This documentation supports the 20.08 version of Remedy Single Sign-On, which is available only to BMC Helix subscribers (SaaS).To view an earlier version, select the version from the Product version menu.

Configuring OAuth 2.0

As a Remedy Single Sign-On administrator, you might need to configure OAuth 2.0 in any of the following cases:  

  • You have applications which act as OAuth clients and interact with applications protected by Remedy SSO.
  • You have applications hosted on different top-level domains which are integrated with the same Remedy SSO server. For more information about this deployment case, see Deployment-scenarios.

Depending on your application type, you need to register either a native or a non-native OAuth client. When you have a client registered, you can configure tokens timeout for the client application. 

If you are going to use OpenID Connect protocol for the OAuth client, you must additionally generate JWKs and specify OpenID Connect Issuer URL that must correspond to the current FQDN of the Remedy SSO tenant, so that Remedy SSO server can sign the id_token, and the OpenID client can check the id_token signature.

Related topics

Setting-up-end-user-authentication

OAuth-2-0-authorization

Invalidating-and-configuring-end-user-sessions

Troubleshooting-authentication-issues

Remedy-SSO-multitenancy

To register a non-native OAuth client application

  1. Log in to Remedy SSO Admin Console, and then click OAuth2.
  2. Select Clients, and then click Register Client.

  3. Specify the following fields to register an OAuth client:

    Field

    Description

    Client Name

    Specify any name of your choice.

    Enabled

    Select this check box to enable the client for authorization.

    Redirect URIs

    Click Add Redirect URI, and then add the URI to which the authorization code is sent after an /authorize request succeeds. The client side must support the URI.

    The Redirect URIs are different for third-party clients and for Remedy SSO agents that act as OAuth clients.

    To deploy a client on multiple URIs, add multiple URIs separated by commas. After you click Save, the client is registered. When you click Back to return to the list of existing clients, the certificate is enabled, and the URIs are parsed successfully.

    Note: When adding multiple URIs, ensure that each URI does not exceed 2000 characters.

    To enable multiple domain support when Remedy SSO agent is configured as OAuth2 client, apply the following default pattern in the Redirect URIs field: http(s)://<application.domain>:[port]/[path]/_rsso/oauth/callbackFor more details about this feature, see Configuring-Remedy-SSO-for-applications-hosted-on-different-domains.

    openid (Scope used for OpenID connect) (Optional)

    To enable the OAuth client to use the OpenID Connect protocol, select this check box. Enable this setting if the client application uses the OpenID Connect for communication. If the setting is disabled, the client will not be allowed to use the OpenID Connect.

    Note: You must enable this setting to authenticate users who are using applications hosted on different domains that use the same Remedy SSO server.


    • You must enable this setting to authenticate clients hosted on different domains that use the same Remedy SSO server.

    If you have the OpenID scope for the OAuth client enabled, you must also configure the user session timeout value. Configure the Access Token Timeout field to specify the timeout value of the ID token and Access token.

  4. (Optional) To make the client multitenant, additionally complete the following fields:

    Field

    Description

    Multi-Tenant client

    Select this check box to configure the client application as multitenant. Note: You can configure the client as multitenant only for the SaaS tenant.

    Tenant Name

    Click Add Redirect URI, and then select a tenant from the Tenant Name list before adding the redirect URI. For each tenant that you add, you must specify the redirect URI.

    Important

    Multitenancy for OAuth clients is not supported in Helix deployment yet.

  5. Click Save.

    The following information is automatically generated when you register a non-native client:

    Automatically generated information

    Description

    Client ID

    Registers the client identifier issued to the client by Remedy SSO server during the registration process. You can view this information when you select the registered client, and click to view its details.

    Client Secret

    The client secret (private key) is shown only after you click Save.
    The private key is used to sign the JWT, which contains the client authorization. This JWT is different from the one containing the end user credentials and which is used in the JWT assertion grant type.

    Certificate

    The certificate is signed with the private key and contains the public key.

    To view the certificate value, select the registered client and click to view its details.

