DWP Advanced-How to Integrate DWP Advanced/Catalog/Mobile with RSSO?

Version 24

    This document contains official content from the BMC Software Knowledge Base. It is automatically updated when the knowledge article is modified.


    PRODUCT:

    BMC Digital Workplace Advanced


    COMPONENT:

    MyIT Service Broker


    APPLIES TO:

    BMC Digital Workplace Advanced Catalog, DWP Mobile, DWP Advanced, RSSO



    QUESTION:

    What are the best practices to configure RSSO with DWP Advanced and with other Applications?


    ANSWER:

     

    READ ME FIRST:

       
       
    • You don't need to enable Chaining Mode if AR Authentication Type is the only method that is being used.
    • The RSSO URL must be the RSSO Server FQDN and not a server alias. This applies to every application's rsso-agents.properties, the AR Server's rsso.cfg and the RSSO Admin BackChannel URL.
    • The RemoveEmailDomain option is no longer needed when ignore-tenant=true is set on Midtier, DWP, SmartIT and the rest of the applications.
    • Remove the trailing / from the Backchannel URL in the RSSO Admin Console - General Tab / Server Configuration.
       
      

    DWP CATALOG CONFIGURATION STEPS     

      

       
    Make sure that you have performed the steps below in the DWP Catalog prior to configuring the RSSO Realm.

      

    Default user ID Transformation is: None
     

      

    Configure the external authentication options using BMC Remedy Mid Tier/Remedy User Tool

      


     The following configuration must be performed using the credentials of the application administrator user, specified in the installation configuration as: <BMC_DWP_ADMIN>. In the following steps, the example <BMC_DWP_ADMIN> account is the default dwpadmin user.

      

    Log on to the BMC Remedy Mid Tier configured for the BMC Digital Workplace Catalog server as the application administrator.

    NOTE: Midtier 19.02 is not compatible with DWP Catalog. Use any other version of Midtier.

     

      
       
    1. Select AR System Administration > AR System Administration Console.
    2. Expand Common Server Configuration > General.
    3. Click Server Information.
    4. On the EA tab at the server level:
      • Set External Authentication Server RPC Program Number to 390695.
      • Clear the Cross Reference Blank Password check box.

    • Ignore the warning to restart the AR System server. You will restart after you configure the tenant settings.
    • Click Apply.
    • Click Close to return to Common Server Configuration > General.
    • Log out of the AR System Administration Console.

      
       

     

       


    To prepare for Remedy ITSM user sync utility

       

     

       

    If you will be copying users from an existing Remedy IT Service Management user database, you must modify a tenant configuration setting as the tenant administrator.
    In the following steps, the example tenant administrator is hannah_admin@domain.com.

     

       
        
    1. Log on to the BMC Remedy Mid Tier configured for the BMC Digital Workplace Catalog server as the tenant administrator.
    2. Select AR System Administration > AR System Administration Console.
    3. Expand Tenant Server Configuration > General.
    4. Click Server Information.
    5. On the EA tab:
      • Select the Cross Reference Blank Password check box.
      • From the Authentication Chaining Mode options, select ARS - AREA.

    • Click Apply.
    • Click Close to return to Tenant Server Configuration > General.
    • Log out of the AR System Administration Console.
    • Restart dwpcontroller.
       



    https://docs.bmc.com/docs/digitalworkplaceadvanced/35/configuring-bmc-remedy-single-sign-on-integration-for-bmc-digital-workplace-catalog-771814045.html?src=search


     

       

    These are all the things that you need to consider when integrating DWP Catalog/DWP A with RSSO.

      
      

    1. Enable Chaining Mode for each and every Realm defined in the RSSO Admin Console, and make sure that you have AR Authentication Type for all of them. Enable AR authentication for bypass, too.
     

      

    Note that the AR Authentication Type goes last. This means that the SAML, AD, LDAP and Kerberos authentication methods should always go in front of AR Authentication (when using Chaining Mode only).

      


    2. User ID Transformation must be the same for each and every Authentication Type defined for every single Realm.
       

      

    NOTE: If you have LDAP, Kerberos, AD or SAML with upper case login IDs, then use the attached jar file, uidtransformDomainaLowercase.jar, to get an additional User ID Transformation Method > RemoveDomainandlowercase. This is not officially supported.

      


    If you need any other specific User ID Transformation method, like Upper Case Transformation, you need to build a jar. Make sure the loginID record matches across DWP C and ITSM.



     

      

     IMPORTANT! This file needs to be placed under <TomcatInstallDirectory>/webapps/rsso/WEB-INF/lib/ and requires a Tomcat restart.

      



    3. Make sure that the hannah_admin record exists on both ends, DWP Catalog and ITSM, on the CTM People and User forms, with the exact same password.
    Also, make sure it has the Admin, MyIT Admin and MyIT Super Admin Group List defined (this is set under the User form) and give it a fixed license.

     

      

    IMPORTANT! Note that the loginID should not have the domain on it, i.e. hannah_admin@domain.com

      




    4. For DWP Catalog only: Edit the User record of the users who are going to administer the DWP Catalog. This is done under the DWP Catalog User Form, either via Midtier or Remedy User Tool.
     

      

    In the Group List field, put Administrator, sbe-catalog-admins first, and remove sbe-myit-users from these users' Group List. You can have more groups defined in the Group List, but you have to make sure those two go first and in that specific order.
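
    The rules this article states for realm chaining (AR Authentication last, the same User ID Transformation for every authentication type in a realm) and for RSSO URLs (FQDN host, no trailing / on the Backchannel URL) can be checked mechanically. The Python script below is an added example, not BMC code; the realm names, URLs and function names are constructed for illustration, and the data is typed in by hand from the RSSO Admin Console rather than read from RSSO.

```python
import ipaddress
from urllib.parse import urlsplit

def check_rsso_url(label, url, backchannel=False):
    """Findings for one RSSO URL: FQDN host; back-channel URL has no trailing '/'."""
    findings = []
    host = urlsplit(url).hostname or ""
    try:
        ipaddress.ip_address(host)
        is_ip = True
    except ValueError:
        is_ip = False
    # String check only: it catches short names and IP literals. Whether an
    # FQDN is itself a DNS alias has to be confirmed against DNS.
    if is_ip or "." not in host:
        findings.append(f"{label}: host '{host}' is not a fully qualified domain name")
    if backchannel and url.endswith("/"):
        findings.append(f"{label}: remove the trailing '/' from the back-channel URL")
    return findings

def check_realm(realm, chain):
    """chain: ordered (authentication type, User ID Transformation) pairs of one realm."""
    findings = []
    types = [auth for auth, _ in chain]
    if "AR" not in types:
        findings.append(f"{realm}: no AR authentication in the realm")
    elif types[-1] != "AR":
        findings.append(f"{realm}: AR authentication must be last in the chain")
    transforms = sorted({t for _, t in chain})
    if len(transforms) > 1:
        findings.append(f"{realm}: User ID Transformation differs: {', '.join(transforms)}")
    return findings

# Constructed sample data (hypothetical realms and hosts, not from a real system).
SAMPLE_REALMS = {
    "dwp": [("KERBEROS", "None"), ("SAML", "None"), ("AR", "None")],
    "dwp-mobile": [("AR", "None"), ("SAML", "RemoveEmailDomain")],
}
SAMPLE_URLS = [
    ("agent URL", "https://rsso01.example.com:8443/rsso", False),
    ("back-channel URL", "https://rsso:8443/rsso/", True),
]

def run_checks(realms=SAMPLE_REALMS, urls=SAMPLE_URLS):
    findings = [f for name, chain in realms.items() for f in check_realm(name, chain)]
    for label, url, backchannel in urls:
        findings += check_rsso_url(label, url, backchannel)
    return findings

if __name__ == "__main__":
    print("\n".join(run_checks()) or "no findings")
```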

      

     

      

    EXTRA - WORKING WITH EXTERNAL AND INTERNAL RSSO SERVERS ON DWP CLUSTERS

      

          

      
       
    1. If you have 2 or more DWP servers, then you will have to point them to a single database (basically as a cluster); some DWP server(s) will be externally facing and the rest will be internally facing.
    2. Subsequently, there would be 2 RSSO servers (one external, one internal) with a single database.
    3. With the RSSO configuration, you should have a single realm with authentication chaining. In this case, there won't be a need to point to multiple DWPC URLs under the Enhanced Catalog Admin.
    4. In this example, the first one is Kerberos and the fallback will be SAML. So when users access the internal DWP server, they would use Kerberos, while external users would authenticate via SAML.

      


    If you have different domains (URLs) for DMZ and Intranet, then make sure the servers can talk to each other, and that the DWP server in Domain A can be resolved by the DWP server in Domain B and vice versa.

      

                      Alternative:
                      B) Set up an F5 redirection so that the DWP Catalog server authenticates against the external RSSO; that way the external URL authentication will work.

      

     

      

     

      

    These are all the things that you need to consider when integrating RSSO with Other Applications

       

    1. Go to the section "BMC Remedy SSO for other BMC applications" in the following document:
     

      

    https://docs.bmc.com/docs/display/dwpadv1902/Configuring+BMC+Remedy+Single+Sign-On+integration+for+BMC+Digital+Workplace+Catalog

      

    And make sure that you perform all the steps for every application listed.

      

     

      

     

      

    Integrate RSSO with DWP Mobile apps.

      


    Prerequisites:
     

      

    1.- Create new DNS entries for DWP for Mobile Applications, one for DWP A and one for DWP C. Your Network Team should be able to assist you.
    2.- Create a new Realm for DWP Mobile and follow the below steps.

     

      

    I. Enable Realm Configuration

      
       


     In the left navigation panel of the Add Realm or Edit Realm page, click Authentication.

    1. In the Authentication Type field, click KERBEROS.
    2. Select the Enable AR authentication for bypass check box to enable the bypass URL to authenticate against AR. For more information about enabling BMC Remedy AR System authentication for bypass, see Enabling AR System authentication for bypass.
    3. Enter the Kerberos details. For more information on parameters, see Kerberos authentication parameters.
    4. Click Test to verify the settings.
    5. Click Enable Chaining Mode to enable authentication chaining and perform the following steps. For more information about the authentications that you can chain with LDAP, see Authentication chaining.
      a. Click Add Authentication.
      b. Select the required authentication type (it could be SAML, LDAP or AD) and enter the authentication details.
      c. Repeat Step a through Step b to add more authentications for the realm.
    6. Remember that AR Authentication should go last in the chain and that the User ID Transformation should match across all the authentication methods defined for the realm.
    7. Click Save.
       


    NOTE: If you face any issues, collect AR JavaPlugin/RSSO Server-Client/Tomcat/Jetty/DWP logging and submit a case with BMC Support against the product that is failing.


    Check these other KA on RSSO Integration

    000145017 - SmartIT RSSO
    000147399 - AR Server RSSO
    000142047 - Midtier RSSO  - for TOMCAT 8.0 and beyond..
    000172660 - BMC RSSO - malformed Back channel URL throws "Error: Could not register consumer 'ar_plugin' at server 'https://<rsso_server>:<port>/rsso/" - Cannot logon into MidTier after RSSO Upgrade (18.08)

     

      

     


    Article Number:

    000163989


    Article Type:

    FAQ/Procedural


