Configuring Single Sign-On

Infrastructure Management uses the BMC Atrium Single Sign-On (SSO) system to provide single sign-on with authorization and authentication of users. For full information about installing and configuring BMC Atrium SSO, see the online documentation of BMC Atrium Single Sign-On versions 8.0 or 8.1.

The Infrastructure Management Single sign-on feature can be integrated either during installation or post-installation.

The SSO feature can be configured post-installation in one of two ways:

After you integrate SSO and when you launch Infrastructure Management, the BMC Atrium SSO Login dialog box appears. Enter your user name and password, and Infrastructure Management automatically starts.

Note

  • If you start Infrastructure Management and try to log on as a user who is not associated with a valid user group in BMC Atrium SSO, Infrastructure Management displays an error stating "Invalid username/password."
  • If you receive a message that the BMC TrueSight Infrastructure Management Server has restarted, you must close the browser, re-open the browser, and then log back on. See Configuring Infrastructure Management sessions.

Defining users and groups in BMC Atrium SSO

To enable single sign-on, you must first create Infrastructure Management users and user groups in BMC Atrium SSO. The users must be assigned to groups, and groups must be assigned privileges.

Users, user groups, and privileges defined in BMC Atrium SSO are used for Infrastructure Management group mapping.

During installation of Infrastructure Management, the BMC TrueSight Infrastructure Management Server Installer prompts for information that must already be defined in BMC Atrium SSO. The information is the minimum required definition in BMC Atrium SSO. Therefore, before installing Infrastructure Management, perform the following steps:

  • In BMC Atrium Single Sign-on 8.0
    1. Create and define a Searcher user.
    2. Define the SSO amAdmin user and assign full access privileges. (The SSO amAdmin user is automatically created during installation of BMC Atrium SSO.)
    3. Create an Administrative user group and assign full access privileges.
  • In BMC Atrium Single Sign-on 8.1
    1. Create a Searcher user and assign the BmcSearchAdmins group.
    2. Define the SSO amAdmin user and assign full access privileges. (The SSO amAdmin user is automatically created during installation of BMC Atrium Single Sign-On.)
    3. Create an Administrative user group.

The Administrative user group must be created only in BMC Atrium Single Sign-on and must not be created in BMC TrueSight Infrastructure Management. While, integrating BMC TrueSight Infrastructure Management with BMC Atrium Single Sign-on, when prompted, you must select the Administrative user group that you created in BMC Atrium Single Sign-on in step 3.

Configuring Infrastructure Management sessions

BMC Atrium SSO Server has Dynamic Attributes which determine Infrastructure Management sessions.

The following message displays when the configured period of time expires:

Connection to the BMC TrueSight Infrastructure Management Server has been lost. This may be due to a network problem or the server may be unavailable. No new data can be obtained and no actions can be performed. If the problem persists, please re-login or contact your administrator. 

When the session expires, you must relaunch Infrastructure Management and log on again.

Dynamic Attributes can be configured to suit your requirements.

To reconfigure Dynamic Attributes

  • In BMC Atrium SSO 8.0 console
    1. Log on to the BMC Atrium SSO console.
    2. Navigate to Configuration > Global > Session > Dynamic Attributes
    3. Edit the default setting values as required:
      • Maximum Session Time — Maximum period of time in minutes, after which a session expires. The default setting is 120 minutes. Accepts a value of 1 or higher.
      • Maximum Idle Time — Maximum period of time in minutes, after which an idle session expires. The default setting is 30 minutes. Accepts a value of 1 or higher.

      • Maximum Caching Time — Maximum interval in minutes, before which cached session information is refreshed. The default setting is 3 minutes. Accepts a value of 0 or higher.

        The maximum caching time must always be less than the maximum idle time.

      • Active User Sessions — Maximum number of concurrent sessions allowed per user. The default setting is 5 sessions.
    4. Save and log off the BMC Atrium SSO console.
    5. Launch Infrastructure Management and log on to the BMC Atrium SSO Login window.
      The new configuration will be effective in the next new session.
  • In BMC Atrium SSO 8.1 console
    1. Log on to the BMC Atrium SSO console.
    2. Click Edit Server Configuration and edit the default setting values as required:
      • Maximum Session Time — Maximum period of time in minutes, after which a session expires. The default setting is 120 minutes. Accepts a value of 1 or higher.
      • Maximum Idle Time — Maximum period of time in minutes, after which an idle session expires. The default setting is 90 minutes. Accepts a value of 1 or higher.

      • Maximum Caching Time — Maximum interval in minutes, before which cached session information is refreshed. The default setting is 3 minutes. Accepts a value of 0 or higher.

        The maximum caching time must always be less than the maximum idle time.

      • Active User Sessions — Maximum number of concurrent sessions allowed per user. The default setting is 5 sessions.
    3. Save and log off the BMC Atrium SSO console.
    4. Launch Infrastructure Management and log on to the BMC Atrium SSO Login window.
      The new configuration will be effective in the next new session.

  Creating new users in BMC Atrium SSO

New users can be created only when you are using the internal LDAP server for authentication. If an external source is used for authentication, new users must be created within that external system.

Note

When integrating a BMC TrueSight Infrastructure Management Server with an external system such as SSO or LDAP for authentication, ensure that the same user name does not exist in both the external system and the BMC TrueSight Infrastructure Management Server. If the same user exists in both the external system and the BMC TrueSight Infrastructure Management Server, user group associations defined in Infrastructure Management are considered.