  6. Make a note to save the Client Secret value as this value will not be displayed again.

To register a native OAuth client

  1. Log in to Remedy SSO Admin Console, and then click OAuth2.
  2. Select Clients, and then click Register Client.

  3. Configure the following fields:

    Field

    Description

    Client Name

    Registers the client name specified during the registration process. This could be any name of the administrator's choice.

    Enabled

    Select this check box to allow the client for authorization.

    Native (Public) Client

    Select this check box to register the OAuth client as a native application client.

    Redirect Path(s)

    In this field, you must enter a callback path for the native client. If you are using a Remedy DevStudio native client, then you must type callback in this field.

    Click Add to automatically generate the following loopback interfaces:

    http://127.0.0.1/>—the generated link corresponds to the IPv4 protocol specification.

    http://[::1]/<RedirectPath> —the generated link corresponds to the IPv6 protocol specification.

    Client Realm

    Select a realm for which you are registering the native application client.

    openid (Scope used for OpenID connect) (Optional)

    Select this check box to allow usage of OpenID Connect protocol by the client. Enable this setting if the client uses OpenID Connect for communication. If the setting is disabled, the client will not be allowed to use OpenID Connect.

    Note: You must enable this setting to authenticate clients hosted on different domains that use the same Remedy SSO server.

    When you have the OpenID scope for a native client enabled, you must also configure the user session timeout. Configure the Max Session Time field to specify the timeout value of the ID token and Access token.

  4. Click Save.
    The following information is automatically generated when you register a native client. You can view it later at any time:

    Field

    Description

    Client ID

    Remedy SSO server issues the client identifier to the client during the client registration process.

    Native Client Secret

    The native client secret is generated during a registration of the native client. You can change the native client secret at a later time if you need to share the same secret between several OAuth native clients.

To configure the token timeout for OAuth clients

  1. Log in to Remedy SSO Admin Console. 
  2. Click OAuth2, and then select Settings.

  3. Configure the following fields:

    Fields

    Description

    Access Token Timeout

    Sets a timeout for the access token. After expiration, the issued access token is no longer valid.

    The Access Token Timeout is applied to ID token which is generated when the Opend ID Scope is used.

    Note:

    This setting is not applicable for native clients. The timeout value for access token is specified in the Max Session Time field available in the General > Basic configuration of Remedy SSO. 

    Refresh Token Timeout

    Sets a timeout for the refresh token. After expiration, the issued access token is no longer valid.

    Access and refresh tokens remain valid until their expiration. To avoid security concerns, access tokens must be of a short duration. Refresh tokens typically have a longer validity, but cannot be used without providing a valid client id and secret value.

    Note:

    Refresh tokens are not issued for native clients, hence the setting is applicable only for non-native clients.

  4. Click Save.

To manage list of tokens of OAuth client applications

You can view and delete tokens of active user sessions. You can also refresh the of List of Tokens table.

  1. In Remedy SSO Admin Console, click OAuth2.
  2. Select Tokens.
  3. To refresh the list of tokens table, click Refresh.
  4. To invalidate the access token, in the Tokens tab, click Delete in the Action column for the required token.

To set the OpenID issuer URL

If Remedy SSO agent uses the Openid scope to support applications hosted on different domains, you must configure OAuth to use the URL of a server that issues the id_token.

  1. In Remedy SSO Admin Console, click OAuth2 > Settings.
  2. In the OpenID Issuer URL field, enter the URL that matches the sso-external-url configured in the rsso-agent.properties file. For details, see Connecting-the-same-Remedy-SSO-agent-to-different-Remedy-SSO-servers.
  3. Click Update.

To generate JWKs for the OAuth flow

To support multiple domain applications when Remedy SSO server is used as an OAuth server, and Remedy SSO agent is used as an OAuth client, you need to generate JSON Web Key (JWK). 

  1. Log in to Remedy SSO Admin Console. 
  2. Click OAuth2, and then select OpenID.

  3. Click Generate.

    The generated JWK is used by the Remedy SSO server to authenticate applications hosted on different domains.