This documentation supports the 20.08 version of Remedy Single Sign-On, which is available only to BMC Helix subscribers (SaaS). To view an earlier version, select the version from the Product version menu.

Configuring OpenID Connect authentication

You can configure the Remedy Single Sign-On server to authenticate end users through the OpenID Connect authentication method.

Before you begin

Add a realm for the OpenID Connect authentication and configure its general settings. Learn how to add and configure realms in Adding-and-configuring-realms.

To configure OpenID Connect authentication

  1. Log in to the Remedy SSO Admin Console.
  2. In the left navigation panel of the Add Realm or Edit Realm page, click Authentication.
  3. From the Authentication Type list, select OIDC.
  4. To import OpenID Connect provider information, click Import.
  5. Complete the OpenID Connect Discovery URL or Issuer field, and click Import.

    The following fields get prepopulated from the provider's discovery document:

    Issuer: URL that the OpenID Connect provider asserts as its Issuer Identifier.
    Authorization URL: URL of the OpenID Connect provider's Authorization Endpoint.
    Token URL: URL of the OpenID Connect provider's Token Endpoint.
    UserInfo URL: URL of the OpenID Connect provider's UserInfo Endpoint.
    JWKS URI: URL of the OpenID Connect provider's JSON Web Key Set (JWKS) document.
    End Session URL: URL of the OpenID Connect provider's End Session Endpoint.

  6. On the Authentication tab, configure the remaining fields:

    Fields on the Authentication tab

    Client ID: Identifier assigned to the client application when it is registered on the OpenID Connect provider side.
    Client Secret: Secret that the client application presents to the OpenID Connect provider to prove its identity.
      When the Remedy SSO server is registered as a client on the OpenID Connect provider side, the OpenID Connect provider generates and provides the client ID and client secret values.
    Scope: A space-separated or comma-separated list of scopes indicating the required scope of the access token from the OpenID Connect provider.
    RSSO Server URL: URL of the Remedy SSO server.
    RSSO Callback URL: This is a read-only field.
    Prompt: The authorization server prompts the user for a required action. Select one of the following options from the list:

    • none: Does not display any authentication or consent user interface pages. The authorization server returns an error if the end user is not already authenticated, if the client does not have pre-configured consent for the requested claims, or if other conditions for processing the request are not fulfilled. The error code is typically one of the following:
      - login_required,
      - interaction_required,
      - account_selection_required,
      - consent_required,
      - invalid_request_uri,
      - invalid_request_object,
      - request_not_supported,
      - request_uri_not_supported,
      - registration_not_supported.
      This option can be used as a method to check for existing authentication or consent.
    • login: Prompts the end user for reauthentication. If the authorization server cannot reauthenticate the end user, it returns an error, typically login_required.
    • consent: Prompts the end user for consent before returning information to the client. If the authorization server cannot obtain the consent, it returns an error, typically consent_required.
    • select_account: Prompts the end user to select a user account. This enables an end user who has multiple accounts at the authorization server to select the account that they might have a current session for. If the authorization server cannot obtain an account selection from the end user, it returns an error, typically account_selection_required.

    User ID field name: Name of the field that carries the user ID.

  7. Click Save.

Important

URLs to endpoints can include additional query parameters.
