Troubleshoot SAML Authentication
Errors in the CMS UI error log
[https-jsse-nio-8449-exec-1] SamlLoginUtils - Failed to get SAML configuration
If you are running CMS UI in standalone mode, check that the saml_configuration.properties file (in the <CMS UI home>/conf directory) is configured correctly.
If you are running CMS UI in embedded mode, check that the UCMDB server started successfully.
IDP Endpoint could not be null
If you are running CMS UI in standalone mode, check that the mam.server.sso.saml.auth.idp property in the saml_configuration.properties file (in the <CMS UI home>/conf directory) is configured correctly.
If you are running CMS UI in embedded mode, check that the setIDPEndpointForSAMLAuthentication method in JMX console is configured correctly.
Username claim type could not be null
If you are running CMS UI in standalone mode, check that the mam.server.sso.saml.auth.username.claimtype property in the saml_configuration.properties file (in the <CMS UI home>/conf directory) is configured correctly.
If you are running CMS UI in embedded mode, check that the setSAMLClaimTypeContainingUserName method in JMX console is configured correctly.
Request issuer could not be null
If you are running CMS UI in standalone mode, check that the mam.server.sso.saml.auth.request.issuer property in the saml_configuration.properties file (in the <CMS UI home>/conf directory) is configured correctly.
If you are running CMS UI in embedded mode, check that the setAuthRequestIssuer method in JMX console is configured correctly.
Response issuer could not be null
If you are running CMS UI in standalone mode, check that the mam.server.sso.saml.response.issuer property in the saml_configuration.properties file (in the <CMS UI home>/conf directory) is configured correctly.
If you are running CMS UI in embedded mode, check that the setSamlResponseIssuer method in JMX console is configured correctly.
UI Error Messages
"Could not extract IdP authenticated user from SAML Response. The assertion cannot be used before …" or "Could not extract IdP authenticated user from SAML Response. The assertion cannot be used after..."
This issue occurs when the system time on the AD FS server and on the UCMDB Server or CMS UI server is incorrectly skewed. The AD FS server system clock must be set to a time later than that of the UCMDB Server or CMS UI server. If this is not the case, you must set a time skew to offset the time difference. The time skew is measured in seconds.
You can set the time skew by using the setSamlTimeSkew method in JMX console and the mam.server.sso.saml.time.skew property in the saml_configuration.properties file (in the <CMS UI home>/conf directory).
By default, the time skew is 0.
For example, if the value of the setSamlTimeSkew method is 60, the AD FS server system clock can be up to 60 seconds earlier than the system clock on the UCMDB Server or CMS UI server.
Login Issues
I configured AD FS but the browser is redirected back to the AD FS login page when I try to log in
This issue occurs when you fail to log in to AD FS.
To resolve this issue, follow these steps:
- Check whether the AD FS public key was imported to the <CMS UI>/conf/server.truststore file. The alias of this public key must be the same as that in the setIdpCertificateAlias method in JMX console and in the mam.server.sso.saml.auth.certificate.alias property in the saml_configuration.properties file (in the <CMS UI home>/conf directory).
- Check the value in the Relying party identifiers field under the Identifiers tab of the Relying Trust Party in AD FS. This value must be the same as that in the setAuthRequestIssuer method in JMX console and in the mam.server.sso.saml.auth.request.issuer property in the saml_configuration.properties file (in the <CMS UI home>/conf directory).
Tip: The values may not match due to an additional slash ("/") at the end of the identifier.
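The property checks from the log-error section and the identifier comparison from the steps above can be run offline against the standalone configuration file. The following Python is an added example, not Micro Focus code: the property names and log messages come from this page, while the helper names, the sample file content, the example.test hosts and the rule that the time skew is a non-negative integer are assumptions.

```python
# Added example: offline lint of saml_configuration.properties (standalone mode).
# Property names and log messages come from this page; sample values are constructed.
REQUIRED = {
    "mam.server.sso.saml.auth.idp": "IDP Endpoint could not be null",
    "mam.server.sso.saml.auth.username.claimtype": "Username claim type could not be null",
    "mam.server.sso.saml.auth.request.issuer": "Request issuer could not be null",
    "mam.server.sso.saml.response.issuer": "Response issuer could not be null",
}
ISSUER = "mam.server.sso.saml.auth.request.issuer"
SKEW = "mam.server.sso.saml.time.skew"


def parse_properties(text):
    """Split each line on the first '=' or ':'; escapes and continuations are not handled."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "#!":  # blank line or comment
            continue
        idx = min((i for i in (line.find("="), line.find(":")) if i >= 0), default=-1)
        if idx >= 0:
            props[line[:idx].strip()] = line[idx + 1:].strip()
    return props


def lint(text, relying_party_id):
    """Return findings: expected log errors plus skew and issuer mismatches."""
    props = parse_properties(text)
    findings = [msg for key, msg in REQUIRED.items() if not props.get(key)]
    skew = props.get(SKEW, "0")  # the page gives 0 seconds as the default
    if not skew.isdigit():  # assumption: value is a non-negative integer
        findings.append(f"{SKEW} is not a whole number of seconds: {skew!r}")
    issuer = props.get(ISSUER, "")
    if issuer and issuer != relying_party_id:
        slash_only = issuer.rstrip("/") == relying_party_id.rstrip("/")
        findings.append("Request issuer differs from the relying party identifier"
                        + (" only by a trailing slash" if slash_only else ""))
    return findings


SAMPLE = """\
mam.server.sso.saml.auth.idp=https://adfs.example.test/adfs/ls
mam.server.sso.saml.auth.username.claimtype=
mam.server.sso.saml.auth.request.issuer=https://cmsui.example.test:8449/
mam.server.sso.saml.response.issuer=http://adfs.example.test/adfs/services/trust
mam.server.sso.saml.time.skew=60
"""

print(lint(SAMPLE, "https://cmsui.example.test:8449"))
```

Pass the value copied from the Relying party identifiers field as the second argument; an empty result means the file passes these checks.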
I configured AD FS but I receive a "no permission" error when I try to log in
This issue occurs when you do not have permission to log in to the UCMDB Server.
To resolve this issue, go to UCMDB Server and create a group for your user profile. The group ID should be set in the setSamlUserDefaultGroup method in JMX console and in the mam.server.sso.saml.auth.default.group property in the saml_configuration.properties file (in the <CMS UI home>/conf directory). The two values must be the same.
You can also create a group with the same name as the group in AD FS. For example, you belong to a group named "Domain users" in AD FS, and the domain name is "samltest.com". In this situation, you would create a group named "samltest\Domain users". When you next log in, you will be added to the group.
Tip: Do not forget to set a profile for the group.
I have logged in using the AD FS login page, but a blank page is displayed in UCMDB Server or CMS UI, and an external user named "NULL" is created in UCMDB Server
First, check the server.truststore file (in the <CMS UI home>/conf directory) to make sure that the IDP token_signing certificate was successfully imported.
Then, check the Claim Issuance Rules to make sure that all three rules (CommonName, Group, NameID) are configured correctly.
Logout Issues
I can log in with SAML authentication, but when I click the Logout button I am logged in again
This issue occurs when you fail to log out from AD FS.
To resolve this issue, follow these steps:
- Check your UCMDB private key in the server.keystore file (in the <CMS UI>/conf/ directory). The private key alias must be the same as that in the setSamlLogoutCertAlias method in JMX console and in the mam.server.sso.saml.logout.certificate.alias property in the saml_configuration.properties file (in the <CMS UI home>/conf directory).
- Open the Signature tab of the Relying Trust Party in AD FS to check whether your UCMDB public key was imported.
- Open the Edit Claim Issuance Policy window of the Relying Trust Party in AD FS to check that three rules are added.