This documentation supports the 19.02 version of Remedy Single Sign-On.

Troubleshooting log on and log off issues

Log on and log off issues that are associated with a URL redirect and normal Identity Provider (IdP) behavior can occur (or appear to occur).

Automatic IdP logon behavior

With SAMLv2 authentication, an automatic logon can occur after the end user has terminated their single sign-on session. This behavior gives the impression that the user was not logged out.

In SAMLv2 configurations, the IdP caches authentication information within the browser. This information allows the IdP to automatically reauthenticate a user without the user re-entering their credentials.

The effect is that when a user logs off of a SAMLv2 system, a browser refresh can automatically log the user back on to the system.

For example, a user has two browser windows (or tabs) open; one with BMC Remedy Mid Tier and the other with BMC Digital Workplace. If the user logs off from both BMC Remedy Mid Tier and BMC Digital Workplace, the single sign-on session is terminated. If the user just closes the window of BMC Remedy Mid Tier, accesses the BMC Digital Workplace window, and refreshes the browser, then the browser performs the action as though the user is still logged on to the system. What transpired was that a new single sign-on session was created automatically for the user (due to the auto-logon of the IdP).

Workaround: For this type of system, to ensure that the user is permanently logged off, close all browser windows and tabs.

Tomcat 7 and Java 8 incompatibility issue

During log on, if the end user encounters the error "The type java.util.Map$Entry cannot be resolved", there is a Tomcat 7 and Java 8 incompatibility issue. Some older Tomcat 7 versions (7.0.33 or previous) use the old ecj.jar, which causes issues while compiling code on Java 8.

Workaround: Use Java Runtime Environment (JRE) 7 for Tomcat 7, or use Tomcat 7.0.50 and later.

Internet Explorer 8 or earlier does not support Remedy Single Sign-On Admin Console interface

When you access the Remedy SSO Admin Console by using Internet Explorer 8 or earlier, the browser displays a blank page with some JavaScript errors. This is because Remedy SSO uses AngularJS, which does not support IE8 or previous IE versions.

Workaround: Open Remedy SSO by using Internet Explorer 9 or later, or use other browsers such as Chrome or Firefox.

Redirection loop on Remedy SSO log on

If Remedy SSO is configured for SAML authentication and the end user is accessing a BMC application for the first time, the end user might encounter a redirection loop error.

Workaround: The following table provides the steps for resolving the error.

Task 1

Step: Check the following three instances of the application URL host part.

Instruction: Confirm that the user accesses the application URL by using the fully qualified hostname, and make sure that the application hostname is in the domain name that is specified in the Remedy SSO Admin Console (General > Basic > Cookie Domain).

If the step does not resolve the error, go to the next step.

Task 2

Step: Check the contents of the WEB-INF/classes/rsso-agent.properties file.

Instruction: Ensure that the value of the 'sso-service-url' property is the URL of the Remedy SSO server and that it is accessible from the application server node (that is, where the agent is deployed).

  • If the agent communicates with only a single Remedy SSO server, ensure that the value is simply a URL. In this case, the value can NOT be in the format <domain>:<URL>.
  • You can use curl to test network connectivity from the application server node to the Remedy SSO server URL.

If the step does not resolve the error, go to the next step.

Task 3

Step: Look into the Remedy SSO agent log file, reproduce the issue, and check whether you see some new logs. For example:

"java.lang.IllegalArgumentException: 
Argument is a null: 'cookieName'"

Instruction: If you see such a log but have no problem in connecting from the application server node to the Remedy SSO server URL by using curl, it is probably a proxy issue of Tomcat on the application server node.

Go to the next step.

Task 4

Step: Check if any proxy is enabled on Tomcat for outgoing network connections.

Instruction:
  1. Check tomcat/bin/setenv.sh, or other Tomcat scripts used during startup (for example, catalina.sh), or the Tomcat service configuration for proxy options.

  2. If a proxy is enabled, ensure that the Remedy SSO server hostname is added to the http.nonProxyHosts configuration.

Task 5

Step: Check if the Remedy SSO server is under https and the integrated application is under http.

Instruction: Clear the "Enable secure cookie" option or secure the integrated application by https.
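
The checks in tasks 1, 2, 4 and 5 above can be run together before reproducing the loop. The following is an added example, not BMC code: the function names and the corp.example hosts are hypothetical, the Cookie Domain and "Enable secure cookie" values are assumed to be copied by hand from the Admin Console, and the agent is assumed to talk to a single Remedy SSO server.

```python
import re
from fnmatch import fnmatchcase
from urllib.parse import urlsplit

def parse_properties(text):
    """Read key=value lines of a .properties file; '#' and '!' start comments."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if line and line[0] not in "#!" and "=" in line:
            key, _, value = line.partition("=")
            props[key.strip()] = value.strip()
    return props

def jvm_proxy_options(script_text):
    """Collect -Dhttp(s).proxyHost and -Dhttp.nonProxyHosts from uncommented lines."""
    live = "\n".join(l for l in script_text.splitlines() if not l.lstrip().startswith("#"))
    return dict(re.findall(r"-D(https?\.proxyHost|http\.nonProxyHosts)=[\"']?([^\s\"']+)", live))

def redirect_loop_findings(app_url, cookie_domain, secure_cookie, agent_props, setenv_text):
    """Return one finding per failed check; an empty list means all checks passed."""
    findings = []
    app = urlsplit(app_url)
    host = (app.hostname or "").lower()
    domain = cookie_domain.lower().lstrip(".")
    if "." not in host:  # task 1: a short host name cannot match the cookie domain
        findings.append("step 1: application URL does not use a fully qualified hostname")
    elif host != domain and not host.endswith("." + domain):
        findings.append("step 1: application host is outside the cookie domain")
    sso = urlsplit(agent_props.get("sso-service-url", ""))
    if sso.scheme not in ("http", "https") or not sso.hostname:  # task 2
        findings.append("step 2: sso-service-url is not a plain URL")
        return findings  # the later checks need a parsed Remedy SSO host
    jvm = jvm_proxy_options(setenv_text)  # task 4
    proxied = "http.proxyHost" in jvm or "https.proxyHost" in jvm
    bypass = jvm.get("http.nonProxyHosts", "").lower().split("|")
    if proxied and not any(fnmatchcase(sso.hostname, p) for p in bypass):
        findings.append("step 4: proxy is enabled but the Remedy SSO host is not in http.nonProxyHosts")
    if secure_cookie and sso.scheme == "https" and app.scheme == "http":  # task 5
        findings.append("step 5: secure cookie is enabled but the application is served over http")
    return findings

# Constructed sample inputs (hypothetical hosts, not from the product documentation).
AGENT_PROPS = parse_properties("# agent config\nsso-service-url=https://rsso.corp.example:8443/rsso\n")
SETENV = 'CATALINA_OPTS="$CATALINA_OPTS -Dhttp.proxyHost=proxy.corp.example -Dhttp.nonProxyHosts=localhost|127.0.0.1"'

if __name__ == "__main__":
    for finding in redirect_loop_findings("http://midtier/arsys", "corp.example", True, AGENT_PROPS, SETENV):
        print(finding)
```

Task 3 (reading the agent log) is not covered; a value in the <domain>:<URL> format is reported under step 2 because of the single-server assumption.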

Exceeding the maximum number of simultaneous logins

If the following error message is displayed when you log in to an application, you have exceeded the number of simultaneous sessions (logins) that are allowed.

Exceeded session quota limit

As a Remedy SSO administrator, increase the number of allowed sessions for end users in the Session Quota field. For more information, see Configuring realms.
