This documentation supports the 22.1 version of BMC Helix Single Sign-On, which is available only to BMC Helix customers (SaaS). 

Troubleshooting IdP metadata issues

You might encounter the following issues when you import identity provider (IdP) metadata to BMC Helix Single Sign-On.

For each issue, the description is followed by the workaround.

Issue with the certificate

When you use the BMC Helix SSO server as an IdP, the server must be able to provide metadata to service providers (SPs) that are part of the circle of trust.

The following error usually indicates that the certificates from the IdP are not stored in the truststore of the BMC Helix SSO server hosting the SP:

libCOT:03/03/2011 02:55:51:194 PM CST: Thread[http-18443-6,5,main]
ERROR: COTManager.createCircleOfTrust:
com.sun.identity.plugin.configuration.ConfigurationException: 
Unable to create configuration of component "LIBCOT" for realm "/BmcRealm".

To check the IdP configuration, go to http(s)://{FQDN}/rsso/getmetadata.jsp?tenantName={realmId}, where realmId is the ID (realm name) of the realm whose metadata you want to view.

If the BMC Helix SSO server is correctly configured, the server returns an XML document, which is the metadata for the IdP.

XML metadata size is too large

When you use SAML 2.0 authentication in BMC Helix SSO, importing the metadata file through the BMC Helix SSO Admin Console can fail. The default maximum size for the imported metadata XML file is 32 KB; importing a file larger than 32 KB causes an error.

Increase the maximum size allowed by adding the init parameter max.request.size for CertServlet in the web.xml file. Assign a value large enough for your metadata file.
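The two checks above (are the IdP's certificates in the SP server's truststore, and does the metadata fit under the 32 KB import limit) can both be run before the import. The following Python script is an added example, not BMC code: it reads any SAML 2.0 EntityDescriptor (such as the XML returned by getmetadata.jsp), fingerprints every X509Certificate in the IdP's KeyDescriptors, and reports the ones absent from a truststore listing. The truststore is assumed to be supplied as SHA-256 fingerprints of the kind `keytool -list -v` prints (the script does not read JKS files itself); the sample metadata and certificate bytes are constructed.

```python
"""Pre-import checks for IdP metadata (added example, not BMC code).

Assumptions: the metadata is a standard SAML 2.0 EntityDescriptor, and the
truststore contents are given as a list of SHA-256 certificate fingerprints
(with or without colons), for example copied from `keytool -list -v`.
"""
import base64
import hashlib
import xml.etree.ElementTree as ET

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"
DS_NS = "http://www.w3.org/2000/09/xmldsig#"
MAX_IMPORT_BYTES = 32 * 1024  # default limit quoted on this page (max.request.size)


def _normalize(fingerprint):
    """Accept 'AB:CD:..' or 'abcd..' and return bare upper-case hex."""
    return fingerprint.replace(":", "").upper()


def _colonize(hexdigest):
    """Render a hex digest as the colon-separated form keytool prints."""
    return ":".join(hexdigest[i:i + 2] for i in range(0, len(hexdigest), 2))


def idp_certificates(metadata_xml):
    """Return (use, SHA-256 fingerprint) for each X509Certificate in the KeyDescriptors.

    A KeyDescriptor without a 'use' attribute serves both signing and encryption.
    """
    root = ET.fromstring(metadata_xml)
    found = []
    for kd in root.iter("{%s}KeyDescriptor" % MD_NS):
        use = kd.get("use", "signing+encryption")
        for cert in kd.iter("{%s}X509Certificate" % DS_NS):
            # Whitespace inside the element is legal base64 layout; strip it first.
            der = base64.b64decode("".join((cert.text or "").split()))
            found.append((use, _colonize(hashlib.sha256(der).hexdigest().upper())))
    return found


def missing_from_truststore(metadata_xml, truststore_fingerprints):
    """Certificates the IdP publishes that the truststore listing does not contain."""
    trusted = {_normalize(f) for f in truststore_fingerprints}
    return [(use, fp) for use, fp in idp_certificates(metadata_xml)
            if _normalize(fp) not in trusted]


def exceeds_import_limit(metadata_xml, limit=MAX_IMPORT_BYTES):
    """Return (too_large, size_in_bytes) for the metadata as it would be uploaded."""
    size = len(metadata_xml.encode("utf-8"))
    return size > limit, size


# Constructed sample: not a real certificate, just bytes to fingerprint.
SAMPLE_CERT_B64 = base64.b64encode(b"constructed-not-a-real-certificate-der").decode()
SAMPLE_METADATA = (
    '<md:EntityDescriptor xmlns:md="%s" entityID="https://idp.example.test/saml">'
    '<md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">'
    '<md:KeyDescriptor use="signing"><ds:KeyInfo xmlns:ds="%s"><ds:X509Data>'
    '<ds:X509Certificate>%s</ds:X509Certificate>'
    '</ds:X509Data></ds:KeyInfo></md:KeyDescriptor>'
    '</md:IDPSSODescriptor></md:EntityDescriptor>' % (MD_NS, DS_NS, SAMPLE_CERT_B64)
)

if __name__ == "__main__":
    too_large, size = exceeds_import_limit(SAMPLE_METADATA)
    verdict = "too large, raise max.request.size" if too_large else "ok"
    print("metadata size: %d bytes (limit %d) -> %s" % (size, MAX_IMPORT_BYTES, verdict))
    # With an empty truststore listing every IdP certificate is reported as missing.
    for use, fp in missing_from_truststore(SAMPLE_METADATA, []):
        print("not in truststore (%s): %s" % (use, fp))
```

Run it against the real metadata by reading the file into `metadata_xml` and pasting the truststore's SHA-256 fingerprints into the list; any certificate it reports as missing is one the SP server cannot trust, which is the condition behind the LIBCOT error above.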

Issue with IdP encryption

When using SAML 2.0 authentication with a remote IdP in BMC Helix SSO, you may encounter the following issue:

BMCSSG1771E: Invalid response received from IdP (Failed to decrypt data.)

When you check the details for the failed login on the More Information tab, the following XML message appears:

AES526: xenc:EncryptionMethod Algorithm. 
(For more information on Encyption Algorithms, see http://www.w3.org/2001/04/xmlenc#aes256-cbc)

The following error is logged in the BMC Helix SSO server debug log file:

ERROR: FMEncProvider.decrypt: Failed to decrypt data.com.sun.org.apache.xml.internal.security.encryption.XMLEncryptionException:Illegal key size

The encryption algorithm selected by the IdP uses a key size that is permitted only by the unlimited strength policy files. Perform the following steps to install these files.

  1. Shut down all BMC Helix SSO integrated products.
  2. Stop BMC Helix SSO.
  3. If you have not done so already, go to http://java.sun.com/javase/downloads/index.jsp and download the archive that contains the unlimited strength policy files.
  4. Extract the contents of the files.
  5. Make a backup copy of the currently installed strong strength policy files.
  6. Copy the unlimited strength policy files into the BMC Helix SSO JVM.

An invalid response error message

When you use SAML 2.0 authentication with a remote IdP in BMC Helix SSO, you might get the following error message:

BMCSSG1771E: Invalid response received from IdP (Invalid Status code in Response).

When you click the Details tab for more information, the following status message appears:

<samlp:Status>
	<samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Responder">
		<samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:NoAuthnContext"/>
	</samlp:StatusCode>
</samlp:Status>

You might encounter this issue if the SP specifies the Default Authentication Context as Unspecified and the IdP does not have an authentication mechanism to use for this context.

Change the Default Authentication Context to a selection for which the IdP has an authentication mechanism.

Best practice

We recommend that you use the Default Authentication Context selection of Password.
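Both the decryption failure and the NoAuthnContext status above surface as the same BMCSSG1771E message, so it helps to read the captured SAML Response before digging through the server debug log. The following Python script is an added example, not BMC code: it walks the nested samlp:StatusCode chain (as shown on the Details tab) and lists the xenc:EncryptionMethod algorithms in the response, then says which of the two failures it matches. The sample responses are constructed, and the algorithm-to-key-size table covers only the AES identifiers from the W3C XML Encryption specifications.

```python
"""Triage a failed SAML 2.0 Response (added example, not BMC code).

Tells apart the two BMCSSG1771E causes described on this page: an IdP status
of NoAuthnContext, and an encrypted assertion whose algorithm needs a key
size the SP's JVM policy does not allow. Sample responses are constructed.
"""
import xml.etree.ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
XENC = "http://www.w3.org/2001/04/xmlenc#"
XENC11 = "http://www.w3.org/2009/xmlenc11#"
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"

# Key sizes implied by the AES data-encryption algorithm URIs. Key-transport
# algorithms (for example rsa-oaep-mgf1p) are deliberately not listed.
AES_KEY_BITS = {
    XENC + "aes128-cbc": 128,
    XENC + "aes192-cbc": 192,
    XENC + "aes256-cbc": 256,
    XENC11 + "aes128-gcm": 128,
    XENC11 + "aes192-gcm": 192,
    XENC11 + "aes256-gcm": 256,
}


def status_chain(response_xml):
    """Return the StatusCode values from the outermost to the innermost."""
    root = ET.fromstring(response_xml)
    chain = []
    node = root.find("{%s}Status/{%s}StatusCode" % (SAMLP, SAMLP))
    while node is not None:
        chain.append(node.get("Value"))
        node = node.find("{%s}StatusCode" % SAMLP)  # nested, more specific code
    return chain


def encryption_algorithms(response_xml):
    """Every xenc:EncryptionMethod Algorithm in the response, in document order."""
    root = ET.fromstring(response_xml)
    return [m.get("Algorithm") for m in root.iter("{%s}EncryptionMethod" % XENC)]


def diagnose(response_xml):
    """Map a response to one of: no-authn-context, idp-error, needs-unlimited-strength-policy, ok."""
    chain = status_chain(response_xml)
    if chain and chain[0] != SUCCESS:
        if chain[-1].endswith(":NoAuthnContext"):
            return "no-authn-context"
        return "idp-error"
    # The limited (strong) policy caps symmetric keys at 128 bits.
    strong = [a for a in encryption_algorithms(response_xml) if AES_KEY_BITS.get(a, 0) > 128]
    if strong:
        return "needs-unlimited-strength-policy"
    return "ok"


# Constructed sample 1: the status shown on the Details tab above.
NOAUTHN_RESPONSE = (
    '<samlp:Response xmlns:samlp="%s" ID="_c1" Version="2.0"><samlp:Status>'
    '<samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Responder">'
    '<samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:NoAuthnContext"/>'
    '</samlp:StatusCode></samlp:Status></samlp:Response>' % SAMLP
)

# Constructed sample 2: a successful status but an AES-256-CBC encrypted assertion.
ENCRYPTED_RESPONSE = (
    '<samlp:Response xmlns:samlp="%s" xmlns:saml="%s" ID="_c2" Version="2.0">'
    '<samlp:Status><samlp:StatusCode Value="%s"/></samlp:Status>'
    '<saml:EncryptedAssertion><xenc:EncryptedData xmlns:xenc="%s" Type="%sElement">'
    '<xenc:EncryptionMethod Algorithm="%saes256-cbc"/>'
    '<ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><xenc:EncryptedKey>'
    '<xenc:EncryptionMethod Algorithm="%srsa-oaep-mgf1p"/>'
    '</xenc:EncryptedKey></ds:KeyInfo>'
    '<xenc:CipherData><xenc:CipherValue>Y29uc3RydWN0ZWQ=</xenc:CipherValue></xenc:CipherData>'
    '</xenc:EncryptedData></saml:EncryptedAssertion></samlp:Response>'
    % (SAMLP, SAML, SUCCESS, XENC, XENC, XENC, XENC)
)

if __name__ == "__main__":
    for name, xml in (("NoAuthnContext", NOAUTHN_RESPONSE), ("AES-256", ENCRYPTED_RESPONSE)):
        print(name, status_chain(xml), encryption_algorithms(xml), "->", diagnose(xml))
```

The script only reports which data-encryption algorithm the IdP chose; whether the SP's JVM can use it depends on the policy in effect. On JDK 8u161 and later, and on JDK 9 and later, the unlimited policy is enabled by default, so on such a JVM an "Illegal key size" error points at the crypto.policy security property having been set to limited rather than at missing policy files.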

Issue with Tomcat

If Tomcat is started with the following option, the X-XSRF-TOKEN header is missing from requests:

-Dorg.apache.catalina.STRICT_SERVLET_COMPLIANCE=true

Do not use this option when starting Tomcat.