×
 
 
  •  
$helper.renderConfluenceMacro('{bmc-global-announcement:$space.key}')

 

This documentation supports the 19.11 version of BMC Remedy Single Sign-On, which is available only to BMC Helix subscribers (SaaS).

To view an earlier version, select the version from the Product version menu.
Remedy Single Sign-On 19.11 Troubleshooting

Troubleshooting login and logout issues


This topic provides troubleshooting information about login and logout issues that are associated with a URL redirect and normal identity provider (IdP) behavior.

Related topics

Troubleshooting

Orientation 

IssueDescriptionWorkaround

Automatic IdP login after session ends

With SAML 2.0 authentication, an automatic login can occur after the end user has terminated their single sign-on session. This behavior gives the impression that the user was not logged out.

In SAML 2.0, the IdP caches authentication information within the browser. This information allows the IdP to automatically reauthenticate a user without the user re-entering their credentials. So, when a user logs out of a SAML 2.0 system, a browser refresh can automatically log the user back in to the system.

For example, a user has two browser windows (or tabs) open—one with Remedy Mid Tier and the other with BMC Digital Workplace. If the user logs out of both Remedy Mid Tier and BMC Digital Workplace, the single sign-on session is terminated. If the user just closes the window of BMC Remedy Mid Tier, accesses the BMC Digital Workplace window, and refreshes the browser, then the browser performs the action as though the user is still logged in to the system. A new single sign-on session was created automatically for the user (due to the auto-login of the IdP).

To ensure that the user is permanently logged out, close all browser windows and tabs.

Tomcat 7 and Java 8 incompatibility

During login, if the end user encounters the error, there might be a Tomcat 7 and Java 8 incompatibility issue:

The type java.util.Map$Entry cannot be resolved.

Some older Tomcat 7 versions (7.0.33 or previous) use the old ecj.jar, which causes issues while compiling codes on Java 8.

Use Java Runtime Environment (JRE) 7 for Tomcat 7, or use Tomcat 7.0.50 and later.

Internet Explorer 8 and earlier does not support the Remedy SSO Admin Console interface

When you access the Remedy SSO Admin Console by using Internet Explorer 8 or earlier, the browser displays a blank page with some Javascript errors. This is because Remedy SSO uses AngularJS, which does not support Internet Explorer 8 and earlier versions.

Open Remedy SSO by using Internet Explorer 9 or later, or use other browsers such as Chrome or Firefox.

Redirection loop when logging in through Remedy SSO

If Remedy SSO is configured for SAML authentication and the end user is accessing a BMC application for the first time, the end user might encounter a redirection loop error.

Complete the following steps until you resolve the error.

  1. Confirm whether the user accesses the application URL by using the full qualified host name, and make sure that the application hostname is in the domain name which is specified in the Remedy SSO Admin Console (General > Basic > Cookie Domain).

    Check the following three instances of the application URL host part:
      • IP address (for example, http://127.0.0.1/arsys).
      • A host name without any domain name (for example, http://midtier:8080/arsys).
      • A host name in a different domain name from the one configured in the Admin UI (for example, in the Admin UI, the cookie domain is onbmc.com, but the application URL is http://midtier.bmc.com:8080/arsys.

  2. Check the contents of WEB-INF/classes/rsso-agent.properties file. Ensure that the value of the sso-service-url property is the URL of the Remedy SSO server and whether it is accessible from the application server node (that is, where agent is deployed).

    • If agent communicates with only a single Remedy SSO server, ensure that the value is simply a URL. In this case, the value cannot be in the format domain:URL.
    • Use curl to test network connectivity from application server node to the Remedy SSO server URL.

  3. Review the Remedy SSO agent log file, reproduce the issue, and then look for new logs, for example:

    "java.lang.IllegalArgumentException:
    Argument is a null: 'cookieName'"

    If you see such a log but have no problem in connecting from the application server node to the Remedy SSO server URL using curl, it is probably a proxy issue of Tomcat on application server node.

  4. Check if any proxy is enabled on tomcat for outgoing network connection.

    1. Check tomcat/bin/setenv.sh or other tomcat scripts used during startup (for example, catalina.sh or tomcat service configuration) for proxy options.

    2. If proxy is enabled, ensure that the Remedy SSO server host name is added to the http.nonProxyHosts configuration.

  5. Check if the Remedy SSO server is under HTTPS and the integrated application is under HTTP.

    Then, clear the Enable secure cookie option, or secure the integrated application by HTTPS.

The maximum number of simultaneous logins is exceeded

If you are logging in to an application and if the following error message displayed, you have exceeded the number of simultaneous session (logins) that are allowed.

Exceeded session quota limit

As a Remedy SSO administrator, increase the number of allowed sessions for end users in the Session Quota field. For more information, see Adding and configuring realms.

After end users are successfully authenticated by the identity provider (IdP), the login page appears again

The browser does not recognize the authentication cookie in the following scenarios:

  • You access a resource by using an IP address or a short name.
  • The cookie name and cookie domain are not configured properly.
  • The Enable Secured Cookie setting is enabled on the Remedy SSO server, and an integrated application runs on HTTP.
  1. Access resources by using the fully qualified domain name (FQDN).
  2. Configure the cookie name and cookie domain properly.
  3. If an integrated application runs on HTTP, make sure the Enable Secured Cookie setting is disabled.
  4. If an integrated application runs on HTTPS, make sure the Enable Secured Cookie setting is enabled.


Was this page helpful? Yes No Submitting... Thank you
Last modified by Olha Horbachuk on Aug 04, 2020
service_pack_3 troubleshooting

Comments

Log in or register to comment.

Troubleshooting IdP metadata issues
Support information
© Copyright 1991 – 2019 BMC Software, Inc.
© Copyright 1991 – 2019 BladeLogic, Inc.
Legal notices

Powered by Atlassian Confluence and Scroll Viewport

© Copyright 2005-2024 BMC Software, Inc. Use of this site signifies your acceptance of BMC’s Terms of Use . BMC, the BMC logo, and other BMC marks are assets of BMC Software, Inc. These trademarks are registered and may be registered in the U.S. and in other countries.