This documentation supports the 20.08 version of Remedy Single Sign-On, which is available only to BMC Helix subscribers (SaaS).To view an earlier version, select the version from the Product version menu.

Importing configuration from an identity provider and configuring SAML

After you have configured the advanced options for SAML authentication, import the identity provider (IdP) metadata and configure the SAML authentication for a realm on your Remedy Single Sign-On server.

Related topic

Configuring-SAML-2-0-authentication

Video about configuring SAML

Watch this video (3:53) on how to configure SAML in the Remedy SSO Admin Console.

icon_play.pnghttps://www.youtube.com/watch?v=UATasTrfliU?rel=0



Before you begin

  • Create a realm for SAML authentication, and configure the general details for the realm. For more information, see Configuring-general-settings-for-a-realm.
  • Obtain the following information from the IdP administrator:
    • Import from URL or SAML metadata file imported from the IdP
    • IdP entity ID  
    • IdP login URL


To configure SAML authentication

  1. In the left navigation panel of the Add Realm or Edit Realm page, click Authentication.
  2. In the Authentication Type field, select SAML.
  3. Configure the SAML fields as required:

 Field

Description

Identity Provider

Import

Option to import the SAML metadata. Perform one of the following actions:

  • Select Import from URL, and type the URL where the IdP SAML configuration is stored.
  • Select Import from file, and upload the SAML configuration file from a local folder on your computer.

After you import SAML metadata, most of the fields on the Authentication page get populated with imported values. 

Federation metadata URL

URL of the IdP federation metadata.

Use this URL to enable automatic rollover — Automatic certificate update on the Remedy SSO server after this certificate is updated on the SAML IdP side. Such rollovers are more frequent if you use Azure Active Directory as an identity provider. 

If the IdP federation metadata URL is not specified, an administrator must renew the signing certificate manually.

IdP Entity ID

Identity provider entity ID obtained from an external identity provider, such as Active Directory Federation Services (AD FS) or Okta.

Example: http://adfs.local/adfs/services/trust

Login URL

Login URL obtained from an external IdP such as AD FS or Okta.

Example: https://adfs.local/adfs/ls

Logout URL

URL provided by the IdP to which the user is redirected for service provider (SP) initiated logout.

If you do not provide any value for this parameter, the value specified in the Login URL field is used both for both login and logout.

Logout Response URL

URL provided by the IdP to which the user is redirected for IdP initiated logout.

HTTP Binding Type

HTTP binding for the SP initiated logout URL.

IdP Signing Certificate

Signing certificate that Remedy SSO uses to sign requests that are sent to the IdP.

(Optional) User ID Attribute

Used to retrieve the user ID from the specified attribute in the SAML response. If a value is not specified, the NameID is used as the user ID. The value of this field depends on the SAML IdP configuration.

NameID Format

Name identifier formats supported by a SP. SPs use name identifiers to pass information about users.

In this field, enter the NameID Format values. The first value in the list has the highest priority in determining the Name ID format to use.

If a user does not specify a Name ID when initiating single sign-on, the first value specified in the NameID Format list is chosen and supported by the remote IdP.

Note: For linking user accounts from the SP and the remote IdP together, after an end user logs in to the integrated BMC application through the SAML IdP, the persistent NameID format must be at the top of the list.

For more information about Name Format Identifiers, see paragraph 8.2 in Authentication Context for the OASIS Security Assertion Markup Language (SAML) V2.0.

Auth Issuer

Issuer details that are used by the SAML authentication request XML to inform the IdP about the entity ID of the service provider for this request.

If the value is not specified, by default, the service provider entity ID of the current realm will be used as Issuer in SAML authentication request.

Auth Context Compare

Options (exact, minimum, maximum, better) available for the Auth Context Compare.

For more information about Auth Context Compare options, see Authentication Context for the OASIS Security Assertion Markup Language (SAML) V2.0.

Auth Context

Authentication context that maps the SAML 2.0-defined authentication context classes to the authentication level that is set for the user session for the SP.

Auth Issuer

Issuer details that are used by the SAML authentication request XML to inform the IdP about the entity ID of the SP for this request.

