1 Reply Latest reply on Jul 26, 2019 6:40 PM by Betty Neumann

    Design issues with TrueSight support for SAML authentication

    Mariusz Cwiklinski

      Two years ago BMC announced SAML authentication support for TrueSight 11.x.

      To enable SAML support in TrueSight you have to create a new realm/tenant and configure TrueSight as a multi-tenant environment, as documented here: https://docs.bmc.com/docs/TSPS/110/configuring-user-authentication-for-the-presentation-server-in-remedy-sso-790478444.h…

      Generally BMC asks you to create a new realm, so the Administrator Console can still work and users can be authenticated in the default "*" tenant.

      But unfortunately this design has some big flaws with the use of the REST API in TrueSight:

      1. You cannot use users from the SAML-enabled tenant because the REST API doesn't support SAML authentication.
      2. You cannot use the admin user from the default "*" tenant because you would be trying to modify objects in another tenant, and there are built-in tenant restrictions in the REST API.

      So, by BMC's design, you are not able to use some important REST API methods (some of them do work, though), for example:

      • All TrueSight App Visibility REST API calls do not work
      • TrueSight Infrastructure Policy management REST API calls (create, update) do not work

      It looks like BMC didn't address those problems in the last two years. So below I propose an idea of how this can be solved:

      Because some TrueSight components still require LOCAL authentication to work (Administrator Console, REST API; App Visibility still creates a local user in the SAML-enabled tenant), BMC should redesign the authentication process in Remedy SSO:

      • Create a LOCAL_INTERNAL authentication type in Remedy SSO. It will be exactly the same as LOCAL and it will use Local User Management.
      • The authentication chain in the default "*" realm/tenant can be set up like this: LOCAL_INTERNAL, SAML, LDAP/LOCAL (to retrieve user groups).
      • All tools that require LOCAL authentication (Admin Console, REST API) will be authenticated in LOCAL_INTERNAL, and the authentication chain will stop there if authentication in LOCAL_INTERNAL is successful.
      • Users connecting with a web browser will not be presented with the Remedy SSO logon page for local authentication; Remedy SSO will skip LOCAL_INTERNAL authentication for them. Web browser users will go directly to the next authentication in the chain (i.e. SAML and LDAP/LOCAL).

      This way we could use the default "*" realm/tenant with SAML, and local authentication will also work in the "*" tenant. It will solve all cross-tenant REST API restrictions because the local user and all TrueSight components will be within the same tenant.

      PS. See also comments under this blog post: New Supported Authentications For Truesight 11.x with Remedy Single Sign-On

      I would like to hear about your experiences with SAML authentication in TrueSight 11.
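As an added example (not code from the post, from BMC or from Remedy SSO), the following Python model shows the behaviour the proposal above describes: a chain of LOCAL_INTERNAL, SAML, LDAP/LOCAL in one realm, where non-browser clients (REST API, Admin Console) are tried against LOCAL_INTERNAL first and stop there on success, browser clients skip LOCAL_INTERNAL entirely and go to SAML, and the REST tenant restriction then passes because both the local user and the SAML user live in the same "*" tenant. The user store, the SAML assertion format (`saml:<user>`), the group lookup and the `can_modify` check are all constructed assumptions for the model, not Remedy SSO or TrueSight APIs.

```python
from dataclasses import dataclass
from enum import Enum
from typing import Dict, List, Optional, Set, Tuple


class ClientKind(Enum):
    """How the caller reached Remedy SSO (assumed to be known to the chain)."""
    BROWSER = "browser"   # interactive web user
    API = "api"           # REST API client or Administrator Console


@dataclass
class AuthResult:
    provider: str         # which chain step accepted the user
    user: str
    tenant: str           # realm/tenant the session belongs to
    groups: List[str]


# Constructed sample data for the model; none of these identities are real.
LOCAL_USERS: Dict[str, str] = {"tsadmin": "local-secret"}        # Local User Management
SAML_ASSERTED: Set[str] = {"alice@example.com"}                  # users the IdP would assert
LDAP_GROUPS: Dict[str, List[str]] = {                           # LDAP/LOCAL group lookup
    "alice@example.com": ["Monitoring Operators"],
    "tsadmin": ["Administrators"],
}


def authenticate(realm: str, user: str, credential: str,
                 client: ClientKind) -> Optional[AuthResult]:
    """Evaluate the proposed chain LOCAL_INTERNAL -> SAML -> LDAP/LOCAL in one realm."""
    # Step 1: LOCAL_INTERNAL. Browser users skip it, so they never see a local logon page.
    if client is not ClientKind.BROWSER:
        if LOCAL_USERS.get(user) == credential:
            # Success terminates the chain; SAML is never consulted for this client.
            return AuthResult("LOCAL_INTERNAL", user, realm, LDAP_GROUPS.get(user, []))
    # Step 2: SAML. Modelled as a credential of the form "saml:<user>" that only the
    # browser redirect flow can produce (assumption); API clients cannot complete it.
    if (client is ClientKind.BROWSER
            and credential == f"saml:{user}"
            and user in SAML_ASSERTED):
        # Step 3: LDAP/LOCAL is consulted only to retrieve the user's groups.
        return AuthResult("SAML", user, realm, LDAP_GROUPS.get(user, []))
    return None


def can_modify(actor: AuthResult, object_tenant: str) -> bool:
    """Built-in REST tenant restriction as the post describes it: a caller may only
    modify objects that belong to the tenant the caller was authenticated in."""
    return actor.tenant == object_tenant


def compare_designs() -> Tuple[bool, bool]:
    """Return (blocked_today, allowed_with_proposal).

    Today: SAML users sit in a separate realm while the admin user is LOCAL in "*",
    so a REST call that touches the SAML tenant's objects is refused.
    Proposal: everyone is in "*", so the same call passes the tenant check."""
    admin_today = AuthResult("LOCAL", "tsadmin", "*", ["Administrators"])
    blocked_today = not can_modify(admin_today, "saml-tenant")

    api_user = authenticate("*", "tsadmin", "local-secret", ClientKind.API)
    web_user = authenticate("*", "alice@example.com", "saml:alice@example.com",
                            ClientKind.BROWSER)
    allowed_with_proposal = (api_user is not None and web_user is not None
                             and can_modify(api_user, web_user.tenant))
    return blocked_today, allowed_with_proposal


if __name__ == "__main__":
    print("cross-tenant REST call refused today:", compare_designs()[0])
    print("same call allowed in single-realm proposal:", compare_designs()[1])
```

The two `ClientKind` branches are the design's key point: the same local password that authenticates an API client is never even tried for a browser session, so the separate realm that exists today only to keep the Admin Console working is no longer needed.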