Atrium Single Sign On (Atrium SSO): An introduction
BMC Software Webinars 2013
Vincent Lasfargues – Atrium Customer Engineering
Contributors: John Stamps, Murali Balijepally, Karl Miller, Rahul Vedak, Volodymyr Zaporozhets

© Copyright 2/15/2013 BMC Software, Inc

Agenda

1. What is Single Sign‐On?

2. Why use Single Sign‐On?

3. Atrium SSO ‐ Architecture overview

4. Atrium SSO ‐ Features

5. Deployment considerations

6. Typical installation use cases and best practices

7. Examples: typical installation, Kerberos & SAML v2 IdP

8. A few important notes

9. Q&A

What is Single Sign‐On? 

A mechanism that allows users to enter their credentials (usually a user ID and password) once to get authenticated with multiple related but independent software systems. 

- The user logs in only once

- The user is authenticated to multiple applications within the Enterprise

- From one application to the other, the user does not have to authenticate again, as long as the session is valid

- Federated authentication allows SSO authentication between Enterprises; it enables SSO across business partners’ applications

Why use Single Sign‐On?
Better Customer Experience

Use case 1 ‐ Better Customer Experience
- Users only have to remember one UserID & password for multiple applications

[Figure panels: Before, After]

Benefits to Enterprise
- Fewer tickets: Lower administration cost and effort
- Improved Security: Single password encourages better behavior

Why Use Atrium Single Sign‐On: BMC Context
Proper Cross‐product Launch

Use case 2 ‐ Proper cross‐product launch
- For BMC Solutions that include multiple products, the user can navigate between one application and another in a seamless fashion

[Figure panels: Before, After]

Consistent user login experience
- BMC Applications have a single common login page

Why Use Atrium Single Sign‐On: BMC Context
Single Point of Integration

Use case 3 ‐ Single point of integration
- For SSO‐enabled BMC products to the Enterprise SSO

- Without Atrium SSO: BMC Applications must integrate directly with the Enterprise SSO
  – Feasibility depends on the application and the Enterprise SSO
  – When feasible, it requires configuration for each application
  – The user benefits from SSO in fewer SSO‐enabled applications.

- With Atrium SSO installed:
  – The BMC applications are easily configured to work with Atrium SSO
  – The BMC applications support, through Atrium SSO, multiple authentication technologies.

Atrium SSO then offers a single point of integration and bridge to Enterprise SSO systems
  – Allows integration with a larger set of Enterprise SSO systems
  – Quick initial configuration and centralized re‐configuration

Atrium Single Sign‐On Architecture
Example of How it Works

Atrium Single Sign‐On ‐ Features
Supported Authentications

- LDAPv3/Active Directory
- Certificates (CAC)
- RSA SecurID Authentication Engine 5.x, 6.x, and 7.x
- BMC Remedy AR System since 7.6.04
- Kerberos v5
- 3rd party SSO integration/federation through SAML v2

Atrium Single Sign‐On – Deployment Considerations
Licensing

Atrium Single Sign‐On is part of the BMC Atrium Shared Components
- BASC: Atrium CMDB, AI, AR system & Atrium SSO
- No separate license is required for using Atrium SSO

=> Atrium SSO is FREE for qualified BMC customers

Download Atrium SSO from BMC’s EPD:

Atrium Single Sign‐On – Deployment Consideration
Platform Requirements

Supported Operating Systems
- Windows Server 2003 (and above)
- Solaris 10 (and above)
- Red Hat Enterprise Linux 5 (and above)

Supported Web/Application Servers
- Tomcat 6.x (Atrium SSO installation embeds it)

Java Support
- Java SE 6 and above
  – Java 7 is required for IPv6 support (Atrium SSO 8.1)

For the latest information on product compatibility, please visit the BMC Solution and Product Availability and Compatibility Utility at:

https://docs.bmc.com/docs/display/public/sso80/Checking+the+compatibility+matrix+for+system+requirements+and+supported+configurations

Atrium Single Sign‐On – Deployment Consideration
Product/Solution Compatibility with Atrium SSO v8.0 & 8.1

| # | Application | Supported Since (Application Version) |
|---|-------------|---------------------------------------|
| 1 | BMC Dashboards | 7.6.03 |
| 2 | BMC Analytics | 7.6.05 |
| 3 | BMC ProactiveNet Performance Management | 9.0 |
| 4 | BMC Remedy AR System Server (including BMC CMDB & ITSM Suite) | 7.6.04 |
| 5 | BMC IT Business Management Suite | 7.6.04 |
| 6 | Remedy OnDemand | 2012.01 |
| 7 | 8.1: Atrium Orchestrator (BAO) | 7.7 |

Atrium Single Sign‐On – Notes
Integration with BMC Products/Solution

1. Supported BMC applications include an SSO agent.
   - Easy configuration

2. The Atrium SSO options are set during the installation.
   - The BMC application is configured to work with Atrium SSO once the installation is complete

3. Already deployed systems can be configured to leverage SSO using BMC utilities

Atrium SSO – Typical deployment use cases – Version 8.1

Starting from scratch ‐ Fresh AR & SSO deployment:
1. Install Atrium SSO first
2. Install AR
   – Fill in the information about the Atrium SSO server/LB
3. Install the Mid Tiers
   – Fill in the information about the Atrium SSO server/LB

AR systems are already deployed ‐ Configure SSO on deployed AR systems:
1. Install Atrium SSO
2. Run the AR‐SSO integration utility.
3. Run the Mid Tier‐SSO integration utility.

Typical Production Architecture ‐ High Availability

Each component is fronted by a Load Balancer (LB)

- Atrium SSO Cluster behind a LB
- Mid Tiers behind a LB
- AR Servers group behind a LB
- Replicated DBs

Atrium SSO Best practices

Dedicated Dual Core system for the SSO server
- Performance
- Resources stability => Availability

Atrium SSO footprint
- HD space: ~700 MB
- RAM: ~1 GB

Deploy with the embedded Tomcat
- Ease of deployment and configuration
- Better test coverage

Cluster of SSO servers and a Load Balancer
- High Availability
- Scalability

Always use Fully Qualified Domain Names (FQDN)

Installation Demo (Video)

The following Installation Video will cover:

1. SSO server, AR and Mid Tier installation

2. The step by step configuration for AR and MT to leverage SSO

Installation Demonstration

Atrium SSO and Kerberos

Windows Desktop SSO
- Used to integrate Atrium SSO with Active Directory so no userID & password re‐entry is required.

Atrium SSO – Kerberos basic configuration steps
1. Register Atrium SSO server as a service in the Domain
2. Generate a “keytab” file
3. Configure Atrium SSO
4. Configure browsers (IE/Firefox)

Important Note:
- NTLM v2 is not supported!
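
A check that can be run on the keytab produced in step 2 before it is loaded in step 3, given here as an added example that is not part of the original webinar: it parses the 0x0502 keytab file format, lists each principal, and flags a host part that is not an FQDN or a deprecated encryption type. The `HTTP` service class, the realm, the host names and the all-zero keys in the sample are assumptions constructed for the example.

```python
import struct

# Kerberos encryption type numbers. DES (RFC 6649) and RC4-HMAC (RFC 8429)
# are deprecated and should not appear in a newly generated service keytab.
ENCTYPES = {1: "des-cbc-crc", 3: "des-cbc-md5", 17: "aes128-cts-hmac-sha1-96",
            18: "aes256-cts-hmac-sha1-96", 23: "rc4-hmac"}
WEAK = {1, 3, 23}


def counted(buf, pos):
    """Read a 16-bit big-endian length and that many bytes; return (bytes, next_pos)."""
    (n,) = struct.unpack_from(">H", buf, pos)
    if pos + 2 + n > len(buf):
        raise ValueError("truncated keytab field")
    return buf[pos + 2:pos + 2 + n], pos + 2 + n


def parse_keytab(data):
    """Return one dict per live entry of a file-format 0x0502 keytab."""
    if data[:2] != b"\x05\x02":
        raise ValueError("not a version 0x0502 keytab")
    entries, pos = [], 2
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size <= 0:                    # a negative size marks a deleted entry (hole)
            pos += -size
            continue
        rec, pos = data[pos:pos + size], pos + size
        if len(rec) < size:
            raise ValueError("truncated keytab entry")
        (ncomp,) = struct.unpack_from(">H", rec, 0)
        realm, p = counted(rec, 2)
        comps = []
        for _ in range(ncomp):
            comp, p = counted(rec, p)
            comps.append(comp.decode())
        _name_type, _timestamp, kvno = struct.unpack_from(">IIB", rec, p)
        (etype,) = struct.unpack_from(">H", rec, p + 9)
        key, p = counted(rec, p + 11)
        if len(rec) - p >= 4:            # optional 32-bit kvno, used when non-zero
            kvno = struct.unpack_from(">I", rec, p)[0] or kvno
        entries.append({"principal": "/".join(comps) + "@" + realm.decode(),
                        "kvno": kvno, "etype": etype, "keylen": len(key)})
    return entries


def audit_keytab(data, expected_service="HTTP"):
    """Return (principal, problem) pairs; expected_service is an assumption."""
    findings = []
    for e in parse_keytab(data):
        name = e["principal"]
        service, _, rest = name.partition("/")
        if service != expected_service:
            findings.append((name, "unexpected service class"))
        if "." not in rest.split("@")[0]:
            findings.append((name, "host part is not an FQDN"))
        if e["etype"] in WEAK:
            findings.append((name, "deprecated enctype " + ENCTYPES[e["etype"]]))
    return findings


def build_entry(realm, comps, etype, key, kvno=3):
    """Build one constructed keytab entry for the sample below."""
    s = lambda b: struct.pack(">H", len(b)) + b
    body = struct.pack(">H", len(comps)) + s(realm) + b"".join(s(c) for c in comps)
    body += struct.pack(">IIB", 1, 1360886400, kvno) + struct.pack(">H", etype) + s(key)
    return struct.pack(">i", len(body)) + body


# Constructed sample: one good entry, one deleted hole, one short-name RC4 entry.
SAMPLE = (b"\x05\x02"
          + build_entry(b"EXAMPLE.COM", [b"HTTP", b"sso.example.com"], 18, bytes(32))
          + struct.pack(">i", -8) + bytes(8)
          + build_entry(b"EXAMPLE.COM", [b"HTTP", b"sso"], 23, bytes(16)))

if __name__ == "__main__":
    for finding in audit_keytab(SAMPLE):
        print(finding)
```

A keytab holds the service account's long-term keys, so the script should be run where the file already lives and the file should stay readable only by the Atrium SSO service account.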

Kerberos – ASSO integration – Service User account setup 1/3

Kerberos – ASSO integration – Service User account setup 2/3

Kerberos – ASSO integration – Service User account setup 3/3

Kerberos – ASSO integration – Keytab file generation 1/3

Kerberos – ASSO integration – Keytab file generation 2/3

Kerberos – ASSO integration – Keytab file generation 3/3

Kerberos – ASSO integration – Kerberos module definition 1/5

Kerberos – ASSO integration – Kerberos module definition 2/5

Kerberos – ASSO integration – Kerberos module definition 3/5

Kerberos – ASSO integration – Kerberos module definition 4/5

Kerberos – ASSO integration – Kerberos module definition 5/5

Kerberos – ASSO integration – Browser configuration 1/3

Kerberos – ASSO integration – Browser configuration 2/3

Kerberos – ASSO integration – Browser configuration 3/3

Kerberos – ASSO integration – Testing 1/4

Kerberos – ASSO integration – Testing 2/4

Kerberos – ASSO integration – Testing 3/4

Kerberos – ASSO integration – Testing 4/4

Atrium SSO and Kerberos

Atrium SSO & IdP Integration via SAML V2

Integrate Atrium SSO with remote identity providers (IdP)
- Ping Federate, SiteMinder, etc.

The following slides will cover the basic configuration steps:
1. Create a Local Service Provider within Atrium SSO server
2. Exchange certificates between Atrium SSO and IdP
3. Restart the servers.
4. Configure the remote IdP to work with Atrium SSO
5. Configure Atrium SSO as a remote service provider for remote IdP
6. Configure the Agent(s) to leverage the federated IdP
7. Test login with a federated user
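
A pre-import review of the SAML v2 metadata exchanged between the SP and the IdP in the steps above, given here as an added example that is not part of the original webinar: it reads one EntityDescriptor, reports the entity ID, roles and endpoints, and flags a missing signing certificate, a non-HTTPS endpoint, or an endpoint host that is not an FQDN. The two metadata documents, their host names and the certificate placeholder are constructed for the example.

```python
import ipaddress
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

MD = "{urn:oasis:names:tc:SAML:2.0:metadata}"
DS = "{http://www.w3.org/2000/09/xmldsig#}"


def host_is_fqdn(host):
    """True for a dotted DNS name; False for short names and literal IPs."""
    if not host or "." not in host.strip("."):
        return False
    try:
        ipaddress.ip_address(host)
    except ValueError:
        return True
    return False


def review_metadata(xml_text):
    """Return (summary, findings) for one SAML v2 EntityDescriptor document."""
    root = ET.fromstring(xml_text)
    if root.tag != MD + "EntityDescriptor":
        raise ValueError("expected an EntityDescriptor root element")
    summary = {"entityID": root.get("entityID"), "roles": [], "endpoints": []}
    findings = []
    for tag, role in (("IDPSSODescriptor", "IdP"), ("SPSSODescriptor", "SP")):
        for desc in root.findall(MD + tag):
            summary["roles"].append(role)
            # A KeyDescriptor without a "use" attribute serves signing and encryption.
            signing = [k for k in desc.findall(MD + "KeyDescriptor")
                       if k.get("use") in (None, "signing")
                       and (k.findtext(".//" + DS + "X509Certificate") or "").strip()]
            if not signing:
                findings.append(("no-signing-cert", role))
            for elem in desc.iter():
                loc = elem.get("Location")
                if loc is None:
                    continue
                summary["endpoints"].append(loc)
                url = urlparse(loc)
                if url.scheme != "https":
                    findings.append(("not-https", loc))
                if not host_is_fqdn(url.hostname):
                    findings.append(("host-not-fqdn", loc))
    if not summary["roles"]:
        findings.append(("no-sso-role", summary["entityID"]))
    return summary, findings


# Constructed sample metadata (not exported from any real product).
GOOD_SP = """<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="https://sso.example.com:8443/sp">
  <SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>Q09OU1RSVUNURUQ=</ds:X509Certificate>
    </ds:X509Data></ds:KeyInfo></KeyDescriptor>
    <AssertionConsumerService index="0"
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://sso.example.com:8443/sp/acs"/>
  </SPSSODescriptor>
</EntityDescriptor>"""

BAD_IDP = """<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="http://idp:8080/idp">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <SingleSignOnService
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="http://idp:8080/idp/sso"/>
  </IDPSSODescriptor>
</EntityDescriptor>"""

if __name__ == "__main__":
    for name, doc in (("GOOD_SP", GOOD_SP), ("BAD_IDP", BAD_IDP)):
        print(name, review_metadata(doc))
```

The review only checks that a signing certificate is present; confirming that it is the certificate the partner actually sent still has to be done out of band.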

SAML v2 Integration – 1/19

Edit the BMC Realm – 2/19

Add a Local Service Provider – 3/19

Configure & save the SP – 4/19

SP Created – 5/19

Exchange certificates – 6/19

Log into the IdP console – 7/19

Edit the IdP BMC Realm – 8/19

Add a Local IdP – 9/19

Configure & Save the local IdP – 10/19

Local IdP created – 11/19

Add the SP as a Remote SP in the IdP – 12/19

Import the remote SP’s Metadata – 13/19

Done with the IdP – Back to the Atrium SSO server

Create a test user (Demo/8chars passwd) - and we are done with the IdP …

Now back to our Atrium SSO server …

Add the IdP as a Remote IdP in Atrium SSO server – 14/19

Import the remote IdP’s Metadata – 15/19

Remote IdP created, remove the AR user store – 16/19

Configure the agent for federation – 17/19

Edit the Agents – 18/19

Edit the Agent login and logout URIs & save ‐ 19/19

Test the configuration – Login with a Federated User

Now the configuration is complete
- Test login with our federated “Demo” user

Atrium SSO integrated with an IdP via SAML v2

Atrium Single Sign‐On – Important Notes
Authorization

Authentication is NOT Profile or User Mgmt; for a given user, each BMC Product/Solution still manages details (authorization)
- Roles, Permissions
- Locale, etc.

Atrium Single Sign‐On – Important Notes
Atrium SSO and OpenAM

Atrium Single Sign‐On is based on open source OpenAM
- OpenSSO developed originally by Sun Microsystems
- Now available as OpenAM and supported by ForgeRock.
- Atrium SSO 8.1.00 is based on OpenAM 9.5.4
- No additional license of OpenAM is needed in order to use Atrium SSO

BMC Atrium SSO supports a sub‐set of the OpenAM features

[Figure labels: BMC Atrium SSO features; OpenAM features; Additional functionalities (unsupported)]

Atrium Single Sign‐On – Important Notes
Supported Configurations

BMC Atrium SSO certifies a subset of platforms and technologies supported by OpenAM

- BMC Atrium Single Sign‐On is certified on the configurations explicitly stated in the Help section (https://docs.bmc.com/docs/display/public/sso80/Home)

- Reported defects either found to be unique to an unconfirmed configuration or not reproducible within a supported environment will be addressed at BMC’s discretion. 

Atrium Single Sign‐On Additional Resources

Wiki Help: https://docs.bmc.com/docs/display/public/sso80/Home

BMC Communities – Discussion forum: https://communities.bmc.com/communities/community/bmcdn/bmc_atrium_and_foundation_technologies/atrium_sso

Background on OpenAM: http://en.wikipedia.org/wiki/OpenAM

Technical Enablement: https://docs.bmc.com/docs/display/NP/BMC+Atrium+SSO

Learn more at www.bmc.com