This documentation supports the 9.0 version of BMC Atrium Single Sign-On, which is in "End of Version Support."

IdP metadata issues


You may encounter the following issues when importing IdP metadata in BMC Atrium Single Sign-On.

Certificate issue

When using BMC Atrium Single Sign-On server as an Identity Provider (IdP), the server needs to be able to provide the metadata to Service Providers (SP) that are part of the Circle of Trust. The configuration of the IdP can be verified by using this URL with a browser:

https://sample.bmc.com:8443/atriumsso/saml2/jsp/exportmetadata.jsp

If the BMC Atrium Single Sign-On server is correctly configured, the server returns an XML document that is the metadata for the IdP. If the server hosting the SP cannot build the Circle of Trust from that metadata, an error like the following appears in its log:

libCOT:03/03/2011 02:55:51:194 PM CST: Thread[http-18443-6,5,main]
ERROR: COTManager.createCircleOfTrust:
com.sun.identity.plugin.configuration.ConfigurationException: Unable to create configuration of component "LIBCOT" for realm "/BmcRealm".

This error usually indicates that the certificates from the IdP have not been stored into the truststore of the BMC Atrium Single Sign-On server that is hosting the SP.
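A practical check for this condition is to compare the certificates published in the IdP metadata against the certificates present in the SP-side truststore. The script below is an added example, not part of this documentation or of the BMC product: it parses the KeyDescriptor elements of an exported metadata document, computes SHA-256 fingerprints of the embedded certificates, and reports any that are absent from a PEM bundle. The PEM bundle is assumed to be an export of the truststore (for example, one `keytool -exportcert -rfc` run per alias, concatenated); the metadata document, the entityID and the certificate bytes in the sample are constructed for the demonstration and are not real X.509 data.

```python
import base64
import hashlib
import re
import urllib.request
import xml.etree.ElementTree as ET

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"
DS_NS = "http://www.w3.org/2000/09/xmldsig#"
PEM_CERT = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)


def fingerprint(der: bytes) -> str:
    """SHA-256 fingerprint of a DER-encoded certificate, colon-separated as keytool prints it."""
    digest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def pem(der: bytes) -> str:
    """Wrap DER bytes in a PEM CERTIFICATE block."""
    return f"-----BEGIN CERTIFICATE-----\n{base64.b64encode(der).decode()}\n-----END CERTIFICATE-----\n"


def fetch_metadata(url: str, timeout: float = 10.0) -> str:
    """Download the IdP metadata (e.g. the exportmetadata.jsp URL); TLS verification stays on."""
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return resp.read().decode("utf-8")


def metadata_certs(metadata_xml: str) -> list[tuple[str, bytes]]:
    """Return (use, DER) for every certificate in a KeyDescriptor.
    A KeyDescriptor without a 'use' attribute covers both signing and encryption."""
    root = ET.fromstring(metadata_xml)
    certs = []
    for kd in root.iter(f"{{{MD_NS}}}KeyDescriptor"):
        use = kd.get("use", "signing+encryption")
        for cert in kd.iter(f"{{{DS_NS}}}X509Certificate"):
            certs.append((use, base64.b64decode("".join((cert.text or "").split()))))
    return certs


def truststore_fingerprints(pem_bundle: str) -> set[str]:
    """Fingerprints of every certificate in a PEM bundle exported from the truststore."""
    return {fingerprint(base64.b64decode("".join(m.split()))) for m in PEM_CERT.findall(pem_bundle)}


def missing_from_truststore(metadata_xml: str, pem_bundle: str) -> list[tuple[str, str]]:
    """(use, fingerprint) of each IdP certificate that the SP-side truststore does not contain."""
    trusted = truststore_fingerprints(pem_bundle)
    return [(use, fingerprint(der)) for use, der in metadata_certs(metadata_xml)
            if fingerprint(der) not in trusted]


# Constructed sample data: the "certificates" are arbitrary bytes rather than real X.509
# structures, which is sufficient for a fingerprint comparison.
SIGNING_DER = b"constructed signing certificate bytes"
ENCRYPTION_DER = b"constructed encryption certificate bytes"
SAMPLE_METADATA = f"""<md:EntityDescriptor xmlns:md="{MD_NS}" xmlns:ds="{DS_NS}"
    entityID="https://idp.example.test/atriumsso">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data>
        <ds:X509Certificate>{base64.b64encode(SIGNING_DER).decode()}</ds:X509Certificate>
      </ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:KeyDescriptor use="encryption">
      <ds:KeyInfo><ds:X509Data>
        <ds:X509Certificate>{base64.b64encode(ENCRYPTION_DER).decode()}</ds:X509Certificate>
      </ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""
# Constructed truststore export that holds only the encryption certificate.
SAMPLE_TRUSTSTORE_PEM = pem(ENCRYPTION_DER)

if __name__ == "__main__":
    for use, fp in missing_from_truststore(SAMPLE_METADATA, SAMPLE_TRUSTSTORE_PEM):
        print(f"IdP {use} certificate {fp} is not in the truststore")
```

Run against a live deployment by replacing `SAMPLE_METADATA` with `fetch_metadata(...)` on the exportmetadata.jsp URL and the PEM bundle with the real truststore export; an empty result means every IdP certificate is already trusted, and each listed entry is a certificate to import before retrying the Circle of Trust creation.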

XML Metadata size issue

When using SAMLv2 authentication in BMC Atrium Single Sign-On, you may encounter this issue when trying to import the metadata file in the BMC Atrium SSO Admin Console.

The default maximum size for the imported metadata XML file is 32 KB. If you try to import a file larger than 32 KB, an error occurs.

Resolution

You can increase the maximum size by adding the init-param max.request.size to the CertServlet definition in the web.xml file and setting its value to a number of bytes large enough for your metadata file.

IdP Encryption issue

When using SAMLv2 authentication with remote Identity Provider (IdP) in BMC Atrium Single Sign-On, you may encounter the following issue:

BMCSSG1771E: Invalid response received from IdP (Failed to decrypt data.)

When you check the details of the failed login on the More Information tab, the following XML message is displayed:

AES526: xenc:EncryptionMethod Algorithm. (For more information on encryption algorithms, see http://www.w3.org/2001/04/xmlenc#aes256-cbc)

The following error is logged in the BMC Atrium SSO server debug log file:

ERROR: FMEncProvider.decrypt: Failed to decrypt data.com.sun.org.apache.xml.internal.security.encryption.XMLEncryptionException:Illegal key size

Resolution

The encryption algorithm selected by the Identity Provider (IdP), AES-256 in this case, uses a key length that the default JRE policy rejects ("Illegal key size"), so the unlimited strength policy files must be installed on the BMC Atrium SSO server. For more information on installing these files, see Install the unlimited strength policy files.


Invalid response issue

When you use SAMLv2 authentication with remote IdP in BMC Atrium Single Sign-On, you might get the following error message:

BMCSSG1771E: Invalid response received from IdP (Invalid Status code in Response).

When you click the Details tab for more information, the following status message appears:

<samlp:Status>
<samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Responder">
<samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:NoAuthnContext"/>
</samlp:StatusCode>
</samlp:Status>

You might encounter this issue if the Service Provider (SP) specifies the Default Authentication Context as Unspecified and the IdP does not have an authentication mechanism to use for this context.

Resolution: Change the Default Authentication Context to a selection for which the IdP has an authentication mechanism. BMC recommends that you select Password as the Default Authentication Context.
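Both the "Failed to decrypt data" case above and this "Invalid Status code in Response" case can be diagnosed from the SAML response itself before looking at server logs. The script below is an added example, not part of this documentation or of the BMC product: it reads the top-level and nested samlp:StatusCode values (the Responder / NoAuthnContext pair shown above), lists every xenc:EncryptionMethod algorithm in the response, and maps the block cipher to its key length so that an algorithm such as aes256-cbc is flagged when the SP's JRE only allows 128-bit keys. The two sample responses, their IDs and the cipher values are constructed for the demonstration.

```python
import xml.etree.ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
XENC = "http://www.w3.org/2001/04/xmlenc#"
STATUS_SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
STATUS_RESPONDER = "urn:oasis:names:tc:SAML:2.0:status:Responder"
STATUS_NO_AUTHN_CONTEXT = "urn:oasis:names:tc:SAML:2.0:status:NoAuthnContext"

# Symmetric key length in bits of the XML Encryption block ciphers. Key-transport
# algorithms such as rsa-oaep-mgf1p are not listed and are therefore ignored.
KEY_BITS = {
    XENC + "tripledes-cbc": 192,
    XENC + "aes128-cbc": 128,
    XENC + "aes192-cbc": 192,
    XENC + "aes256-cbc": 256,
}


def status_codes(response_xml: str) -> list[str]:
    """Top-level StatusCode value followed by any nested second-level codes."""
    root = ET.fromstring(response_xml)
    codes = []
    code = root.find(f"{{{SAMLP}}}Status/{{{SAMLP}}}StatusCode")
    while code is not None:
        codes.append(code.get("Value", ""))
        code = code.find(f"{{{SAMLP}}}StatusCode")
    return codes


def encryption_algorithms(response_xml: str) -> list[str]:
    """Every xenc:EncryptionMethod Algorithm in the response, in document order."""
    root = ET.fromstring(response_xml)
    return [em.get("Algorithm", "") for em in root.iter(f"{{{XENC}}}EncryptionMethod")]


def triage(response_xml: str, max_key_bits: int = 128) -> list[str]:
    """Explain why the SP would reject this response. max_key_bits is the largest
    symmetric key the SP's JRE accepts (128 without the unlimited strength policy files)."""
    findings = []
    codes = status_codes(response_xml)
    if codes and codes[0] != STATUS_SUCCESS:
        findings.append("IdP returned status " + " / ".join(codes))
        if STATUS_NO_AUTHN_CONTEXT in codes:
            findings.append("IdP has no authentication mechanism for the requested context: "
                            "set the SP Default Authentication Context to one the IdP supports (e.g. Password)")
    for alg in encryption_algorithms(response_xml):
        bits = KEY_BITS.get(alg)
        if bits is not None and bits > max_key_bits:
            findings.append(f"{alg} needs a {bits}-bit key but the JRE allows {max_key_bits}: "
                            "install the unlimited strength policy files")
    return findings


# Constructed sample responses.
NO_AUTHN_CONTEXT_RESPONSE = f"""<samlp:Response xmlns:samlp="{SAMLP}" ID="_r1" Version="2.0">
  <samlp:Status>
    <samlp:StatusCode Value="{STATUS_RESPONDER}">
      <samlp:StatusCode Value="{STATUS_NO_AUTHN_CONTEXT}"/>
    </samlp:StatusCode>
  </samlp:Status>
</samlp:Response>"""

ENCRYPTED_RESPONSE = f"""<samlp:Response xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}" xmlns:xenc="{XENC}"
    ID="_r2" Version="2.0">
  <samlp:Status><samlp:StatusCode Value="{STATUS_SUCCESS}"/></samlp:Status>
  <saml:EncryptedAssertion>
    <xenc:EncryptedData Type="{XENC}Element">
      <xenc:EncryptionMethod Algorithm="{XENC}aes256-cbc"/>
      <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <xenc:EncryptedKey>
          <xenc:EncryptionMethod Algorithm="{XENC}rsa-oaep-mgf1p"/>
          <xenc:CipherData><xenc:CipherValue>Y29uc3RydWN0ZWQ=</xenc:CipherValue></xenc:CipherData>
        </xenc:EncryptedKey>
      </ds:KeyInfo>
      <xenc:CipherData><xenc:CipherValue>Y29uc3RydWN0ZWQ=</xenc:CipherValue></xenc:CipherData>
    </xenc:EncryptedData>
  </saml:EncryptedAssertion>
</samlp:Response>"""

if __name__ == "__main__":
    for name, xml in (("status", NO_AUTHN_CONTEXT_RESPONSE), ("encrypted", ENCRYPTED_RESPONSE)):
        print(name, triage(xml))
```

The response XML is available from the Details tab of the failed login; pasting it into this triage routine separates the two failure modes on this page without decrypting anything, because both the status codes and the EncryptionMethod elements are in the clear.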
