Troubleshooting IdP metadata issues
You might encounter the following issues when you import IdP metadata to Remedy Single Sign-On.
When you use the Remedy SSO server as an Identity Provider (IdP), the server needs to be able to provide metadata to Service Providers (SP) that are part of the Circle of Trust.
You can check the configuration of the IdP by using the following URL in a browser:
If the Remedy SSO server is correctly configured, the server returns an XML document which is the metadata for the IdP.
libCOT:03/03/2011 02:55:51:194 PM CST: Thread[http-18443-6,5,main] ERROR: COTManager.createCircleOfTrust: com.sun.identity.plugin.configuration.ConfigurationException: Unable to create configuration of component "LIBCOT" for realm "/BmcRealm".
This error usually indicates that the certificates from the IdP are not stored in the truststore of the Remedy SSO server hosting the SP.
XML Metadata size issue
When using SAML 2.0 authentication in Remedy SSO, you may encounter this issue when trying to import the metadata file on Remedy SSO Admin Console.
The default maximum size for importing the metadata XML file is 32 KB. If you try to import the file which is greater than 32 KB, an error occurs.
You can increase the maximum size by adding the init-parameter max.request.size for CertServlet in web.xml file and assign a value as per your metadata file size.
IdP encryption issue
When using SAML 2.0 authentication with remote Identity Provider (IdP) in Remedy SSO, you may encounter the following issue:
BMCSSG1771E: Invalid response received from IdP (Failed to decrypt data.)
When you check the details for failed login in the More Information tab, the following XML message is displayed:
AES526: xenc:EncryptionMethod Algorithm. (For more information on Encyption Algorithms, see http://www.w3.org/2001/04/xmlenc#aes256-cbc)
The following error is logged in the Remedy SSO server debug log file.
ERROR: FMEncProvider.decrypt: Failed to decrypt data.com.sun.org.apache.xml.internal.security.encryption.XMLEncryptionException:Illegal key size
The encryption selected by the Identity Provider (IdP) requires the unlimited strength policy files to be installed. Perform the following steps to install the unlimited strength policy files.
- Shut down all Remedy SSO integrated products.
- Stop Remedy SSO.
- If you have not done so already, download the archive that contains the unlimited strength policy files from the following URL: http://java.sun.com/javase/downloads/index.jsp.
- Extract the contents of the files.
- Make a backup copy of the currently installed strong strength policy files.
- Copy the unlimited strength policy files into the Remedy SSO JVM.
Invalid response issue
When you use SAML 2.0 authentication with remote IdP in Remedy SSO, you might get the following error message:
BMCSSG1771E: Invalid response received from IdP (Invalid Status code in Response).
When you click the Details tab for more information, the following status message appears:
<samlp:Status> <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Responder"> <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:NoAuthnContext"/> </samlp:StatusCode> </samlp:Status>
You might encounter this issue if the Service Provider (SP) specifies the Default Authentication Context as Unspecified and the IdP does not have an authentication mechanism to use for this context.
Change the Default Authentication Context to a selection for which the IdP has an authentication mechanism.
Do not use the following option while starting Tomcat as it causes X-XSRF-TOKEN header missing in requests: