5 Replies Latest reply on Oct 10, 2019 9:31 AM by Greg Michael

    Configuring SAMLv2 in RSSO 18.02

    Greg Michael

      Has anyone had any success in configuring SAMLv2 for IdP-initiated login using RSSO 18.02 in TSO? We've been tasked with securing our login process for our TSO infrastructure. We're trying to configure RSSO to utilize SAMLv2.


      Some points of note:

      We have a 2-node HA RSSO v18.02 configuration with the URL of RSSO provided through an F5 VIP.

      We aren't allowed to use self-signed certificates.


      Some of the questions I'm having difficulty finding answers to:

      Can we use the individual private keys from our RSSO servers? (We have signed certificates for each server, with SAN entries for both nodes and the VIP)

      The name of the key store in the documentation is cot.jks - is this a fixed requirement?

      The name of the alias of the self-signed key in the documentation is sp-signing - is this a fixed requirement?

      Can the key store use a password other than the default 'changeit'?
      Can the key use a password other than the default 'changeit'?

      I see numerous references for the cot.jks key store being located in <tomcat>\rsso\WEB-INF\classes - is this a fixed requirement if I fully qualify the path to the key store file in the general RSSO server configuration?


      If there's anyone out there that is using an HA-pair (or cluster) of RSSO servers with SAMLv2 configured, I'd love to see how you've configured your environment.


      Thanks!
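The keystore questions above (keystore name, alias, store/key password, path) come down to making the file RSSO loads match what you enter in its configuration. The following PowerShell script is an added example, not from the original post and not BMC's own procedure: it builds a JKS keystore from a CA-signed certificate and private key (so no self-signed key is involved), under an alias and passwords of your choosing, and then verifies the entry and exports the public certificate for the IdP. It assumes keytool from a JDK is on PATH, that the signed key pair and chain already exist as a PKCS#12 file, and that the keystore is written under `<tomcat>\rsso\WEB-INF\classes`; the file names, paths and passwords are placeholders. It does not settle whether RSSO 18.02 requires the names `cot.jks` and `sp-signing`, which is the open question in the thread.

```powershell
# Added example (not from the original post or BMC documentation). Builds the
# SP signing keystore from a CA-signed key pair using a chosen alias and
# non-default passwords, then checks the result with keytool.
# Assumed inputs: a PKCS#12 file holding the signed cert, its private key and
# the CA chain; keytool on PATH; all paths and passwords below are placeholders.

param(
    [string]$PfxPath      = 'C:\certs\rsso-vip.pfx',                     # assumed: signed key pair + chain
    [string]$PfxPassword  = 'pfx-export-password',                       # assumed
    [string]$PfxAlias     = '1',                                         # alias inside the PFX (keytool -list shows it)
    [string]$KeystorePath = 'C:\tomcat\rsso\WEB-INF\classes\cot.jks',    # <tomcat>\rsso\WEB-INF\classes per the docs
    [string]$Alias        = 'sp-signing',                                # change if RSSO lets you configure it
    [string]$StorePass    = 'S3cure-Store-Pass!',                        # non-default keystore password
    [string]$KeyPass      = 'S3cure-Key-Pass!',                          # non-default key password (JKS allows a different one)
    [string]$ExportedCert = 'C:\certs\rsso-sp-signing.cer'               # public cert to give the IdP team
)

$ErrorActionPreference = 'Stop'

# 1. Import the PKCS#12 entry into a fresh JKS keystore under the chosen alias.
#    -destkeypass sets the key password independently of the store password.
& keytool -importkeystore `
    -srckeystore  $PfxPath -srcstoretype PKCS12 -srcstorepass $PfxPassword -srcalias $PfxAlias `
    -destkeystore $KeystorePath -deststoretype JKS -deststorepass $StorePass `
    -destalias $Alias -destkeypass $KeyPass -noprompt
if ($LASTEXITCODE -ne 0) { throw "keytool import failed (exit $LASTEXITCODE)" }

# 2. Verify the entry is a private key (not a trusted-cert-only entry) and
#    print the SAN list, which should cover the F5 VIP and both HA nodes.
$listing = (& keytool -list -v -keystore $KeystorePath -storepass $StorePass -alias $Alias 2>&1) -join "`n"
if ($LASTEXITCODE -ne 0)                 { throw "keytool list failed: $listing" }
if ($listing -notmatch 'PrivateKeyEntry') { throw "Alias '$Alias' is not a PrivateKeyEntry" }
$sans = ($listing -split "`n" | Where-Object { $_ -match 'DNSName:' } | ForEach-Object { $_.Trim() }) -join "`n"
Write-Host "SAN entries for '$Alias':`n$sans"

# 3. Export the public certificate in PEM form for the IdP's SP metadata.
& keytool -exportcert -rfc -alias $Alias -keystore $KeystorePath -storepass $StorePass -file $ExportedCert
if ($LASTEXITCODE -ne 0) { throw "keytool export failed (exit $LASTEXITCODE)" }

# 4. Show the fingerprint so it can be cross-checked against what the IdP registers.
$fp = (& keytool -printcert -file $ExportedCert | Select-String 'SHA256:').Line.Trim()
Write-Host "Exported SP signing cert: $ExportedCert ($fp)"
```

Two general SAML points that follow from this, independent of how RSSO answers the naming questions: the IdP validates SP-signed requests against the signing certificate published in the SP metadata, so with an F5 VIP in front of two nodes the same keystore (same private key) should be copied to both nodes rather than each node signing with its own per-server key, unless the IdP is configured with both certificates; and recent JDK keytool builds warn that JKS is a proprietary format and suggest PKCS12, which you can ignore while the product documentation still names `cot.jks` as a JKS store.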

        • 1. Re: Configuring SAMLv2 in RSSO 18.02
          Aryan Anantwar

          Hi Greg,


          Please take a look at the post: How to update BMC Remedy Single Sign On (RSSO) SP Certificate?

          HTH.


          Regards,

          Aryan Anantwar

          • 2. Re: Configuring SAMLv2 in RSSO 18.02
            Greg Michael

            Unfortunately, that document does not address my questions. That document details how to change the certificate. Actually, it details how to "delete" and "add a new" certificate to the key store.

            Can we use the individual private keys from our RSSO servers? (We have signed certificates for each server, with SAN entries for both nodes and the VIP)

            The name of the key store in the documentation is cot.jks - is this a fixed requirement?

            The name of the alias of the self-signed key in the documentation is sp-signing - is this a fixed requirement?

            Can the key store use a password other than the default 'changeit'?

            Can the key use a password other than the default 'changeit'?

            I see numerous references for the cot.jks key store being located in <tomcat>\rsso\WEB-INF\classes - is this a fixed requirement if I fully qualify the path to the key store file in the general RSSO server configuration?


            The document also does not address (at least not with any detail) how to work with an HA RSSO implementation.

            • 3. Re: Configuring SAMLv2 in RSSO 18.02
              Greg Michael

              Just as a FYI to all...
              Per Support and Engineering, TSO does NOT work with SAMLv2 authentication via RSSO in any of the current versions of TSO. I don't think that this is supposed to be the case, but we confirmed with Engineering that it is not supported. The documentation does not reflect this incompatibility in either the TSO or the RSSO product line, and this is supposed to be updated to reflect that.

              • 4. Re: Configuring SAMLv2 in RSSO 18.02
                Ranganath Samudrala

                Currently TSO supports only local user and LDAP authentication. SAML support is being developed.

                • 5. Re: Configuring SAMLv2 in RSSO 18.02
                  Greg Michael

                  Since it was not documented in any version of TrueSight Orchestration/BMC Atrium Orchestrator or Remedy Single Sign-On, there was no reason to think that it was not supported. The documentation details that authentication is handled through either the embedded or an external implementation of RSSO. There were no indications in the documentation to lead us to believe that any of the forms of authentication available within a Realm would not be compatible with TSO. Ranganath Samudrala, please ensure that the documentation for both TSO and RSSO is updated to include this incompatibility to prevent other customers from stumbling into this. Thanks!