Configuring SAML 2.0 and Azure Active Directory for User Management
This page explains how to configure BMC Helix Network Management to use Azure Active Directory for user management when using SAML 2.0 for SSO logins to Azure Active Directory.
To use Active Directory (LDAP) without SAML 2.0, see Configuring Active Directory (LDAP) for User Management.
Once SAML 2.0 is enabled, you will only be able to log in to BMC Helix Network Management using Azure Active Directory usernames and passwords (except for the default BMC Helix Network Management administrator local account). To log in to BMC Helix Network Management using the default administrator local account, use the username/password “omnicenter/administrator,” which will indicate to BMC Helix Network Management that you wish to bypass Active Directory. This is useful if your Active Directory server is down or unreachable.
Configuring BMC Helix Network Management to use Azure Active Directory and SAML 2.0 for user management requires you to make configuration changes in Azure Active Directory in your Microsoft Azure account before configuring BMC Helix Network Management.
Procedure
To perform the procedure below, you will need administrative access to both BMC Helix Network Management and your Microsoft Azure account. It is recommended to have both open in separate tabs in your browser as you perform the steps below, switching back and forth between them as needed.
- In BMC Helix Network Management:
  - Log in to BMC Helix Network Management as a user with the SuperAdmin access level.
  - From the main menu, select Administration >> Users >> Authentication Settings.
  - On the Authentication Settings page, in the Authentication panel, in the TYPE field, use the pull-down menu to select SAML (2.0). The SAML configuration options now appear.
  - At this point, you will need to configure the Active Directory settings in your Azure account. Leave this page open and return to it when instructed.
- In Azure:
  - Log in to your Microsoft Azure account.
  - Click your Azure Active Directory service. (If you have not already added this service to your Azure account, you must do so before continuing.)
  - On the Azure Active Directory service management page, from the Manage menu on the left, select Enterprise applications.
  - On the All applications page, click New application at the top to add a new application.
  - From the Azure AD Gallery, select the Azure AD SAML Toolkit. (You can use the search field to find this application quickly.)
  - In the side panel that opens:
    - In the Name field, change the name to something more easily identifiable (e.g., "BMC Helix Network Management Services SAML" or a similar name).
    - Click the Create button to add the new application to your Azure Active Directory service.
  - You are taken to the Overview page of your new application.
  - On the Overview page, under Getting Started, click step 2: Set up single sign-on.
  - On the Single Sign-On page, click SAML to open the SAML-based Sign-on page.
- In BMC Helix Network Management:
  - On the Authentication Settings page, in the Service URLs for your Identity Provider panel, copy the value from the AUDIENCE (ENTITYID) URI field.
- In Azure:
  - On the SAML-based Sign-on page, in the Basic SAML Configuration panel, click Edit.
  - In the Basic SAML Configuration side panel that opens:
    - In the "Identifier (Entity ID)" section of the edit area, click Add identifier.
    - In the new empty field that appears, paste the value that you copied from BMC Helix Network Management.
    - Select the checkbox to make that value the default.
    - Delete the previous default value, leaving only the value pasted from BMC Helix Network Management.
- In BMC Helix Network Management:
  - On the Authentication Settings page, in the Service URLs for your Identity Provider panel, copy the value from the ACS (CONSUMER) URL field.
- In Azure:
  - In the Basic SAML Configuration side panel:
    - In the "Reply URL (Assertion Consumer Service URL)" section of the edit area, click Add reply URL.
    - In the new empty field that appears, paste the value that you copied from BMC Helix Network Management.
- In BMC Helix Network Management:
  - On the Authentication Settings page, in the Service URLs for your Identity Provider panel, copy the value from the SINGLE LOGOUT URL field.
- In Azure:
  - In the Basic SAML Configuration side panel:
    - In the "Sign on URL" section of the edit area, paste the value that you copied from BMC Helix Network Management.
    - Edit the "logout" portion of the pasted value to "login".
    - In the "Logout URL" section of the edit area, paste the value you copied from BMC Helix Network Management again (leave it unedited).
    - Click Save at the top of the side panel.
  - On the SAML-based Sign-on page, the configuration values are updated in the Basic SAML Configuration panel.
  - On the SAML-based Sign-on page, in the Attributes & Claims panel, click Edit.
  - On the Attributes & Claims page, click Add a group claim.
  - In the Group Claims side panel that opens:
    - Select the All groups radio button.
    - Click the down arrow to open the Advanced options area.
    - Select the checkbox next to "Customize the name of the group claim".
    - In the Name field, enter an easily identifiable name for your group claim (for example, BHNM_Groups). Then copy the value that you entered.
    - Click Save.
- In BMC Helix Network Management:
  - On the Authentication Settings page, in the User Permission Mapping panel, in the ATTRIBUTE NAME field, paste the value that you copied from Azure.
- In Azure:
  - Navigate back to your Azure Active Directory service management page.
  - From the Manage menu on the left, select Groups.
  - You will now create four new primary Active Directory groups to match the BMC Helix Network Management user types (User, Power User, Administrator, and SuperAdmin). If you require more granular organization for your Active Directory user groups, you can add subgroups to any primary group. Users in a subgroup will be logged in at the primary group's access level.
  - For each BMC Helix Network Management user type:
    - On the All groups page, click New group.
    - On the New Group page:
      - In the Group name field, enter an appropriate name for this group (such as BHNM_Users, BHNM_Power_Users, etc.).
      - Click Create.
    - On the All groups page, locate your new group and click it.
    - On the group management page, from the Manage menu on the left, select Members.
    - On the Members page, select Add members.
    - In the Add members side panel that appears, select the members to add to the group.
    - Click Select.
  - Navigate back to the All groups page and:
    - Locate the group that contains the basic BMC Helix Network Management Users.
    - In the Object ID column, copy the object ID for that group.
- In BMC Helix Network Management:
  - On the Authentication Settings page, in the User Permission Mapping panel, in the BMC Helix Network Management Access Levels area, in the USER field, paste the value that you copied from Azure.
- In Azure:
  - On the All groups page:
    - Locate the group that contains the BMC Helix Network Management Power Users.
    - In the Object ID column, copy the object ID for that group.
- In BMC Helix Network Management:
  - On the Authentication Settings page, in the User Permission Mapping panel, in the BMC Helix Network Management Access Levels area, in the POWER USER field, paste the value that you copied from Azure.
- In Azure:
  - On the All groups page:
    - Locate the group that contains the BMC Helix Network Management Administrator users.
    - In the Object ID column, copy the object ID for that group.
- In BMC Helix Network Management:
  - On the Authentication Settings page, in the User Permission Mapping panel, in the BMC Helix Network Management Access Levels area, in the ADMIN field, paste the value that you copied from Azure.
- In Azure:
  - On the All groups page:
    - Locate the group that contains the BMC Helix Network Management SuperAdmin users.
    - In the Object ID column, copy the object ID for that group.
- In BMC Helix Network Management:
  - On the Authentication Settings page, in the User Permission Mapping panel, in the BMC Helix Network Management Access Levels area, in the SUPERADMIN field, paste the value that you copied from Azure.
- In Azure:
  - Navigate back to the SAML-based Sign-on page for your application.
  - On the SAML-based Sign-on page, in the SAML Certificates panel, download either the Base64 or Raw certificate (your choice; BMC Helix Network Management accepts either).
  - Open the downloaded certificate in a basic text editor (one that does not add hidden formatting to the text) and copy the contents of the certificate.
- In BMC Helix Network Management:
  - On the Authentication Settings page, in the Identity Provider Configuration panel, paste the contents of the certificate into the X509 CERTIFICATE STRING field.
- In Azure:
  - On the SAML-based Sign-on page, in the Set up "your application" panel, copy the value from the Azure AD Identifier field.
- In BMC Helix Network Management:
  - On the Authentication Settings page, in the Identity Provider Configuration panel, in the ENTITY ID field, paste the value that you copied from Azure.
- In Azure:
  - On the SAML-based Sign-on page, in the Set up "your application" panel, copy the value from the Login URL field.
- In BMC Helix Network Management:
  - On the Authentication Settings page, in the Identity Provider Configuration panel, in the LOG IN URL field, paste the value that you copied from Azure.
  - For the INCLUDE SUBJECT IN REQUEST field, switch the selector to OFF.
  - Click Save.
  - You are finished configuring BMC Helix Network Management to use Active Directory and SAML 2.0 for user login.
All current users must log out and log back in again using their Active Directory credentials.
Troubleshooting
Authentication Settings
If, after configuring BMC Helix Network Management to use Active Directory and SAML 2.0, you find that your users are unable to log in, Azure provides a tool to test your authentication settings and determine whether they work and, if not, where the problem lies. To access the tool, follow the steps below.
- Log in to your Microsoft Azure account.
- On the Microsoft Azure homepage, under Azure services, click Active Directory.
- On the Azure Active Directory service management page, from the menu on the left, under Manage, select Enterprise applications.
- On the All applications page, locate the SAML application you want to test, then click its name.
- On your application's Overview page, click Set up single sign-on.
- On the SAML-based Sign-on page, at the top, click Test this application.
- In the side panel that opens:
  - Select the radio button for how you would like to test the settings.
  - Click Test sign in.
The test generates an XML response that contains the data passed to BMC Helix Network Management during sign-on.
The primary values to check for errors are those found on the SAML-based Sign-on page (from where you ran the test) in the Set up "your application" panel:
- Login URL
- Azure AD identifier
- Logout URL
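To make the troubleshooting check above concrete, and to show how the group-claim settings from the procedure are expected to line up with what Azure AD sends, here is an added example (not BMC's or Microsoft's code) that parses a constructed SAML assertion and compares its Issuer, Audience and custom group claim against placeholder Authentication Settings values. The tenant URL, audience URI and group object IDs are all constructed placeholders, and the rule that the highest mapped access level wins when a user is in several mapped groups is an assumption, not something the page states.

```python
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
RANK = ["USER", "POWER USER", "ADMIN", "SUPERADMIN"]  # assumed: highest mapped level wins

# Values as entered on the Authentication Settings page (all constructed placeholders).
SETTINGS = {
    "entity_id": "https://sts.windows.net/TENANT-ID-PLACEHOLDER/",  # ENTITY ID (Azure AD Identifier)
    "audience": "https://bhnm.example.com/saml/metadata",          # AUDIENCE (ENTITYID) URI
    "attribute_name": "BHNM_Groups",                                # ATTRIBUTE NAME (group claim)
    "groups": {                                                     # group object ID -> access level
        "11111111-1111-1111-1111-111111111111": "USER",
        "22222222-2222-2222-2222-222222222222": "POWER USER",
        "33333333-3333-3333-3333-333333333333": "ADMIN",
        "44444444-4444-4444-4444-444444444444": "SUPERADMIN",
    },
}

# Hand-made stand-in for the assertion inside the Azure AD test response (signature omitted).
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Issuer>https://sts.windows.net/TENANT-ID-PLACEHOLDER/</saml:Issuer>
  <saml:Conditions><saml:AudienceRestriction><saml:Audience>https://bhnm.example.com/saml/metadata</saml:Audience></saml:AudienceRestriction></saml:Conditions>
  <saml:AttributeStatement>
    <saml:Attribute Name="BHNM_Groups">
      <saml:AttributeValue>22222222-2222-2222-2222-222222222222</saml:AttributeValue>
      <saml:AttributeValue>99999999-9999-9999-9999-999999999999</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def check_assertion(xml_text, settings=SETTINGS):
    # Returns the mismatches between the assertion and the BHNM settings plus the resolved level.
    root = ET.fromstring(xml_text)
    problems = []
    issuer = root.findtext("saml:Issuer", namespaces=NS)
    if issuer != settings["entity_id"]:
        problems.append(f"Issuer {issuer!r} does not match the ENTITY ID setting")
    audience = root.findtext(".//saml:AudienceRestriction/saml:Audience", namespaces=NS)
    if audience != settings["audience"]:
        problems.append(f"Audience {audience!r} does not match the AUDIENCE (ENTITYID) URI")
    # Azure AD emits one AttributeValue (a group object ID) per group under the custom claim name.
    attrs = [a for a in root.iterfind(".//saml:AttributeStatement/saml:Attribute", NS)
             if a.get("Name") == settings["attribute_name"]]
    group_ids = [v.text.strip() for a in attrs for v in a.findall("saml:AttributeValue", NS) if v.text]
    if not group_ids:
        problems.append(f"group claim {settings['attribute_name']!r} missing or empty")
    levels = [settings["groups"][g] for g in group_ids if g in settings["groups"]]
    if group_ids and not levels:
        problems.append("no group object ID matches a mapped access level")
    level = max(levels, key=RANK.index) if levels else None
    return {"ok": not problems, "problems": problems, "access_level": level}
```

A claim name typo on either side, or a pasted object ID from the wrong group, shows up here as a reported problem rather than as a silent login failure.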
Using BMC Helix Network Management SaaS in a Sandbox Environment
If you intend to use Active Directory and SAML 2.0 to manage users in a BMC Helix Network Management SaaS sandbox environment, make sure that you configure a CNAME in your DNS for the domain of the users logging in before attempting to use SAML.