This documentation supports the 9.0 version of BMC Atrium Single Sign-On, which is in "End of Version Support." However, the documentation is available for your convenience.

AD FS issues


The following are the possible issues with the AD FS server when AD FS is configured as the Identity Provider (IdP). To troubleshoot the integration with BMC Atrium Single Sign-On, view the event logs on the AD FS server. The AD FS event logs that identify the errors are located as follows:

  1. On the AD FS server, open the AD FS 2.0 Management application.
  2. On Event Viewer, navigate to Application and Services Logs and open AD FS 2.0 Admin logs.

Authentication issues

  1. Issue: AD FS IdP is prompting for a password using Kerberos desktop logon.

    When integrating with AD FS, users are prompted for a username and password instead of being logged on automatically using their domain-based logon. You might encounter this issue if the BMC Atrium Single Sign-On administrator has set the Comparison Type value to exact instead of minimum in the Local Service Provider editor in the BMC Atrium SSO Admin Console.

    Resolution: Contact the BMC Atrium Single Sign-On administrator. The BMC Atrium Single Sign-On administrator must set the Comparison Type value to minimum instead of exact in the Local Service Provider editor in the BMC Atrium SSO Admin Console.
  2. Issue: When you use SAMLv2 authentication with remote IdP in BMC Atrium Single Sign-On, you might get the following error message:

    BMCSSG1771E: Invalid response received from IdP (Invalid Status code in Response).

    When you click the Details tab for more information, the following status message appears:

    <samlp:Status>
    <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Responder">
    <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:NoAuthnContext"/>
    </samlp:StatusCode>
    </samlp:Status>

    You might encounter this issue if the Service Provider (SP) specifies the Default Authentication Context as Unspecified and the IdP does not have an authentication mechanism to use for this context.

    Resolution: Change the Default Authentication Context to a selection for which the IdP has an authentication mechanism. BMC recommends that you use Default Authentication Context selection of Password.

  3. Issue: More than one claim based on SamlNameIdentifierClaimResource

    BMC Atrium Single Sign-On login fails with the following error when you have created more than one claim rule in the AD FS Console:

    The Federation Service could not fulfill the token-issuance request. More than one claim based on SamlNameIdentifierClaimResource was produced after the issuance transform rules were applied for relying party 'microsoft:identityserver:atriumsso-sp'. See event 500 with the same Instance ID for claims after application of issuance transform rules.

    User Action 
    Ensure that the issuance transform rules that are configured for the relying party do not result in multiple claims based on SamlNameIdentifierClaimResource.

    Resolution

    Delete the first claim rule that was added while Configuring Party Trusts. For more information about claim rules, see End-to-end-steps-for-configuring-SAMLv2-with-AD-FS.

  4. Issue: Requested Authentication Method is not supported on the STS.

    This error typically occurs because forms authentication is disabled in the intranet zone by default.

    Resolution: Enable forms authentication by following these steps:

    a. Log on to the AD FS server as an administrator.
    b. Open the AD FS management wizard.
    c. Click Authentication Policies > Primary Authentication > Global Settings > Authentication Methods > Edit.
    d. On the Intranet tab, select Form Based Authentication.

  5. Issue: Illegal key size error

    Atrium SSO writes the following exception to the debug.log file during login:

    FMEncProvider.decrypt: Failed to decrypt data.
    com.sun.org.apache.xml.internal.security.encryption.XMLEncryptionException: Illegal key size
    Original Exception was java.security.InvalidKeyException: Illegal key size
        at com.sun.org.apache.xml.internal.security.encryption.XMLCipher.decryptToByteArray(XMLCipher.java:1572)
        at com.sun.org.apache.xml.internal.security.encryption.XMLCipher.decryptElement(XMLCipher.java:1431)

    The exception is raised while decrypting the encrypted assertion sent by the IdP: the default JRE policy files limit symmetric key sizes (for example, AES to 128 bits), so an assertion encrypted with a stronger key cannot be decrypted.

    Resolution:

    Ensure that the Java Cryptography Extension (JCE) Unlimited Strength Jurisdiction Policy files are added to the Java installation that is running the Atrium SSO server (<SSO_HOME>\jdk\jre\lib\security).
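Issues 1 and 2 above both come down to the SAML 2.0 RequestedAuthnContext sent by the SP and the nested StatusCode returned by the IdP. The following helper, added here as an example and not part of BMC Atrium Single Sign-On or its documentation, parses both pieces and reports what they mean in the terms used above. The AuthnRequest and Response documents it works on are constructed for the example; the status-code meanings come from the SAML 2.0 Core specification. The NoAuthnContext response is the same status structure shown under issue 2, wrapped in a Response element with its namespace declared so that a standard XML parser accepts it.

```python
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
STATUS_PREFIX = "urn:oasis:names:tc:SAML:2.0:status:"
AC_PREFIX = "urn:oasis:names:tc:SAML:2.0:ac:classes:"

# Meaning of the nested (second-level) StatusCode values, per SAML 2.0 Core 3.2.2.2.
NESTED_STATUS_HINTS = {
    "NoAuthnContext": "the IdP has no authentication mechanism for the requested "
                      "authentication context; change the SP's Default Authentication "
                      "Context to one the IdP supports (Password is recommended above)",
    "NoPassive": "the IdP could not authenticate without user interaction",
    "AuthnFailed": "the IdP could not authenticate the principal",
    "RequestDenied": "the IdP refused the request",
}

# Constructed samples (not captured from a real AD FS deployment).
AUTHN_REQUEST_TEMPLATE = """<samlp:AuthnRequest
    xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_constructed-request" Version="2.0" IssueInstant="2015-01-01T00:00:00Z">
  <saml:Issuer>https://sso.example.test/atriumsso</saml:Issuer>
  <samlp:RequestedAuthnContext Comparison="{comparison}">
    <saml:AuthnContextClassRef>{class_ref}</saml:AuthnContextClassRef>
  </samlp:RequestedAuthnContext>
</samlp:AuthnRequest>"""

RESPONSE_TEMPLATE = """<samlp:Response
    xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    ID="_constructed-response" Version="2.0" IssueInstant="2015-01-01T00:00:00Z">
  <samlp:Status>{status_codes}</samlp:Status>
</samlp:Response>"""

NO_AUTHN_CONTEXT_RESPONSE = RESPONSE_TEMPLATE.format(status_codes=(
    '<samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Responder">'
    '<samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:NoAuthnContext"/>'
    '</samlp:StatusCode>'))
SUCCESS_RESPONSE = RESPONSE_TEMPLATE.format(
    status_codes='<samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>')


def make_authn_request(comparison, class_ref=AC_PREFIX + "PasswordProtectedTransport"):
    """Build a constructed AuthnRequest with the given Comparison Type and context class."""
    return AUTHN_REQUEST_TEMPLATE.format(comparison=comparison, class_ref=class_ref)


def requested_authn_context(authn_request_xml):
    """Return the Comparison attribute and class references of an AuthnRequest.
    SAML 2.0 Core defines the default Comparison as 'exact' when the attribute is absent."""
    root = ET.fromstring(authn_request_xml)
    rac = root.find("samlp:RequestedAuthnContext", NS)
    if rac is None:
        return {"comparison": None, "classes": []}
    classes = [(c.text or "").strip() for c in rac.findall("saml:AuthnContextClassRef", NS)]
    return {"comparison": rac.get("Comparison", "exact"), "classes": classes}


def parse_status(response_xml):
    """Return the top-level and nested StatusCode values without their URN prefix."""
    root = ET.fromstring(response_xml)
    status = root if root.tag == "{%s}Status" % NS["samlp"] else root.find(".//samlp:Status", NS)
    if status is None:
        raise ValueError("no samlp:Status element in response")
    top = status.find("samlp:StatusCode", NS)
    nested = top.find("samlp:StatusCode", NS) if top is not None else None
    strip = lambda el: None if el is None else el.get("Value", "").replace(STATUS_PREFIX, "")
    return {"top": strip(top), "nested": strip(nested)}


def diagnose(authn_request_xml, response_xml):
    """Explain, in terms of issues 1 and 2 above, what a request/response pair shows."""
    findings = []
    rac = requested_authn_context(authn_request_xml)
    if rac["comparison"] == "exact":
        # With 'exact' the IdP must authenticate with exactly the requested class, so a
        # Kerberos desktop logon cannot satisfy a Password request (issue 1).
        findings.append("Comparison Type is 'exact': users are prompted for a password "
                        "instead of using the domain logon; set it to 'minimum'.")
    if any(c.endswith(":unspecified") for c in rac["classes"]):
        findings.append("Default Authentication Context is 'unspecified'; the IdP may "
                        "have no authentication mechanism mapped to it (issue 2).")
    status = parse_status(response_xml)
    if status["top"] != "Success":
        hint = NESTED_STATUS_HINTS.get(status["nested"], "check the AD FS Admin event log")
        findings.append("IdP returned %s/%s: %s." % (status["top"], status["nested"], hint))
    return findings


if __name__ == "__main__":
    for line in diagnose(make_authn_request("exact"), NO_AUTHN_CONTEXT_RESPONSE):
        print("-", line)
```

To use it against a live integration, paste the decoded AuthnRequest (from the SAMLRequest parameter) and the Response body shown on the Details tab into the two arguments of diagnose(); a Success status with no findings means the authentication context settings are not the cause and the AD FS Admin log is the next place to look.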

SP signature issues

  1. The AD FS server does not have the correct signature for authenticating the SP.

    Resolution: Reimport the SP metadata to get the correct certificate for the Relying party trusts. 

    [Illustration: Signature issue.jpg]

  2. The AD FS server is not configured with the signing certificate for the SP.

    Resolution: Reimport the SP metadata to get the correct certificate for the Relying party trusts.

    [Illustration: signature issue2.jpg]

Hostname issue

The hostname value specified on the AD FS server does not match the value specified in the BMC Atrium SSO Tenant Console.

[Illustration: hostname issue.jpg]

Resolution: Either change the name specified in the BMC Atrium SSO Tenant Console to match the value on the AD FS server, or update the value on the AD FS server.

To update the value in the AD FS server, log on to the AD FS console, edit the Federation Service Properties, and update the Federation Service Identifier as shown in the following illustration.

[Illustration: last issue.jpg]
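Both the SP signature issues and the hostname issue are mismatches between what one side's SAML metadata declares and what the other side has configured: the signing certificate in the SP metadata versus the certificate held by the relying party trust, and the AD FS Federation Service Identifier (the IdP entityID) versus the value in the Tenant Console. The following check, added here as an example and not code from BMC or Microsoft, parses a SAML metadata document, extracts its entityID and the SHA-256 fingerprints of its signing certificates, and compares them with the configured values. It works on SP and IdP metadata alike because both use the same EntityDescriptor and KeyDescriptor elements. The metadata and certificate bytes are constructed for the example; real metadata carries a base64-encoded DER X.509 certificate in the X509Certificate element.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"
DS_NS = "http://www.w3.org/2000/09/xmldsig#"

# Constructed stand-in for DER certificate bytes (not a real X.509 certificate).
FAKE_CERT_DER = b"constructed-certificate-bytes-not-a-real-x509"


def fingerprint(der_bytes):
    """SHA-256 thumbprint of DER certificate bytes as lowercase hex."""
    return hashlib.sha256(der_bytes).hexdigest()


FAKE_CERT_FINGERPRINT = fingerprint(FAKE_CERT_DER)

# Constructed SP metadata skeleton; the SSO host name is a placeholder.
METADATA_TEMPLATE = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="{entity_id}">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    {key_descriptor}
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="{entity_id}/Consumer" index="0"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""

SIGNING_KEY_DESCRIPTOR = (
    '<md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>'
    '<ds:X509Certificate>{cert}</ds:X509Certificate>'
    '</ds:X509Data></ds:KeyInfo></md:KeyDescriptor>')


def build_metadata(entity_id, cert_der=None):
    """Constructed metadata; omit cert_der to get metadata with no signing certificate."""
    kd = "" if cert_der is None else SIGNING_KEY_DESCRIPTOR.format(
        cert=base64.b64encode(cert_der).decode("ascii"))
    return METADATA_TEMPLATE.format(entity_id=entity_id, key_descriptor=kd)


def parse_metadata(xml_text):
    """Return the entityID and the fingerprints of every certificate usable for signing."""
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}EntityDescriptor" % MD_NS:
        raise ValueError("not a SAML EntityDescriptor")
    fps = []
    for kd in root.iter("{%s}KeyDescriptor" % MD_NS):
        # A KeyDescriptor without a 'use' attribute serves both signing and encryption.
        if kd.get("use") not in (None, "signing"):
            continue
        for cert in kd.iter("{%s}X509Certificate" % DS_NS):
            der = base64.b64decode("".join((cert.text or "").split()))
            fps.append(fingerprint(der))
    return {"entity_id": root.get("entityID"), "signing_fingerprints": fps}


def check_trust(metadata_xml, configured_entity_id, configured_signing_fingerprint):
    """Compare metadata against the values configured on the other side of the trust."""
    md = parse_metadata(metadata_xml)
    problems = []
    if md["entity_id"] != configured_entity_id:
        problems.append("entityID mismatch: metadata declares %r but %r is configured; "
                        "align the Federation Service Identifier and the Tenant Console value"
                        % (md["entity_id"], configured_entity_id))
    if not md["signing_fingerprints"]:
        problems.append("metadata carries no signing certificate; re-import the SP metadata")
    elif configured_signing_fingerprint not in md["signing_fingerprints"]:
        problems.append("configured signing certificate does not match the metadata "
                        "(expected one of %s); re-import the SP metadata"
                        % ", ".join(md["signing_fingerprints"]))
    return problems


if __name__ == "__main__":
    sp_id = "https://sso.example.test/atriumsso"
    print(check_trust(build_metadata(sp_id, FAKE_CERT_DER), sp_id, FAKE_CERT_FINGERPRINT))
    print(check_trust(build_metadata(sp_id), sp_id, FAKE_CERT_FINGERPRINT))
```

For a live check, pass the SP metadata exported from Atrium SSO together with the entityID and certificate thumbprint that the AD FS relying party trust shows, or the AD FS federation metadata together with the IdP values entered in the Tenant Console; an empty list means the identifiers and signing certificate agree. The fingerprint is computed from the DER bytes inside the metadata, so it can be compared directly with the SHA-256 thumbprint shown by a certificate viewer.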
