DWP C-How to Integrate DWP Advanced/Catalog/Mobile with RSSO?

Version 6

    This document contains official content from the BMC Software Knowledge Base. It is automatically updated when the knowledge article is modified.


    PRODUCT:

    BMC Digital Workplace Advanced


    COMPONENT:

    MyIT Service Broker


    APPLIES TO:

    BMC Digital Workplace Advanced Catalog, DWP Mobile, DWP Advanced, RSSO



    QUESTION:

    What are the best practices to configure RSSO with DWP Advanced and with other Applications?


    ANSWER:

     

    Prerequisites:

    NOTE: These are prerequisites for DWP Catalog users only.
    If you don't have DWP Catalog, you can skip to step B.

    Please make sure that you have performed the steps below in the DWP Catalog before configuring the RSSO Realm.



    Configure the external authentication options using BMC Remedy Mid Tier/Remedy User Tool

      
     The following configuration must be performed using the credentials of the application administrator user, specified in the installation configuration as <BMC_DWP_ADMIN>. In the following steps, the example <BMC_DWP_ADMIN> account is the default dwpadmin user.

     

      
      Log on to the BMC Remedy Mid Tier configured for the BMC Digital Workplace Catalog server as the application administrator.

      NOTE: Midtier 19.02 is not compatible with DWP Catalog. Use any other version of Midtier.

    1. Select AR System Administration > AR System Administration Console.
    2. Expand Common Server Configuration > General.
    3. Click Server Information.
    4. On the EA tab at the server level:
       • Set External Authentication Server RPC Program Number to 390695.
       • Clear the Cross Reference Blank Password check box.
    5. Ignore the warning to restart the AR System server. You will restart after you configure the tenant settings.
    6. Click Apply.
    7. Click Close to return to Common Server Configuration > General.
    8. Log out of the AR System Administration Console.
      
       

     

       



    To prepare for Remedy ITSM user sync utility

        

    If you will be copying users from an existing Remedy IT Service Management user database, you must modify a tenant configuration setting as the tenant administrator.
    In the following steps, the example tenant administrator is hannah_admin@domain.com.
     

       
        
    1. Log on to the BMC Remedy Mid Tier configured for the BMC Digital Workplace Catalog server as the tenant administrator.
    2. Select AR System Administration > AR System Administration Console.
    3. Expand Tenant Server Configuration > General.
    4. Click Server Information.
    5. On the EA tab:
       • Select the Cross Reference Blank Password check box.
       • From the Authentication Chaining Mode options, select ARS - AREA.
    6. Click Apply.
    7. Click Close to return to Tenant Server Configuration > General.
    8. Log out of the AR System Administration Console.
    9. Restart dwpcontroller.
       
     
      https://docs.bmc.com/docs/digitalworkplaceadvanced/35/configuring-bmc-remedy-single-sign-on-integration-for-bmc-digital-workplace-catalog-771814045.html?src=search 
     
     
     
     
     
      A) These are all the things that you need to consider when integrating DWP Catalog/DWP A with RSSO. 
     
      
      
      1. Enable Chaining Mode for each and every Realm defined in the RSSO Admin Console, and make sure that the AR Authentication Type is defined for all of them. Enable AR authentication for bypass, too.

    Please note that the AR Authentication Type goes last. This means that the SAML, AD, LDAP and Kerberos authentication methods should always go in front of AR Authentication (this applies when using Chaining Mode only).

      NOTE: You don't need to enable Chaining Mode if the AR Authentication Type is the only method that is being used. Just make sure that the RemoveEmailDomain option is set for the User ID Transformation option.
      
      
        
      
     
    2. User ID Transformation must be the same for each and every Authentication Type defined for every single Realm.

      NOTE: Having RemoveEmailDomain as an option is a must. If you have LDAP, Kerberos, AD or SAML with upper case loginIDs, then use the attached jar file, uidtransformDomainaLowercase.jar, to get an additional User ID Transformation method: RemoveDomainandlowercase.

    If you need any other specific User ID Transformation method, like Upper Case Transformation, you need to build a jar and make sure that the EmailDomain setting is included and/or make sure that the loginID record matches in DWP C and ITSM.

      IMPORTANT! This file needs to be placed under <TomcatInstallDirectory>/webapps/rsso/WEB-INF/lib/ and requires a Tomcat restart.
      
     
     
    3. Make sure that the hannah_admin record exists on both ends, DWP Catalog and ITSM, on the CTM People and User forms, with the exact same password.
    Also, make sure it has the Admin, MyIT Admin and MyIT Super Admin Group List defined (this is set under the User form) and give it a fixed license.

      IMPORTANT! Please note that the loginID should not have the domain on it, for example hannah_admin rather than hannah_admin@domain.com.

    4. For DWP Catalog only: Edit the User record of those users who are going to administer the DWP Catalog; this is under the DWP Catalog User Form. You can do this either via Midtier or Remedy User Tool.

    In the Group List field, put Administrator, sbe-catalog-admins first and remove sbe-myit-users from these users’ Group List. You can have more Group List entries defined, but you have to make sure those two go first and in that specific order.
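
    The loginID matching required in points 2 and 3 can be checked offline before users hit a failed login. The following is an added example, not part of the BMC article or of any BMC tooling: it applies a RemoveDomainandlowercase-style transformation to identity-provider user IDs and compares the result with loginIDs exported from DWP Catalog and ITSM. The transformation's exact behaviour, the function names and all sample IDs are assumptions constructed for illustration; the check also flags distinct identities that become one loginID once the domain is removed.

```python
def remove_domain_and_lowercase(user_id):
    # Assumed behaviour of the RemoveDomainandlowercase method named above:
    # drop everything from the first "@" and lowercase what is left.
    return user_id.split("@", 1)[0].lower()

def reconcile(idp_ids, dwpc_ids, itsm_ids):
    """Compare transformed IdP user IDs with the loginIDs stored on both ends."""
    dwpc, itsm = set(dwpc_ids), set(itsm_ids)
    report = {"missing_in_dwpc": [], "missing_in_itsm": [],
              "stored_with_domain": [], "collisions": []}
    first_seen = {}
    for raw in idp_ids:
        uid = remove_domain_and_lowercase(raw)
        if uid in first_seen and first_seen[uid].lower() != raw.lower():
            # Two different identities map to one loginID after domain removal.
            report["collisions"].append((uid, first_seen[uid], raw))
            continue
        first_seen.setdefault(uid, raw)
        if uid not in dwpc:
            report["missing_in_dwpc"].append(uid)
        if uid not in itsm:
            report["missing_in_itsm"].append(uid)
    # A loginID saved with its domain can never equal a transformed user ID.
    report["stored_with_domain"] = sorted(i for i in dwpc | itsm if "@" in i)
    return report

# Constructed sample data (not taken from a real system).
IDP_IDS = ["HANNAH_ADMIN@DOMAIN.COM", "Allen@domain.com",
           "mary@domain.com", "mary@partner.example"]
DWPC_LOGIN_IDS = ["hannah_admin", "allen", "mary"]
ITSM_LOGIN_IDS = ["hannah_admin", "Allen@domain.com", "mary"]

if __name__ == "__main__":
    for key, value in reconcile(IDP_IDS, DWPC_LOGIN_IDS, ITSM_LOGIN_IDS).items():
        print(key, value)
```

    A non-empty collisions list means two identities from different domains would authenticate as the same AR user, so it should be resolved before the realm is enabled.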
     
     
     
      
      
        
      

    EXTRA - WORKING WITH EXTERNAL AND INTERNAL RSSO SERVERS ON DWP CLUSTERS

      A)
    1. If you have 2 or more DWP servers, then you will have to point them to a single database (basically as a cluster); some DWP server(s) will be externally facing and the rest will be internally facing.
    2. Subsequently, there would be 2 RSSO servers (one external, one internal) with a single database.
    3. With the RSSO configuration, you should have a single realm with authentication chaining. In this case, there won’t be a need to point to multiple DWPC URLs under the Enhanced Catalog Admin.
    4. In this example, the first one is Kerberos and the fallback will be SAML. So when users access the internal myit server, they would use Kerberos, while external users would authenticate via SAML.

      If you have different domains (URLs) for DMZ and Intranet, then make sure the servers can talk to each other, and that the DWP server in Domain A can be resolved by the DWP server in Domain B and vice versa.

      B) Set up an F5 redirection so that the DWP Catalog server authenticates against the external RSSO; that way the external URL authentication will work.
        
       
     
     
     
      B) These are all the things that you need to consider when integrating RSSO with Other Applications 
      
      
      1. Please go to the section "BMC Remedy SSO for other BMC applications" under the following document:

      And make sure that you perform all the steps for every application listed.
      

     

      
     
      C) Integrate RSSO with DWP Mobile apps.
      
     
      Prerequisites: 
      
      
      1. Create new DNS entries for DWP for Mobile Applications, one for DWP A and one for DWP C. Your Network Team should be able to assist you.
      2. Create a new Realm for DWP Mobile and follow the steps below.
      
      

    I. Enable Realm Configuration

      
       
      
      In the left navigation panel of the Add Realm or Edit Realm page, click Authentication.

    1. In the Authentication Type field, click KERBEROS.
    2. Select the Enable AR authentication for bypass check box to enable bypass URL to authenticate against AR. For more information about enabling BMC Remedy AR System authentication for bypass, see Enabling AR System authentication for bypass.
    3. Enter the Kerberos details. For more information on parameters, see Kerberos authentication parameters.
    4. Click Test to verify the settings.
    5. Click Enable Chaining Mode to enable authentication chaining and perform the following steps. For more information about the authentications that you can chain with LDAP, see Authentication chaining.
       a. Click Add Authentication.
       b. Select the required authentication type (it could be SAML, LDAP or AD) and enter the authentication details.
       c. Repeat Step a through Step b to add more authentications for the realm.
    6. Remember that AR Authentication should go last in the chain and that the UserID Transformation should match across all the Authentication Methods defined for the Realm.
    7. Click Save.
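
    The realm rules stated in section A and repeated in the steps above (AR last in the chain, one User ID Transformation for every method, AR bypass enabled) can be reviewed as data once the realm settings are written down. The following is an added example, not BMC code: the dictionary layout, key names and the "no-transform" value are assumptions constructed for illustration and are not an RSSO export format.

```python
# Transformations that remove the email domain, as named in this article.
DOMAIN_STRIPPING = {"RemoveEmailDomain", "RemoveDomainandlowercase"}

def lint_realm(realm):
    """Return the rule violations for one realm (hypothetical dict layout)."""
    chain = realm["chain"]              # ordered as shown in the Admin Console
    types = [m["type"] for m in chain]
    transforms = {m["uid_transform"] for m in chain}
    findings = []
    if "AR" not in types:
        findings.append("AR authentication type is missing")
    elif types[-1] != "AR":
        findings.append("AR must be last; found at position %d of %d"
                        % (types.index("AR") + 1, len(types)))
    if len(chain) > 1:
        if not realm.get("chaining_mode"):
            findings.append("Chaining Mode is not enabled")
        if not realm.get("ar_bypass"):
            findings.append("AR authentication for bypass is not enabled")
    if len(transforms) > 1:
        findings.append("User ID Transformation differs: " + ", ".join(sorted(transforms)))
    if not transforms <= DOMAIN_STRIPPING:
        findings.append("transformation does not remove the email domain: "
                        + ", ".join(sorted(transforms - DOMAIN_STRIPPING)))
    return findings

def lint_all(realms):
    """Return {realm name: findings} for the realms that break a rule."""
    report = {r["name"]: lint_realm(r) for r in realms}
    return {name: found for name, found in report.items() if found}

# Constructed sample realms; "no-transform" is a placeholder value.
REALMS = [
    {"name": "dwp", "chaining_mode": True, "ar_bypass": True, "chain": [
        {"type": "KERBEROS", "uid_transform": "RemoveEmailDomain"},
        {"type": "SAML", "uid_transform": "RemoveEmailDomain"},
        {"type": "AR", "uid_transform": "RemoveEmailDomain"}]},
    {"name": "ar-only", "chaining_mode": False, "ar_bypass": False, "chain": [
        {"type": "AR", "uid_transform": "RemoveEmailDomain"}]},
    {"name": "mobile", "chaining_mode": True, "ar_bypass": False, "chain": [
        {"type": "AR", "uid_transform": "RemoveEmailDomain"},
        {"type": "LDAP", "uid_transform": "no-transform"}]},
]

if __name__ == "__main__":
    for name, found in lint_all(REALMS).items():
        for item in found:
            print(f"{name}: {item}")
```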
       
      
       NOTE: If you face any issues, collect AR JavaPlugin/RSSO Server-Client/Tomcat/Jetty/DWP logging and submit a case with BMC Support against the product that is failing.
      

     


    Article Number:

    000163989


    Article Type:

    FAQ/Procedural


