This documentation supports the 9.0 version of BMC Atrium Single Sign-On, which is in "End of Version Support." However, the documentation is available for your convenience.

Troubleshooting logon and logoff issues


Logon and logoff issues can occur, or appear to occur, as a result of URL re-directs and of normal Identity Provider (IdP) behavior.

User logs in, but the browser goes into an infinite loop

The user is able to log in, but the browser then enters an infinite redirect loop.

Workaround

There is no workaround as such: this is expected, known behavior, and it usually results from a mismatch between the hostname in the login URL and the configured cookie domain. Use the following steps to find the cause.

Turn on all logging and then run a capture tool such as Fiddler (for Mozilla Firefox) or ieHttpHeaders (for Internet Explorer). These tools record the traffic and every redirect in the session.

Perform the following:

  1. Use a login URL in which the BMC Atrium Single Sign-On server is specified as a fully qualified domain name (FQDN), for example https://sso-server-name.domain-name.com, and not just https://sso-server-name.
  2. In the Admin Console, open Server Configuration and check that the cookie domain matches the domain of that FQDN (domain-name.com for the example above). If the cookie domain does not match the host the browser is talking to, the browser never returns the SSO cookie, so every request is redirected back to the login page.

Atrium Single Sign-On login page is not displayed

  1. Check the BMC Remedy Mid Tier configuration.
  2. In the ARSystem\midtier\WEB-INF folder, open web.xml.
  3. Ensure that the BMC Atrium Single Sign-On filters, and their filter mappings, are uncommented.
  4. If the preceding steps do not locate the source of the issue, look for errors in the Apache Tomcat logs of the Mid Tier.
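As an added check (example code written for this page, not part of BMC Remedy Mid Tier or its documentation), the following Python script reports whether SSO-related filters in a web.xml are active, defined but not mapped, or present only inside an XML comment. It parses the file once with an XML parser, which discards comments, and once with a regular expression, which does not; a filter name found only by the second pass is commented out. The sample web.xml and the filter name AtriumSSOFilter are constructed for the example; in practice, match against the filter names that appear in your own web.xml.

```python
import re
import sys
import xml.etree.ElementTree as ET

# Constructed sample, not the real Mid Tier web.xml: one live filter and one
# SSO filter (plus its mapping) that someone has commented out.
SAMPLE_WEB_XML = """<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="2.5">
  <filter>
    <filter-name>OtherFilter</filter-name>
    <filter-class>com.example.OtherFilter</filter-class>
  </filter>
  <filter-mapping>
    <filter-name>OtherFilter</filter-name>
    <url-pattern>/*</url-pattern>
  </filter-mapping>
  <!--
  <filter>
    <filter-name>AtriumSSOFilter</filter-name>
    <filter-class>com.example.sso.AtriumSSOFilter</filter-class>
  </filter>
  <filter-mapping>
    <filter-name>AtriumSSOFilter</filter-name>
    <url-pattern>/*</url-pattern>
  </filter-mapping>
  -->
</web-app>
"""

# Text-level scan: sees filter names inside comments as well.
FILTER_NAME_RE = re.compile(r"<filter-name>\s*([^<]+?)\s*</filter-name>")


def _local(tag):
    """Strip the namespace prefix that web.xml elements normally carry."""
    return tag.rsplit("}", 1)[-1]


def _names(root, element):
    """filter-name values under every <element> the XML parser kept
    (the parser drops comments, so commented-out filters are absent)."""
    found = set()
    for el in root.iter():
        if _local(el.tag) != element:
            continue
        for child in el:
            if _local(child.tag) == "filter-name" and child.text:
                found.add(child.text.strip())
    return found


def filter_status(web_xml_text, keyword="sso"):
    """Map each filter whose name contains keyword to one of
    'active', 'defined but not mapped', or 'commented out'."""
    root = ET.fromstring(web_xml_text)
    defined = _names(root, "filter")
    mapped = _names(root, "filter-mapping")
    mentioned = set(FILTER_NAME_RE.findall(web_xml_text))
    report = {}
    for name in sorted(mentioned):
        if keyword.lower() not in name.lower():
            continue
        if name in defined and name in mapped:
            report[name] = "active"
        elif name in defined:
            report[name] = "defined but not mapped"
        else:
            report[name] = "commented out"
    return report


if __name__ == "__main__":
    # Usage: python check_filters.py ARSystem/midtier/WEB-INF/web.xml
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8") as fh:
            text = fh.read()
    else:
        text = SAMPLE_WEB_XML
    for name, state in filter_status(text).items():
        print(f"{name}: {state}")
```

A filter that is defined but has no filter-mapping is reported separately because the container loads it but never runs it, which produces the same symptom as a commented-out filter.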

Login page timed out

The login page has a default timeout of 120 seconds. If you do not submit your credentials within that time after the login page is displayed, a 'Login page timed out' error message is displayed.

Workaround

You can set the timeout per realm in the following configuration file:

AtriumSSO/tomcat/webapps/atriumsso/config/auth/opensso/services/<REALM_NAME>/html/DataStore.xml

In that file, change the value of the 'timeout' attribute (in seconds) on the following line:

<Callbacks length="2" order="1" timeout="120" header="Sign in to Atrium SSO" >

Log in issue using Microsoft Internet Explorer

When you access the BMC Atrium Single Sign-On Admin Console (https://<atsso-hostname>:<port>/atriumsso) for the first time using Microsoft Internet Explorer version 8 or later, the page cannot be displayed.

This is a known issue in Microsoft Internet Explorer and is outside the scope of the BMC Atrium Single Sign-On product, so it cannot be resolved in the product. The workaround is to refresh the page to reach the BMC Atrium Single Sign-On Admin Console.

Note

Ensure that the hostname in the URL (atsso-hostname) resolves correctly in DNS; for example, add the hostname to the hosts file.

Logout page is not displayed when a user logs out

When a user logs out, Atrium Single Sign-On does not display the logout page if that page is hosted outside the Atrium SSO domain, because the SecureFilter sends an X-Frame-Options header that prevents Atrium SSO content from being framed by pages in another domain.

Workaround

Open the web.xml file in the \AtriumSSO\tomcat\webapps\atriumsso\WEB-INF folder and change the X-Frame-Options parameter of the SecureFilter as follows:

<filter-name>SecureFilter</filter-name>
  <init-param>
    <param-name>X-Frame-Options</param-name>
    <param-value>ALLOW-FROM [domain]</param-value>
  </init-param>

Where,
domain: the origin of the logout page, given as scheme and host (for example, https://portal.example.com). ALLOW-FROM accepts exactly one origin in that form, not a bare domain name and not a list. Keep the value restricted to the one origin that hosts the logout page; X-Frame-Options is the control that protects the Atrium SSO pages against clickjacking. Note that ALLOW-FROM is honored only by Internet Explorer and by Firefox releases before version 70; Chrome, Safari and current Firefox ignore it and apply the Content-Security-Policy frame-ancestors directive instead.
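To make the ALLOW-FROM rule concrete, here is an added Python example (written for this page; it is not BMC code and not how the SecureFilter is implemented). It validates that the configured value is a single origin, renders the init-param block with a validated value, emits the equivalent frame-ancestors header for browsers that ignore ALLOW-FROM, and evaluates whether a given framing page would be allowed. The hosts portal.example.com (logout page) and sso.example.com (Atrium SSO server) are hypothetical.

```python
from urllib.parse import urlsplit


def origin_of(url):
    """Serialized origin (scheme://host[:port]) of any absolute http(s) URL."""
    p = urlsplit(url)
    if p.scheme not in ("http", "https") or not p.hostname:
        raise ValueError(f"not an absolute http(s) URL: {url!r}")
    default_port = 443 if p.scheme == "https" else 80
    port = "" if p.port in (None, default_port) else f":{p.port}"
    return f"{p.scheme}://{p.hostname}{port}"


def allow_from_origin(value):
    """Strict form required by ALLOW-FROM: an origin and nothing else.
    A bare domain such as 'portal.example.com' has no scheme and is rejected,
    as is a URL that carries a path, query or fragment."""
    p = urlsplit(value)
    if p.path not in ("", "/") or p.query or p.fragment:
        raise ValueError(f"ALLOW-FROM takes a single origin such as https://host, got {value!r}")
    return origin_of(value)


def frame_headers(logout_page):
    """Headers that let only the logout page's origin frame Atrium SSO content:
    X-Frame-Options for Internet Explorer and old Firefox, CSP frame-ancestors
    for every current browser."""
    origin = allow_from_origin(logout_page)
    return {
        "X-Frame-Options": f"ALLOW-FROM {origin}",
        "Content-Security-Policy": f"frame-ancestors 'self' {origin}",
    }


def secure_filter_init_param(logout_page):
    """The <init-param> block for SecureFilter in web.xml, with the value validated first."""
    origin = allow_from_origin(logout_page)
    return ("<init-param>\n"
            "  <param-name>X-Frame-Options</param-name>\n"
            f"  <param-value>ALLOW-FROM {origin}</param-value>\n"
            "</init-param>")


def framing_allowed(xfo_value, framing_page, framed_page):
    """Whether a browser that honours X-Frame-Options lets framing_page embed framed_page."""
    framer, framed = origin_of(framing_page), origin_of(framed_page)
    directive, _, arg = xfo_value.strip().partition(" ")
    directive = directive.upper()
    if directive == "DENY":
        return False
    if directive == "SAMEORIGIN":
        return framer == framed
    if directive == "ALLOW-FROM":
        try:
            return framer == allow_from_origin(arg.strip())
        except ValueError:
            return False  # a malformed origin matches nothing: fail closed
    raise ValueError(f"unknown X-Frame-Options value: {xfo_value!r}")


if __name__ == "__main__":
    print(secure_filter_init_param("https://portal.example.com"))
    print(framing_allowed("ALLOW-FROM https://portal.example.com",
                          "https://portal.example.com/logout.html",
                          "https://sso.example.com/atriumsso/"))  # True
    print(framing_allowed("ALLOW-FROM portal.example.com",
                          "https://portal.example.com/logout.html",
                          "https://sso.example.com/atriumsso/"))  # False
```

The last call shows the common misconfiguration: a bare domain in the param-value matches no framing page, so the logout page stays blocked exactly as before the edit.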

Chained authentication modules failure for Internet Explorer

When Kerberos is chained together with LDAP or BMC Remedy AR System for authentication and you use Microsoft Internet Explorer (IE) to log on with your credentials, the authentication fails.

  1. On the client computer, start Registry Editor (Regedt32.exe).
  2. Find the following registry key:
    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings
  3. Add the following registry value to the key:
    Value Name: DisableNTLMPreAuth
    Data Type: REG_DWORD
    Value: 1

The value lives under HKEY_CURRENT_USER, so it applies to the current user only. Setting it stops Internet Explorer from sending NTLM credentials pre-emptively, so the browser answers the server's Negotiate challenge and the Kerberos module in the chain can authenticate the user.

Automatic IdP logon behavior

With SAMLv2 authentication configurations, an automatic logon can occur after you have terminated your single sign-on session. This gives the impression that the user was not logged out.

In SAMLv2 configurations, the IdP keeps its own session with the browser (typically in an IdP session cookie). That session allows the IdP to reauthenticate a user automatically without the user re-entering credentials, and logging out of Atrium Single Sign-On ends the Atrium SSO session, not the IdP session.

The effect is that after a user logs off a SAMLv2 system, a browser refresh can automatically log the user back on.

For example, a user has two browser windows (or tabs) open, one with BMC Remedy Mid Tier and the other with BMC MyIT. If the user logs off from both BMC Remedy Mid Tier and BMC MyIT, the single sign-on session is terminated. If the user then closes the BMC Remedy Mid Tier window, switches to the BMC MyIT window, and refreshes it, the browser behaves as though the user were still logged on. What happened is that a new single sign-on session was created automatically for the user by the IdP's auto-logon.

Workaround

For this type of system, to ensure that the user is logged off for good, close all browser windows and tabs. The IdP session is normally held in a browser session cookie, which is discarded when the browser is closed.

URL re-direct issues

Logon and logoff issues can occur (typically with a SAMLv2 configuration) when too many URL re-directs take place between the browser and the servers during logon and logoff processing.

  1. Capture the HTTP traffic between the browser and the servers with a capture tool such as Fiddler, ieHttpHeaders, or Live HTTP Headers.
  2. From the capture, identify the configuration change needed on the reverse proxy, load balancer, or BMC Atrium Single Sign-On.
  3. Modify the configuration:
    • If the re-direct is from https://sample.bmc.com/arsys to https://sample.bmc.com/arsys/ (with a trailing slash after arsys), change the agent logon and logoff URL configuration to include the trailing slash.
    • If the re-direct is associated with a reverse proxy or load balancer that switches protocol from HTTPS to HTTP (for example, the browser talks HTTPS to the reverse proxy, which talks HTTP to the server), configure the reverse proxy or load balancer to add the HTTP header AtssoReturnLocation with the value https://.

      Without that header, the agent on the server sees plain HTTP and builds the return address with the HTTP protocol, so the browser is sent to an HTTP URL and redirected yet again.
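The redirect patterns in this list, and the cookie-domain mismatch behind the infinite loop described earlier on this page, can be picked out of a capture mechanically. The following Python script is an added example written for this page (it is not a BMC tool and does not read Fiddler files directly): you transcribe the request URL, status code and Location header of each hop from the capture into a list, and it reports loops, a missing trailing slash, and HTTPS-to-HTTP switches. It also implements RFC 6265 cookie domain matching so you can test a login URL's hostname against the configured cookie domain. The captures are constructed; sample.bmc.com follows the example in this article and is not a real server.

```python
from collections import Counter
from ipaddress import ip_address
from urllib.parse import urljoin, urlsplit

# Constructed captures in the shape you would read off Fiddler or ieHttpHeaders:
# (request URL, status code, Location header or None).
CAPTURE_TRAILING_SLASH = [
    ("https://sample.bmc.com/arsys", 302, "https://sample.bmc.com/arsys/"),
    ("https://sample.bmc.com/arsys/", 200, None),
]
CAPTURE_PROTOCOL_SWITCH = [
    ("https://sample.bmc.com/arsys/", 302, "http://sample.bmc.com/arsys/"),
    ("http://sample.bmc.com/arsys/", 301, "https://sample.bmc.com/arsys/"),
    ("https://sample.bmc.com/arsys/", 302, "http://sample.bmc.com/arsys/"),
    ("http://sample.bmc.com/arsys/", 301, "https://sample.bmc.com/arsys/"),
    ("https://sample.bmc.com/arsys/", 302, "http://sample.bmc.com/arsys/"),
]


def cookie_domain_matches(request_host, cookie_domain):
    """RFC 6265 domain matching. The browser returns the SSO cookie only when
    the request host equals the cookie domain or is a subdomain of it, which
    is why a short hostname in the login URL combined with a cookie domain of
    domain-name.com ends in a login loop."""
    host = request_host.lower().rstrip(".")
    domain = cookie_domain.lower().strip(".")
    if host == domain:
        return True
    try:
        ip_address(host)
        return False  # an IP literal never matches a domain suffix
    except ValueError:
        pass
    return host.endswith("." + domain)


def diagnose(hops, loop_threshold=3):
    """Return findings for the redirect patterns this article describes:
    a loop (the same URL requested repeatedly within one logon), a missing
    trailing slash, and an HTTPS-to-HTTP switch behind a proxy or load balancer."""
    findings = []
    counts = Counter(url for url, _, _ in hops)
    for url, n in counts.items():
        if n >= loop_threshold:
            findings.append(f"redirect loop: {url} requested {n} times")
    for url, status, location in hops:
        if not (300 <= status < 400) or not location:
            continue
        target = urljoin(url, location)  # Location may be relative
        if target == url + "/":
            findings.append(f"trailing slash: {url} -> {target}; "
                            "add the slash to the agent logon and logoff URLs")
        if urlsplit(url).scheme == "https" and urlsplit(target).scheme == "http":
            findings.append(f"protocol switch: {url} -> {target}; "
                            "have the proxy or load balancer send AtssoReturnLocation: https://")
    return findings


if __name__ == "__main__":
    print(cookie_domain_matches("sso-server-name", "domain-name.com"))                  # False
    print(cookie_domain_matches("sso-server-name.domain-name.com", "domain-name.com"))  # True
    for capture in (CAPTURE_TRAILING_SLASH, CAPTURE_PROTOCOL_SWITCH):
        for finding in diagnose(capture):
            print(finding)
```

The loop threshold is three by default because a URL legitimately appears twice in a normal logon (before and after authentication); the same URL on a third visit within one capture is the signature of a loop.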

IdP-initiated login issue

When IdP-initiated login is used, the relay state (the application to which the user should be returned) cannot be determined from the remote IdP.

BMC has limited control over products from other vendors, so consult the vendor's documentation. For example, when a user starts IdP-initiated login through IdPInitiatedSignon.aspx on the AD FS side, BMC Atrium Single Sign-On cannot specify the application to which the user is redirected after providing valid credentials.