This documentation supports the 20.08 version of Remedy Single Sign-On, which is available only to BMC Helix subscribers (SaaS).To view an earlier version, select the version from the Product version menu.

Preauthentication

Remedy Single Sign-On provides preauthentication mechanism to allow end users to access applications if they have already been authenticated by another authentication provider. 

To be able to use the preauthentication method, the following preconditions must be met:

  • A third-party authentication provider must issue a JSON Web Token (JWT) as a result of authentication
  • The JWT which contains the user principals must be signed.

To use preauthentication, as the Remedy SSO administrator, you must first configure an appropriate realm for the preauthentication type. You must then specify the JWT attributes and the certificate that will be used to validate the authentication server signature under the user principals.

Related topics

Configuring-preauthentication

Enabling cross launch for applications integrated with different Remedy SSO servers

Preauthentication flow

The following table provides the preauthentication login flow:

Stage

Description

1

An end user passes authentication against a third-party authentication server, and gets the JWT representing the authenticated person and signed by the authentication server.

2

The Remedy SSO agent deployed on the application side forwards the unauthenticated request to the Remedy SSO server and passes the JWT value in the rsso_preauth parameter in the HTTP request.

3

The Remedy SSO server verifies that the JWT has been issued by the trusted server and is valid, and then extracts the user name by using the configured JWT attribute.

4

Remedy SSO proceeds with the standard authentication flow. It authenticates the user, creates the session, sets the authentication cookie, and redirects the request to the original application.


 

Tip: For faster searching, add an asterisk to the end of your partial query. Example: cert*