For TSCO, via RSSO is there any way to assign local RSSO groups to LDAP users?

Version 4

    This document contains official content from the BMC Software Knowledge Base. It is automatically updated when the knowledge article is modified.


    PRODUCT:

    TrueSight Capacity Optimization


    COMPONENT:

    Capacity Optimization


    APPLIES TO:

    TrueSight Capacity Optimization 11.0



    QUESTION:

    We want to authenticate in TrueSight Capacity Optimization (TSCO) and TrueSight Presentation Server (TSPS) using the passwords defined in LDAP, but with user-to-group membership defined within RSSO itself.  Typically in RSSO you must choose either LDAP users + LDAP groups or local RSSO users + local RSSO groups.  However, there is a configuration that allows LDAP users to be used with local RSSO groups -- as long as LDAP does not define any groups of its own.


    ANSWER:

    There is a configuration available in RSSO that allows user authentication to be done against an LDAP user's password while that LDAP user is effectively assigned to local groups defined within RSSO (which can then be used to assign Roles in both TSPS and TSCO).  This configuration only works in an environment where RSSO does not retrieve any group definitions or membership from LDAP: if LDAP has groups defined (and those memberships are read into RSSO) the configuration does not work, but if LDAP provides no group information it can be used.

    One requirement for this configuration is that the locally defined RSSO user and the LDAP user must have exactly the same name, compared case sensitively.  So, if the user search and definition use the sAMAccountName attribute and that value is all caps in LDAP (MPASKA), then the user account in RSSO must also be defined in all caps; a local user named "mpaska" would not be matched.

    The attached RSSO_assigning_local_groups_to_LDAP_users_via_chaining.docx document describes how to implement the proposed solution to assign groups to LDAP users via local RSSO.

    This leverages the "Authorization Chaining" functionality implemented for SAML authentication, where SAML provides the authentication but does not provide a list of groups.  Instead of using SAML authentication as the base of the chain, LDAP is used here, and the chain is then used to assign groups to the LDAP users that pass authentication.

    When using this configuration it will likely be necessary to automate the creation of local RSSO users with the importUserDataIntoRSSO utility that ships with the RSSO product.  Rather than creating the RSSO user input file via the exportUserDataFromASSO command, the file can be created from an external source (or manually) and the user accounts then imported into RSSO via the import script.  Information regarding how to use the import script is available here: https://docs.bmc.com/docs/display/btco110/Migrating+internal+user+data+from+Atrium+Single+Sign-On+to+Remedy+Single+Sign-On
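    Because the chain only links an LDAP user to a local RSSO user when the two names are byte-for-byte identical, it is worth reconciling the LDAP sAMAccountName list against the local RSSO user list before building the import file.  The following Python script is an added example, not part of this article or of the RSSO product: it reports exact-case matches, case-only mismatches (which will silently fail to chain), LDAP users with no local counterpart, and local-only users.  The LDAP and RSSO data in it are constructed sample values, and the group names and the "mail" attribute are assumptions.  It does not produce the importUserDataIntoRSSO input file itself (see the linked documentation for that format); it produces the exact-case names that file must contain.

```python
"""Reconcile LDAP account names with local RSSO user names (added example).

RSSO authorization chaining matches an LDAP user to a local RSSO user only
when the two names are identical, including case.  This script compares a
list of LDAP sAMAccountName values with the local RSSO user list and reports
what will chain, what will silently fail, and what must be created locally.

All data below is constructed sample data, not output from a real directory
or RSSO instance.  sAMAccountName comes from the article; the "mail"
attribute and the group names are assumptions.
"""

from dataclasses import dataclass, field

# Constructed LDAP search results (what an ldapsearch for sAMAccountName might return).
LDAP_USERS = [
    {"sAMAccountName": "MPASKA", "mail": "mpaska@example.com"},
    {"sAMAccountName": "jdoe", "mail": "jdoe@example.com"},
    {"sAMAccountName": "ASMITH", "mail": "asmith@example.com"},
    {"sAMAccountName": "rlee", "mail": "rlee@example.com"},
]

# Constructed local RSSO user list with the local groups assigned to each user.
LOCAL_RSSO_USERS = {
    "MPASKA": ["TSCO_Admins"],          # exact-case match with LDAP: chains correctly
    "JDOE": ["TSCO_Users"],             # LDAP has "jdoe": case differs, chaining fails
    "asmith": ["TSPS_Viewers"],         # LDAP has "ASMITH": case differs, chaining fails
    "svc_report": ["TSPS_Viewers"],     # local-only user, no LDAP counterpart
}


@dataclass
class Reconciliation:
    matched: list = field(default_factory=list)        # exact-case matches
    case_mismatch: list = field(default_factory=list)  # (ldap_name, local_name) pairs
    missing_local: list = field(default_factory=list)  # LDAP names with no local user
    local_only: list = field(default_factory=list)     # local users not present in LDAP


def reconcile(ldap_users, local_users):
    """Compare names exactly first (the only comparison RSSO chaining makes),
    then case-insensitively so a failed exact match can be explained."""
    result = Reconciliation()
    # Case-folded name -> actual local spelling, used only to diagnose mismatches.
    local_by_fold = {name.casefold(): name for name in local_users}
    seen_local = set()
    for entry in ldap_users:
        ldap_name = entry["sAMAccountName"]
        if ldap_name in local_users:
            result.matched.append(ldap_name)
            seen_local.add(ldap_name)
        elif ldap_name.casefold() in local_by_fold:
            local_name = local_by_fold[ldap_name.casefold()]
            result.case_mismatch.append((ldap_name, local_name))
            seen_local.add(local_name)
        else:
            result.missing_local.append(ldap_name)
    result.local_only = sorted(set(local_users) - seen_local)
    return result


def names_to_create(rec):
    """Exact-case names (the LDAP spelling) that the locally built import
    file must contain: every LDAP user without an exact-case local account.
    A case-mismatched local user must be replaced by one with the LDAP spelling."""
    return sorted(rec.missing_local + [ldap for ldap, _ in rec.case_mismatch])


if __name__ == "__main__":
    rec = reconcile(LDAP_USERS, LOCAL_RSSO_USERS)
    print("chain OK       :", rec.matched)
    print("case mismatch  :", rec.case_mismatch)
    print("no local user  :", rec.missing_local)
    print("local only     :", rec.local_only)
    print("names to create:", names_to_create(rec))
```

    In a real environment the LDAP list would come from an ldapsearch against the same base DN and filter that RSSO's user search uses, so that the names compared are exactly the ones RSSO will see at login.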


    Article Number:

    000145432


    Article Type:

    FAQ/Procedural


