Page tree


 

This documentation supports the 22.3 version of BMC Helix Single Sign-On, which is available only to BMC Helix customers (SaaS). 

To view an earlier version, select the version from the Product version menu.


This topic provides troubleshooting information about login and logout issues that are associated with a URL redirect and normal identity provider (IdP) behavior.

Related topics
IssueDescriptionWorkaround

Automatic IdP login after session ends

With SAML 2.0 authentication, an automatic login can occur after the end user has terminated their single sign-on session. This behavior gives the impression that the user was not logged out.

In SAML 2.0, the IdP caches authentication information within the browser. This information allows the IdP to automatically reauthenticate a user without the user re-entering their credentials. So, when a user logs out of a SAML 2.0 system, a browser refresh can automatically log the user back in to the system.

For example, a user has two browser windows (or tabs) open—one with Remedy Mid Tier and the other with BMC Helix Digital Workplace. If the user logs out of both Remedy Mid Tier and BMC Helix Digital Workplace, the single sign-on session is terminated. If the user just closes the window of BMC Remedy Mid Tier, accesses the BMC Helix Digital Workplace window, and refreshes the browser, then the browser performs the action as though the user is still logged in to the system. A new single sign-on session was created automatically for the user (due to the auto-login of the IdP).

To ensure that the user is permanently logged out, close all browser windows and tabs.



Redirection loop when logging in through BMC Helix SSO

If BMC Helix SSO is configured for SAML authentication and the end user is accessing a BMC application for the first time, the end user might encounter a redirection loop error.

Complete the following steps until you resolve the error.

  1. Confirm whether the user accesses the application URL by using the full qualified host name, and make sure that the application hostname is in the domain name which is specified in the BMC Helix SSOAdmin Console (General > Basic > Cookie Domain).
  2. Check the following three instances of the application URL host part:
        • IP address (for example, http://127.0.0.1/arsys).
        • A host name without any domain name (for example, http://midtier:8080/arsys).
        • A host name in a different domain name from the one configured in the Admin UI (for example, in the Admin UI, the cookie domain is onbmc.com, but the application URL is http://midtier.bmc.com:8080/arsys.

  3. Check if the BMC Helix SSO server is under HTTPS and the integrated application is under HTTP.
    Then, clear the Enable secure cookie option, or secure the integrated application by HTTPS.


The maximum number of simultaneous logins is exceeded

If you are logging in to an application and if the following error message displayed, you have exceeded the number of simultaneous session (logins) that are allowed.

Exceeded session quota limit

As a BMC Helix SSO administrator, increase the number of allowed sessions for end users in the Session Quota field. For more information, see Adding and configuring realms.

After end users are successfully authenticated by the identity provider (IdP), the login page appears again

The browser does not recognize the authentication cookie in the following scenarios:

  • You access a resource by using an IP address or a short name.
  • The cookie name and cookie domain are not configured properly.
  • The Enable Secured Cookie setting is enabled on the BMC Helix SSO server, and an integrated application runs on HTTP.
  1. Access resources by using the fully qualified domain name (FQDN).
  2. Configure the cookie name and cookie domain properly.
  3. If an integrated application runs on HTTP, make sure the Enable Secured Cookie setting is disabled.
  4. If an integrated application runs on HTTPS, make sure the Enable Secured Cookie setting is enabled.


Write a comment...