Troubleshooting IdP metadata issues
Issue | Description | Workaround |
---|---|---|
Issue with the certificate | When you use the BMC Helix SSO server as an IdP, the server must be able to provide metadata to the service providers (SPs) in its circle of trust. The following error usually indicates that the IdP's certificates are not stored in the truststore of the BMC Helix SSO server hosting the SP: `libCOT:03/03/2011 02:55:51:194 PM CST: Thread[http-18443-6,5,main] ERROR: COTManager.createCircleOfTrust: com.sun.identity.plugin.configuration.ConfigurationException: Unable to create configuration of component "LIBCOT" for realm "/BmcRealm".` | To check the IdP configuration, go to `http(s)://{FQDN}/rsso/getmetadata.jsp?tenantName={realmId}`, where `realmId` is the name of the realm whose metadata you want to view. If the BMC Helix SSO server is correctly configured, it returns an XML document containing the IdP metadata. |
XML metadata size is too large | When you use SAML 2.0 authentication in BMC Helix SSO, importing the metadata file through the BMC Helix SSO Admin Console can fail. The default maximum size of the imported metadata XML file is 32 KB; importing a file larger than 32 KB produces an error. | Increase the maximum size by adding the init parameter `max.request.size` to the `CertServlet` definition in the `web.xml` file, with a value large enough for your metadata file. |
Issue with IdP encryption | When you use SAML 2.0 authentication with a remote IdP in BMC Helix SSO, you may encounter the following issue: `BMCSSG1771E: Invalid response received from IdP (Failed to decrypt data.)` When you check the details of the failed login on the More Information tab, the following XML message appears: `AES526: xenc:EncryptionMethod Algorithm` (for more information on encryption algorithms, see http://www.w3.org/2001/04/xmlenc#aes256-cbc). The following error is logged in the BMC Helix SSO server debug log file: `ERROR: FMEncProvider.decrypt: Failed to decrypt data. com.sun.org.apache.xml.internal.security.encryption.XMLEncryptionException: Illegal key size` | The encryption algorithm selected by the IdP (AES-256) requires the Java unlimited strength policy files to be installed on the BMC Helix SSO server. Perform the following steps to install these files. |
An invalid response error message | When you use SAML 2.0 authentication with a remote IdP in BMC Helix SSO, you might get the following error message: `BMCSSG1771E: Invalid response received from IdP (Invalid Status code in Response)`. When you click the Details tab for more information, the following status message appears: `<samlp:Status> <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Responder"> <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:NoAuthnContext"/> </samlp:StatusCode> </samlp:Status>` You might encounter this issue if the SP specifies the Default Authentication Context as Unspecified and the IdP has no authentication mechanism to use for this context. | Change the Default Authentication Context to a selection for which the IdP has an authentication mechanism. |
Issue with Tomcat | When Tomcat is started with the following JVM option, the X-XSRF-TOKEN header is missing from requests: `-Dorg.apache.catalina.STRICT_SERVLET_COMPLIANCE=true` | Do not use this option when starting Tomcat. |
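For the certificate and metadata checks above, the following Python script is an added example (not BMC's code): it parses the document that `getmetadata.jsp` should return, confirms it is IdP metadata, and reports which of the published certificate fingerprints are absent from the set you expect the SP's truststore to hold. The sample metadata, entity ID and certificate bytes are constructed placeholders, not real values.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# Constructed sample of a getmetadata.jsp response. The certificate body is
# placeholder bytes (base64 of "CONSTRUCTED-SIGNING-CERT"), not a real X.509 cert;
# fingerprinting works the same way on real DER bytes.
SAMPLE_METADATA = """<?xml version="1.0" encoding="UTF-8"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    entityID="https://sso.example.test/rsso">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data>
        <ds:X509Certificate>
          Q09OU1RSVUNURUQtU0lHTklORy1DRVJU
        </ds:X509Certificate>
      </ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>
"""


def idp_certificate_fingerprints(metadata_xml: str) -> dict:
    """Return {key use: [SHA-256 fingerprint, ...]} for every certificate the IdP publishes."""
    root = ET.fromstring(metadata_xml)
    if root.tag != "{%s}EntityDescriptor" % NS["md"]:
        raise ValueError("not SAML metadata: root element is %r" % root.tag)
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("no IDPSSODescriptor: this server is not configured as an IdP")
    result = {}
    for kd in idp.findall("md:KeyDescriptor", NS):
        use = kd.get("use", "both")  # a KeyDescriptor without 'use' serves signing and encryption
        for cert in kd.findall(".//ds:X509Certificate", NS):
            der = base64.b64decode("".join(cert.text.split()))  # strip wrapping whitespace
            result.setdefault(use, []).append(hashlib.sha256(der).hexdigest())
    return result


def missing_from_truststore(metadata_xml: str, trusted_fingerprints: set) -> list:
    """IdP certificates the SP-side truststore lacks; the usual cause of the LIBCOT error."""
    published = idp_certificate_fingerprints(metadata_xml)
    return sorted(fp for fps in published.values() for fp in fps if fp not in trusted_fingerprints)
```

Feed it the body returned by the metadata URL and the SHA-256 fingerprints exported from the SP's truststore (for example with `keytool -list`); any fingerprint it reports must be imported before the circle of trust can be created.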