Setting up OpenID authentication in Remedy SSO



You can configure the Remedy Single Sign-On (Remedy SSO) server to authenticate TrueSight Presentation Server users using an OpenID authentication mechanism.

The following topics help you perform the OpenID configuration tasks in Remedy SSO and create an authorization profile in the TrueSight console:


OpenID Authentication

  • This authentication is supported only with TrueSight Presentation Server version 11.3.02 and later.
  • The TrueSight REST API calls are not supported for OAuth users.

Before you begin

Configuring OpenID in Remedy SSO

  1. In the left navigation pane of the Add Realm or Edit Realm page, click Authentication.
  2. In the Authentication Type field, click OIDC.
  3. (Optional) Select the Enable AR authentication for bypass check box to enable the bypass URL to authenticate against AR. For more information about enabling BMC Remedy AR System authentication for bypass, see Enabling AR authentication for bypassing other authentication methods.

  4. (Optional) Click Enable Chaining Mode and perform the following steps to enable authentication chaining. For more information about the authentications that you can chain with OIDC, see Authentication chaining.

    1. Click Add Authentication.
    2. Select the required authentication type and enter the authentication details.
    3. Repeat steps a through b to add more authentications for the realm.
  5. To import OpenID Connect Provider information, click Import.
  6. Complete the OIDC Discovery URL field, and click Import. The following fields get prepopulated: 

  7. Configure the remaining fields on the Authentication tab:

  8. Click Add Authentication.
  9. In the Authentication Type field, click LOCAL.
  10. Enter the LOCAL details. For more information on parameters, see LOCAL authentication parameters.
  11. Create users and user groups for the LOCAL authentication. 
    The users in LOCAL should be exactly the same as the OAuth users.
  12. Associate users to the user groups.
  13. Click Save.


Important Information

Add the LOCAL authentication entry below the OIDC authentication entry, and do not promote or move the LOCAL entry above the OIDC entry.

Configuring an OAuth provider using Google OAuth

Do the following:

  1. Log in to your Google project, and go to Credentials > Create Credentials > OAuth Client ID.
  2. Select the Web Application application type, and click Create.
  3. Save the Client ID and Secret information of the credentials in a notepad. You will need these details later.
  4. Provide the name for your OAuth 2.0 client.
  5. Provide the URIs for the Authorised JavaScript origins, and Authorised redirect URIs as shown in the following example:
    • Authorised JavaScript origins: https://<rsso_host_FQDN>:<rsso_port>
    • Authorised redirect URIs: https://<rsso_host_FQDN>:<rsso_port>/rsso/redirect
  6. Select the OAuth consent screen tab to view the scope and branding information. 

    In this step, you can decide whether to grant your application the requested access. The consent window shows the name of your application, the Google API services that it is requesting permission to access with the authorization credentials, and a summary of the scopes of access to be granted. You can consent to grant access to one or more scopes requested by your application or refuse the request.

  7. Log in to the Remedy Single Sign-On server using the Admin user, and select the Realm tab.
  8. Create a new realm or edit the existing one. 
  9. Under the Authentication tab, select OIDC, and click on Import to get the OIDC provider information. 
  10. Open the following URL: 

    https://accounts.google.com/.well-known/openid-configuration

    The page will have the pre-populated URL information. For the remaining fields, set the values as explained below:

    • Scope: Provide the email
    • Client ID & secret information: Use the information saved from Step 3.
    • User ID field name: sub
    • Prompt: Retain the default value
    • User ID transformation: None
  11. Click Save.
  12. For a successful TrueSight Operations Management authorization login, you will need OIDC user group information. 
  13. If you have created a new realm and are not using the default (*) realm, create an authorization profile for the new realm with the appropriate user group and roles mapping.
  14. Log in to TrueSight console using the Google ID and validate. 
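
The following pre-import check is an added example, not BMC or Google code: it validates a discovery document against the values this procedure uses (scope email, User ID field name sub) and builds the redirect URI to register in the Google project. The function names, the host rsso.example.com and port 8443 are assumptions, and the discovery document is a constructed sample.

```python
import json
from urllib.parse import urlsplit

# Constructed sample, shaped like an OpenID Connect discovery document.
# Fetch the live document from the OIDC Discovery URL for real values.
SAMPLE_DISCOVERY = json.loads("""{
  "issuer": "https://accounts.google.com",
  "authorization_endpoint": "https://accounts.google.com/o/oauth2/v2/auth",
  "token_endpoint": "https://oauth2.googleapis.com/token",
  "userinfo_endpoint": "https://openidconnect.googleapis.com/v1/userinfo",
  "jwks_uri": "https://www.googleapis.com/oauth2/v3/certs",
  "scopes_supported": ["openid", "email", "profile"],
  "claims_supported": ["aud", "email", "exp", "iat", "iss", "sub"]
}""")

ENDPOINTS = ("authorization_endpoint", "token_endpoint", "jwks_uri")
WELL_KNOWN = "/.well-known/openid-configuration"


def check_discovery(discovery_url, doc, scope="email", user_id_field="sub"):
    """Return a list of problems; an empty list means the document is usable."""
    problems = []
    if not discovery_url.endswith(WELL_KNOWN):
        return ["discovery URL must end with " + WELL_KNOWN]
    # OIDC Discovery: issuer must equal the discovery URL minus the suffix.
    expected_issuer = discovery_url[: -len(WELL_KNOWN)]
    if doc.get("issuer") != expected_issuer:
        problems.append(f"issuer {doc.get('issuer')!r} != {expected_issuer!r}")
    for key in ENDPOINTS:
        parts = urlsplit(doc.get(key, ""))
        if parts.scheme != "https" or not parts.hostname:
            problems.append(f"{key} missing or not https")
    if scope not in doc.get("scopes_supported", []):
        problems.append(f"scope {scope!r} not advertised")
    if user_id_field not in doc.get("claims_supported", []):
        problems.append(f"claim {user_id_field!r} not advertised")
    return problems


def redirect_uri_registered(rsso_host, rsso_port, registered_uris):
    """Exact string comparison: a trailing slash or other port is a mismatch."""
    expected = f"https://{rsso_host}:{rsso_port}/rsso/redirect"
    return expected in registered_uris, expected


if __name__ == "__main__":
    url = "https://accounts.google.com" + WELL_KNOWN
    print(check_discovery(url, SAMPLE_DISCOVERY) or "discovery document OK")
    print(redirect_uri_registered("rsso.example.com", 8443, []))
```

An issuer mismatch means the document does not belong to the URL it was fetched from, so do not import it into the realm.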

 
