Troubleshooting the SSO feature


(SPE2310)

(This topic applies to BMC Defender Server administrators only)

The SSO feature replaces a major security system of the BMC Defender Server (authentication and validation). Therefore, incorrect configuration of the system might compromise the internal security of the BMC Defender Server and its data.

This topic contains common errors and how to troubleshoot them.

The SSO provider logon window is not displayed or is unreachable.

Description—When a user accesses the SSO sign-on page (using the link on the BMC Defender Server logon window or when redirected to the SSO provider from the BMC Defender Server logon window), the browser indicates that the page is not reachable.

Likely cause—The SSO provider URL is incorrectly configured on the System > Logins > SSO tab. Verify that the hostname and optional port number are correct. Verify that the SSO provider certificate is valid.
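The two verification steps above (hostname/port correct, certificate valid) can be checked from any host that can reach the provider, without a browser. The following script is an added example, not part of this page or of the BMC Defender Server; the provider URL in the test is a constructed placeholder.

```python
import socket
import ssl
import time
from urllib.parse import urlparse

DEFAULT_HTTPS_PORT = 443


def parse_provider_url(url):
    """Split the configured SSO provider URL into (host, port); only https is acceptable."""
    parts = urlparse(url)
    if parts.scheme != "https" or not parts.hostname:
        raise ValueError(f"SSO provider URL must be https://host[:port]/...: {url!r}")
    return parts.hostname, parts.port or DEFAULT_HTTPS_PORT


def cert_expiry_seconds(not_after):
    """Epoch seconds for a notAfter value in the OpenSSL text form getpeercert() returns."""
    return ssl.cert_time_to_seconds(not_after)


def cert_days_remaining(not_after, now=None):
    """Days until the certificate expires; negative means it has already expired."""
    now = time.time() if now is None else now
    return (cert_expiry_seconds(not_after) - now) / 86400.0


def check_provider(url, timeout=5.0):
    """Resolve the host, open a TCP connection, then complete a TLS handshake with
    chain and hostname verification enabled. Returns a dict describing what succeeded
    and, on failure, the first error seen (DNS, connection, or certificate)."""
    host, port = parse_provider_url(url)
    result = {"host": host, "port": port, "reachable": False, "cert_valid": False}
    ctx = ssl.create_default_context()  # system trust store, hostname check enabled
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            result["reachable"] = True
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                cert = tls.getpeercert()  # only returned when verification passed
                result["cert_valid"] = True
                result["subject"] = dict(rdn[0] for rdn in cert["subject"])
                result["days_remaining"] = round(cert_days_remaining(cert["notAfter"]), 1)
    except socket.gaierror as exc:  # must precede OSError: gaierror is a subclass
        result["error"] = f"DNS lookup failed: {exc}"
    except OSError as exc:  # refused, timeout, and ssl.SSLCertVerificationError
        result["error"] = f"{type(exc).__name__}: {exc}"
    return result
```

Run `check_provider()` against the exact URL entered on the SSO tab; a `reachable` of False points at the hostname or port, while `cert_valid` False with an SSL error in `error` points at the provider certificate.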

When you access the SSO provider logon window, an error message is displayed, such as a message indicating that you should contact the administrator.

Description—When a user accesses the SSO sign-on page (using the link on the BMC Defender Server logon window or when redirected to the SSO provider from the BMC Defender Server logon window), a short error message is displayed on the SSO logon window with instructions to contact the administrator.

Likely cause—This error usually indicates that the client ID or redirect URL configured on the System > Logins > SSO tab does not match the values configured in the SSO provider.

When the user logs into the SSO, an error indicates that an incorrect user name or password is entered.

Description—The user can access the SSO logon window, but the user name and password entered by the user consistently fail with a logon failure.

Likely cause—This error indicates that the user is not registered with the SSO provider or with Active Directory. The administrator should check the credentials of the user and the user's password. This error is not due to any incorrect configuration at the BMC Defender Server but is solely an issue with the SSO provider and Active Directory services.

When the user logs in to the SSO, the server redirects back to the BMC Defender Server correctly, but an error is displayed indicating No Auth Token, and an error such as an HTTP 400 (or other) error is displayed.

Description—The error URL is the BMC Defender Server, and the SSO platform (and browser) has successfully reconnected to the BMC Defender Server. When the BMC Defender Server attempts to use the SSO token to verify authentication, that particular step of the process fails.

Likely cause—This error almost always indicates that the client secret key does not match the value configured at the SSO provider. The administrator should get a new client secret key from the SSO provider and input that key into the BMC Defender Server by using the System > Logins > SSO tab.

Important

The Client Secret Key is not visible from the BMC Defender Server, so the only way to reset this is to generate a new client secret key and then copy and paste that key into the BMC Defender Server.

When the user logs into the SSO, the BMC Defender Server displays an error page with the message You Are Not Registered On This System .

Description—The user successfully logs on to the SSO provider, but the special error page is displayed.

Likely cause—This message indicates that all parts of the ADFS authentication were proper and successful, but the user who logged into the system is not a user that exists on the System > Logins > Users tab. Normally, no user is permitted access to the system unless the user exists on the System > Logins > Users tab and has a valid access level (such as admin or user) assigned. This adds extra security to the system by giving the BMC Defender Server administrator total control over who has access to the server data.

When the user logs off the BMC Defender Server and then clicks the Sign In Via SSO link, the user is logged back onto the system without any username or password being supplied.

Description—This occurs only if Logon Screen Type is set to Normal / Link to SSO Provider on the System > Logins > SSO tab.

Likely cause—This is normal behavior. The SSO provider logs the user back onto the system. The SSO authentication server grants access to the BMC Defender Server for a limited time (typically one hour), and that authentication remains in effect until the end user explicitly logs off the SSO provider. The BMC Defender Server administrator can change this behavior on the System > Logins > SSO tab by setting the value of Logon Screen Type to Auto-Redirect to SSO Provider.

The SSO interface is not working and there is no way to log in to the BMC Defender Server to fix the issue.

Description—This can occur only if the Auto-Redirect to SSO Provider logon screen type is configured on the System > Logins > SSO tab.

Likely cause—Because the user is automatically redirected to the SSO server, it can be difficult to reach any part of the BMC Defender Server if the SSO provider is incorrectly configured or fails. The user can always access the local login interface using the following special URL:

https://(bmcdefenderserver)/s-cgi/web.exe?local-login

Important

One way to disable the ADFS system is to physically edit, rename, or remove the config/adfs.cnf file on the system, which effectively disables the SSO function. This requires physical access to the BMC Defender Server and provides one way to regain access to a system that is otherwise locked out by an SSO failure.


For assistance on any error message or errors not included in the above list, contact BMC Support.
