This document contains official content from the BMC Software Knowledge Base. It is automatically updated when the knowledge article is modified.
BMC Digital Workplace Advanced
MyIT Service Broker
BMC Digital Workplace Advanced Catalog, DWP Mobile, DWP Advanced, RSSO. Meant for DWP 19.02 and beyond
What are the best practices to configure RSSO with DWP Advanced and with other Applications?
DWP Configuration Steps
From DWP 20.08 onwards, the installer asks whether you want to enable RSSO and prompts for the RSSO Server details.
For now, follow the steps below:
Create rsso-agent.properties with the RSSO details. See KA 000159409.
Enable RSSO on DWP Database
DWP CATALOG CONFIGURATION STEPS
Log in as Demo or an equivalent user (dwpadmin) to the BMC Digital Workplace Catalog AR Server using Midtier or the User Tool.
You must have run the configure_rsso script, which is under </dwpcatalog>/sb/configure_rsso.
Example of the details you should have provided:
Restart DWP Catalog Service
Run ITSM user sync utility
Run user_group_sync.sh to sync ITSM with DWP Catalog, and create a cron job for it as well.
Consider the following when integrating DWP Catalog/DWP A with RSSO
1. Enable Chaining Mode for each and every Realm defined in the RSSO Admin Console, and make sure that every Realm has an AR Authentication Type. Enable AR authentication for bypass, too.
Note that the AR Authentication Type goes last: when using Chaining Mode, the SAML, AD, LDAP and Kerberos authentication methods must always precede AR Authentication in the chain.
2. User ID Transformation must be the same for each and every Authentication Type defined for every single Realm.
NOTE: If your LDAP, Kerberos, AD or SAML source returns upper-case loginIDs, use the attached jar file, uidtransformDomainaLowercase.jar, to get an additional User ID Transformation Method, RemoveDomainandlowercase. This is not officially supported.
If you need any other specific User ID Transformation method, such as an upper-case transformation, you need to build a jar yourself. Make sure the loginID record matches across DWP C and ITSM.
IMPORTANT! This file needs to be placed under <TomcatInstallDirectory>/webapps/rsso/WEB-INF/lib/ and requires a Tomcat restart.
3. Make sure that the hannah_admin record exists on both ends, DWP Catalog and ITSM, in the CTM People and User forms, with exactly the same password. This user needs the Admin, MyIT Admin and MyIT Super Admin permissions; you will have to add these in the ITSM User form.
IMPORTANT! Note that the loginID must not include the domain, i.e. it must not be in the form email@example.com.
4. For DWP Catalog only: edit the User record of each user who is going to administer the DWP Catalog; this is in the DWP Catalog User form. You can do this either via Midtier or the Remedy User Tool.
In the Group List field, put Administrator, sbe-catalog-admins first, and remove sbe-myit-users from these users' Group List. You can have more groups defined in the Group List, but make sure those two go first and in that specific order.
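As an added example (not from the BMC article), the following Python script audits a constructed RSSO realm list against items 1 and 2 above, and a DWP Catalog admin's User record against items 3 and 4. The dictionary layout and the Group List separator handling are assumptions, not RSSO's or AR System's actual export formats.

```python
import re

AR = "AR"
REQUIRED_FIRST_GROUPS = ["Administrator", "sbe-catalog-admins"]

# Constructed sample: realm -> chaining flag, bypass flag and the ordered
# chain of (authentication type, User ID Transformation). Not a real export.
SAMPLE_REALMS = {
    "corp": {"chaining": True, "ar_bypass": True,
             "chain": [("KERBEROS", "RemoveDomain"), ("SAML", "RemoveDomain"),
                       (AR, "RemoveDomain")]},
    "dwp-mobile": {"chaining": True, "ar_bypass": False,
                   "chain": [(AR, "None"), ("SAML", "RemoveDomain")]},
}


def audit_realm(name, realm):
    """Return findings for one realm (empty list when it follows the rules)."""
    findings = []
    types = [t for t, _ in realm["chain"]]
    if not realm["chaining"]:
        findings.append(f"{name}: chaining mode is not enabled")
    if AR not in types:
        findings.append(f"{name}: no AR Authentication type in the chain")
    elif types[-1] != AR:  # every other method must precede AR in the chain
        findings.append(f"{name}: AR Authentication must be last "
                        f"(found at position {types.index(AR) + 1})")
    if not realm["ar_bypass"]:
        findings.append(f"{name}: AR authentication for bypass is not enabled")
    transforms = sorted({x for _, x in realm["chain"]})
    if len(transforms) > 1:  # transformation must match across all auth types
        findings.append(f"{name}: User ID Transformation differs: {transforms}")
    return findings


def audit_realms(realms):
    return [f for name, realm in realms.items() for f in audit_realm(name, realm)]


def audit_catalog_admin(login_id, group_list):
    """Check a Catalog admin's User record: no domain in the loginID, the two
    admin groups first and in order, and sbe-myit-users removed."""
    findings = []
    if "@" in login_id or "\\" in login_id:
        findings.append(f"{login_id}: loginID must not contain a domain")
    # Assumption: the Group List field is ';' or ',' separated.
    groups = [g.strip() for g in re.split(r"[;,]", group_list) if g.strip()]
    if groups[:2] != REQUIRED_FIRST_GROUPS:
        findings.append(f"{login_id}: Group List must start with {REQUIRED_FIRST_GROUPS}")
    if "sbe-myit-users" in groups:
        findings.append(f"{login_id}: remove sbe-myit-users from the Group List")
    return findings
```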
EXTRA - WORKING WITH EXTERNAL AND INTERNAL RSSO SERVERS ON DWP CLUSTERS
- If you have 2 or more DWP servers, you will have to point them to a single database (basically as a cluster); some DWP servers will be externally facing and the rest internally facing.
- Consequently, there would be 2 RSSO servers (one external, one internal) sharing a single database.
- You can also use a single RSSO server with two aliases (internal and external) and configure load balancer/DNS rules to redirect traffic as desired.
- In the RSSO configuration, you should have a single realm with authentication chaining. In this case, there is no need to point to multiple DWPC URLs under the Enhanced Catalog Admin.
- In this example, the first authentication method is Kerberos and the fallback is SAML. So when users access the internal DWP server they authenticate via Kerberos, while external users authenticate via SAML.
- If you have different domains (URLs) for the DMZ and the Intranet, make sure the servers can talk to each other, and that the DWP server in Domain A can be resolved by the DWP server in Domain B and vice versa.
- NOTE: Most MSP and OAuth issues have been resolved in versions 19.11 and later.
Set up an F5 redirection so that the DWP Catalog server authenticates against the external RSSO; that way the external URL authentication will work.
Integrating RSSO with Other Applications
1. Go to the section "BMC Remedy SSO for other BMC applications" in the following document:
Make sure that you perform all the steps for every application listed.
Integrating RSSO with DWP Mobile apps.
1.- Create new DNS entries for the DWP Mobile Applications, one for DWP A and one for DWP C. Your Network Team should be able to assist you.
2.- Create a new Realm for DWP Mobile and follow the steps below.
I. Enable Realm Configuration
In the left navigation panel of the Add Realm or Edit Realm page, click Authentication.
In the Authentication Type field, click SAML.
Select the Enable AR authentication for bypass check box to enable bypass URL to authenticate against AR. For more information about enabling BMC Remedy AR System authentication for bypass, see Enabling AR System authentication for bypass.
Enter the SAML details.
Click Test to verify the settings.
Remember that AR Authentication should go last in the Chain and that the UserID Transformation should match across all the Authentication Methods defined for the Realm.
NOTE: If you face any issues, collect the AR Java Plugin, RSSO Server/Client, Tomcat/Jetty and DWP logs and submit a case with BMC Support against the product that is failing.
See KA 000183979 - DWP Catalog - RSSO Troubleshooting / Changing RSSO Default logging directory for more details.