
Integrating with BMC Helix Single Sign-On

BMC Helix Single Sign-On is an authentication system that supports various authentication protocols such as LDAP and provides single sign-on for users of BMC products. BMC Helix Single Sign-On is used in BMC Helix solutions (BMC Helix SSO) to support seamless authentication for users. For more information about BMC Helix Single Sign-On, see BMC Helix Single Sign-On orientation.

To integrate with BMC Helix Single Sign-On

To integrate BMC Discovery with BMC Helix Single Sign-On, you must first configure the BMC Helix Single Sign-On server and then enable the integration.

See this video (04:38) for an overview of how the integration between BMC Helix Single Sign-On and BMC Discovery takes place.

https://youtu.be/EaK7lWrQo0o

OpenID Connect support

BMC Discovery supports connections to BMC Helix Single Sign-On from version 20.02 with OpenID Connect.

Recent versions of modern browsers enforce more privacy-preserving defaults and are changing the way cross-site cookies are handled.

Remedy Single Sign-On relies on cookies to enable your users to seamlessly access all integrated applications. As browsers implement changes to their default SameSite attributes, cross-site cookies will not be sent by default. As a result, your users will be prevented from accessing your applications.

To continue to use Remedy SSO with newer browser versions, you must do the following:

  • Use the secure HTTPS protocol for all of your applications.
  • Upgrade to Remedy SSO 20.02.
  • Set the following configuration options in Remedy SSO:
    • Enable Secured Cookie
    • Use Cross Site Cookie

For instructions, see Configuring settings for Remedy SSO server.

Note: If you subscribe to Remedy SSO 20.08 and later releases (SaaS), no action is required. BMC will update your configuration.
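As an added example (not BMC's code), the following Python check applies the browser defaults described above to a Set-Cookie header and shows why both Remedy SSO options are needed: a cookie that must be sent cross-site has to carry both SameSite=None and Secure. The header values and cookie name are constructed for the example.

```python
from dataclasses import dataclass


@dataclass
class CookieVerdict:
    name: str
    secure: bool
    samesite: str        # effective value: "none", "lax" or "strict"
    cross_site_ok: bool  # attached to cross-site requests such as iframes, XHR and POST?
    reason: str


def evaluate_set_cookie(header: str) -> CookieVerdict:
    """Parse one Set-Cookie header value and apply current browser defaults:
    SameSite missing -> Lax; SameSite=None -> requires Secure or the cookie is rejected."""
    parts = [p.strip() for p in header.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    secure = False
    samesite = ""
    for attr in parts[1:]:
        key, _, value = attr.partition("=")
        key = key.strip().lower()
        if key == "secure":
            secure = True
        elif key == "samesite":
            samesite = value.strip().lower()
    if samesite == "none":
        if secure:
            return CookieVerdict(name, secure, "none", True,
                                 "SameSite=None with Secure: sent cross-site over HTTPS")
        return CookieVerdict(name, secure, "none", False,
                             "SameSite=None without Secure: the browser rejects the cookie")
    if samesite not in ("lax", "strict"):
        samesite = "lax"  # no (or unknown) SameSite value: browsers default to Lax
    return CookieVerdict(name, secure, samesite, False,
                         f"SameSite={samesite}: not sent on cross-site subresource or POST requests")


# Constructed headers for the example, not captured from a real Remedy SSO server.
LEGACY_HEADER = "RSSO_SESSION=abc123; Path=/; HttpOnly"
HARDENED_HEADER = "RSSO_SESSION=abc123; Path=/; HttpOnly; Secure; SameSite=None"

if __name__ == "__main__":
    for header in (LEGACY_HEADER, HARDENED_HEADER):
        verdict = evaluate_set_cookie(header)
        print(f"{verdict.name}: cross_site_ok={verdict.cross_site_ok} ({verdict.reason})")
```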

To obtain the OpenID Connect Client ID and Secret

To obtain the OpenID Connect Client ID and Secret from BMC Helix Single Sign-On with OpenID Connect:

  1. From the BMC Helix Single Sign-On Admin Console, select OAuth2.
  2. Select Clients.
  3. Click Register Client.
  4. Enter the client name in the Client Name field.
    This is a label, so you can choose to use the appliance name.
  5. Select Enabled.
  6. Click Add Redirect URI.
  7. Enter the redirect URI. To add the URI, double-click the top row in the List of Redirect URIs, enter the URI and press Enter.
    The URI is of the following form, where appliancename is the resolvable (from your browser, not from BMC Helix SSO) hostname or IP address of your appliance:
    https://appliancename/ui/OICRedirect
  8. Select openid (Scope used for OpenID connect).
  9. Click Save.
    A Registration successful banner is displayed.
  10. Ensure that you save the Client ID and Client Secret.
    You can find the Client ID from the BMC Helix SSO system again, but there is no way to access the Client Secret. If you lose this, you must perform the procedure again.
  11. If your BMC Helix Single Sign-On server is on a different domain from your appliance, you must set the OpenID issuer URL and generate a JSON Web Key (JWK). Using OpenID requires you to:
    1. Set the OpenID issuer URL:
      1. From the BMC Helix SSO Admin Console, click OAuth2, and then select Settings.
      2. In the OpenID Issuer URL field, enter the URL that matches the sso-external-url configured in the rsso-agent.properties file.
    2. Generate a JSON Web Key (JWK):
      1. Click OAuth2, and then select OpenID.
      2. Click Generate.

For more information on configuring OpenID in BMC Helix Single Sign-On, see the BMC Helix Single Sign-On product documentation.

Before you begin

Before you begin integrating BMC Discovery with BMC Helix Single Sign-On, ensure that the following considerations are in place:

Mandatory settings

Ensure that the following settings are in place:

  • The minimum supported version of BMC Helix SSO is 9.1.01; the integration is fully tested up to 20.02.00.
  • The users to authenticate must be defined in an LDAP server. This is required to assign permissions to the user, based on the LDAP group that is mapped into a BMC Discovery group. This implies that the non-LDAP authentication methods that may use BMC Helix Single Sign-On are not supported by BMC Discovery. For example, a user locally defined in BMC Helix Single Sign-On cannot log in to BMC Discovery.
  • BMC Discovery and the BMC Helix Single Sign-On server must use the same LDAP server.
  • (Not applicable if you use OpenID Connect) The BMC Discovery appliance and the BMC Helix Single Sign-On server must be in the same domain; for example, if your BMC Discovery domain name is discovery.calbro.com, your BMC Helix Single Sign-On domain name must be sso.calbro.com (not sso.calbro-internal.com).
  • The BMC Discovery appliance must have a reservation in DNS and must be accessed using that DNS name; otherwise, the integration fails and the following message is displayed: Forbidden request! Goto url is wrong.
  • Contact your BMC Helix Single Sign-On administrator for the parameters required in the following procedure: HSSO Server URL, HSSO Realm ID, HSSO Agent ID, and HSSO Token revalidation period.

Considerations for configuring certificates

Communication between BMC Discovery and BMC Helix Single Sign-On can take place only over a secured protocol (HTTPS). To enable communication by using HTTPS, you must obtain the HTTPS certificate from the BMC Helix Single Sign-On server. For more information, see Pinning an HTTPS certificate.

You can supply a CA bundle that is trusted by your organization, pin the certificate downloaded from BMC Helix Single Sign-On, or use both.

A pinned certificate is more secure than a CA bundle; however, pinned certificates require more frequent renewal.

Note

We recommend that you use both a pinned certificate and a trusted CA bundle to verify the identity of the BMC Helix Single Sign-On server.

Configuring the connection to the BMC Helix Single Sign-On server

Obtain the required connection parameters from your BMC Helix SSO administrator.

Before you configure the connection to the BMC Helix Single Sign-On server, ensure that the LDAP settings are configured and you are able to log in to the BMC Discovery appliance as an LDAP user with administrative privileges. After you activate the BMC Helix Single Sign-On integration, as an administrator, you can log in again and change the configuration, if required.

To apply the BMC Helix SSO settings, perform the following steps:

  1. On the main menu, click the Administration icon.
  2. In the Security section, click Single Sign On.
    By default, the Helix SSO tab opens.
  3. On the Helix SSO tab, enter the following parameters (each parameter name is followed by its description):

    HSSO Server URL
      Enter the URL for the BMC Helix SSO server.
      Important: When connecting to the BMC Helix SSO server using OpenID Connect, the "same domain" restriction is removed.

    OpenID Connect Client ID
      To use OpenID Connect, enter the OpenID Connect Client ID. For information on obtaining the OpenID Connect Client ID and Secret, see To obtain the OpenID Connect Client ID and Secret.

    OpenID Connect Client Secret
      To use OpenID Connect, enter the OpenID Connect Client Secret.

    HSSO Realm ID
      Realms are used to support multitenancy for integrated applications and split application availability. Each realm has a unique identifier and contains one or more application domains. Enter the Realm ID.

    HSSO Agent ID
      The HSSO Agent ID identifies the application integrated with Helix SSO. Enter the HSSO Agent ID.

    HSSO Token revalidation period
      Enter the revalidation period in minutes. Contact your Helix SSO administrator for more information.

    HSSO server timeout
      Enter the server timeout in seconds. Monitor this parameter and increase or decrease the number of seconds allowed for the HSSO server to respond as needed.

    Optional Helix Platform IMS URL
      The address of the IMS to be used. If left empty, IMS is not used. Use this field only if requested by Customer Support.

    Optional Helix Platform Tenant ID
      OpenID Connect tenant ID, used in IMS authentication. Use this field only if requested by Customer Support.

  4. Click Save.

Uploading a CA bundle

We recommend that you upload a trusted CA bundle. Trusted CA bundles enable you to validate the BMC Helix SSO server certificate.

To upload a CA bundle, perform the following steps:

  1. In the Trusted CA section, click Choose File and select the CA bundle file from your local file system.
  2. Click Upload CA Bundle.
    The new certificate bundle is uploaded.

Pinning an HTTPS certificate 

The following section explains how to pin an HTTPS certificate:

  1. Download the HTTPS certificate from the BMC Helix SSO server by clicking Get a certificate from the server.
    After downloading the certificate, details such as Fingerprint, Validity dates, and certificate content are displayed.
  2. After you have downloaded the certificate and verified that the displayed details exactly match the certificate on the BMC Helix SSO server, click Pin certificate.

    Certificate pinning involves certificate checks. If the BMC Helix SSO server certificate and the pinned certificate are no longer identical (for example, after a planned update to the BMC Helix SSO server certificate), click Unpin Certificate, retrieve a new certificate from the BMC Helix SSO server, verify the displayed details, and then pin the certificate.

After the configuration completes successfully, the Enable button is available. The HTTPS certificate validity is subject to a baseline check. A baseline alert is raised five days before the certificate expires.
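As an added example (not part of the BMC documentation or product), the following Python recomputes a certificate's fingerprint from a PEM you retrieved from the BMC Helix SSO server yourself, so it can be checked against the Fingerprint the appliance displays before you click Pin certificate. The PEM body is a constructed placeholder, not a real certificate.

```python
import base64
import hashlib
import hmac
import re

PEM_BLOCK = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)


def pem_to_der(pem: str) -> bytes:
    """Extract the first certificate from a PEM string and decode it to DER bytes."""
    match = PEM_BLOCK.search(pem)
    if match is None:
        raise ValueError("no CERTIFICATE block found")
    body = re.sub(r"\s+", "", match.group(1))  # tolerate any line wrapping
    return base64.b64decode(body, validate=True)


def fingerprint(pem: str, algorithm: str = "sha256") -> str:
    """Colon-separated uppercase hex digest of the DER encoding, the form most
    admin UIs display as the certificate fingerprint."""
    digest = hashlib.new(algorithm, pem_to_der(pem)).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def normalize(fp: str) -> str:
    """Drop separators and case so fingerprints copied from different tools compare equal."""
    return re.sub(r"[^0-9a-f]", "", fp.lower())


def fingerprints_match(displayed: str, computed: str) -> bool:
    """Constant-time comparison; an empty fingerprint never matches anything."""
    a, b = normalize(displayed), normalize(computed)
    return bool(a) and hmac.compare_digest(a, b)


# Constructed stand-in: the base64 body is arbitrary bytes, not a real certificate,
# which is enough to exercise decoding and hashing (no DER parsing is attempted).
SAMPLE_PEM = (
    "-----BEGIN CERTIFICATE-----\n"
    + base64.b64encode(b"constructed-der-bytes-for-the-example").decode()
    + "\n-----END CERTIFICATE-----\n"
)

if __name__ == "__main__":
    print("SHA-256:", fingerprint(SAMPLE_PEM))
    print("SHA-1:  ", fingerprint(SAMPLE_PEM, "sha1"))
```

Retrieve the PEM out-of-band, for example with `openssl s_client -connect <sso-host>:443 -showcerts </dev/null`, and compare the result with the Fingerprint shown in the pin dialog; a mismatch means you are not looking at the same certificate the appliance fetched.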

For information about troubleshooting the Helix SSO configuration in BMC Discovery, see Troubleshooting.

Enabling Helix SSO Integration

To enable the Helix SSO integration, click Enable.


Troubleshooting

If you are unable to log in to BMC Discovery using Helix SSO, use the local login URL to access the BMC Discovery UI and log in as a local user.

https://ip-address/ui/LocalLogin