Changing the BMC Helix IT Operations Management authentication context


As a tenant administrator, you can change the authentication type of the BMC Helix Platform tenant by using the tctl utility. For BMC Helix IT Service Management, you must change the BMC Helix Platform authentication context from Local to OIDC, which sets the authentication type in BMC Helix Single Sign-on. Make sure that you change the authentication context at the time of onboarding the tenant.

To learn more about authentication types, see Configuring authentication in the BMC Helix Single Sign-on documentation.


Before you begin

  • BMC Helix IT Service Management must be deployed and configured.
  • BMC Helix Platform common services must be installed and a tenant must be onboarded.


To change the authentication type from Local to OIDC

  1. Create a user in BMC Helix Platform with the relevant access permissions and the same login ID as in BMC Helix IT Service Management.

    Important

    Make sure that the user that you created in BMC Helix Platform also has the administrator permission and all the other relevant permissions as in BMC Helix IT Service Management.

  2. Run the following command to update the authentication type from Local to OIDC:

    tctl update tenant <tenant_ID> -f update-tenant.json
  3. In the auth_context section of the payload JSON, set the parameters as shown below:

    {
      "auth_context": {
        "issuer": "string", // OpenID Connect URL configured in ITSM RSSO (SAAS or multi-tenant); this is the same as "iss" in the RSSO JWT token
        "itsm_password": "string", // ITSM server password
        "itsm_server_url": "string", // ITSM server URL (REST API URL, not Mid Tier)
        "itsm_user_name": "string", // ITSM server admin user
        "rsso_password": "string", // admin password for ITSM RSSO
        "rsso_realm": "string", // realm present in ITSM RSSO under the SAAS Tenant or Multi-Tenant space
        "rsso_server_url": "string", // ITSM RSSO server URL
        "rsso_tenant_uuid": "string", // optional; mandatory only when the above "rsso_realm" in ITSM RSSO is under the Multi-Tenant space
        "rsso_user_name": "string", // admin user name of ITSM RSSO
        "type": "OIDC" // authentication type; currently two types are supported, OIDC and Local; the default type is LOCAL
      }
    }
Important

After you change the authentication type from Local to OIDC, the local user on the tenant can no longer be used. Only the synced BMC Helix IT Service Management users can log in.
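The payload file from steps 2 and 3 holds the ITSM and RSSO administrator passwords in clear text. The following pre-flight check is an added example, not BMC code: it assumes tctl expects plain JSON without the // annotations shown in the template, it rejects non-HTTPS URLs as its own policy, and `write_payload` and `check_auth_context` are hypothetical helper names.

```python
import json
import os
import stat
import tempfile

# Keys from the page's auth_context template; rsso_tenant_uuid is optional there.
REQUIRED = ("issuer", "itsm_password", "itsm_server_url", "itsm_user_name",
            "rsso_password", "rsso_realm", "rsso_server_url", "rsso_user_name", "type")
URL_KEYS = ("issuer", "itsm_server_url", "rsso_server_url")

def write_payload(auth_context, path):
    """Create the payload owner-only (0600): it holds two admin passwords."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w", encoding="utf-8") as fh:
        json.dump({"auth_context": auth_context}, fh, indent=2)

def check_auth_context(path):
    """Return a list of problems found in an update-tenant.json payload."""
    problems = []
    if os.name == "posix" and stat.S_IMODE(os.stat(path).st_mode) & 0o077:
        problems.append("file is accessible to group/others; chmod 600")
    try:
        with open(path, encoding="utf-8") as fh:
            ctx = json.load(fh).get("auth_context")
    except (ValueError, AttributeError) as exc:  # e.g. // annotations left in
        return problems + [f"not a strict JSON object: {exc}"]
    if not isinstance(ctx, dict):
        return problems + ["auth_context object is missing"]
    for key in REQUIRED:
        value = ctx.get(key)
        if not isinstance(value, str) or value.strip() in ("", "string"):
            problems.append(f"{key}: missing or still the template placeholder")
        # Assumption of this example: credentials should only travel over HTTPS.
        elif key in URL_KEYS and not value.lower().startswith("https://"):
            problems.append(f"{key}: not an https URL")
        elif key == "type" and value.upper() not in ("OIDC", "LOCAL"):
            problems.append("type: must be OIDC or Local")
    return problems

if __name__ == "__main__":
    # Constructed sample values, not from a real deployment.
    sample = dict.fromkeys(REQUIRED, "https://helix.example.com")
    sample.update(type="OIDC", itsm_password="string")  # placeholder left in
    path = os.path.join(tempfile.mkdtemp(), "update-tenant.json")
    write_payload(sample, path)
    print(check_auth_context(path))
    os.remove(path)
```

Delete the payload file once `tctl update tenant` has succeeded, so the two passwords do not stay on disk.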

What happens next?

After you set the OIDC configuration, the following jobs are auto-triggered:

  • User Sync Job: Syncs all licensed users from BMC Helix IT Service Management to BMC Helix Platform for the tenant.
  • IMS Webhook Job: Activates all IMS webhooks in BMC Helix IT Service Management for the tenant, ensuring that any changes to users and groups are synced back into BMC Helix Platform.

If the jobs have failed and users are not synced, you can retrigger the jobs manually. For this, run the following command:

tctl run job <tenantid> -l <label> -f <string>

where:

  • l is a label that can be ITSM_USER_SYNC or ITSM_IMS_WEB_HOOK
  • f is a force flag, which is a non-mandatory field, and can be either true or false


To update a changed BMC Helix IT Service Management user password

If the BMC Helix IT Service Management user password changes after the integration, you must update the BMC Helix Platform tenant with the auth_context JSON that has the changed password. To do this, run the following command:

tctl update tenant <tenant id> -f <path to the JSON file that contains the latest auth_context JSON with the changed password>


 


BMC Helix IT Operations Management deployment 24.3