Troubleshooting configuration for BMC Helix Single Sign-On integration

Narrowing down BMC Helix SSO issues

• Always make sure that the BMC Helix SSO server is able to communicate with the BMC Helix SSO agent's hosts servers.
• 
  
  • Check your DNS/Network/Certificates/Firewalls settings and confirm that communication is bidirectional.
  • NOTE: curl, ping, telnet wget are good commands to check this.
    • Log in to the BMC Helix Digital Workplace server and run: curl -vk https://rsso.domain.com  
      
      Example of a working connection -if SSL is in place, output will be longer, but the output should display something like  * Connected to rssoserver  (xxxxxxx) port 443 (#0)
      This is being executed from BMC Helix Digital Workplace Catalog to BMC Helix SSO. Check from BMC Helix SSO to BMC Helix Digital Workplace Catalog. 
      * About to connect() to http://rssoserver.domain:port/rsso port 8080 (#0)
      *   Trying xxxxx...
      * Connected to rssoserver  (xxxxxxx) port 8080 (#0) 
      > GET /rsso HTTP/1.1
      > User-Agent: curl/7.29.0
      > Host:/rssoserver.domain:port
      > Accept: */*
      >
      < HTTP/1.1 302
      < Location: /rsso/
      < Transfer-Encoding: chunked
      < Date: Mon, 09 Mar 2020 16:25:48 GMT
      <
      * Connection #0 to host rssoserver.domain left intact

• A good practice is testing BMC Helix SSO on a non-ssl protocol first, and then on SSL.
  
  • You should be able to resolve and reach the BMC Helix SSO URL from the BMC Helix Digital Workplace server and vice versa, this includes the load balancer URL, Server alias, and FQDN.
• Remember that localhost URL is not supported, and you need to use Fully Qualified URLs at all times when BMC Helix SSO is in place.
• It is a good practice to have BMC Helix SSO and the other applications running on the latest and greatest available version.
• Running GA versions could lead to some issues.

• If you have enabled Managed Service Provider (MSP) in place, make sure that rsso-agents are configured.
  For more information, see Domain entry page for MSP users.

• Same case for Oauth Authentication and HA deployments.
  For more information, see Setting up end user authentication.

Use this troubleshooting and resolution guide whenever you're having any of the following issues:

• The spinning wheel is displayed when users try to log in to BMC Helix Digital Workplace via BMC Helix SSO.
• Two login pages are displayed when users try to log in to BMC Helix Digital Workplace Catalog via BMC Helix SSO: BMC Helix SSO login page and BMC Helix Digital Workplace Catalog login page.
• End users see "User 'x' has no access to * realm" error message.
• End users see "An invalid domain [.xxxx.com] was specified for this cookie" error message after enabling BMC Helix SSO in BMC Helix Digital Workplace, Mid Tier, or BMC Helix ITSM: Smart IT.
• End users are not able to see BMC Helix Digital Workplace Catalog offerings in BMC Helix Digital Workplace.

Issue scope

• What's the actual problem? (Elaborate on the issue, explain the behavior and mention the error messages you're getting, what are you expecting to see, etc)
• How many users are being affected by this and where (Prod, Test, QA, Go-live)?
• What's the impact of the issue?
• How can this be reproduced? (Frequency)
• Was this ever working? If yes, what changed/happened when things stopped working?

Diagnosing and reporting an issue

Instructions: After you identify the symptoms and scope of the issue, use this troubleshooting guide to help the customer diagnose and resolve the issue or to create a BMC Support case.