I have an answer from BMC: AREA SSO. It amounts to a mid-tier authentication module and a plug-in that eliminate the presentation of the login form. Authentication occurs on the customer side. The customer delivers a URL with the login information and a security token to onbmc.com. The AREA SSO components on the onbmc side validate the authenticity of the URL originating from the customer side and containing the login ID.
Unfortunately the BMC AREA SSO module isn't the correct answer to SAML and you have been given poor advice.
The "encrypted token" solution is highly insecure as effectively you have a token that is no more than an encrypted username. To put this into context, it's less secure than giving people a password. If someone discovers the key, which could be achieved through brute force using their own token, they can login as anyone. I can't think of any serious online business using such a system, and I note Salesforce offer a SAML implementation.
SAML and OpenID use a far more complex methodology for delivering SSO, and they exist because encrypted tokens are not an accepted good solution.
SSO Plugin for BMC ITSM
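To make the difference concrete, here is an added illustration (not code from the thread, from BMC or from JSS) that puts the "encrypted username" token design next to a minimal assertion carrying the properties SAML and OpenID assertions have: issuer, audience, issue and expiry times and a one-time ID, all covered by a signature. The key, hostnames and user names are constructed for the example, and HMAC stands in for the identity provider's signature.

```python
"""Added example: 'encrypted username' token vs. a minimal signed SSO assertion.
Everything here (keys, hostnames, users) is constructed for illustration."""
import base64
import hashlib
import hmac
import json
import os
import time
from typing import Optional


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


# ---- The "encrypted token" design discussed in the thread -------------------
# A toy keystream cipher stands in for whatever cipher a product would use; the
# weakness shown is the design (a bare username and nothing else), not the cipher.
def weak_token(username: str, key: bytes) -> str:
    ks = hashlib.sha256(key).digest()
    return _b64(bytes(b ^ ks[i % 32] for i, b in enumerate(username.encode())))


def weak_verify(token: str, key: bytes) -> str:
    """No expiry, no audience, no replay check: a captured token stays valid
    forever, and anyone holding the key can mint a token for any user."""
    ks = hashlib.sha256(key).digest()
    return bytes(b ^ ks[i % 32] for i, b in enumerate(_unb64(token))).decode()


# ---- A minimal assertion with the properties SAML/OpenID assertions carry ---
# HMAC stands in for the IdP's XML signature. In real SAML the IdP signs with a
# private key, so the service provider holds only the public key and cannot
# mint assertions itself; with HMAC both sides share the secret.
def issue_assertion(subject: str, issuer: str, audience: str, key: bytes,
                    ttl: int = 300, now: Optional[int] = None) -> str:
    now = int(time.time()) if now is None else now
    claims = {"sub": subject, "iss": issuer, "aud": audience,
              "iat": now, "exp": now + ttl, "jti": os.urandom(8).hex()}
    body = json.dumps(claims, sort_keys=True).encode()
    return _b64(body) + "." + _b64(hmac.new(key, body, hashlib.sha256).digest())


class AssertionVerifier:
    def __init__(self, key: bytes, issuer: str, audience: str):
        self.key, self.issuer, self.audience = key, issuer, audience
        self.seen_ids = set()  # replay cache; in practice pruned once exp passes

    def verify(self, assertion: str, now: Optional[int] = None) -> str:
        now = int(time.time()) if now is None else now
        body_b64, sig_b64 = assertion.split(".")
        body = _unb64(body_b64)
        expected = hmac.new(self.key, body, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _unb64(sig_b64)):
            raise ValueError("bad signature")
        claims = json.loads(body)
        if claims["iss"] != self.issuer:
            raise ValueError("unknown issuer")
        if claims["aud"] != self.audience:
            raise ValueError("assertion meant for another service")
        if not claims["iat"] <= now < claims["exp"]:
            raise ValueError("assertion expired or not yet valid")
        if claims["jti"] in self.seen_ids:
            raise ValueError("replayed assertion")
        self.seen_ids.add(claims["jti"])
        return claims["sub"]


def _rewrite_subject(assertion: str, new_sub: str) -> str:
    """Edit the claims but keep the old signature (simulates tampering in transit)."""
    body_b64, sig_b64 = assertion.split(".")
    claims = json.loads(_unb64(body_b64))
    claims["sub"] = new_sub
    return _b64(json.dumps(claims, sort_keys=True).encode()) + "." + sig_b64


def demo() -> dict:
    key, idp, sp = b"constructed-demo-key", "https://idp.example.test", "https://itsm.example.test"
    results = {}
    t = weak_token("alice", key)
    results["weak_first"] = weak_verify(t, key)
    results["weak_replay_years_later"] = weak_verify(t, key)  # still accepted

    verifier = AssertionVerifier(key, idp, sp)
    a = issue_assertion("alice", idp, sp, key, now=1_000_000)
    results["strong_first"] = verifier.verify(a, now=1_000_010)
    attempts = {
        "replay": lambda: verifier.verify(a, now=1_000_020),
        "expired": lambda: verifier.verify(issue_assertion("alice", idp, sp, key, now=1_000_000), now=1_000_400),
        "wrong_audience": lambda: verifier.verify(issue_assertion("alice", idp, "https://other.example.test", key, now=1_000_000), now=1_000_010),
        "tampered": lambda: verifier.verify(_rewrite_subject(a, "bob"), now=1_000_010),
    }
    for label, attempt in attempts.items():
        try:
            attempt()
            results[label] = "accepted"
        except ValueError as err:
            results[label] = str(err)
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name:26} {outcome}")
```

The weak token round-trips to the same username no matter how often or how late it is presented, which is the point made above: it is an encrypted username and nothing more. The assertion verifier rejects the same four things a SAML service provider checks for, and the replay cache is why a one-time ID and a short validity window belong together.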
Thank you. I was very interested to learn about this product. I have watched the "video walkthrough" and one thing is not clear to me - how would this plugin work in a hosted solution where the BMC mid-tier does not have access to our corporate Active Directory server? During our project, our implementers became rather frustrated with us when we would not give them access, from the Internet, to our Active Directory. Who would do that?
Your points about security are excellent. Not to challenge, but to discuss - we certainly considered the risks of the AREA SSO solution we were given. One aspect swayed us in the direction of using it, namely the level of risk associated with the data, which is relatively low. I mean to say that BMC is not an HR or a payments system. So, while we would prefer something more secure, we are content enough in the meantime, and the current solution is working quite well for us.
Starting with the point about security, you are correct that the ITSM data is not hugely personal; however, if you consider what could be in the database, it is a security risk. There will be people's usernames, telephone extensions, IP addresses, workstation names, versions of hardware/software. With something like the version of your firewall and perhaps a CR telling me when you plan to implement a hot fix to work around some security issue, an attacker would be pleased to exploit the issue before the CR is implemented.
On the subject of your AD, there are a number of ways:
* Some companies providing RemedyOnDemand services will run a VPN tunnel from the organisation's Windows network to the OnDemand service, so the organisation making use of it can either use SSO over the VPN, or login manually over the Internet.
* Another good solution would be to use Microsoft ADFS (running in the organisation's network) to achieve SSO for those logged into a Windows Domain, without the need for a VPN. SSO Plugin has been fully tested with ADFS2 and clients are using it today.
One of the assumptions we have discovered is that SSO is easy; anyone can do it. It's true that a good developer could implement a solution, and the very best will provide something secure. However, such a solution would be a bespoke solution and wouldn't be backed by 24x7x365 support and a team of experts. BMC's energies are focused on ITSM, because that's what they do; BMC do not focus on SSO. And JSS do not focus on ITSM (well, not officially :-); we do nothing but integrations and SSO.
In the event you are using the "encrypted token" non-solution, you may want to think about what's in your database and whether you'd make it public given the choice. If you believe it is private data, it's time to install a real SSO solution.