If the value is not specified, by default, the entity ID of the current realm is used as an Issuer in SAML authentication request.

Assertion Time Skew

Time offset between Remedy SSO and the IdP. The value must be specified in minutes.

Assertion Time Format

Time format used by assertions and depends on the defined patterns. For more information, see Patterns for Formatting and Parsing.

Example:

yyyy-MM-dd'T'HH:mm:ss.SSSXXX

Sign Request

Option to indicate whether the IdP requires the authentication request to be signed.

To sign the SAML metadata, select this check box. Additionally, on the General > Advanced tab, specify the Signing Key Alias.

Force Authentication

Option to enforce authentication.

Enable Single Logout

Option to delete the SAML IdP session on application logout. If an end user logs out from the application, the user will be logged out from SAML IdP as well. 

Sign Metadata

Option to indicate whether the identity provider requires SAML metadata to be signed.

You might need to sign the SAML metadata to ensure that the security policies of your organization are followed. When you configure a realm for SAML signing metadata, the Remedy SSO server gets the certificate and private key from the keystore's alias, and signs the metadata with it.

Signing Algorithm

Note

You can select the signing algorithm only if you select the Sign Request checkbox, the Sign Metadata checkbox or both.

Select one of the following signing algorithms containing a hash type function and key type:

  • SHA1withRSA 
  • SHA256withRSA

Select an algorithm supported by your IdP.

Service Provider

View Metadata

Remedy SSO metadata that is configured in the SP Metadata Template field. If any required parameter is missing, the system shows an error message for that parameter.

Template

Authentication Request Template

Template used for a SAML authentication request.

You can select Default or Custom and edit the template, if required. After Remedy SSO upgrade, the authentication request template is not updated. To be able to use the new functionality after upgrade, you must manually edit and update the template in the realm settings.

SP Metadata Template

SP metadata template. 

You can select Default or Custom and edit the template, if required. After Remedy SSO upgrade, the SP metadata template is not updated. To be able to use the new functionality after upgrade, you must manually update the metadata template. For more information about updating the metadata template after upgrading, see Upgrading.

Bypass for reauth requests

Setting to indicate that SAML must not be used for reauthentication requests in an authentication chain.

RSSO settings

Use SessionNotOnOrAfter parameter for session time

Option to define where the maximum time of an end user authentication session is configured.

By default, the maximum session time is specified by the value set in the Max Session Time field, configured in the General > Basic tab in the Remedy SSO Admin Console.

If the SessionNotOnOrAfter value configured on the IdP side is less than the value specified in the Max Session Time field on the Remedy SSO server, the maximum session time will be defined by the value configured on the IdP.

Xpath 1.0 for group retrieval

A field for entering an XPath query for extracting user groups from the SAML assertion.

Example:
//*[local-name()='AttributeStatement']/*[local-name()='Attribute'][@Name='()='AttributeValue']

The information about the user groups is stored in the authentication session attributes, and is retrieved from the response of the /token/groups REST API endpoint.

Notes:

  • Make sure the XPath you specified is valid.
    If you enter an incorrect XPath, end users will be able to log in to applications protected by SAML but Remedy SSO will not be able to retrieve user groups from the SAML response. If you do not specify anything in this filed, no groups will be retrieved.
  • This option can be used only for IdP providers that allow retrieving user groups.

4. Click Save.

To obtain the Federation metadata address URL

After you have configured a realm for SAML authentication, you must obtain the link of the SAML metadata file.  

  1. In the left navigation panel of the Edit Realm page, click Authentication.
  2. Click View Metadata.
    The metadata file opens in the browser.
  3. Copy the URL displayed in the browser window, and save it to a text editor.  
    The URL might look as follows: https://hostname:port/rsso/getmetadata.jsp?tenantName=saml
    You will need this URL when you configure the IdP for SAML authentication.  

Where to go from here

Configuring-Active-Directory-Federation-Services-as-a-SAML-identity-provider

 

Tip: For faster searching, add an asterisk to the end of your partial query. Example: cert*