Max Session Time field configured on the General > Basic tab in the Remedy SSO Admin Console. Identity providers (IdPs) supporting SAML authentication also have the SessionNotOnOrAfter configuration parameter, which defines the maximum session time. If the SessionNotOnOrAfter value configured on the IdP side is less than the value specified in the Max Session Time field on the Remedy SSO server, the maximum session time is defined by the value configured on the IdP.

SAML groups support

In earlier releases, retrieval of user groups was supported only for LDAP and Local identity providers. In this release, retrieval of user groups is supported for SAML identity providers.

The Remedy Single Sign-On server retrieves information about user groups from the SAML assertion responses by parsing the authentication login response from a SAML IdP. The information about the user groups is temporarily stored on the Remedy Single Sign-On server during the lifetime of the authentication session. End users logging in to applications integrated with Remedy Single Sign-On, are authorized to access the application features based on the groups they belong to.

The Xpath 1.0 for group retrieval new parameter has been added on the Authentication tab of a SAML realm.

Important

When configuring SAMLv2 authentication for Remedy Single Sign-On in BMC TrueSight Presentation Server, Xpath does not provide the capability to fetch details for all users and groups from SAML IdP. Administrators must create the desired user groups locally in the SAML realm in Remedy Single Sign-On.

For more information about Setting up SAMLv2 authentication in Remedy SSO for BMC TrueSight Presentation, see Setting up SAMLv2 authentication.

For more information about how to use the new configuration parameters, see Importing-configuration-from-an-identity-provider-and-configuring-SAML.

RSSO_SAML configuration_XPath_20.02.png

RSSO_Audit tab_20.02.png

Support to log audit records of Remedy SSO administrators

As a Remedy SSO administrator, you can enable auditing of actions performed by all administrators in the Remedy SSO Admin Console. For information about how to enable auditing of actions, see Configuring-the-Remedy-SSO-server. When enabled, the audit records are displayed on the new Audit tab in the Admin Console.

Introducing self-help

We are pleased to announce embedded self-help with guided assistance in this release of Remedy SSO. Guided assistance helps you learn to navigate the product and to actively complete tasks. In the Self-help pane, you can start guided assistance, access links to help topics, and watch videos relevant to where you are in the product and the task you are performing.

We welcome your feedback and suggestions for additional guided assistance by adding comments when you complete the self-help guidance or on docs.bmc.com.

As a Remedy SSO administrator, you can enable the self-help in the Remedy SSO Admin Console. For information about how to enable self-help, see Configuring-the-Remedy-SSO-server.

RSSO_Enable Self-Help_20.02.png

RSSO_Tenants list_20.02.png

(Version 19.11 and later) Remedy SSO in multitenant mode

Starting with 19.11 release, Remedy SSO is supported in multitenancy mode in which a single application instance serves multiple tenants and guarantees data isolation between tenants. For more information about multitenancy for Remedy SSO, see Remedy-SSO-multitenancy.

By default, SaaS tenant is created when the Remedy SSO server is installed. After upgrade, all configuration available on the Remedy SSO server belongs to a single default SaaS tenant. You can enable multitenancy for Remedy SSO server by adding customer tenants and configuring them as required. For information about how to add tenants, see Activating-tenants.

(Version 19.11 and later) New roles and permissions for using Remedy SSO

After upgrade, all Remedy SSO administrators automatically become SaaS administrators.

As a SaaS administrator, you have full administrative permissions to configure the default SaaS tenant on the Remedy SSO server, create tenant administrator users, and configure customer tenants.

As a tenant administrator, you can log in to your tenant on the Remedy SSO server, and perform actions required to manage local users by realms. For more information about roles and permissions on the Remedy SSO server, see Roles-and-permissions.

RSSO_roles_20.02.png

RSSO_OAuth2_20.02.png

(Version 19.11 and later) Multitenancy for OAuth clients

OAuth 2.0 has been updated to support multitenancy for non-native clients. You can set a non-native client as multitenant by configuring the Multi-Tenant client and Tenant Name options for this client application. For more information about how to add non-native multitenant clients, see Configuring-OAuth-2-0.

You can set an OAuth client as multitenant only for the SaaS tenant.

(Version 19.11 and later) Single logout

In earlier versions of Remedy SSO, in order to revoke an end user session on the Remedy SSO server and prevent automatic login to the application after the page refresh, end users had to log out from all integrated with Remedy SSO applications that were sharing a current session of the end user. For more information about logout experience for end users, see Login-and-logout-experience-for-end-users.

Starting with version 19.11, Remedy SSO administrators can enable the Single Log Out option for a realm to configure a global logout across all applications that are sharing a user session created through this realm. For more details about this option, see Configuring-general-settings-for-a-realm.

RSSO_Single logout from a realm_20.02.png

Remedy Single Sign-On system requirement updates

The following enhancements are made with respect to system supportability:

Database: Oracle database 19c
Operating system: Red Hat Enterprise Linux 8
Third party tools: Open JDK 13, Oracle SE 11 LTS (version 19.11 and later)

For more information about system supportability, see System-requirements.

What else changed in this release

In this release, note the following significant changes in the product behavior:

Update	Product behavior in versions earlier than 20.02	Product behavior in version 20.02
Authentication chaining support has been enhanced. For more information, see Enabling-authentication-chaining-mode.	If the first authentication method defined in a chain was preauthentication, a second preauthentication method could not be added to the authentication chain.	If the first authentication method in a chain is preauthentication, you can use a second preauthentication method as a fallback mechanism in this chain.
The autodiscovery URL based on OIDC standard has been implemented for Remedy SSO.	Remedy SSO did not provide any mechanism to automatically retrieve the OAuth 2.0 metadata.	If the OpenID Issuer URL is configured for the OAuth 2.0, developers of third-party applications can easily retrieve the OAuth metadata from the Remedy SSO server by using the following autodiscovery URL: <RSSO host>:<HSSO port>/rsso/.well-known/openid-configuration. Running this request in the browser window will return details about the OpenID Connect provider's configuration, including the URIs of the authorization, token, revocation, userinfo, and public-keys endpoints.
The Cross site browser cookie setting has been added to the General > Advanced settings in the Remedy SSO Admin Console.	For Remedy SSO and integrated applications hosted in different domains, you could not enable the single sign-on experience if you were using Google Chrome browser version 80 and later.	If you are using Chrome browser version 80 and later, you must enable the cross-site cookie in the Advanced settings of the Remedy SSO server. For more information about this setting, see Configuring-settings-for-the-Remedy-SSO-server. You must also enable this setting if you are using Chrome browser version 79 and earlier or if you have the SameSite by default cookies option enabled for the browsFer.
(Version 19.11 and later) A native client secret, which is generated when the native client is registered, can be changed at a later time.	There was no possibility to change a secret of a native client.	After registering an OAuth native client, the Remedy SSO administrator can edit the native client secret which is saved in the Native Client Secret field. For information about how to register a native client, see Configuring-OAuth-2-0. Remedy SSO administrators might need to edit the native client secret if they want to share the same secret between several OAuth native clients.
(Version 19.11 and later) The consent page is displayed only for OAuth non-native clients in an Authorization code flow in which an end user is involved.	The consent page was displayed when the OAuth client 2.0 was registered as a native client.	The consent page is not shown when an OAuth 2.0 client is registered as a native client.
(Version 19.11 and later) Data transfer tool has been enhanced to import new entities.	Data transfer tool supported import of realms and OAuth clients.	In addition to the old behavior, the data transfer tool has been enhanced to support import of tenants. For more information about how you can import data from one server to another server, see Transferring-data-between-Remedy-SSO-servers.