3 Replies Latest reply on Nov 23, 2017 3:24 AM by Aleksey Vyazovsky

    Remedy SSO configuration issue

    Harry Lee

      I installed Remedy SSO 9.1.03 in QA Remedy midtier server.

      Installation went smooth.

      I configured the general settings.  Some examples would have helped greatly.  For Service Channel, do I just put the URL of the midtier server?  Do I put /rsso at the end?

      I tried to follow all the steps in the guide.

       

      SAMLv2 authentication process - BMC Remedy Single Sign-On 9.1 - BMC Documentation

      A little confusing whether HTTPS is required, as it says that if a load balancer is there, all communication is done by HTTP.

      Security planning - BMC Remedy Single Sign-On 9.1 - BMC Documentation

       

      Question

      Remedy SSO requires HTTPS?  If so, is self signed cert ok?

       

      https:// was configured and set up.

      signing cert was created manually and stored on D:\

      We created the realm and set it to SAML

      We imported the ADFS metadata xml file and it set some of the fields properly.

       

      Next had to export the SSL cert for tomcat as a CER file.

      Did the same for the signing certificate.

       

      Had ADFS team import into MMC trusted section.

       

      Tried to add relying partner trust.

      But get an error when using the URL.

      Error: An error occurred during an attempt to read the federation metadata.  Verify that the specified URL or host name is a valid federation metadata endpoint.

      ADFS team can browse to the URL (but have to click on continue to site due to certificate)

       

      Couldn't get past this error.

      So we saved the metadata (from the RSSO realms>View metadata) page as an xml and imported it as a file.

      Went through the next steps.

      Changed hash to SHA-1

      Did the custom claim rule and copied the script from the guide.

      Modified it with the URL (although I didn't know the format it needs)

       

      Then ADFS team exported their certificates

      I imported them using Keystore explorer.

      I wasn't sure if all 3 certificates needed to be exported and imported.  It's not clear.

       

       

      When I browse to the URL/arsys, it just goes the regular remedy midtier login page.

      It doesn't redirect.

       

      If I go to the ADFS login URL and select the Relying partner trust to log in, I get an error.

      Failed to process SAML Message, cause: no SAMLResponse or SAMLRequest query parameter.

       

      Question

      If I install Remedy SSO on the Remedy midtier, do I need to still install the integration to midtier?

       

      Are there any steps I may have missed or gotten wrong?

       

      Thanks in advance!
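The post above works around the federation-metadata read error by saving the XML from the RSSO realm's "View metadata" page and importing it into ADFS as a file. Before handing such a file to an IdP team it is worth checking offline what it actually declares: the entityID, the assertion consumer endpoints, whether they are HTTPS, and the fingerprint of the embedded signing certificate (which should match the certificate exported for ADFS). The script below is an added example, not BMC or ADFS code; the metadata, the hostnames (`midtier.example.test`) and the certificate bytes are constructed placeholders, and the element layout follows the SAML 2.0 metadata schema rather than any specific RSSO output.

```python
"""Offline inspection of a SAML 2.0 SP metadata file.

Added example, not BMC or ADFS code. SAMPLE_METADATA is constructed:
hostnames are placeholders and the X509Certificate is not a real certificate.
"""
import base64
import hashlib
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# Constructed stand-in for DER certificate bytes (not a real certificate).
FAKE_CERT_DER = b"constructed, not a real DER certificate"
FAKE_CERT_B64 = base64.b64encode(FAKE_CERT_DER).decode("ascii")

# Constructed sample SP metadata with placeholder values.
SAMPLE_METADATA = f"""<?xml version="1.0" encoding="UTF-8"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    entityID="https://midtier.example.test/rsso">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"
      AuthnRequestsSigned="true" WantAssertionsSigned="true">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data>
        <ds:X509Certificate>{FAKE_CERT_B64}</ds:X509Certificate>
      </ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</md:NameIDFormat>
    <md:AssertionConsumerService index="0" isDefault="true"
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://midtier.example.test/rsso/saml2/sp/acs"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>
"""


def parse_sp_metadata(xml_text):
    """Extract the fields an IdP admin needs to check from SP metadata."""
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}EntityDescriptor" % NS["md"]:
        raise ValueError("root element is not md:EntityDescriptor")
    sp = root.find("md:SPSSODescriptor", NS)
    if sp is None:
        raise ValueError("no SPSSODescriptor: this is not service-provider metadata")
    certs = []
    for kd in sp.findall("md:KeyDescriptor", NS):
        for cert in kd.findall(".//ds:X509Certificate", NS):
            # PEM-style line wrapping inside the element is allowed; strip it.
            der = base64.b64decode("".join((cert.text or "").split()))
            certs.append({
                "use": kd.get("use", "signing+encryption"),  # no 'use' means both
                "der_len": len(der),
                "sha256": hashlib.sha256(der).hexdigest(),
            })
    return {
        "entity_id": root.get("entityID"),
        "authn_requests_signed": sp.get("AuthnRequestsSigned", "false").lower() == "true",
        "want_assertions_signed": sp.get("WantAssertionsSigned", "false").lower() == "true",
        "nameid_formats": [(n.text or "").strip() for n in sp.findall("md:NameIDFormat", NS)],
        "acs": [(a.get("Binding"), a.get("Location"))
                for a in sp.findall("md:AssertionConsumerService", NS)],
        "certs": certs,
    }


def review_sp_metadata(info):
    """Findings worth resolving before the file is handed to the IdP team."""
    findings = []
    if not info["certs"]:
        findings.append("no certificate in metadata: IdP cannot verify signed AuthnRequests")
    if not info["acs"]:
        findings.append("no AssertionConsumerService: IdP has nowhere to POST the response")
    for _binding, location in info["acs"]:
        if not (location or "").lower().startswith("https://"):
            findings.append("ACS endpoint is not HTTPS: %s" % location)
    if not info["want_assertions_signed"]:
        findings.append("WantAssertionsSigned is false: unsigned assertions would be accepted")
    return findings


if __name__ == "__main__":
    parsed = parse_sp_metadata(SAMPLE_METADATA)
    print("entityID:", parsed["entity_id"])
    for cert in parsed["certs"]:
        print("%s cert sha256: %s" % (cert["use"], cert["sha256"]))
    print("findings:", review_sp_metadata(parsed) or "none")
```

The SHA-256 printed for each certificate can be compared against the fingerprint of the CER file exported from the Tomcat keystore, which confirms the metadata carries the certificate the IdP team was actually given.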

        • 1. Re: Remedy SSO configuration issue
          Aleksey Vyazovsky

          Hello Harry

          Could you provide more information which applications you need to integrate with RSSO?

          You mentioned Midtier. You can find the relevant integration topic here:

          https://docs.bmc.com/docs/display/rsso91/Integrating

           

          Typically you should use HTTPS for all end-user facing resources which contain sensitive data like authentication tokens or confidential information.

          If you use load-balancers, firewalls, reverse proxies, etc. which communicate with the end-users, then for the sake of performance you can terminate HTTPS traffic on the load-balancer and use HTTP only for server-to-server communications.

          We'll extend the Security Planning topic to explain this more clearly.

           

          Didn't get the question about SAML. Did you face any specific issues configuring this?

           

          Regards, Aleksey

          • 2. Re: Remedy SSO configuration issue
            Harry Lee

            Sorry about the late update.

             

            Couple of things.

            First I didn't realize AR System integration was required.

            So all the integration parts have to be installed.

            I don't think I saw any documentation stating the AR System was a required step.

            I assumed the midtier was the integration needed and that it would do the talking with AR System after integration.

             

            Second, the custom claim rule didn't work for us.

            The custom claim rule in the doc uses UPN.

            The client didn't have a usable UPN that would translate into their Remedy login ID format.

             

            Finally figured out a custom claim rule that worked for us (the condition used to be on upn):

                c:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/Name"]
                 => issue(
                    Type = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier",
                    Issuer = c.Issuer,
                    OriginalIssuer = c.OriginalIssuer,
                    Value = c.Value,
                    ValueType = c.ValueType,
                    Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/format"] = "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified",
                    Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/namequalifier"] = "client.com/adfs/trust",
                    Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/spnamequalifier"] = "client/*");
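The claim rule in the reply above turns the Name claim into a SAML NameID with the format, NameQualifier and SPNameQualifier properties set as shown. When the SP still fails to map a user, the quickest way to see what ADFS actually issued is to decode the SAMLResponse form field posted to the ACS and look at the NameID element. The script below is an added example, not BMC or ADFS code: it decodes a constructed, unsigned response (placeholder issuer `adfs.example.test`, user `jdoe`, SP entityID `https://midtier.example.test/rsso`) and reports why the subject would or would not map. It inspects content only; signature, replay and validity-window checks remain the SP's job.

```python
"""Decode a SAMLResponse POST parameter and inspect the NameID it carries.

Added example, not BMC or ADFS code. RESPONSE_XML is constructed and
unsigned; this is a troubleshooting content check, not signature validation.
"""
import base64
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
UNSPECIFIED = "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"

# Constructed sample: placeholder hosts, user and issuer; no ds:Signature.
RESPONSE_XML = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_resp1" Version="2.0"
    IssueInstant="2017-11-01T00:00:00Z"
    Destination="https://midtier.example.test/rsso/saml2/sp/acs">
  <saml:Issuer>http://adfs.example.test/adfs/services/trust</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
  <saml:Assertion ID="_assert1" Version="2.0" IssueInstant="2017-11-01T00:00:00Z">
    <saml:Issuer>http://adfs.example.test/adfs/services/trust</saml:Issuer>
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"
          NameQualifier="client.com/adfs/trust" SPNameQualifier="client/*">jdoe</saml:NameID>
    </saml:Subject>
    <saml:Conditions NotBefore="2017-11-01T00:00:00Z" NotOnOrAfter="2017-11-01T00:05:00Z">
      <saml:AudienceRestriction>
        <saml:Audience>https://midtier.example.test/rsso</saml:Audience>
      </saml:AudienceRestriction>
    </saml:Conditions>
  </saml:Assertion>
</samlp:Response>"""

# What the browser carries in the SAMLResponse POST field (plain base64 for HTTP-POST).
ENCODED_RESPONSE = base64.b64encode(RESPONSE_XML.encode("utf-8")).decode("ascii")


def decode_saml_response(form_value):
    """HTTP-POST binding: the parameter is base64 of the XML, not deflated."""
    return base64.b64decode(form_value).decode("utf-8")


def extract_subject(xml_text):
    """Pull out status, issuer, NameID (with its qualifiers) and audiences."""
    root = ET.fromstring(xml_text)
    status = root.find("samlp:Status/samlp:StatusCode", NS)
    nameid = root.find("saml:Assertion/saml:Subject/saml:NameID", NS)
    audiences = root.findall(
        "saml:Assertion/saml:Conditions/saml:AudienceRestriction/saml:Audience", NS)
    return {
        "status": None if status is None else status.get("Value"),
        "issuer": root.findtext("saml:Issuer", default="", namespaces=NS).strip(),
        "nameid": None if nameid is None else {
            "value": (nameid.text or "").strip(),
            "format": nameid.get("Format"),
            "name_qualifier": nameid.get("NameQualifier"),
            "sp_name_qualifier": nameid.get("SPNameQualifier"),
        },
        "audiences": [(a.text or "").strip() for a in audiences],
    }


def check_mapping(subject, sp_entity_id, expected_format=UNSPECIFIED):
    """Explain why the SP could not map this response to a local user."""
    findings = []
    if subject["status"] != SUCCESS:
        findings.append("status is %s, not Success" % subject["status"])
    if subject["nameid"] is None:
        findings.append("no NameID: the claim rule did not issue a nameidentifier claim")
    else:
        if subject["nameid"]["format"] != expected_format:
            findings.append("NameID format %s does not match the realm's expected %s"
                            % (subject["nameid"]["format"], expected_format))
        if not subject["nameid"]["value"]:
            findings.append("NameID is empty: the source claim had no value for this user")
    if sp_entity_id not in subject["audiences"]:
        findings.append("audience does not include SP entityID %s" % sp_entity_id)
    return findings


if __name__ == "__main__":
    subj = extract_subject(decode_saml_response(ENCODED_RESPONSE))
    print("issuer:", subj["issuer"])
    print("nameid:", subj["nameid"])
    print("findings:", check_mapping(subj, "https://midtier.example.test/rsso") or "none")
```

With a real response captured from the browser's POST to the ACS, the NameID value shown is exactly the string the SP will try to match against the Remedy login ID, which makes it easy to see whether the source claim chosen in the rule produces the expected login format.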

            • 3. Re: Remedy SSO configuration issue
              Aleksey Vyazovsky

              Hi, we'll update the docs to say that Midtier and AR integration should be done to integrate Remedy with RSSO. Thanks for pointing to this. SAML configuration is specific to your SAML Identity Provider. RSSO documentation provides just an example. So it is true that you need to change the claim rules to meet your IdP specifics.

              Regards, Aleksey