Connect with Remedy - Remedy Single Sign-On Webinar Q&A


    ________________________________________________________________

     

    Q: Does RSSO support using the same user in mid-tier, i.e.: no need for login, but using developer studio a password is required?

     

    A: Yes. RSSO supports integration with mid-tier. Once a user logs in to RSSO, he/she can use the same user in mid-tier. If the same user in the AR user form has a password, the password is required when he uses Developer Studio.

    ________________________________________________________________

     

    Q: Are there any plans for additional authentication methods like Kerberos in the future?

     

    A: Yes (via SAML)

    ________________________________________________________________

     

    Q: Does the RSSO work with Smart IT/MyIT?  Universal Client and the apps?

     

    A: Yes it does.

    ________________________________________________________________

     

    Q: Does this SSO web app need a local user store (like the AR User Store in BMC Atrium SSO) or it checks the users directly with the AR Server?

     

    A: RSSO does not have a local user store. It delegates user authentication to an identity provider, e.g. SAML IdP or AR. If AR authentication is used for RSSO, it checks the users directly with AR server.

    ________________________________________________________________

     

    Q: Does RSSO allow us to manipulate the login ID before sending to the IdP, so that we can facilitate unique

     

    A: RSSO supports user ID transformation after getting the user ID from the IdP, and maps it to the Remedy AR user login ID.

    ________________________________________________________________

     

    Q: Where is this AREAPlugin REST API/SSO configuration process documented?

     

    A: In general, it's configured during installation using the installer UI (AREA conf). If a manual change / setup is needed, there are two places: 1 - a new text file with the RSSO URL and 2 - a change in pluginsvr.xml

    ________________________________________________________________

     

    Q: If IIS is used as front-end webserver, and connection to tomcat is going via AJP using the isapi_redirect plugin. Is this supported by RSSO?

     

    A: IIS with tomcat for RSSO server is not tested. It might work.

    ________________________________________________________________

     

    Q: Just to clarify - So do the SSO WebApps need standalone infrastructure? Can we leverage existing mid-tier

     

    A: You can leverage the same web server as mid-tier.

    ________________________________________________________________

     

    Q: What DB type can you use with SSO WebApp?

     

    A: You can use the same DB instance as your AR server - currently MSSQL, Oracle and Db2 are supported.

    ________________________________________________________________

     

    Q: Repeat unanswered question:  Where is this AREAPlugin REST API/SSO configuration process documented?

     

    A: Details should be in the RSSO docs. In general, it's configured during installation using the installer UI (AREA conf). For a manual change / setup, there are two places: 1 - the Conf/rsso.cfg file with the RSSO URL specified and 2 - a change in pluginsvr.xml

    ________________________________________________________________

     

    Q: Will this work with JBOSS MidTier or only on Tomcat?

     

    A: We haven't tested it with JBOSS - not sure.   It is not certified, but should work. The RSSO agent deployed on MidTier is a standard JEE filter which does not use any specific web server API

    ________________________________________________________________

     

    Q: So this is an improvement from ASSO, correct? Because I have not found user ID transformation in ASSO.

     

    A: ASSO also supports user ID transformation, as far as I know.

    ________________________________________________________________

     

    Q: Does this app require SSL in order to work?

     

    A: If RSSO is configured to use SAML authentication, it’s likely SSL is required (for example, ADFS requires it), but if only AR authentication is used, SSL is not required. In general SSL should be enabled on the Load Balancer in front of the RSSO server nodes, not on the Tomcats where the RSSO servers are deployed.

    ________________________________________________________________

     

    Q: Is there any way to leverage RSSO for web service authentication? 

     

    A: For now it's only for end-users.

    ________________________________________________________________

     

    Q: The documentation states the following "The Apache Tomcat server that BMC Remedy Single Sign-On uses cannot be shared with any product that integrates with BMC Remedy Single Sign-On." But the presentation states it is possible

     

    A: Yes you can use the same tomcat as mid-tier. The documentation containing this installation topic will be fixed soon: https://docs.bmc.com/docs/display/public/brid90/Perform+BMC+Remedy+Single+Sign-On+Installation

    ________________________________________________________________

     

    Q: Are user sessions in the SSO WebApp tenant specific?

     

    A: Assuming ‘tenant’ here means ‘realm’, the answer is yes. A user session in RSSO is associated with a specific tenant/realm.

    ________________________________________________________________

     

    Q: Is it possible to handle guest users?

     

    A: If the IdP (e.g. AR) allows guest users, RSSO will allow guest user login.

    ________________________________________________________________

     

    Q: How are tenants and several IdPs handled if the URL to mid-tier/AR Server is the same for all tenants?

     

    A: There are two ways for the agent to identify the tenant: either by a different hostname in the URL or by a different value of a URL parameter. So if the hostname is the same for all tenants, you can use a query parameter to identify different tenants.

    ________________________________________________________________

     

    Q: You keep mentioning DB for state etc.  Is this the same DB as AR is installed or ?

     

    A: It doesn't matter - all you need is a JDBC-accessible DB. It may or may not be the same - it's up to you.

    ________________________________________________________________

     

    Q: I think this was not answered: Are user sessions in the SSO WebApp tenant specific?

     

    A: RSSO operates by 'realm' concept.  You can map it to the AR-tenant using different domain names for tenants

    ________________________________________________________________

     

    Q: Can you access mid-tier with sso even if you have a password in the user form?

     

    A: Yes.

    ________________________________________________________________

     

    Q: On DB replication, can the SSO Web App automatically re-direct to replicated DB, or is this a manual step?

     

    A: RSSO doesn't handle the DB replication, like the ASSO does. If you need it, it should be configured at the DB level outside the RSSO.

    ________________________________________________________________


     

    Q: Do you also have in mind to take care of the authorization features provided by SAML?

     

    A: At the moment RSSO is only an authentication provider, regardless of the protocol used.

    ________________________________________________________________

     

    Q: Is there any documentation on how to do automatic sign-in using certificate-based authentication or Windows NT authentication, rather than asking them to manually log in again?

     

    A: RSSO doesn't support certificate-based authentication and Kerberos out of the box at the current release, but you can configure RSSO to use ADFS and configure ADFS to use certificate-based authentication or Kerberos. In this way the user can sign in automatically.

    ________________________________________________________________

     

    Q: If SSO fails with Smart IT/MyIT in the app, does it send them to a login page?

     

    A: If the user fails to log in to the Smart IT/MyIT app, the user will be redirected to the login page.

    ________________________________________________________________

     

    Q: FIPS 140-2 certified?

     

    A: No. You may use Atrium SSO for FIPS.

    ________________________________________________________________

     

    Q: For HA you recommend 'database replication'. Does this mean that your HA is dependent on the speed your database can fail over to your secondary replicated DB?

     

    A: Yes, in general. But we have a limited amount of data to replicate - so, not sure that this will be an issue in most cases

    ________________________________________________________________

     

    Q: Does it support attribute mapping? For example. if the IdP returns an email address, can the SSO WebApp find the respective user in Remedy by querying the email address field?

     

    A: RSSO supports mapping an attribute to the user ID, which can then be mapped to the Remedy AR user login ID. But it does not support mapping an attribute to any other attribute, such as the email address field in the AR user form.

    ________________________________________________________________

     

    Q: I understand that RSSO does not do the replication and the DB does. The question was: will we need to manually change something in the SSO WebApp to point to the replicated DB?

     

    A: RSSO runs on JDBC, and the JDBC connection is configured per server. So it depends on your DB configuration. If you have a clustered DB, which allows "transparent" addressing - no. If it is two totally separate DBs - yes.

    ________________________________________________________________

     

    Q: Tenants and several IdPs again. If the ITSM server sends an email notification, how can RSSO differentiate the tenants and the IdP to use?

     

    A: Good question - we haven't tested this scenario exactly. I think it depends on the URL in the e-mail. If it's in the "full" form (with the tenant sub-domain) - there will be no difference.

    ________________________________________________________________

     

    Q: If using RSSO in a multidomain company, how to specify the cookie domain?

     

    A: The application URL and RSSO server URL have to be in the same domain. If there is a common domain for multiple domains of the company, you can specify that common domain as cookie domain.

    ________________________________________________________________

     

    Q: Yes, but I mean mapping the other way around. Can another Remedy attribute (in addition to the user id) be used in the mapping?

     

    A: Currently this is not supported

    ________________________________________________________________

     

    Q: We are on 8.1.2 of ARS platform. Since RSSO is standalone, can we install 9.0 version of RSSO and use it with 8.12 ARS and Smart IT 1.2

     

    A: Yes. Current version of RSSO 9.0.01 is certified for both ARS 8.1 and 9.0/9.0.01

    ________________________________________________________________

     

    Q: What user transformation options are there?

     

    A: Several simple options OOTB, e.g. to upper case, to lower case, remove email domain, etc. In the upcoming RSSO 9.1 release, RSSO supports a custom transformation plugin so you can implement your own transformation.

    ________________________________________________________________
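
A check worth running before enabling a transformation such as "remove email domain" from the answer above: two different IdP user IDs can end up as the same AR login ID. This is an added example, not BMC code or part of the webinar; the transformation labels, function names and sample user IDs are assumptions constructed for illustration.

```python
from collections import defaultdict

# Transformations named in the answer above. The keys are labels made up for
# this example; they are not RSSO configuration values.
TRANSFORMS = {
    "to_upper": str.upper,
    "to_lower": str.lower,
    "remove_email_domain": lambda uid: uid.split("@", 1)[0],
}

# Constructed sample of user IDs as two IdPs might return them.
SAMPLE_IDP_IDS = [
    "Alice@corp.example",
    "alice@partner.example",
    "bob@corp.example",
    "carol@corp.example",
]


def transform(user_id, steps):
    """Apply the named transformations in order and return the AR login ID."""
    for step in steps:
        user_id = TRANSFORMS[step](user_id)
    return user_id


def find_collisions(idp_user_ids, steps):
    """Map each resulting AR login ID to the IdP IDs that produce it.

    Only logins reached by more than one distinct IdP ID are returned; an
    empty login (e.g. from "@corp.example") is reported under the key "".
    """
    buckets = defaultdict(set)
    for uid in idp_user_ids:
        buckets[transform(uid, steps)].add(uid)
    return {
        login: sorted(ids)
        for login, ids in buckets.items()
        if len(ids) > 1 or login == ""
    }


if __name__ == "__main__":
    for steps in (["remove_email_domain"], ["remove_email_domain", "to_lower"]):
        print(steps, "->", find_collisions(SAMPLE_IDP_IDS, steps))
```

Run it against an export of the user IDs your IdPs actually return; any non-empty result means the chosen transformation chain merges distinct identities into one AR account.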

     

    Q: Can we use the same realm for both Mid-Tier and MyIT/Smart IT or they need different realms?

     

    A: Yes, a realm can be used for multiple applications. You only need to add the hostnames of the applications in Realm domains.

    ________________________________________________________________

     

    Q: Replicated DB implies two separate DBs and not a clustered DB.

     

    A: DB replication is transparent to RSSO. It could be a clustered DB or two separate DBs with replication. RSSO is simply configured to connect to a DB via a jdbc connection URL.

    ________________________________________________________________

     

    Q: If SSO fails with Smart IT/MyIT in the app, does it send them to a login page? In this moment this is not happening to me with Remedy 9 and SSO 9.0.01

     

    A: When you say SSO fails with Smart IT/MyIT in the app, do you mean it fails when the user types incorrect credentials in the login page, or it fails after the user is logged in?

    ________________________________________________________________

     

    Q: This is a challenge we face with a lot of customers right now - they want different authentication mechanisms for the same app URL. This is not possible with Atrium SSO and it looks like it is not possible with this webapp either.

     

    A: They use different query parameter value on the same app URL. RSSO agent can identify the tenant either using the hostname of the app URL or a special query parameter on the URL.

    ________________________________________________________________

     

    Q: Yes, I understand that we can add a parameter that will help the webapp choose the proper tenant and redirect to the proper IdP. But URLs for notifications are generated automatically by the AR Server and an additional parameter cannot be added.

     

    A: Yes, multi-company support using same application URL is in the roadmap

    ________________________________________________________________

     

    Q: Is this in the roadmap?

     

    A: If you are asking about multi-company support using the same application URL, the answer is yes.

    ________________________________________________________________

     

    Q: We never implemented Atrium SSO. We are looking for SSO solution for Smart IT. Which one is better to go. Remedy SSO or Atrium SSO?

     

    A: RSSO is the best way to go

    ________________________________________________________________

     

    Q: What about ADDM?

     

    A: ADDM is not currently supported; planned for future.

    ________________________________________________________________

     

    Q: Does "AR System Authentication" mean any of the existing AR methods? For example we are using AREA, is SSO to AREA supported?

     

    A: No, it's simply an AR authentication with username, password and empty authentication string. If the AREA plugin depends on the authentication string to verify login, SSO to AREA is not supported. If you are using LDAP AREA you can use LDAP authentication in the upcoming RSSO 9.1 release.

    ________________________________________________________________

     

    Q: Do you have in mind plugins in order to authenticate users against Twitter/Facebook/and so forth?

     

    A: OAuth is used by many social media sites for authentication. The current version of RSSO doesn't support it; it's in the product backlog though.

    ________________________________________________________________


    Q: Does RSSO support BSM dashboards currently?

     

    A: No. Also there are no plans for RSSO and BSM Dashboard integration.

    ________________________________________________________________

     

    Q: Does RSSO support BNA?

     

    A: No. Different product groups within BMC are actively evaluating RSSO integration with their respective product/suite. However, the current version of Remedy SSO is integrated with the following products only - Remedy ITSM/AR Server, Analytics for BSM, BMC My IT, BMC Remedy Smart IT, BMC MyIT Service Broker

    ________________________________________________________________

     

    Q: Atrium SSO is a separate product with separate licensing, Remedy SSO is part of AR System 9.# ?

     

    A: Remedy SSO is not licensed/priced separately and is included in your suite license. However, it is recommended to check with your BMC Account Manager about your current licenses and availability of RSSO.

    Also, from a product bundling perspective, RSSO is available as part of AR Server on the BMC EPD site.

    ________________________________________________________________

     

    Q: Any way to participate in these Beta tests? Or at least stay updated on them?

     

    A: BMC regularly announces Beta programs for different products via email and wiki (https://communities.bmc.com/community/programs). Send email to customer_programs@bmc.com to join our BMC Customer Programs.

    ________________________________________________________________

     

    Q: When was this initially released?

     

    A: Remedy SSO was first released as part of 9.0 SP1.

    ________________________________________________________________

     

    Q: What exactly is the difference between RSSO and ASSO?

     

    A: Please see the following wiki page for more details on the comparison between the 2 solutions - https://docs.bmc.com/docs/display/public/itsm90/9.0.01%3A+Service+Pack+1

     

    ________________________________________________________________

     

    Q: Will this Remedy SSO work with existing AR/ITSM Versions like 7.6 or 8.1 ?

     

    A: Remedy SSO is certified with AR 8.1 and 9.0/9.0.01.

    ________________________________________________________________

     

    Q: Will Remedy SSO support additional authentications like LDAP or CAC/PIV Cards in the upcoming Remedy SSO releases?

     

    A: LDAP support is in the upcoming RSSO 9.1 release. CAC/PIV or Smart Card support is planned for the future.

    ________________________________________________________________