Configuring SAML 2.0 and Active Directory Federation Services (ADFS) for User Management


This page explains how to configure BMC Helix Network Management to use Active Directory Federation Services (AD FS) for user management when using SAML 2.0 for SSO logins.

To use Active Directory (LDAP) without SAML 2.0, see Configuring Active Directory (LDAP) for User Management.

After SAML 2.0 is enabled, you will only be able to log in to BMC Helix Network Management by using Active Directory usernames and passwords (except for the default BMC Helix Network Management administrator local account). To log in to BMC Helix Network Management using the default administrator local account (on-premises), use the user name format omnicenter/administrator with the local administrator password, which indicates to BMC Helix Network Management that you want to bypass Active Directory. This method is useful if your AD FS server is down or unreachable.

Warning

If SAML 2.0 is enabled and you delete the preconfigured BMC Helix Network Management local account "administrator", you will not have access to BMC Helix Network Management if your ADFS server becomes unreachable.

Configuring BMC Helix Network Management to use AD FS and SAML 2.0 for user management requires you to make configuration changes in AD FS on your Windows Server before configuring BMC Helix Network Management.

Prerequisites

Before you begin, make sure that you have the following:

  • A Windows Server with AD FS installed, configured, and operational.
  • Administrative access to the AD FS Management Console on the AD FS server.
  • Administrative access to BMC Helix Network Management (SuperAdmin access level).
  • Active Directory security groups that have been created for each BMC Helix Network Management access level you intend to use (User, Power User, Administrator, SuperAdmin), with the appropriate users assigned to each group.

Procedure

To perform the following procedure, you must have administrative access to both BMC Helix Network Management and your AD FS server. It is recommended to have both open in separate windows as you perform the following steps, switching back and forth between them as needed.

Part 1: Begin SAML Configuration in BMC Helix Network Management

  1. Log in to BMC Helix Network Management as a user with the SuperAdmin access level.
  2. From the main menu, select Administration >> Users >> Authentication Settings.
  3. On the Authentication Settings page, in the Authentication panel, in the TYPE field, use the pull-down menu to select SAML (2.0). The SAML configuration options now appear.
  4. Leave this page open. You will return to it throughout the procedure below.

Part 2: Create a Relying Party Trust in AD FS

The Relying Party Trust defines the trust relationship between AD FS and BMC Helix Network Management. This step is the AD FS equivalent of creating an Enterprise Application in Azure Active Directory.

  1. On your AD FS server, open Server Manager, click Tools, and select AD FS Management.
  2. In the AD FS Management console, in the left navigation pane, select Relying Party Trusts.
  3. In the Actions pane on the right, click Add Relying Party Trust. The Add Relying Party Trust Wizard opens.
  4. On the Welcome page, select Claims aware and click Start.
  5. On the Select Data Source page, select Enter data about the relying party manually and click Next.
  6. On the Specify Display Name page:
    1. In the Display name field, enter an easily identifiable name (e.g., "BMC Helix Network Management SAML" or a similar name).
    2. Optionally add a description under Notes.
    3. Click Next.
  7. On the Configure Certificate page, click Next. (No optional token encryption certificate is needed.)
  8. On the Configure URL page:
    1. Check the box for Enable support for the SAML 2.0 WebSSO protocol.
    2. In BMC Helix Network Management, on the Authentication Settings page, in the Service URLs for your Identity Provider panel, copy the value from the ACS (CONSUMER) URL field.
    3. Paste this value into the Relying party SAML 2.0 SSO service URL field in the wizard.
    4. Click Next.
  9. On the Configure Identifiers page:
    1. In BMC Helix Network Management, on the Authentication Settings page, in the Service URLs for your Identity Provider panel, copy the value from the AUDIENCE (ENTITYID) URI field.
    2. Paste this value into the Relying party trust identifier field.
    3. Click Add to add the identifier to the list.
      • Possible Requirement: In some AD FS configurations, you might also need to add the BMC Helix Network Management login URL as an additional identifier in the Relying Party Trust. For example, add https://<your-bhnm-server>/fw/index.php alongside the standard AUDIENCE (ENTITYID) URI value.

  10. Click Next.
  11. On the Choose Access Control Policy page, select Permit everyone (or a more restrictive policy if your environment requires it) and click Next.
  12. On the Ready to Add Trust page, review your settings and click Next.
  13. On the Finish page, check the box for Configure claims issuance policy for this application and click Close. The Edit Claim Issuance Policy dialog opens.

Note: Leave the Edit Claim Issuance Policy dialog open. You will configure claim rules in Part 3.

Part 3: Configure Claim Issuance Rules

AD FS uses claim rules to determine what user information is passed to BMC Helix Network Management in the SAML assertion. You need to configure rules to send the user's identity and group memberships.

Rule 1: Send LDAP Attributes (NameID)

This rule sends the user's identity as the NameID claim, which BMC Helix Network Management uses to identify the authenticating user.

  1. In the Edit Claim Issuance Policy dialog (opened at the end of Part 2), under the Issuance Transform Rules tab, click Add Rule.
  2. In the Add Transform Claim Rule Wizard, on the Select Rule Template page, select Send LDAP Attributes as Claims and click Next.
  3. On the Configure Rule page:
    1. In the Claim rule name field, enter a descriptive name (e.g., "Send User Attributes").
    2. In the Attribute store dropdown, select Active Directory.
    3. In the mapping table, add a row:
      1. For LDAP Attribute, select User-Principal-Name (or E-Mail-Addresses, depending on what your users use to log in).
      2. For Outgoing Claim Type, select Name ID.
    4. Click Finish.

Important

BMC Helix Network Management expects the NameID value to be in user@domain format (for example, a UPN or email address). If your users do not have a suitable UPN/email address, configure Alternative NameID Mapping (Part 7) and make sure the chosen attribute value is in the user@domain format.

Rule 2: Send Group Membership

This rule sends the user's Active Directory group memberships to BMC Helix Network Management, which can then determine the user's access level.

  1. Still in the Edit Claim Issuance Policy dialog, click Add Rule again.
  2. On the Select Rule Template page, select Send LDAP Attributes as Claims and click Next.
  3. On the Configure Rule page:
    1. In the Claim rule name field, enter a descriptive name (for example, "Send Group Memberships").
    2. In the Attribute store dropdown, select Active Directory.
    3. In the mapping table, add a row:
      1. For LDAP Attribute, select Token-Groups – Unqualified Names.
      2. For Outgoing Claim Type, select an outgoing claim type for groups (often a claim description/URI).
        • In Part 5, you will configure BMC Helix Network Management with the SAML assertion's exact Attribute Name value for this claim (it is recommended to use a SAML tracer to confirm the value).
    4. Click Finish.
  4. Click OK to close the Edit Claim Issuance Policy dialog.

Group Claim Values

The "Token-Groups – Unqualified Names" LDAP attribute sends the Active Directory group names (e.g., "BHNM_Users", "BHNM_Power_Users") rather than group SIDs or GUIDs. These are the values you will paste into BMC Helix Network Management's access level fields in Part 5. Ensure the AD group names you created in the Prerequisites are easily identifiable (e.g., BHNM_Users, BHNM_Power_Users, BHNM_Admins, BHNM_SuperAdmins).

Part 4: Logout behavior (local BHNM logout only)

The Single Logout URL shown in BMC Helix Network Management ends only the local BMC Helix Network Management session. BMC Helix Network Management does not implement the SAML Single Logout (SLO) protocol (LogoutRequest/LogoutResponse), so do not configure an AD FS SAML Logout endpoint expecting SAML SLO behavior.

Note

When a user logs out of BMC Helix Network Management, the local session is destroyed but the user can remain signed in to AD FS. If the user navigates back to BMC Helix Network Management, AD FS may automatically re-authenticate them. To fully sign out, the user must also sign out of AD FS directly.

Part 5: Configure Group Mapping in BMC Helix Network Management

  1. In BMC Helix Network Management, on the Authentication Settings page, in the User Permission Mapping panel, in the ATTRIBUTE NAME field, paste the exact group claim attribute Name value from the SAML assertion (that is, the SAML <Attribute Name="..."> value for the group membership claim).
    • Use a SAML tracer browser extension to capture the assertion and copy this value.
  2. For each BMC Helix Network Management access level, enter the corresponding Active Directory group name:
    1. (Optional) In the USER field, enter the exact name of the AD group for basic users (for example, "BHNM_Users" ). (This field is for reference only.)
    2. In the POWER USER field, enter the exact name of the AD group for power users (for example, "BHNM_Power_Users").
    3. In the ADMIN field, enter the exact name of the AD group for administrators (for example, "BHNM_Admins").
    4. In the SUPERADMIN field, enter the exact name of the AD group for super administrators (for example, "BHNM_SuperAdmins").
Important

The values entered in the access level fields must exactly match the Active Directory group names (case-sensitive). These are the unqualified group names (without domain prefix) as they appear in Active Directory Users and Computers.

Note

Any user who authenticates through AD FS but does not belong to any of the configured Power User, Admin, or SuperAdmin groups will automatically be assigned the User access level. The USER field value serves as a reference for administrators. If you need to restrict BMC Helix Network Management access to only specific AD users, configure a restrictive Access Control Policy on the Relying Party Trust in AD FS (Part 2, step 11) rather than relying solely on group mapping.

Part 6: Export the AD FS Token-Signing Certificate

  1. On your AD FS server, in the AD FS Management console, in the left navigation pane, expand Service and select Certificates.
  2. In the Certificates pane, under Token-signing, right-click the certificate and select View Certificate.
  3. In the Certificate dialog that opens, select the Details tab.
  4. Click Copy to File. The Certificate Export Wizard opens.
  5. Click Next.
  6. On the Export File Format page, select Base-64 encoded X.509 (.CER) and click Next.
    1. Specify a file name and location for the exported certificate and click Next.
    2. Click Finish to complete the export.
  7. Open the exported .cer file in a plain text editor (one that does not add hidden formatting).
  8. Copy the certificate contents (the text between -----BEGIN CERTIFICATE----- and -----END CERTIFICATE-----, not including those boundary lines).

Part 7: Complete Identity Provider Configuration in BMC Helix Network Management

  1. In BMC Helix Network Management, on the Authentication Settings page, in the Identity Provider Configuration panel, paste the certificate contents you copied in Part 6 into the X509 CERTIFICATE STRING field.
  2. In the ENTITY ID field, enter your AD FS Federation Service Identifier. This value is typically: http://<your-adfs-server-fqdn>/adfs/services/trust
    • We recommend you confirm this value by running the following PowerShell command on the AD FS server: Get-AdfsProperties | Select-Object -ExpandProperty Identifier
  3. In the LOG IN URL field, enter your AD FS SAML 2.0 SSO endpoint. This value is typically: https://<your-adfs-server-fqdn>/adfs/ls
  4. For the INCLUDE SUBJECT IN REQUEST field, switch the selector to OFF.
  5. Click Save.
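The certificate string pasted in step 1 is easy to get wrong (boundary lines left in, whitespace from the editor, or a secondary certificate exported after a rollover). The following Python script is an added example, not part of this page or of the BMC product: it turns an exported Base-64 .cer file into the single-line value the X509 CERTIFICATE STRING field expects, checks that the decoded bytes are DER, and computes the SHA-1 thumbprint so it can be compared with the Thumbprint that Get-AdfsCertificate reports for the primary token-signing certificate. The sample .cer content is a constructed placeholder (a five-byte DER SEQUENCE), not a real certificate.

```python
import base64
import binascii
import hashlib
import re

# Constructed sample in the shape of an exported Base-64 .cer file. The body is
# a tiny placeholder DER SEQUENCE (0x30 ...), not a real certificate.
SAMPLE_CER_FILE = """-----BEGIN CERTIFICATE-----
MAMC
AQU=
-----END CERTIFICATE-----
"""


def extract_pem_body(cer_text):
    """Return the Base-64 body with the boundary lines and all whitespace removed:
    the exact string to paste into the X509 CERTIFICATE STRING field."""
    lines = [ln.strip() for ln in cer_text.splitlines()]
    body = "".join(ln for ln in lines if ln and not ln.startswith("-----"))
    if re.fullmatch(r"[A-Za-z0-9+/]+=*", body) is None:
        raise ValueError("body contains non-Base-64 characters (hidden formatting from the editor?)")
    return body


def der_from_body(body):
    """Decode the body and check that it is DER: an X.509 certificate always
    starts with an ASN.1 SEQUENCE tag (0x30)."""
    try:
        der = base64.b64decode(body, validate=True)
    except binascii.Error as exc:
        raise ValueError(f"Base-64 decode failed: {exc}") from exc
    if not der or der[0] != 0x30:
        raise ValueError("decoded bytes do not start with an ASN.1 SEQUENCE; not a DER certificate")
    return der


def thumbprint(der):
    """SHA-1 over the DER bytes as uppercase hex, which is the value Windows and
    Get-AdfsCertificate show as the certificate Thumbprint."""
    return hashlib.sha1(der).hexdigest().upper()


def normalize_thumbprint(value):
    """Accept the colon- or space-separated forms that certificate viewers display."""
    return re.sub(r"[^0-9A-Fa-f]", "", value).upper()


def verify_certificate_string(cer_text, expected_thumbprint):
    """Build the paste value and report whether it is the certificate AD FS says is primary."""
    body = extract_pem_body(cer_text)
    actual = thumbprint(der_from_body(body))
    return {
        "paste_value": body,
        "thumbprint": actual,
        "matches": actual == normalize_thumbprint(expected_thumbprint),
    }


if __name__ == "__main__":
    # Replace the placeholder with the Thumbprint printed by
    # Get-AdfsCertificate -CertificateType Token-Signing on the AD FS server.
    result = verify_certificate_string(SAMPLE_CER_FILE, "<thumbprint-from-adfs>")
    print("paste into X509 CERTIFICATE STRING:", result["paste_value"])
    print("thumbprint:", result["thumbprint"], "matches AD FS primary:", result["matches"])
```

Run it against the real exported file with the thumbprint from Get-AdfsCertificate; a mismatch after an AD FS certificate rollover is exactly the "Certificate error during SAML validation" case in the Troubleshooting table.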

Optional – Alternative NameID Mapping

If your AD FS claim rules send the user identity as a custom SAML attribute rather than in the standard NameID Subject element, you can specify that attribute's name in the Alternative NameID Mapping section's ATTRIBUTE NAME field on the Authentication Settings page. BMC Helix Network Management will fall back to this attribute if the standard NameID cannot be determined. In most AD FS configurations using the claim rules described in Part 3, this field can be left blank.

You are finished configuring BMC Helix Network Management to use AD FS and SAML 2.0 for user login. All current users must log out and log back in again using their Active Directory credentials.

Troubleshooting

SAML Assertion Inspection

If, after configuring BMC Helix Network Management to use AD FS and SAML 2.0, you find that your users are unable to log in, use the following approaches to diagnose the issue.

Check the AD FS Event Logs

AD FS logs all authentication events to the Windows Event Log. To access these logs:

  1. On the AD FS server, open Event Viewer.
  2. Navigate to Applications and Services Logs >> AD FS >> Admin.
  3. Look for warnings or errors that coincide with failed login attempts.
  4. Common issues logged here include certificate mismatches, endpoint URL mismatches, and failures in claim rule evaluation.

Use a SAML Tracer Browser Extension

Capture and inspect the raw SAML assertion being sent from AD FS to BMC Helix Network Management by using a SAML tracer browser extension (available for Chrome and Firefox). This lets you verify that:

  • The NameID is being sent correctly.
  • The group claims attribute Name (the SAML <Attribute Name="..."> value) matches the configuration in BMC Helix Network Management's ATTRIBUTE NAME field.
  • The group claim values (AD group names) match the configuration in the BMC Helix Network Management access level fields.
  • The Audience (Entity ID) and Destination (ACS URL) values in the assertion match the BMC Helix Network Management service URLs.
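The four checks in the list above, and the group mapping configured in Part 5, can be run mechanically against the assertion a SAML tracer captures. The following Python script is an added example, not part of this page or of the BMC product. It parses a decoded SAML Response, pulls out the values BMC Helix Network Management relies on (Issuer, NameID, Destination/Recipient, Audience, and the group Attribute Name and values) and compares them with the values copied from the Authentication Settings page, then resolves the access level the way Part 5 describes. The embedded response, hostnames, URLs, claim type URI and group names are constructed placeholders, not BHNM's real endpoints; the precedence used when a user is in several mapped groups (SuperAdmin over Admin over Power User) is an assumption. The script compares content only and does not verify the assertion signature.

```python
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}

# Constructed sample: an unsigned SAML Response of the shape AD FS posts to the
# ACS URL, as a SAML tracer shows it after decoding. Every URL, host and group
# name is a placeholder, not a real BHNM or AD FS value.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_resp1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z"
    Destination="https://bhnm.example.com/acs-placeholder">
  <saml:Issuer>http://adfs.example.com/adfs/services/trust</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">
    <saml:Issuer>http://adfs.example.com/adfs/services/trust</saml:Issuer>
    <saml:Subject>
      <saml:NameID>jdoe@example.com</saml:NameID>
      <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml:SubjectConfirmationData Recipient="https://bhnm.example.com/acs-placeholder"/>
      </saml:SubjectConfirmation>
    </saml:Subject>
    <saml:Conditions>
      <saml:AudienceRestriction>
        <saml:Audience>https://bhnm.example.com/audience-placeholder</saml:Audience>
      </saml:AudienceRestriction>
    </saml:Conditions>
    <saml:AttributeStatement>
      <saml:Attribute Name="http://schemas.xmlsoap.org/claims/Group">
        <saml:AttributeValue>Domain Users</saml:AttributeValue>
        <saml:AttributeValue>BHNM_Power_Users</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""

# Values as copied from the BHNM Authentication Settings page plus the AD group
# names from the Prerequisites (all constructed placeholders).
BHNM_CONFIG = {
    "acs_url": "https://bhnm.example.com/acs-placeholder",          # ACS (CONSUMER) URL
    "audience_uri": "https://bhnm.example.com/audience-placeholder",  # AUDIENCE (ENTITYID) URI
    "idp_entity_id": "http://adfs.example.com/adfs/services/trust",   # ENTITY ID field
    "group_attribute_name": "http://schemas.xmlsoap.org/claims/Group",  # ATTRIBUTE NAME field
    "groups": {  # access level -> exact, case-sensitive AD group name
        "SuperAdmin": "BHNM_SuperAdmins",
        "Admin": "BHNM_Admins",
        "Power User": "BHNM_Power_Users",
    },
}


def parse_response(xml_text):
    """Extract the fields BHNM relies on from a decoded SAML Response."""
    root = ET.fromstring(xml_text)
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        raise ValueError("no saml:Assertion in the response (token encryption enabled?)")
    scd = assertion.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    attributes = {}
    for attr in assertion.findall("saml:AttributeStatement/saml:Attribute", NS):
        attributes[attr.get("Name")] = [v.text or "" for v in attr.findall("saml:AttributeValue", NS)]
    return {
        "issuer": (assertion.findtext("saml:Issuer", default="", namespaces=NS) or "").strip(),
        "name_id": (assertion.findtext("saml:Subject/saml:NameID", default="", namespaces=NS) or "").strip(),
        "destination": root.get("Destination", ""),
        "recipient": scd.get("Recipient", "") if scd is not None else "",
        "audiences": [a.text.strip() for a in assertion.findall(
            "saml:Conditions/saml:AudienceRestriction/saml:Audience", NS) if a.text],
        "attributes": attributes,
    }


def resolve_access_level(group_values, groups):
    """Highest matching level wins (assumed precedence); no match means User."""
    for level in ("SuperAdmin", "Admin", "Power User"):
        if groups[level] in group_values:  # exact, case-sensitive comparison
            return level
    return "User"


def check_response(parsed, config):
    """Return (access_level, findings); an empty findings list means every value lines up."""
    findings = []
    if parsed["issuer"] != config["idp_entity_id"]:
        findings.append(f"ENTITY ID mismatch: assertion Issuer is {parsed['issuer']!r}")
    if parsed["destination"] and parsed["destination"] != config["acs_url"]:
        findings.append(f"Destination {parsed['destination']!r} != ACS (CONSUMER) URL")
    if parsed["recipient"] and parsed["recipient"] != config["acs_url"]:
        findings.append(f"Recipient {parsed['recipient']!r} != ACS (CONSUMER) URL")
    if config["audience_uri"] not in parsed["audiences"]:
        findings.append(f"AUDIENCE (ENTITYID) URI not among assertion audiences {parsed['audiences']}")
    if "@" not in parsed["name_id"]:
        findings.append(f"NameID {parsed['name_id']!r} is not in user@domain format")
    group_values = parsed["attributes"].get(config["group_attribute_name"])
    if group_values is None:
        findings.append(f"no Attribute Name={config['group_attribute_name']!r}; "
                        f"present: {sorted(parsed['attributes'])}")
        group_values = []
    return resolve_access_level(group_values, config["groups"]), findings


if __name__ == "__main__":
    level, findings = check_response(parse_response(SAMPLE_RESPONSE), BHNM_CONFIG)
    print("resolved access level:", level)
    for finding in findings:
        print("FINDING:", finding)
```

Paste the decoded Response from the tracer into SAMPLE_RESPONSE and the real Authentication Settings values into BHNM_CONFIG; each finding maps directly onto a row of the Common Issues table below, and a resolved level of User with no findings means the user simply is not in any mapped group.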

Common Issues

Symptom: Login redirects to AD FS but returns an error.
Likely cause: ACS URL mismatch.
Resolution: Verify that the Relying party SAML 2.0 SSO service URL in the AD FS Relying Party Trust exactly matches the ACS (CONSUMER) URL in BMC Helix Network Management.

Symptom: AD FS returns an error indicating the SAML request must be signed.
Likely cause: AD FS is configured to require signed SAML AuthnRequests for the relying party trust.
Resolution: Disable the signed-request requirement for this relying party trust. BMC Helix Network Management sends unsigned SAML AuthnRequests.

Symptom: AD FS authenticates successfully, but BHNM shows "access denied" or assigns the wrong access level.
Likely cause: Group claim attribute Name or value mismatch.
Resolution: Use a SAML tracer to verify the group attribute Name and values in the assertion. Make sure the ATTRIBUTE NAME in BHNM matches the SAML <Attribute Name="..."> value, and the access level values match the AD group names exactly (case-sensitive).

Symptom: Certificate error during SAML validation.
Likely cause: The wrong certificate was exported, or the certificate has been rolled over.
Resolution: Re-export the current primary token-signing certificate from AD FS and update the X509 CERTIFICATE STRING in BHNM. Run Get-AdfsCertificate -CertificateType Token-Signing on the AD FS server to identify the current primary certificate.

Symptom: AD FS returns "Relying party trust not found."
Likely cause: Entity ID mismatch.
Resolution: Verify that the Relying party trust identifier in AD FS exactly matches the AUDIENCE (ENTITYID) URI shown in BMC Helix Network Management.

Symptom: Authentication still fails after the Entity ID is configured correctly.
Likely cause: An additional AD FS identifier may be required.
Resolution: Add the BMC Helix Network Management login URL (for example, https://<your-bhnm-server>/fw/index.php) as an additional identifier in the AD FS Relying Party Trust alongside the standard Entity ID/Audience value.

Symptom: Users authenticate but are not mapped to any access level.
Likely cause: "Token-Groups – Unqualified Names" is not returning the expected group names.
Resolution: Verify group membership in Active Directory. Run whoami /groups as the user to see their group memberships. Make sure the AD group names used in the BHNM access level fields match exactly.

Verifying AD FS Configuration Values

Retrieve the key AD FS configuration values by using PowerShell on the AD FS server:

# Federation Service Identifier (used as ENTITY ID in BHNM)
Get-AdfsProperties | Select-Object -ExpandProperty Identifier

# SAML 2.0 SSO Endpoint (used as LOG IN URL in BHNM)
Get-AdfsEndpoint | Where-Object { $_.Protocol -eq "SAMLSSOService" } | Select-Object FullUrl

# Token-Signing Certificate Thumbprint (to verify you exported the right cert)
Get-AdfsCertificate -CertificateType Token-Signing | Where-Object { $_.IsPrimary -eq $true } | Select-Object Thumbprint

# Relying Party Trust details (to verify endpoints and identifiers)
Get-AdfsRelyingPartyTrust -Name "BMC Helix Network Management SAML"

Using BMC Helix Network Management SaaS in a Sandbox Environment

If you intend to use AD FS and SAML 2.0 to manage users in a BMC Helix Network Management SaaS sandbox environment, make sure that you configure a CNAME in your DNS for the domain of the users logging in before attempting to use SAML.

Appendix: Concept Mapping from Azure AD to AD FS

If you are familiar with the Azure Active Directory SAML configuration for BMC Helix Network Management, the following table maps Azure AD concepts to their AD FS equivalents.

Azure AD concept: Enterprise Application
AD FS equivalent: Relying Party Trust

Azure AD concept: Azure AD SAML Toolkit
AD FS equivalent: Add Relying Party Trust Wizard (Claims Aware, manual data entry)

Azure AD concept: Basic SAML Configuration → Identifier (Entity ID)
AD FS equivalent: Relying Party Trust → Identifiers tab

Azure AD concept: Basic SAML Configuration → Reply URL (ACS URL)
AD FS equivalent: Relying Party Trust → SAML 2.0 SSO service URL (set during wizard)

Azure AD concept: Basic SAML Configuration → Sign on URL
AD FS equivalent: Not separately configured; the SAML 2.0 SSO service URL (set during wizard) serves this purpose

Azure AD concept: Basic SAML Configuration → Logout URL
AD FS equivalent: NA (BMC Helix Network Management provides only local logout; no SAML SLO)

Azure AD concept: Attributes & Claims → Group claim
AD FS equivalent: Claim Issuance Rules → "Send LDAP Attributes as Claims" with Token-Groups

Azure AD concept: Group Object ID (GUID)
AD FS equivalent: AD Group Name (unqualified, via Token-Groups – Unqualified Names)

Azure AD concept: SAML Certificates → Download Certificate (Base64)
AD FS equivalent: AD FS Management → Service → Certificates → Export Token-Signing Certificate (Base-64)

Azure AD concept: Set up panel → Azure AD Identifier
AD FS equivalent: AD FS Federation Service Identifier (Get-AdfsProperties | Select Identifier)

Azure AD concept: Set up panel → Login URL
AD FS equivalent: AD FS SAML 2.0 SSO Endpoint (typically https://<adfs-fqdn>/adfs/ls)

Azure AD concept: Set up panel → Logout URL
AD FS equivalent: None (BMC Helix Network Management only provides local logout; use the BHNM Single Logout URL to end the BHNM session)

Azure AD concept: Test this application (Azure)
AD FS equivalent: AD FS Event Viewer logs + SAML tracer browser extension
