BMC Defender Active Directory Federation Services (ADFS) plug-in (deprecated)


(Deprecated with version 6.2)

This section provides a detailed description of the BMC Defender Active Directory Federation Services (ADFS) plug-in. This plug-in is an optional set of files and executables added to the BMC Defender Server that enables you to log in to the BMC Defender Server using Microsoft ADFS single sign-on components.

Microsoft ADFS runs on Windows Server operating systems and provides sign-on access to applications located across organizational boundaries. To use the BMC software described here, your organization must already have ADFS installed as a system component, on a server that both the BMC Defender Server and its users can reach through the network.

Note

For information about the ADFS system itself (including the detailed configuration of that Microsoft system), consult Microsoft documentation.

The System > Logins > ADFS tab provides the settings used to configure the BMC Defender client and enable single sign-on. For detailed information about this tab and its configuration, see Using-BMC-Defender-Active-Directory-Federation-Services-ADFS-plug-in. For installation instructions, see Installing-BMC-Defender-Active-Directory-Federation-Services-ADFS-plug-in.

Background information

ADFS uses the OAuth 2.0 authorization framework to furnish authentication to the BMC Defender Server, as documented in RFC 6749. The OAuth 2.0 authorization framework enables a third-party application (in this case the BMC Defender Server) to obtain limited access to an HTTP service, either on behalf of a resource owner (the Active Directory administrator) by orchestrating an approval interaction between the resource owner and the HTTP service, or by allowing the third-party application (the BMC Defender Server and user) to obtain access on its own behalf.

ADFS supports various client types. The BMC Defender Server uses confidential client authentication, which requires a Client ID and Client Secret to be created on the ADFS side and then manually transferred to the BMC Defender Server (typically through a copy and paste operation).


These values are essential to the operation and security of the system flow, presented in the following data flow:

  1. The user signs in through the ADFS server logon page.
  2. If the user credentials are accepted, the browser redirects back with the authorization code.
  3. The browser sends the authorization code to the BMC Defender Server.
  4. The BMC Defender Server communicates with the ADFS server and sends the authorization code.
  5. The ADFS server sends the identity back to the BMC Defender Server, which validates and logs the user into the BMC Defender Server web interface.

ADFS_plugin.png
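The five-step flow above, modelled as an added example that is not BMC or Microsoft code: AdfsStub stands in for the ADFS server and DefenderStub for the BMC Defender Server, the client id, secret, redirect URI and user names are constructed values, and the one-time code, 60-second code lifetime and redirect-URI binding are assumptions about how a confidential-client authorization-code exchange is checked, not documented BMC behaviour.

```python
import hmac
import secrets
import time

class AdfsStub:
    """Stand-in for the ADFS server: issues one-time codes, redeems them for an identity."""

    def __init__(self, client_id, client_secret):
        self._clients = {client_id: client_secret}  # confidential client from an ADFS Application Group
        self._codes = {}  # code -> (upn, client_id, redirect_uri, expiry)

    def authorize(self, client_id, redirect_uri, upn):
        # Steps 1-2: the user signed in on the ADFS logon page; ADFS mints an
        # authorization code bound to the requesting client and its redirect URI.
        code = secrets.token_urlsafe(24)
        self._codes[code] = (upn, client_id, redirect_uri, time.time() + 60)
        return code

    def token(self, client_id, client_secret, code, redirect_uri):
        # Step 4: the confidential client presents Client ID + Client Secret and the code.
        expected = self._clients.get(client_id)
        if expected is None or not hmac.compare_digest(expected, client_secret):
            return None  # unknown client or wrong secret; the code is left untouched
        entry = self._codes.pop(code, None)  # pop: each code can be redeemed only once
        if entry is None:
            return None  # unknown or already-used code
        upn, bound_client, bound_uri, expiry = entry
        if bound_client != client_id or bound_uri != redirect_uri or time.time() > expiry:
            return None
        return {"upn": upn}  # Step 5: identity handed back to the BMC Defender Server


class DefenderStub:
    """Stand-in for the BMC Defender Server: redeems the code, then checks user registration."""

    def __init__(self, adfs, client_id, client_secret, redirect_uri, registered_users):
        self._adfs = adfs
        self._client = (client_id, client_secret, redirect_uri)
        self._users = dict(registered_users)  # upn -> role, as on System > Logins > Users

    def complete_login(self, code):
        # Step 3: the browser delivered the code; steps 4-5 run server to server.
        client_id, client_secret, redirect_uri = self._client
        identity = self._adfs.token(client_id, client_secret, code, redirect_uri)
        if identity is None:
            return "error: authorization code rejected by ADFS"
        role = self._users.get(identity["upn"])
        if role is None:  # ADFS accepted the user, but the user is not on the Users screen
            return "You Are Not Registered On This System"
        return f"logged in: {identity['upn']} as {role}"
```

The second call with the same code and the login with the wrong secret show why the Client Secret and single-use code matter; the unregistered user reproduces the error screen described under Notes.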

System requirements

The BMC Defender ADFS plug-in requires the following elements:

  • Administrative logons to ADFS and the BMC Defender Server—The installation and configuration procedure requires privileged access to these two components, needed to configure the ADFS resources and the BMC Defender client parameters.
  • Microsoft ADFS version 10 or equivalent—A configured and working copy of Microsoft ADFS Version 10.0 or equivalent is required. The administrator must be able to add and configure Application Groups of the ADFS software. As illustrated previously, the ADFS Server must be accessible to the browser and the BMC Defender Server installation.
  • BMC Defender Server version 5.8.3 or higher—An installation of BMC Defender Server version 5.8.3 or later is required. This particular version of BMC Defender Server is necessary to support the ADFS plug-in. BMC administrators can easily upgrade to this version by obtaining the latest BMC Defender Service Pack.
  • BMC Defender Apache TLS adapter—The ADFS plug-in requires the BMC Defender Apache TLS Server to be installed and configured; this component is mandatory. You can obtain it from BMC Defender along with its installation instructions.

Additionally, this version of the ADFS adapter requires that each BMC Defender user, granted either local access or access using ADFS, be registered in the System > Logins > Users screen. The BMC administrator must register every ADFS user that is granted access to the BMC Defender system and assign the role and access of the user (such as admin, user, guest) using the BMC Defender Server logon interface.

Notes

  • Failure to register the user on the BMC Defender System > Logins > Users screen presents you with an error screen: You Are Not Registered On This System. This message indicates that the BMC Defender user has successfully logged into BMC but is not listed on the System > Logins > Users screen.
  • Registering the user is a prerequisite for using any BMC Defender Server screen. No user can access any part of BMC Defender until an administrator has assigned the user's system access level.

The only required component of the system is the configuration screen. Other information on the BMC Defender Server can be found in the standard user manual, including operation and application notes that might be of assistance in using the system.
