Troubleshooting IdP metadata issues

You might encounter the following issues when you import identity provider (IdP) metadata to BMC Helix Single Sign-On.


Issue with the certificate

When you use the BMC Helix SSO server as an IdP, the server must be able to provide metadata to service providers (SPs) that are part of the circle of trust.

The following error usually indicates that the certificates from the IdP are not stored in the truststore of the BMC Helix SSO server hosting the SP:

libCOT:03/03/2011 02:55:51:194 PM CST: Thread[http-18443-6,5,main]
ERROR: COTManager.createCircleOfTrust:
Unable to create configuration of component "LIBCOT" for realm "/BmcRealm".

To check the IdP configuration, go to http(s)://{FQDN}/rsso/getmetadata.jsp?tenantName={realmId}. realmId is the ID of realm (realm name) for which you want to view metadata.

If the BMC Helix SSO server is correctly configured, the server returns an XML document, which is the metadata for the IdP.

XML metadata size is too large

When using SAML 2.0 authentication in BMC Helix SSO, you may encounter an error when using the BMC Helix SSO Admin Console to import the metadata file. The default maximum size for importing the metadata XML file is 32 KB. If you try to import a file that is greater than 32 KB, an error occurs.

Increase the maximum size allowed by adding the init parameter max.request.size for CertServlet in the web.xml file. Assign a value that will allow the size of your metadata file.

Issue with IdP encryption

When using SAML 2.0 authentication with a remote IdP in BMC Helix SSO, you may encounter the following issue:

BMCSSG1771E: Invalid response received from IdP (Failed to decrypt data.)

When you check the details for the failed login on the More Information tab, the following XML message appears:

AES526: xenc:EncryptionMethod Algorithm. 
(For more information on Encyption Algorithms, see

The following error is logged in the BMC Helix SSO server debug log file:

ERROR: FMEncProvider.decrypt: Failed to decrypt key size

The encryption selected by the IdP requires the unlimited strength policy files. Perform the following steps to install these files.

  1. Shut down all BMC Helix SSO integrated products.
  2. Stop BMC Helix SSO.
  3. If you have not done so already, go to and download the archive that contains the unlimited strength policy files.
  4. Extract the contents of the files.
  5. Make a backup copy of the currently installed strong strength policy files.
  6. Copy the unlimited strength policy files into the BMC Helix SSO JVM.
An invalid response error message

When you use SAML 2.0 authentication with a remote IdP in BMC Helix SSO, you might get the following error message:

BMCSSG1771E: Invalid response received from IdP (Invalid Status code in Response).

When you click the Details tab for more information, the following status message appears:

	<samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Responder">
		<samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:NoAuthnContext"/>

You might encounter this issue if the SP specifies the Default Authentication Context as Unspecified and the IdP does not have an authentication mechanism to use for this context.

Change the Default Authentication Context to a selection for which the IdP has an authentication mechanism.

Best practice

We recommend that you use the Default Authentication Context selection of Password.

Issue with Tomcat

When Tomcat is started, the following option causes the X-XSRF-TOKEN header to be missing in requests:

Do not use the option while starting Tomcat.
Was this page helpful? Yes No Submitting... Thank you