Security planning
Security is a critical aspect of Remedy Single Sign-On. Key requirements and best practices include protecting sensitive data, securing system access, and managing administrator accounts within Remedy SSO.
Ensuring security for sensitive data
Sensitive data, such as user credentials and authentication tokens, must be protected in transit by configuring HTTPS. To use HTTPS connections, ensure that Secure Sockets Layer (SSL) certificates are generated and signed.
Security on a high-availability system
Remedy SSO supports the X-Forwarded-Proto and X-Forwarded-Host headers that a load balancer might send with a request. Remedy SSO uses these headers when it generates the login URLs (pointing to the Remedy SSO server) that it returns to the end user, so that the URLs reflect the scheme and host the user connected to. This feature keeps the external traffic secure, but the internal traffic between the load balancer and the Remedy SSO server might not be secure.

Ensuring more secure and restricted access to the cookie
The domain attribute of the cookie determines which domains can access it. By default, the cookie is set to the parent domain and its sub-domains when the Remedy SSO server is installed. If the cookie contains sensitive data, it might be accessible to all less trusted or less secure applications hosted on these domains. To mitigate the risk, set the cookie domain value to the specific domain where the server is installed, rather than to the parent domain. You can set the cookie domain value during installation or after installation in the Remedy SSO Admin Console. For more information, see Configuring the Remedy SSO server.
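To see how the domain attribute widens the cookie's audience, the following added example (not part of this documentation or of the Remedy SSO product) applies RFC 6265 domain matching to a constructed set of host names; sso.example.com and the other hosts are placeholders.

```python
"""Added example: which hosts a browser sends a cookie to, depending on the
cookie's Domain attribute (RFC 6265 section 5.1.3 domain matching).
All host names here are constructed placeholders, not real systems."""

import ipaddress
from typing import List, Optional


def domain_match(request_host: str, cookie_domain: str) -> bool:
    """RFC 6265 5.1.3: True if request_host domain-matches cookie_domain."""
    request_host = request_host.lower().rstrip(".")
    # A leading dot in the Domain attribute is ignored (RFC 6265 5.2.3).
    cookie_domain = cookie_domain.lower().lstrip(".").rstrip(".")
    if request_host == cookie_domain:
        return True
    try:
        ipaddress.ip_address(request_host)
        return False  # IP literals never match a domain suffix
    except ValueError:
        pass
    # Suffix match only on a label boundary, so "a.com.evil.net" does not
    # match a cookie scoped to "a.com".
    return request_host.endswith("." + cookie_domain)


def cookie_sent_to(request_host: str, cookie_domain: Optional[str],
                   set_by_host: str) -> bool:
    """cookie_domain=None models a host-only cookie (no Domain attribute):
    it is sent only to the exact host that set it."""
    if cookie_domain is None:
        return request_host.lower() == set_by_host.lower()
    return domain_match(request_host, cookie_domain)


def exposed_hosts(hosts: List[str], cookie_domain: Optional[str],
                  set_by_host: str) -> List[str]:
    """Hosts that would receive the SSO cookie under the given Domain value."""
    return [h for h in hosts if cookie_sent_to(h, cookie_domain, set_by_host)]


# Constructed estate: the SSO server plus other apps under the same parent.
HOSTS = ["sso.example.com", "helpdesk.example.com", "legacy-wiki.example.com",
         "example.com", "sso.example.com.evil.net", "10.0.0.5"]

if __name__ == "__main__":
    # Default (parent domain): every sub-domain application receives the cookie.
    print(exposed_hosts(HOSTS, "example.com", "sso.example.com"))
    # Recommended (specific domain): only the SSO server receives it.
    print(exposed_hosts(HOSTS, "sso.example.com", "sso.example.com"))
```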
Support for multiple administrator accounts in Remedy SSO
For security reasons, the Remedy SSO administrator can create and manage multiple administrator accounts in the Admin User tab. The Remedy SSO administrator can block, unblock, or delete the administrator accounts they created, or change their passwords. For more information about creating and managing multiple administrator accounts, see Setting up Remedy SSO administrator accounts.
User accounts lockout policy
To prevent unauthorized logins, Remedy SSO administrators who exceed the allowed number of failed login attempts because of an incorrect password are automatically blocked. Other Remedy SSO administrators can unblock the locked administrators manually through the Remedy SSO Admin Console. For more information, see Configuring the Remedy SSO server.
Remedy SSO relies on the external identity providers to authenticate end users. Users who exceed the allowed number of failed login attempts should be blocked by the identity provider.
Related videos
Watch the video on how to manage SSL certificates with SSL offloading.