To create a new user

  • In BMC Atrium Single Sign-On 8.0 Admin console
    1. Sign onto BMC Atrium Single Sign-On.
    2. Navigate to the User page: Access Control > BmcRealm > Subjects tab > User
    3. Click New. Each of the fields marked with an asterisk is a required field.
    4. In the ID field, enter a unique identifier for the new user.
      This value is used as the user ID when the user logs in. 
    5. Enter the user's last name and full name.
    6. Enter an initial default password (which the user changes) and confirm this default
      password.
    7. In the User Status field, verify that the Active radio button is selected (default).
    8. Click OK.

The name attributes (First, Full, and Last) can be provided to BMC products to help identify user accounts by using terms that are more user-friendly. The actual use of these attributes, though, is dependent on the BMC product.

  • In BMC Atrium Single Sign-On 8.1 Admin console
    1. Log on to BMC Atrium SSO Admin Console, click Edit BMC Realm.
    2. Select the User tab.
    3. Click New.
    4. In the ID field, enter a unique identifier for the new user.
      This value is used as the user ID when the user logs in.
    5. Enter the user's last name and full name.
    6. Enter the password and confirm this password.
    7. In the Status field, verify that the Active radio button is selected (default).
    8. Click Save.

Assigning users to user groups in BMC Atrium SSO

Perform the following steps to assign users to user groups:

  • In BMC Atrium Single Sign-On 8.0 Admin console
    1. In BMC Atrium Single Sign-On, navigate to the Group tab: Access Control > BmcRealm > Subjects tab > Group
    2. Click on the group name.
    3. The Edit Group page displays showing the Universal ID details.
    4. Click the User tab.
    5. Select users from the list of Available users.
    6. Click Add.
    7. Alternatively, you can add all of the users by clicking Add All.
    8. Click Save to save the changes, Reset to reset to the default or (Back to Subjects* to return to the Group page. 

Multiple users can be assigned to a group from the Group page. The membership change is immediately put into effect.

  • In BMC Atrium Single Sign-on 8.1 Admin console
    1. In BMC Atrium Single Sign-On, click Edit BmcRealm and select the Groups tab.
    2. Select the group name and click Edit.
    3. Select users from the Available Users list.
    4. Click Add.
    5. Alternatively, you can add all of the users by clicking Add All.
    6. Click Save to save the changes. 

Multiple users can be assigned to a group from the Group page. The membership change is immediately put into effect.

Note

Any changes made to an SSO user are not reflected in an active Infrastructure Management session. The user must log out and log back on for the changes to take effect.

Assigning privileges in BMC Atrium SSO

Perform the following steps to assign privileges in BMC Atrium SSO:

  1. In BMC Atrium SSO, navigate to Access Control > BmcRealm.
  2. On the Privileges tab, select the group name.
    The Group - Properties page is displayed.
  1. Select the appropriate option from the available privileges, which are listed as follows:
    • Read and write access only for policy properties
    • Write access to all log files
    • Read access to all log files
    • Read and write access to all configured Agents
    • Read and write access to all realm and policy properties
    • Read and write access to all log files
  2. Click Save.
    The privileges are implemented immediately.

Deleting Web Agent entries in BMC Atrium SSO

Perform the following steps to delete Web Agent entries on the BMC Atrium SSO Server when the BMC TrueSight Infrastructure Management Server is uninstalled:

  • In BMC Atrium SSO 8.0
    1. In BMC Atrium Single Sign-On, navigate to Access Control > /Top Level Realm.
    2. Click the Agents tab.
    3. Click the J2EE tab. 
      A list of the Agents that are registered on the Single Sign-On server displays.

    4. Identify the two Agents corresponding to your BMC TrueSight Infrastructure Management Server host.
      Search for the following patterns:

      /@<BMC TrueSight Infrastructure Management Server Host>:<Port>
      /admin@<Infrastructure ManagementServer Host>:<Port>
    5. Mark the Agents to delete by selecting their corresponding checkboxes.
    6. Click Delete.
  • In BMC Atrium SSO 8.1
    1. On BMC Atrium Single Sign-On Console, click Edit BMC Realm.
    2. Click Agents Details
      A list of the Agents that are registered on the Single Sign-On server displays.

    3. Identify the two Agents corresponding to your BMC TrueSight Infrastructure Management Server host.
      Search for the following patterns:

      /@<BMC TrueSight Infrastructure Management Server Host>:<Port>
      /admin@<Infrastructure ManagementServer Host>:<Port>
    4. Mark the Agents to delete by selecting their corresponding checkboxes.
    5. Click Delete.

Disabling BMC Atrium SSO integration

You can disable the integration between Infrastructure Management and BMC Atrium Single Sign-on (SSO) integration by using the Infrastructure Management pw CLI command. To disable the BMC Atrium SSO, perform the following steps:

  1. Run the pw sso config --disable command. For more information about the pw sso config command, see pw-sso-config
  2. After the command is executed successfully, run the pw sso load command.

Removing BMC Atrium SSO integration

You can remove the BMC Atrium Single Sign-on (SSO) integration by using the Infrastructure Management pw CLI command. To remove the BMC Atrium SSO, perform the following steps:

Note

 If you have already disabled the BMC Atrium SSO, perform Step 3 only.

  1. Run the pw sso config --disable command. For more information about the command, see pw-sso-config.
  2. After the command is executed successfully, run the pw sso load command.
  3. After the command is executed successfully, run the pw sso unregister command. For more information about the command, see pw-sso-unregister.

Related topic

BMC Atrium Single sign-on integration configuration

 

Tip: For faster searching, add an asterisk to the end of your partial query. Example: cert*