Troubleshooting IdP metadata issues
You might encounter the following issues when you import identity provider (IdP) metadata into Remedy Single Sign-On (Remedy SSO).
Issue with the certificate
When you use the Remedy SSO server as an IdP, the server must be able to provide metadata to service providers (SPs) that are part of the circle of trust.
The following error usually indicates that the certificates from the IdP are not stored in the truststore of the Remedy SSO server hosting the SP:
Go to https://sample.bmc.com:8443/atriumsso/saml2/jsp/exportmetadata.jsp to check the configuration of the IdP.
If the Remedy SSO server is correctly configured, the server returns an XML document, which is the metadata for the IdP.
XML metadata size is too large
When you use SAML 2.0 authentication in Remedy SSO, importing the metadata file from the Remedy SSO Admin Console can fail. The default maximum size of a metadata XML file that can be imported is 32 KB; importing a file larger than 32 KB produces an error.
Increase the maximum size by adding the init parameter max.request.size for CertServlet in the web.xml file. Assign a value large enough for your metadata file.
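The two checks above (IdP signing certificates present in the SP-side truststore, and the metadata file under the 32 KB import limit) can be run before an import. The following is an added example, not code from the BMC documentation or product; it assumes the truststore contents are supplied as SHA-256 certificate fingerprints in the colon-separated form printed by `keytool -list -v`, and it uses a constructed metadata sample with a dummy certificate blob.

```python
# Preflight checks for IdP metadata before importing it into Remedy SSO (added example).
# Assumption: truststore contents are supplied as SHA-256 cert fingerprints, as listed
# by `keytool -list -v`; the page's 32 KB import limit is taken as 32 * 1024 bytes.
import base64
import hashlib
import xml.etree.ElementTree as ET

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"
DS_NS = "http://www.w3.org/2000/09/xmldsig#"
MAX_IMPORT_BYTES = 32 * 1024

def signing_cert_fingerprints(metadata_xml: bytes) -> list[str]:
    """Return SHA-256 fingerprints (AA:BB:...) of every IdP signing certificate."""
    root = ET.fromstring(metadata_xml)
    fps = []
    for kd in root.iter(f"{{{MD_NS}}}KeyDescriptor"):
        if kd.get("use", "signing") != "signing":  # no 'use' attribute means both uses
            continue
        for cert in kd.iter(f"{{{DS_NS}}}X509Certificate"):
            der = base64.b64decode("".join((cert.text or "").split()))
            digest = hashlib.sha256(der).hexdigest().upper()
            fps.append(":".join(digest[i:i + 2] for i in range(0, len(digest), 2)))
    return fps

def preflight(metadata_xml: bytes, trusted_fingerprints: set[str]) -> dict:
    """Report the conditions that would make the import or the SSO login fail."""
    findings = {"oversized": len(metadata_xml) > MAX_IMPORT_BYTES, "untrusted_certs": []}
    for fp in signing_cert_fingerprints(metadata_xml):
        if fp not in trusted_fingerprints:
            findings["untrusted_certs"].append(fp)
    return findings

# Constructed sample metadata; the X509Certificate content is a dummy base64 blob, not a real cert.
SAMPLE_METADATA = b"""<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://idp.example.test/saml2">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor use="signing">
      <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:X509Data><ds:X509Certificate>QUJDREVGR0g=</ds:X509Certificate></ds:X509Data>
      </ds:KeyInfo>
    </KeyDescriptor>
  </IDPSSODescriptor>
</EntityDescriptor>"""

if __name__ == "__main__":
    # With an empty truststore listing, the sample cert is reported as untrusted.
    print(preflight(SAMPLE_METADATA, trusted_fingerprints=set()))
```

Any fingerprint listed under untrusted_certs must be added to the truststore of the Remedy SSO server hosting the SP before the import is attempted.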
Issue with IdP encryption
When using SAML 2.0 authentication with a remote IdP in Remedy SSO, you may encounter the following issue:
When you check the details for the failed login on the More Information tab, the following XML message appears:
The following error is logged in the Remedy SSO server debug log file:
The encryption selected by the IdP requires the unlimited strength policy files. Perform the following steps to install these files.
An invalid response error message
When you use SAML 2.0 authentication with a remote IdP in Remedy SSO, you might get the following error message:
You might encounter this issue if the SP specifies the Default Authentication Context as Unspecified and the IdP does not have an authentication mechanism to use for this context.
Change the Default Authentication Context to a selection for which the IdP has an authentication mechanism.
We recommend that you use the Default Authentication Context selection of Password.
Issue with Tomcat
When Tomcat is started, the following option causes the X-XSRF-TOKEN header to be missing in requests:
Do not use the option while starting Tomcat.