Control-M supports the following methods to authenticate Control-M users:

  • Control-M: Authenticates individual users that are created manually within Control-M, as described in Creating an Internal User.

  • Identity Provider (IdP): Authenticates multiple external users with one configuration, instead of creating multiple individual internal users in Control-M, as described in Configuring Authentication with an IdP. In addition IdP supports Single Sign-on (SSO) and Multi-factor Authentication (MFA). You must configure MFA on your identity provider. You can configure authentication to one IdP.

If you are using both local and external authentication, BMC recommends that you create local usernames that are unique and do not duplicate existing external usernames.

Configuring Authentication with an IdP

This procedure describes how to configure authentication with an Identity Provider (IdP) for all Control-M users. This enables you to authenticate multiple external users with one configuration, instead of creating multiple individual internal users in Control-M.


  1. From the icon, select Configuration.

    The Configuration domain appears.

  2. From the drop-down list, select System Settings.

    The System Settings pane appears.

  3. From the Identity Provider (IdP) drop-down, select the SAML 2.0 checkbox.

  4. Copy the following field values by clicking , and paste each value in your IdP application configuration.

    • Single Sign-On URL: Defines the IdP URL or SAML Endpoint, where Control-M redirects users to sign in.

    • Audience URI (Service Provider Entity ID): Defines the Service Provider URI that is used for verification.

    • Signing Certificate: Defines the certificate that ensures that messages are coming from the expected IdP and Service Providers. The SAML certificate is used to sign SAML requests, responses, and assertions from the service to the connected applications. This parameter is only required if you enable the single sign-out on the IdP.

  5. Copy the Single Sign-On URL value and paste it in the Single Logout URL field in your IdP application configuration and replace the string idpresponse with logout at the end of the Single Logout URL.

  6. From your IdP, you need to define the ExternalIDPGroups attribute.

    The attribute value must be the group names defined in the IdP (case-sensitive).

  7. From your IdP, generate the XML metadata file and do one of the following:

    • Click Select File and browse for the XML metadata file on your machine.

    • In the XML Metadata for SAML Service Provider field, type the XML metadata file endpoint URL.

    If you disable SAML 2.0, you cannot remove the XML metadata file.

  8. After you have completed this procedure, you must map the groups from the IdP to rolesClosed An authorization entity that grants permissions to associated users to access different functionality., as described in Adding a Role.

    All Control-M users that connect to Helix Control-M are now authenticated with SAML 2.0. Automation APIClosed A set of programmatic interfaces that provides developers and DevOps engineers access to the capabilities of Helix Control-M within the modern application release process. is authenticated via tokensClosed An authorization entity, required during Agent installation, which enables you to connect the Agent to your Helix Control-M backend.. Internal users are not managed in IdP mode. Emergency users are assigned to Admin roles and are listed in the Emergency Users list.

  9. Log in with the Emergency URL (<tenant_name>-emergency), copy the Admin role, and update it with groups from your IdP, as described in Adding a Role.

  10. Add new roles or update existing roles with groups from your IdP.