This documentation supports the 9.1 version of Remedy Single Sign-On.

Troubleshooting IdP metadata issues

You might encounter the following issues when you import identity provider (IdP) metadata to Remedy Single Sign-On.

Each issue below is listed with its description and workaround.

Issue with the certificate

When you use the Remedy SSO server as an IdP, the server must be able to provide metadata to service providers (SPs) that are part of the circle of trust.

The following error usually indicates that the certificates from the IdP are not stored in the truststore of the Remedy SSO server hosting the SP:

libCOT:03/03/2011 02:55:51:194 PM CST: Thread[http-18443-6,5,main]
ERROR: COTManager.createCircleOfTrust:
com.sun.identity.plugin.configuration.ConfigurationException: 
Unable to create configuration of component "LIBCOT" for realm "/BmcRealm".

Go to https://sample.bmc.com:8443/atriumsso/saml2/jsp/exportmetadata.jsp to check the configuration of the IdP.

If the Remedy SSO server is correctly configured, the server returns an XML document, which is the metadata for the IdP.

XML metadata size is too large

When using SAML 2.0 authentication in Remedy SSO, you may encounter an error when using the Remedy SSO Admin Console to import the metadata file. The default maximum size for importing the metadata XML file is 32 KB. If you try to import a file that is greater than 32 KB, an error occurs.

Increase the maximum allowed size by adding the init parameter max.request.size for CertServlet in the web.xml file. Assign a value large enough to accommodate your metadata file.

Issue with IdP encryption

When using SAML 2.0 authentication with a remote IdP in Remedy SSO, you may encounter the following issue:

BMCSSG1771E: Invalid response received from IdP (Failed to decrypt data.)

When you check the details for the failed login on the More Information tab, the following XML message appears:

AES256: xenc:EncryptionMethod Algorithm.
(For more information on encryption algorithms, see http://www.w3.org/2001/04/xmlenc#aes256-cbc)

The following error is logged in the Remedy SSO server debug log file:

ERROR: FMEncProvider.decrypt: Failed to decrypt data.
com.sun.org.apache.xml.internal.security.encryption.XMLEncryptionException: Illegal key size

The encryption selected by the IdP requires the unlimited strength policy files. Perform the following steps to install these files.

  1. Shut down all Remedy SSO integrated products.
  2. Stop Remedy SSO.
  3. If you have not done so already, go to http://java.sun.com/javase/downloads/index.jsp and download the archive that contains the unlimited strength policy files.
  4. Extract the contents of the files.
  5. Make a backup copy of the currently installed strong strength policy files.
  6. Copy the unlimited strength policy files into the Remedy SSO JVM.

An invalid response error message

When you use SAML 2.0 authentication with a remote IdP in Remedy SSO, you might get the following error message:

BMCSSG1771E: Invalid response received from IdP (Invalid Status code in Response).


When you click the Details tab for more information, the following status message appears:

<samlp:Status>
	<samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Responder">
		<samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:NoAuthnContext"/>
	</samlp:StatusCode>
</samlp:Status>

You might encounter this issue if the SP specifies the Default Authentication Context as Unspecified and the IdP does not have an authentication mechanism to use for this context.

Change the Default Authentication Context to a selection for which the IdP has an authentication mechanism.

Best Practice

We recommend that you use the Default Authentication Context selection of Password.
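
A triage helper for the two BMCSSG1771E cases above, as an added example that is not part of the BMC documentation or Remedy SSO: it reads a SAML response, returns the nested status codes, and flags AES algorithms above the 128-bit limit of a JVM that lacks the unlimited strength policy files. The function name `triage`, the key-size table and both sample responses are constructed for illustration.

```python
import xml.etree.ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
XENC = "http://www.w3.org/2001/04/xmlenc#"
# AES key sizes in bits, keyed by the fragment of the XML Encryption algorithm URI.
KEY_BITS = {"aes128-cbc": 128, "aes192-cbc": 192, "aes256-cbc": 256,
            "aes128-gcm": 128, "aes192-gcm": 192, "aes256-gcm": 256}
DEFAULT_POLICY_MAX_BITS = 128  # AES limit of a JVM without the unlimited strength files

# Constructed sample: the status from the error above, wrapped in a Response.
SAMPLE_STATUS = b"""<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol">
 <samlp:Status>
  <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Responder">
   <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:NoAuthnContext"/>
  </samlp:StatusCode>
 </samlp:Status>
</samlp:Response>"""

# Constructed sample: a successful response whose assertion is encrypted with AES-256.
SAMPLE_ENCRYPTED = b"""<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:xenc="http://www.w3.org/2001/04/xmlenc#">
 <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
 <saml:EncryptedAssertion><xenc:EncryptedData>
  <xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes256-cbc"/>
 </xenc:EncryptedData></saml:EncryptedAssertion>
</samlp:Response>"""


def triage(response_xml: bytes) -> dict:
    """Return the StatusCode chain and any AES algorithms above the default JVM limit."""
    # SAML messages never need a DTD; refuse one instead of letting the parser expand entities.
    if b"<!DOCTYPE" in response_xml or b"<!ENTITY" in response_xml:
        raise ValueError("DTD or entity declaration in SAML message")
    root = ET.fromstring(response_xml)
    chain = []
    node = next(root.iter("{%s}StatusCode" % SAMLP), None)  # top-level code
    while node is not None:  # then each nested sub-code
        chain.append(node.get("Value", "").rsplit(":", 1)[-1])
        node = node.find("{%s}StatusCode" % SAMLP)
    oversized = []
    for method in root.iter("{%s}EncryptionMethod" % XENC):
        name = method.get("Algorithm", "").rsplit("#", 1)[-1]
        if KEY_BITS.get(name, 0) > DEFAULT_POLICY_MAX_BITS:
            oversized.append(name)
    return {"status": chain, "needs_unlimited_policy": oversized}


if __name__ == "__main__":
    print(triage(SAMPLE_STATUS), triage(SAMPLE_ENCRYPTED))
```

A non-empty `needs_unlimited_policy` list corresponds to the "Illegal key size" case; a `status` chain ending in `NoAuthnContext` corresponds to the Default Authentication Context mismatch.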

Issue with Tomcat

When Tomcat is started, the following option causes the X-XSRF-TOKEN header to be missing in requests:

-Dorg.apache.catalina.STRICT_SERVLET_COMPLIANCE=true

Do not use this option when starting Tomcat.

