Configuring user authentication for the Presentation Server in Remedy SSO

After you create or edit and configure the tenant details in Remedy SSO, you must configure the user authentication type. Remedy SSO can be configured to provide one of the following authentication types for the TrueSight Presentation Server:

From the TrueSight console, you can only view the user information. You must perform all modifications to the user information in Remedy SSO. You can do that by cross-launching to Remedy SSO from the TrueSight console.

Related topics

Configuring tenants in Remedy SSO

Managing-authorization-profiles
Role-based access

Before you begin

  • You must have installed Remedy SSO.
  • You must have configured tenants to be used with the TrueSight Presentation Server.

Local User Management authentication

Local Users Management authentication is a simple light-weight user store which is not supposed to be a corporate-wide authentication provider. It is not designed as a high performance authentication provider to support group policies, password expiration, and so on. It allows creating realm specific user stores which can be used for different purposes. For example, in multi-tenant environments, it can be used to configure admin privileges for different tenants using different user accounts belonging to appropriate realms. 

Typical use cases for Local User Management authentication:

  • when using local users for applications requiring several user accounts
  • when corporate identity providers are not available
  • for testing purposes

You should consider other authentication types in case you are designing corporate-wide authentication for a high workload.

Note

All local users and groups created after the release of 9.1 SP2 and prior to upgrading to 9.1 SP3 are not assigned to any realm. After the upgrade of Remedy Single Sign-On to 9.1 SP3, a new empty realm is created and all existing local users are moved into it. The administrator can remove local users from this realm and recreate them for the necessary realm if needed.


LDAP/AD authentication

The Remedy SSO server provides support for using external Lightweight Directory Access Protocol (LDAP) servers for authentication. The Lightweight Directory Access Protocol (LDAP) is an open, vendor-neutral, industry standard application protocol for accessing and maintaining distributed directory information services over an Internet Protocol (IP) network.

Support for LDAP also includes using external Active Directory (AD) servers for authentication. The Active Directory authentication must be configured for the enterprise environment.

SAMLv2 authentication

Note

  • The TrueSight REST API calls are not supported for SAML users.
  • Service Provider (SP) and Identity Provider (IdP) initiated SAML logins are supported.

You can configure the Remedy Single Sign-On (Remedy SSO) server to authenticate users through SAMLv2 authentication. SAML V2.0 is implemented by forming a Circle of Trust that comprises a Service Provider (SP) and an Identity Provider (IdP).

The SP hosts and protects the services that the user accesses. Remedy SSO is configured as an SP for BMC products. The IdP authenticates users and provides details of the authentication information to the SP. 

Kerberos authentication

Kerberos is a trusted third-party authentication service that is used to provide authentication service for all client and server applications by using secret-key cryptography. The clients and servers are collectively referred to as principals. Kerberos uses a database that contains the private keys of clients and servers. The private keys are used to authenticate different clients and servers on a network. Kerberos also generates temporary session keys that are shared between a client and a server to communicate with each other. All communications between a client and server are then encrypted with the temporary session key.

Before configuring the Kerberos authentication, you must create a Service Account in Active Directory and Add an SPN mapping to authenticate the service. A given SPN can be registered on only one account.

Certificate-based authentication

Certificate-based authentication uses the Digital Certificate to identify the users or system resources before granting access. Ensure that the following conditions are met before configuring the certificate-based authentication:

  • Client has a valid Public Key Certificate
  • SSL support is configured for the server
  • Client authentication is configured on the server

OpenID authentication

OpenID authentication

The TrueSight REST API calls are not supported for OAuth users.

OpenID Connect (OIDC) authentication method is built on top of the OAuth 2.0 protocol. Clients use OIDC to check the identity of users. The identification is based on the authentication done at the authorization server.

The following sequence of actions explain the OIDC workflow:

  1. The registered client (Remedy SSO) sends the authorization request to the OIDC provider.
  2. The OIDC authenticates an end user and redirects the authorization code to Remedy SSO.
  3. Remedy SSO sends a request with the authorization code to get the access token from the OIDC.
  4. With the access token, Remedy SSO requests the information about the end user.
  5. OIDC provides information about the end user to Remedy SSO.
  6. Remedy SSO creates a user session.

This section provides the following information for configuring authentication types in Remedy SSO:

 

Tip: For faster searching, add an asterisk to the end of your partial query. Example: cert*