9 Replies Latest reply on Mar 13, 2018 4:00 PM by Serena Lambiase

    Issue in integrating BCM Webconsole with Remedy SSO (RSSO)

    Prakash Vasudevarao

      We are having issues with BCM webconsole authenticating with RSSO using SAMLv2. The BCM webconsole directs to RSSO for login (in this case gets the username from SAMLv2 IdP successfully) and after that it comes back to the webconsole login prompt instead of providing the authenticated content. What might be causing BCM to ignore the successfully authenticated login token and ask to log in again with username / password? Has anyone successfully integrated BCM Webconsole with RSSO?

       

      Thanks, Prakash

        • 1. Re: Issue in integrating BCM Webconsole with Remedy SSO (RSSO)
          Christophe Truc

          Hello,

           

          The user authenticated through RSSO must be a valid BCM user at the same time, and must have been synchronized through active directory. Otherwise, the BCM system will not be able to determine who has been authenticated. For instance, authenticated user jdoe must exist in BCM as jdoe (login name synchronized through ldap). Are you in this situation?

          • 2. Re: Issue in integrating BCM Webconsole with Remedy SSO (RSSO)
            Prakash Vasudevarao

            Yes, the users exist in the BCM repository, and in fact these are users who currently use the Java-based console for BCM. What must be missing that BCM thinks the user gotten through RSSO is not the same and displays the login window?

             

            Thanks, Prakash

            • 3. Re: Issue in integrating BCM Webconsole with Remedy SSO (RSSO)
              Christophe Truc

              There are many possibilities:

              • BCM may not find the user based on the authenticated login name.
              • Multiple users may be found for the authenticated login name.
              • The BCM user may not be enabled.
              • The BCM user may not be synchronized through LDAP.

               

              In any case, the Master log file should help because most of these error cases are printed.

              • 4. Re: Issue in integrating BCM Webconsole with Remedy SSO (RSSO)
                Prakash Vasudevarao

                Hi Chris,

                 

                - login name matches from RSSO to BCM

                - only one user found for authenticated login name

                - BCM user is enabled

                - BCM user is not synchronized with LDAP, as users are created manually and stored in the BCM repository. RSSO is the service provider; it talks to the identity provider via SAMLv2 and gets the authenticated login name, which is in turn handed off to BCM

                - there are no errors in the master log - however, following info is in mtxagent.log:

                 

                2018/03/07 14:44:32 Vision64Database             I   [139795508512512] <RSSO> Authentication token has been extracted
                2018/03/07 14:44:32 Vision64Database             I   [139795508512512] The pinned certificate was found
                2018/03/07 14:44:32 Vision64Database             W   [139795508512512] RSSO user matches a non LDAP application administrator (adams.james)
                2018/03/07 14:44:32 AgentActionDB                I   [139795508512512] Service GET '/api/rsso/access' returned 0
                2018/03/07 14:44:32 Server                       D   [139795508512512] JSON Service: /api/rsso/access
                2018/03/07 14:44:32 Server                       D   [139795458148096] Request URL: /api/1/webconsole/info
                2018/03/07 14:44:32 AgentActionDB                I   [139795458148096] Service GET /api/1/webconsole/info do not require authentication
                2018/03/07 14:44:32 AgentActionDB                I   [139795458148096] Invoke local service GET '/api/1/webconsole/info'
                2018/03/07 14:44:32 AgentActionDB                I   [139795458148096] Service GET '/api/1/webconsole/info' returned 0
                2018/03/07 14:44:32 Server                       D   [139795458148096] JSON Service: /api/1/webconsole/info

                 

                Any ideas?

                 

                 

                Thanks, Prakash

                • 5. Re: Issue in integrating BCM Webconsole with Remedy SSO (RSSO)
                  Christophe Truc

                  Hello,

                   

                  Unfortunately, this is the root cause. Currently, having the BCM users synchronized through LDAP is a requirement, hence the error message. Is LDAP users synchronization an option in your environment?

                   

                  Chris.
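
Added example, not part of the original thread and not BMC code: a small triage script for the situation diagnosed above, where the master log is clean, `/api/rsso/access` returns 0, and the only trace of the rejected mapping is a `W` line in mtxagent.log. It follows each thread ID from the RSSO token extraction to the end of its `/api/rsso/access` call and reports any warnings in between. The sample lines are copied from the excerpt posted above; the line layout is inferred from that excerpt, and treating `E` as an error level is an assumption.

```python
import re

# mtxagent.log lines copied from the excerpt posted in the thread.
SAMPLE_LOG = """\
2018/03/07 14:44:32 Vision64Database             I   [139795508512512] <RSSO> Authentication token has been extracted
2018/03/07 14:44:32 Vision64Database             I   [139795508512512] The pinned certificate was found
2018/03/07 14:44:32 Vision64Database             W   [139795508512512] RSSO user matches a non LDAP application administrator (adams.james)
2018/03/07 14:44:32 AgentActionDB                I   [139795508512512] Service GET '/api/rsso/access' returned 0
2018/03/07 14:44:32 Server                       D   [139795508512512] JSON Service: /api/rsso/access
2018/03/07 14:44:32 Server                       D   [139795458148096] Request URL: /api/1/webconsole/info
"""

# Layout inferred from the excerpt: timestamp, module, level letter, [thread id], message
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2})\s+(?P<module>\S+)\s+"
    r"(?P<level>[A-Z])\s+\[(?P<thread>\d+)\]\s+(?P<msg>.*)$"
)
TOKEN_MARK = "<RSSO> Authentication token has been extracted"
ACCESS_DONE = "'/api/rsso/access' returned"
# W is the level seen in the excerpt; E for errors is an assumption.
FLAGGED = {"W", "E"}


def rsso_findings(text):
    """Collect W/E lines logged on a thread between token extraction and the
    end of that thread's /api/rsso/access call."""
    in_rsso = set()  # thread ids currently handling an RSSO login
    findings = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        tid, msg = m["thread"], m["msg"]
        if TOKEN_MARK in msg:
            in_rsso.add(tid)
        elif tid in in_rsso:
            if m["level"] in FLAGGED:
                # Trailing "(name)" is how the excerpt's warning names the user.
                user = re.search(r"\(([^()]+)\)\s*$", msg)
                findings.append({"ts": m["ts"], "thread": tid, "level": m["level"],
                                 "user": user.group(1) if user else None,
                                 "message": msg})
            if ACCESS_DONE in msg:
                in_rsso.discard(tid)
    return findings


if __name__ == "__main__":
    for f in rsso_findings(SAMPLE_LOG):
        print(f"{f['ts']} [{f['level']}] user={f['user']}: {f['message']}")
```
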

                  • 6. Re: Issue in integrating BCM Webconsole with Remedy SSO (RSSO)
                    Prakash Vasudevarao

                    Hi Chris,

                     

                    Yes, but not directly. RSSO is the service provider that talks to Identity Provider F5 which is integrated with Active Directory. The authenticated login name is extracted via SAMLv2 and passed on to RSSO, which in turn hands off to multiple consuming applications - like BCM, Remedy mid tier, MyIT/SmartIT etc. All of them work fine except BCM. Why does BCM require its own LDAP synchronization? Is BCM using it to call back LDAP for authentication again and/or authorization?

                     

                    Thanks, Prakash

                    • 7. Re: Issue in integrating BCM Webconsole with Remedy SSO (RSSO)
                      Christophe Truc

                      Hello Prakash,

                       

                      When RSSO is being used, authentication is delegated to this system. At the same time, BCM is still responsible for managing authorization (who can see and/or manage this object and so forth). For that reason, we decided to strengthen the operation whose aim is to match the RSSO authenticated user with the corresponding BCM administrator. This being said, we realize that in your situation, disabling this last verification could be interesting. I can propose to add the possibility to ignore the user synchronization type, which would be configured in the BCM RSSO settings (off by default). This should fix the problem in your environment. If you are interested in this solution, I can check internally if and when the option could be implemented?

                       

                      Chris.

                      • 8. Re: Issue in integrating BCM Webconsole with Remedy SSO (RSSO)
                        Prakash Vasudevarao

                        Hi Chris,

                         

                        That would be great since RSSO is the trusted entity and service provider for all BMC applications and hence no more additional checks may be required. Please let me know.

                         

                        Thanks, Prakash

                        • 9. Re: Issue in integrating BCM Webconsole with Remedy SSO (RSSO)
                          Serena Lambiase

                          Thanks for your questions, Prakash Vasudevarao and thanks to Christophe Truc for the information. Prakash Vasudevarao, would you please create an Idea in the BCM community so we can find out if other customers are also interested in this new feature?  This helps us when we are planning for new releases as one data point to understand what features our customers are using and where we should focus our R&D team efforts.  You can add your idea here:  Client Management