SSO and LDAP options

Article ID: 10256


Products

CA Business Service Insight

Issue/Introduction

What options are currently available in CA Business Service Insight related to implementing Single Sign-On and LDAP integration?

Environment

CA Business Service Insight 8.3.x and 9.x

Resolution

Out of the box, BSI contains an LDAP integration feature which can be enabled in the advanced system settings, as shown below:

This feature is documented in the BSI documentation under Active Directory Single Sign-On.

It is important to note what this feature does and does not provide.

It does:

  • Authenticate the user's password against LDAP (the directory verifies the password, not BSI), as long as the user exists in both BSI and LDAP. This means user passwords no longer need to be maintained in BSI.

It does not:

  • Provide SSO in the sense of no longer having to log in to BSI. You must still type the BSI/LDAP username and LDAP password at the BSI login page.
  • Synchronize users from LDAP. The users who need access to BSI must still be created in BSI, and there is no out-of-box feature to create them automatically or to remove them when they are no longer in use (for example, when the account is disabled or deleted in the directory).

In addition to the out-of-box feature discussed above, BSI provides API calls that allow you to build a custom SSO feature which can synchronize users with LDAP or remove the login page completely. This is discussed in the documentation under LDAP Integration.

It is important to note that while BSI provides the API calls, and the documentation includes sample scripts to demonstrate how they can be called, creating your own web page and .NET application to implement this is a customization. Support can only assist with the API calls themselves if you find they are not behaving as documented.

The first sample script in the documentation linked above is a VB script which can be run as an integration/translation script from the product itself. It shows how to create and remove LDAP users in BSI automatically. Used in combination with the LDAP lookup feature, it can fully synchronize users with LDAP through commands such as Tools.AddUserByMap map.
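The reconciliation that such a sync script has to perform is illustrated below. This is an added example, not the VB script from the BSI documentation and not BSI product code: it takes a constructed snapshot of directory entries and the current BSI user list, decides which users to create (expressed as a field map of the kind AddUserByMap takes) and which to remove, and skips accounts that are disabled in Active Directory or not in the access group. The group DN, the map field names and the sample users are all assumptions; the BSI-side calls are not reproduced.

```python
"""Reconciliation logic for an LDAP-to-BSI user sync (illustration only).

Computes the actions a sync job would take; it does not call BSI.
"""
ACCOUNT_DISABLE = 0x0002  # Active Directory userAccountControl flag: account is disabled

# Assumption: membership in this group is what grants BSI access.
BSI_ACCESS_GROUP = "CN=BSI-Users,OU=Groups,DC=example,DC=com"

# Constructed directory snapshot (what an LDAP lookup of the group might return).
LDAP_ENTRIES = [
    {"sAMAccountName": "alice", "displayName": "Alice Smith", "mail": "alice@example.com",
     "userAccountControl": 512, "memberOf": [BSI_ACCESS_GROUP]},
    {"sAMAccountName": "Bob", "displayName": "Bob Jones", "mail": "bob@example.com",
     "userAccountControl": 512, "memberOf": [BSI_ACCESS_GROUP]},
    {"sAMAccountName": "carol", "displayName": "Carol King", "mail": "carol@example.com",
     "userAccountControl": 512, "memberOf": [BSI_ACCESS_GROUP]},
    # Disabled in AD: must not be created, and removed from BSI if present.
    {"sAMAccountName": "dave", "displayName": "Dave Lee", "mail": "dave@example.com",
     "userAccountControl": 512 | ACCOUNT_DISABLE, "memberOf": [BSI_ACCESS_GROUP]},
    # Not in the access group: ignored entirely.
    {"sAMAccountName": "erin", "displayName": "Erin Wu", "mail": "erin@example.com",
     "userAccountControl": 512, "memberOf": []},
]

# Constructed current BSI user list (login names as BSI stores them).
BSI_USERS = ["alice", "bob", "dave", "oldsvc"]


def to_bsi_map(entry, organization="Default"):
    """Map directory attributes onto the fields a BSI user record needs.
    The field names are assumptions standing in for the real AddUserByMap keys."""
    return {
        "UserName": entry["sAMAccountName"].lower(),
        "FullName": entry.get("displayName", entry["sAMAccountName"]),
        "Email": entry.get("mail", ""),
        "Organization": organization,
    }


def is_eligible(entry):
    """An entry should hold a BSI login only if it is enabled and in the access group."""
    enabled = not (entry.get("userAccountControl", 0) & ACCOUNT_DISABLE)
    return enabled and BSI_ACCESS_GROUP in entry.get("memberOf", [])


def reconcile(ldap_entries, bsi_users):
    """Return (maps_to_add, logins_to_remove).

    Logins are compared case-insensitively because sAMAccountName is not
    case-sensitive. BSI users with no enabled, eligible directory counterpart
    are removed so that leavers and disabled accounts do not linger in BSI.
    """
    eligible = {e["sAMAccountName"].lower(): e for e in ldap_entries if is_eligible(e)}
    existing = {u.lower() for u in bsi_users}
    to_add = [to_bsi_map(eligible[name]) for name in sorted(eligible) if name not in existing]
    to_remove = sorted(existing - set(eligible))
    return to_add, to_remove


if __name__ == "__main__":
    adds, removes = reconcile(LDAP_ENTRIES, BSI_USERS)
    for user_map in adds:
        print("add   ", user_map)
    for login in removes:
        print("remove", login)
```

With the constructed data the job would create carol and remove dave (disabled in the directory) and oldsvc (no directory counterpart). Whether "remove" means deleting the BSI user or merely disabling it is a policy decision; disabling preserves the audit trail of what that user did in BSI.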

The second script is more involved. It is sample C# code which calls the BSI API to perform a silent login, allowing you to bypass the BSI login process completely and build a full SSO solution. The sample is written in C#, but your own web page could be written in any language that allows server-side API calls. Because C# must be compiled, this sample would be compiled in Visual Studio and called from an ASPX file. You would also need to modify the script heavily to suit your environment: the hardcoded username and organization name it currently uses, the redirect link, whether you are using HTTPS or HTTP, and so on. In particular, because a silent login skips the password check, the page that calls it becomes the authentication boundary: it must take the username only from an identity the web server has already verified (for example, integrated Windows authentication), never from a parameter the browser supplies, and it should be served only over HTTPS; otherwise anyone who can reach the page can log in as any BSI user. This is considered customization and is not something support can help with beyond providing this example.