This documentation supports the 22.1 version of BMC Helix Single Sign-On, which is available only to BMC Helix customers (SaaS). 


Troubleshooting login and logout issues

This topic provides troubleshooting information about login and logout issues that are associated with a URL redirect and normal identity provider (IdP) behavior.

Issue / Description / Workaround

Automatic IdP login after session ends

With SAML 2.0 authentication, an automatic login can occur after the end user has terminated their single sign-on session. This behavior gives the impression that the user was not logged out.

In SAML 2.0, the IdP caches authentication information within the browser. This information allows the IdP to automatically reauthenticate a user without the user re-entering their credentials. So, when a user logs out of a SAML 2.0 system, a browser refresh can automatically log the user back in to the system.

For example, a user has two browser windows (or tabs) open—one with Remedy Mid Tier and the other with BMC Helix Digital Workplace. If the user logs out of both Remedy Mid Tier and BMC Helix Digital Workplace, the single sign-on session is terminated. If the user just closes the window of BMC Remedy Mid Tier, accesses the BMC Helix Digital Workplace window, and refreshes the browser, then the browser performs the action as though the user is still logged in to the system. A new single sign-on session was created automatically for the user (due to the auto-login of the IdP).

To ensure that the user is permanently logged out, close all browser windows and tabs.


Tomcat 7 and Java 8 incompatibility


During login, if the end user encounters the following error, there might be a Tomcat 7 and Java 8 incompatibility issue:

The type java.util.Map$Entry cannot be resolved.

Some older Tomcat 7 versions (7.0.33 or earlier) use the old ecj.jar, which causes issues when compiling code on Java 8.

Use Java Runtime Environment (JRE) 7 for Tomcat 7, or use Tomcat 7.0.50 and later.

Redirection loop when logging in through BMC Helix SSO

If BMC Helix SSO is configured for SAML authentication and the end user is accessing a BMC application for the first time, the end user might encounter a redirection loop error.

Complete the following steps until you resolve the error.

  1. Confirm that the user accesses the application URL by using the fully qualified host name, and make sure that the application host name is in the domain that is specified in the BMC Helix SSO Admin Console (General > Basic > Cookie Domain).
  2. Check whether the host part of the application URL is one of the following three cases:
        • IP address (for example, http://127.0.0.1/arsys).
        • A host name without any domain name (for example, http://midtier:8080/arsys).
        • A host name in a different domain from the one configured in the Admin UI (for example, in the Admin UI, the cookie domain is onbmc.com, but the application URL is http://midtier.bmc.com:8080/arsys).

  3. Check whether the BMC Helix SSO server is under HTTPS and the integrated application is under HTTP.
    If so, clear the Enable secure cookie option, or secure the integrated application by HTTPS.


  4. Check the contents of the WEB-INF/classes/rsso-agent.properties file. Ensure that the value of the sso-service-url property is the URL of the BMC Helix SSO server and that it is accessible from the application server node (that is, where the agent is deployed).
    • If the agent communicates with only a single BMC Helix SSO server, ensure that the value is simply a URL. In this case, the value cannot be in the format domain:URL.
    • Use curl to test network connectivity from the application server node to the BMC Helix SSO server URL.

  5. Review the BMC Helix SSO agent log file, reproduce the issue, and then look for new log entries, for example: "java.lang.IllegalArgumentException: Argument is a null: 'cookieName'"
    If you see such an entry but have no problem connecting from the application server node to the BMC Helix SSO server URL by using curl, it is probably a proxy issue with Tomcat on the application server node.
  6. Check whether any proxy is enabled on Tomcat for outgoing network connections.
    1. Check tomcat/bin/setenv.sh or other Tomcat scripts used during startup (for example, catalina.sh or the Tomcat service configuration) for proxy options.
    2. If a proxy is enabled, ensure that the BMC Helix SSO server host name is added to the http.nonProxyHosts configuration.
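
Steps 4 and 6 can be checked with a short script on the application server node. This is an added example, not BMC code: the function names, the sample file contents, and the host names under example.com are constructed, and it assumes JVM options are written as -Dname=value inside a quoted string.

```shell
#!/bin/sh
# Added example, not BMC code. File contents below are constructed samples.

# Print the sso-service-url value from an rsso-agent.properties file.
sso_service_url() {
  sed -n 's/^[[:space:]]*sso-service-url[[:space:]]*[=:][[:space:]]*//p' "$1" | tail -n 1
}

# A single-server agent needs a bare http(s) URL, not a prefixed value.
classify_sso_url() {
  case $1 in
    '') echo missing ;;
    http://*|https://*) echo plain-url ;;
    *) echo not-a-plain-url ;;
  esac
}

# usage: proxy_status STARTUP_SCRIPT SSO_HOST
# Assumes JVM options are written as -Dname=value inside a quoted string.
proxy_status() {
  grep -Eq -e '-Dhttps?\.proxyHost=' "$1" || { echo no-proxy; return 0; }
  list=$(grep -Eo -e '-Dhttp\.nonProxyHosts=[^" ]+' "$1" | tail -n 1)
  list=${list#*=}
  result=proxied
  # The list is |-separated and an entry may use * as a wildcard.
  old_ifs=$IFS; IFS='|'; set -f
  for pattern in $list; do
    case $2 in $pattern) result=bypassed; break ;; esac
  done
  set +f; IFS=$old_ifs
  echo "$result"
}

# Constructed sample files standing in for the agent and Tomcat configuration.
demo_dir=$(mktemp -d)
printf 'sso-service-url=https://sso.example.com/rsso\n' > "$demo_dir/rsso-agent.properties"
cat > "$demo_dir/setenv.sh" <<'EOF'
CATALINA_OPTS="$CATALINA_OPTS -Dhttp.proxyHost=proxy.example.com -Dhttp.proxyPort=3128"
CATALINA_OPTS="$CATALINA_OPTS -Dhttp.nonProxyHosts=localhost|*.internal.example.com"
EOF

url=$(sso_service_url "$demo_dir/rsso-agent.properties")
sso_host=${url#*://}; sso_host=${sso_host%%[:/]*}
echo "sso-service-url: $url ($(classify_sso_url "$url"))"
echo "proxy for $sso_host: $(proxy_status "$demo_dir/setenv.sh" "$sso_host")"
rm -rf "$demo_dir"
```

A result of proxied for the SSO host means agent traffic goes through the proxy, which matches the situation described in step 5.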

The maximum number of simultaneous logins is exceeded

If you are logging in to an application and the following error message is displayed, you have exceeded the number of simultaneous sessions (logins) that are allowed.

Exceeded session quota limit

As a BMC Helix SSO administrator, increase the number of allowed sessions for end users in the Session Quota field. For more information, see Adding and configuring realms.

After end users are successfully authenticated by the identity provider (IdP), the login page appears again

The browser does not recognize the authentication cookie in the following scenarios:

  • You access a resource by using an IP address or a short name.
  • The cookie name and cookie domain are not configured properly.
  • The Enable Secured Cookie setting is enabled on the BMC Helix SSO server, and an integrated application runs on HTTP.

  1. Access resources by using the fully qualified domain name (FQDN).
  2. Configure the cookie name and cookie domain properly.
  3. If an integrated application runs on HTTP, make sure the Enable Secured Cookie setting is disabled.
  4. If an integrated application runs on HTTPS, make sure the Enable Secured Cookie setting is enabled.
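
The cookie conditions listed here, which are the same ones behind steps 1 to 3 of the redirection loop procedure, can be checked mechanically for a given application URL. This is an added example, not BMC code: the function name and result labels are constructed, the midtier.onbmc.com URLs are constructed, and only IPv4 literals are recognized as IP addresses.

```shell
#!/bin/sh
# Added example, not BMC code. Predicts why a browser would not send the SSO
# cookie to an application URL. IPv4 literals only; IPv6 hosts are not handled.
# usage: check_cookie_scope APP_URL COOKIE_DOMAIN SECURE_COOKIE(true|false)
check_cookie_scope() {
  scheme=$(printf '%s' "${1%%://*}" | tr 'A-Z' 'a-z')
  host=${1#*://}; host=${host%%[:/]*}          # strip path and port
  host=$(printf '%s' "$host" | tr 'A-Z' 'a-z')
  domain=$(printf '%s' "${2#.}" | tr 'A-Z' 'a-z')
  case $host in
    *[!0-9.]*) ;;                              # not only digits and dots: a name
    *) echo ip-address; return 0 ;;
  esac
  case $host in
    *.*) ;;
    *) echo short-name; return 0 ;;
  esac
  case $host in
    "$domain"|*."$domain") ;;                  # match on a label boundary
    *) echo domain-mismatch; return 0 ;;
  esac
  if [ "$3" = true ] && [ "$scheme" != https ]; then
    echo secure-cookie-over-http; return 0
  fi
  echo ok
}

# The URLs from the text plus two constructed ones, checked against onbmc.com.
for url in http://127.0.0.1/arsys http://midtier:8080/arsys \
           http://midtier.bmc.com:8080/arsys \
           http://midtier.onbmc.com:8080/arsys https://midtier.onbmc.com/arsys; do
  printf '%-40s %s\n' "$url" "$(check_cookie_scope "$url" onbmc.com true)"
done
```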

User login fails

A user cannot log in to the integrated BMC product when:

  • BMC Helix SSO is configured for the SAML authentication.
  • A webhook is configured as a part of the login flow.

Ensure that the external system is accessible. For more information about webhooks, see Notifying an external service about user authentication by using a webhook.

