This document contains official content from the BMC Software Knowledge Base. It is automatically updated when the knowledge article is modified.
BMC Digital Workplace Advanced
MyIT Service Broker
BMC Digital Workplace Advanced Catalog, DWP Mobile, DWP Advanced, RSSO
What are the best practices to configure RSSO with DWP Advanced and with other Applications?
Prerequisites:
NOTE: These are prerequisites for DWP Catalog users only.
If you don't have DWP Catalog, you can skip to step B.
Please make sure that you have performed the steps below in the DWP Catalog prior to configuring the RSSO Realm.
Configure the external authentication options using BMC Remedy Mid Tier/Remedy User Tool
The following configuration must be performed using the credentials of the application administrator user, specified in the installation configuration as <BMC_DWP_ADMIN>. In the following steps, the example <BMC_DWP_ADMIN> account is the default dwpadmin user.
NOTE: Midtier 19.02 is not compatible with DWP Catalog. Use any other version of Midtier.
- Select AR System Administration > AR System Administration Console.
- Expand Common Server Configuration > General.
- Click Server Information.
- On the EA tab at the server level:
- Set External Authentication Server RPC Program Number to 390695.
- Clear the Cross Reference Blank Password check box.
- Ignore the warning to restart the AR System server. You will restart after you configure the tenant settings.
- Click Apply.
- Click Close to return to Common Server Configuration > General.
- Log out of the AR System Administration Console.
To prepare for Remedy ITSM user sync utility
If you will be copying users from an existing Remedy IT Service Management user database, you must modify a tenant configuration setting as the tenant administrator.
In the following steps, the example tenant administrator is email@example.com.
- Log on to the BMC Remedy Mid Tier configured for the BMC Digital Workplace Catalog server as the tenant administrator.
- Select AR System Administration > AR System Administration Console.
- Expand Tenant Server Configuration > General.
- Click Server Information.
- On the EA tab:
- Select the Cross Reference Blank Password check box.
- From the Authentication Chaining Mode options, select ARS - AREA.
- Click Apply.
- Click Close to return to Tenant Server Configuration > General.
- Log out of the AR System Administration Console.
- Restart dwpcontroller
A) These are all the things that you need to consider when integrating DWP Catalog/DWP A with RSSO.
Please note that the AR Authentication Type goes last. This means that the SAML, AD, LDAP, and Kerberos authentication methods should always go in front of AR Authentication. This applies when using Chaining Mode only.
2. User ID Transformation must be the same for each and every Authentication Type defined for every single Realm.
If you need any other specific User ID Transformation method, like Upper Case Transformation, you need to build a jar and make sure that the EmailDomain setting is included, and/or make sure that the loginID record matches in DWP C and ITSM.
3. Make sure that the hannah_admin record exists on both ends, DWP Catalog and ITSM, on the CTM People and User forms, with the exact same password.
Also make sure it has Admin, MyIT Admin, and MyIT Super Admin defined in its Group List (this is set under the User form), and give it a fixed license.
IMPORTANT! Please note that the loginID should not have the domain on it, i.e. firstname.lastname@example.org
4. For DWP Catalog only: Edit the User record of the users who are going to administer the DWP Catalog. This is under the DWP Catalog User form. You can do this either via Midtier or Remedy User Tool.
In the Group List field, put Administrator, sbe-catalog-admins first, and remove sbe-myit-users from these users' Group List. You can have more groups defined in the Group List, but you have to make sure those two go first and in that specific order.
EXTRA - WORKING WITH EXTERNAL AND INTERNAL RSSO SERVERS ON DWP CLUSTERS
A)
- If you have 2 or more DWP servers, then you will have to point them to a single database (basically as a cluster); some DWP server(s) will be externally facing and the rest will be internally facing.
- Subsequently, there would be 2 RSSO servers (one external, one internal) with a single database.
- With the RSSO configuration, you should have a single realm with authentication chaining. In this case, there won't be a need to point to multiple DWPC URLs under the Enhanced Catalog Admin.
- In this example, the first one is Kerberos and the fallback will be SAML. So when users access the internal myit server, they would use Kerberos, while external users would authenticate via SAML.
If you have different domains (URLs) for DMZ and Intranet, then make sure the servers can talk to each other, and that the DWP server in Domain A can be resolved by the DWP server in Domain B and vice versa.
B) Set up an F5 redirection so that the DWP Catalog server authenticates against the external RSSO; that way the external URL authentication will work.
B) These are all the things that you need to consider when integrating RSSO with Other Applications
C) Integrate RSSO with DWP Mobile apps.
2. Create a new Realm for DWP Mobile and follow the steps below.
I. Enable Realm Configuration
In the left navigation panel of the Add Realm or Edit Realm page, click Authentication.
- In the Authentication Type field, click KERBEROS.
- Select the Enable AR authentication for bypass check box to enable bypass URL to authenticate against AR. For more information about enabling BMC Remedy AR System authentication for bypass, see Enabling AR System authentication for bypass.
- Enter the Kerberos details. For more information on parameters, see Kerberos authentication parameters.
- Click Test to verify the settings.
- Click Enable Chaining Mode to enable authentication chaining and perform the following steps. For more information about the authentications that you can chain with LDAP, see Authentication chaining.
- Click Add Authentication.
- Select the required authentication type (it could be SAML, LDAP, or AD) and enter the authentication details.
- Repeat Step a through Step b to add more authentications for the realm.
- Remember that AR Authentication should go last in the Chain and that the UserID Transformation should match across all the Authentication Methods defined for the Realm.
- Click Save.
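The realm rules stated in section A and repeated in the steps above (AR last in the chain, one User ID Transformation per realm) and the DWP Catalog administrator Group List order can be checked before saving. The following is an added example, not BMC code: the dict layout, the transformation labels, and the sample realms and user are constructed for illustration and are not the RSSO export format or API.

```python
# Added example. The dict layout and transformation labels are constructed
# for illustration; they are not the RSSO export format or API schema.

REQUIRED_FIRST = ["Administrator", "sbe-catalog-admins"]

def check_realm(realm):
    """Return findings for one realm; an empty list means it passes."""
    findings = []
    chain = realm["chain"]
    types = [entry["type"].upper() for entry in chain]
    # In Chaining Mode, AR authentication must be the last entry.
    if len(chain) > 1 and "AR" in types and types[-1] != "AR":
        pos = types.index("AR") + 1
        findings.append(f"{realm['name']}: AR is entry {pos} of {len(chain)}, must be last")
    # User ID Transformation must be the same for every authentication type.
    by_transform = {}
    for entry in chain:
        by_transform.setdefault(entry["user_id_transformation"], []).append(entry["type"])
    if len(by_transform) > 1:
        findings.append(f"{realm['name']}: mixed User ID Transformation {by_transform}")
    return findings

def check_catalog_admin(login_id, group_list):
    """Check a DWP Catalog administrator's Group List contents and order."""
    findings = []
    if group_list[:2] != REQUIRED_FIRST:
        findings.append(f"{login_id}: Group List must start with {REQUIRED_FIRST}")
    if "sbe-myit-users" in group_list:
        findings.append(f"{login_id}: remove sbe-myit-users from Group List")
    return findings

# Constructed sample input.
GOOD_REALM = {"name": "dwp", "chain": [
    {"type": "KERBEROS", "user_id_transformation": "RemoveEmailDomain"},
    {"type": "SAML", "user_id_transformation": "RemoveEmailDomain"},
    {"type": "AR", "user_id_transformation": "RemoveEmailDomain"},
]}
BAD_REALM = {"name": "dwp-mobile", "chain": [
    {"type": "KERBEROS", "user_id_transformation": "RemoveEmailDomain"},
    {"type": "AR", "user_id_transformation": "None"},
    {"type": "SAML", "user_id_transformation": "RemoveEmailDomain"},
]}

if __name__ == "__main__":
    for realm in (GOOD_REALM, BAD_REALM):
        for line in check_realm(realm) or [f"{realm['name']}: OK"]:
            print(line)
    for line in check_catalog_admin("catalog.admin", ["Administrator", "sbe-myit-users"]):
        print(line)
```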
NOTE: If you face any issues, collect AR JavaPlugin/RSSO Server-Client/Tomcat/Jetty/DWP logging and submit a case with BMC Support against the product that is failing.