IDAM
Most frequently encountered messages / known issues document

Amendment History
Version | Date        | Comment         | By
0.1     | 20-Dec-2012 | Initial version | Madhusudan Kappaganthula

SharePoint location: https://wss2.bp.com/DCT/functions/teams/DIESSL/IDAM/Operational%20Processes/Forms/AllItems.aspx?RootFolder=%2fDCT%2ffunctions%2fteams%2fDIESSL%2fIDAM%2fOperational%20Processes%2fBP%20IDAM%20Project%2fKnowledge%20Articles&View=%7b4AEC76D3%2d9D79%2d49E1%2dB04E%2dBC55A52CBC16%7d
Table of Contents
1 ABOUT
2 REFERENCES
3 DETAILS THAT HELP IN FASTER RESOLUTION OF SUPPORT TICKETS
4 MESSAGES
4.1 HPDIA0200W AUTHENTICATION FAILED - INVALID USER NAME, PASSWORD OR CERTIFICATE
4.1.1 Root cause
4.1.2 Resolution
4.2 BPIDAM RESOURCE NOT FOUND
4.2.1 Root cause
4.2.2 Resolution
4.3 CERTIFICATE AUTHENTICATION FAILURE
4.3.1 Root cause
4.3.2 Resolution
4.4 HPDIA0205W - THE USER'S ACCOUNT HAS EXPIRED
4.4.1 Root cause
4.4.2 Resolution
4.5 PAGE CANNOT BE DISPLAYED OR NETWORK TIMEOUT ERRORS
4.5.1 Root cause
4.5.2 Resolution
4.6 HPDIA0119W AUTHENTICATION MECHANISM IS NOT AVAILABLE
4.6.1 Root cause
4.6.2 Resolution
4.7 LOGIN SCREEN FROM PARTNER ORGANIZATION
4.7.1 Root cause
4.7.2 Resolution
4.8 AUTHORIZATION ERROR
4.8.1 Root cause
4.8.2 Resolution
4.9 SAML ERROR - GENERICPOCAUTHENTICATIONDELEGATEPROTOCOL
4.9.1 Root cause
4.9.2 Resolution
4.10 DOWNTIME OF TARGET APPLICATION
4.10.1 Root cause
4.10.2 Resolution
4.11 BROWSER CONFIGURATION TO ACCEPT COOKIES
4.11.1 Root cause
1 About
This document contains the most frequently encountered IDAM messages/errors while trying to authenticate via IDAM. Steps to respond are also documented.
2 References
BP password self service URL (only for BP1 NT accounts) https://selfhelp.bpglobal.com
3 Details that help in faster resolution of support tickets
The following details, when provided in the Remedy ticket, will help in faster resolution:
1. NT ID of the user
2. Name of the application that the user tried to log in to (e.g., Fieldglass)
3. URL that the user tried to invoke
4. Error screen with the URL visible in the address bar of the web browser
4 Messages
4.1 HPDIA0200W Authentication failed - invalid user name, password or certificate
Applicability
Custom (bespoke) IDAM integration
4.1.1 Root cause
This screen can appear due to any of the following reasons -
1. Trying to authenticate using incorrect login ID and password combination (i.e., manual typographic errors while entering user ID and/or password)
2. Trying to authenticate via IDAM immediately after a password reset in BP1 Active Directory
3. Trying to authenticate using a non-BP issued digital certificate or an expired certificate
4. User re-joined work recently (after a prolonged leave) and the corresponding NT ID isn’t activated properly due to manual or technical failures
5. User’s password contains non-UTF-8 characters
6. User employment category gets modified in BP1 Active Directory – e.g., from contractor to BP employee. Also called Distinguished Name (DN) change issue
7. User moved from one location to another – e.g., from Houston to Chicago and this info is updated against the user profile in BP1 Active Directory. Also called Distinguished Name (DN) change issue
8. User’s NT ID does not exist in the IDAM repository – i.e., (1) user’s profile may have been created without using the BP standard provisioning tool (Tivoli Identity Manager) OR (2) user’s profile creation in IDAM repository using TIM failed due to unexpected technical reasons OR (3) User tried to access an IDAM integrated application within 1 hour of obtaining new NT credentials
4.1.2 Resolution
The following matrix lists the course of action for each root cause.

Sl | Root cause | Action
1 | Incorrect ID and password combination | Ensure that the entered ID and password combination is correct and free from typographical errors
2 | Authenticating via IDAM immediately after a password reset in BP1 Active Directory (AD) | A password reset occurs on the ‘write’ domain controllers of AD, whereas IDAM communicates with the ‘read’ domain controllers. Because of the time needed to replicate data between the ‘write’ and ‘read’ domain controllers, it is recommended to retry authentication 1 to 4 hours after changing the password of your BP1 account
3 | Using a non-BP issued digital certificate or an expired certificate | Use only certificates issued by BP, where your NT ID is listed as the common name. Obtain a new certificate if your current one has expired; you can check the expiry date by opening the certificate and checking the ‘Valid To’ timestamp
4 | User rejoining – account reactivation issues | Verify with BP Service Desk whether they have activated your ‘TAM account’. If they can see an ‘active’ status for your TAM account and you still cannot access, raise a Remedy request against “BP IDAM Access Manager” (steps described in the IDAM Remedy ticketing guide)
5 | Password containing non-UTF-8 characters | All IDAM login pages have been modified to support UTF-8 characters. If for some reason your password is still not accepted, change it via the BP password self service URL
6 | Employment category modified | A weekly process updates the IDAM repository so that such changes are reflected. Raise a Remedy request against “BP IDAM Access Manager” (steps described in the IDAM Remedy ticketing guide)
7 | Location transfer | A weekly process updates the IDAM repository so that such changes are reflected. Raise a Remedy request against “BP IDAM Access Manager” (steps described in the IDAM Remedy ticketing guide)
8 | NT ID does not exist in the IDAM repository | End users will not be able to identify whether this is the case. If none of the above options resolves the issue, raise a Remedy request against “BP IDAM Access Manager” (steps described in the IDAM Remedy ticketing guide)
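The rows of the matrix that a helpdesk agent can verify from data the user supplies (certificate fields for row 3, the time of the last password reset for row 2, and password characters that cannot be UTF-8 encoded for row 5) can be scripted. The following Python helper is an added example written for this article; it is not BP or IDAM code. The issuer marker, the 4-hour replication wait, the sample NT ID and the certificate values are constructed assumptions for illustration.

```python
"""Triage helper for HPDIA0200W (added example, not BP's own tooling)."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

# Both constants are assumptions for illustration, not BP's actual values.
BP_ISSUER_MARKER = "BP"                 # hypothetical substring expected in a BP-issued certificate's issuer
REPLICATION_WAIT = timedelta(hours=4)   # upper end of the 1 to 4 hour AD replication wait quoted in the matrix


@dataclass
class CertificateInfo:
    """Fields a helpdesk agent can read from the certificate viewer."""
    subject_cn: str      # common name; should equal the user's NT ID
    issuer: str          # issuer distinguished name
    not_after: datetime  # the 'Valid To' timestamp (timezone-aware)


def certificate_findings(cert: CertificateInfo, nt_id: str, now: datetime) -> list:
    """Matrix row 3: expired, not issued by BP, or CN not matching the NT ID."""
    findings = []
    if cert.not_after <= now:
        findings.append("certificate expired (Valid To %s)" % cert.not_after.isoformat())
    if BP_ISSUER_MARKER not in cert.issuer:
        findings.append("certificate issuer does not look like a BP CA: %s" % cert.issuer)
    if cert.subject_cn.lower() != nt_id.lower():
        findings.append("certificate CN %r does not match NT ID %r" % (cert.subject_cn, nt_id))
    return findings


def password_reset_findings(reset_at: Optional[datetime], now: datetime) -> list:
    """Matrix row 2: a reset on the 'write' DCs may not have reached the 'read' DCs yet."""
    if reset_at is None:
        return []
    age = now - reset_at
    if timedelta(0) <= age < REPLICATION_WAIT:
        minutes_ago = int(age.total_seconds() // 60)
        minutes_left = int((REPLICATION_WAIT - age).total_seconds() // 60)
        return ["password reset %d minutes ago; AD replication may be pending, retry within %d minutes"
                % (minutes_ago, minutes_left)]
    return []


def password_encoding_findings(password: str) -> list:
    """Matrix row 5: characters that cannot be UTF-8 encoded (e.g. a lone UTF-16 surrogate)."""
    try:
        password.encode("utf-8")
    except UnicodeEncodeError as exc:
        return ["password contains a character at position %d that cannot be UTF-8 encoded" % exc.start]
    return []


def triage(nt_id: str, cert: Optional[CertificateInfo], reset_at: Optional[datetime],
           password: str, now: datetime) -> dict:
    """Return {matrix row number: findings} for rows with evidence; {} means rows 2, 3 and 5 do not apply."""
    checks = {
        2: password_reset_findings(reset_at, now),
        3: certificate_findings(cert, nt_id, now) if cert is not None else [],
        5: password_encoding_findings(password),
    }
    return {row: found for row, found in checks.items() if found}


if __name__ == "__main__":
    # Constructed sample: an expired certificate and a password reset 30 minutes ago.
    now = datetime(2012, 12, 20, 9, 0, tzinfo=timezone.utc)
    cert = CertificateInfo("jdoe1", "CN=BP Issuing CA", datetime(2012, 6, 1, tzinfo=timezone.utc))
    for row, found in sorted(triage("JDOE1", cert, now - timedelta(minutes=30), "ordinary", now).items()):
        print("row %d:" % row, "; ".join(found))
```

Rows 1, 4, 6, 7 and 8 are deliberately not scored: they need the Service Desk or the IDAM repository, which the end user and the agent cannot query from the ticket data alone.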
4.2 BPIDAM resource not found
Applicability
Custom (bespoke) IDAM integration
Federated Single Sign On (e.g., using SAML)
4.2.1 Root cause
“Discussion bar” enabled in the user’s web browser. This is illustrated in the following screen.
4.2.2 Resolution
Disable discussion bar by clicking the ‘x’ symbol before it.
Close the existing browser window, reopen a new browser window and invoke the application
4.3 Certificate authentication failure
Applicability
Custom (bespoke) IDAM integration
Federated Single Sign On (e.g., using SAML)
4.3.1 Root cause
4.3.2 Resolution
Use a valid digital certificate OR Login using your NT ID and password
4.4 HPDIA0205W - The user's account has expired
Applicability
Custom (bespoke) IDAM integration
Federated Single Sign On (e.g., using SAML)
Users could sometimes see an account expired message.
4.4.1 Root cause
Tivoli Identity Manager deactivates accounts in Tivoli Access Manager for certain business reasons, e.g., the user not completing the TIM challenge/response process (ID revalidation) on time.
4.4.2 Resolution
1. Contact BP Service Desk to get your account re-activated
4.5 Page cannot be displayed or network timeout errors
Applicability
Custom (bespoke) IDAM integration
Federated Single Sign On (e.g., using SAML)
The following screens are examples of “page cannot be displayed” or “network timeout” errors.
4.5.1 Root cause
This error will be seen when there is a network connectivity issue.
4.5.2 Resolution
1. Verify whether you are able to connect to the network – e.g., Google or MSN
2. Verify whether you are using a network proxy that restricts access to certain sites
3. If you are able to connect to other websites but not IDAM, verify whether there are any issues with your iLink/iRAS connection
4. If your network, proxy and iLink connections are working as expected but you still cannot view the IDAM login page, check whether the issue is widespread (e.g., other personnel from your project or location cannot access it either). If the issue is widespread, raise a priority 1 issue against IDAM by contacting BP SMC
4.6 HPDIA0119W Authentication mechanism is not available
Applicability
Custom (bespoke) IDAM integration
4.6.1 Root cause
This error will be seen when the IDAM Virtual Directory Server is unable to respond to user authentication requests (e.g., service unavailable).
4.6.2 Resolution
Raise a priority 1 incident against IDAM, by contacting BP SMC
4.7 Login screen from partner organization
Applicability
Custom (bespoke) IDAM integration
Federated Single Sign On (e.g., using SAML)
Most of the applications integrated with IDAM for single sign on (SSO) are hosted external to BP and managed by partner organizations.
Users should not see any login screen from the partner organizations when using IDAM SSO.
4.7.1 Root cause
Incorrect bookmark – Users should not use the bookmarking facility provided by web browsers. Every IDAM SSO request is uniquely identified at the backend. If you bookmark using the web browser’s default functionality, certain session parameters get saved, and these will be rejected by the IDAM system at a later point in time for security reasons.
Broken integration – If the partner organization fails to validate the digital signature delivered by BP as part of the SSO request, users will see a login screen from the partner organization.
4.7.2 Resolution
Get your profile created in the target application repository by contacting your application helpdesk or application manager or designated point of contact from the partner organization
IDAM will not have privileges to create user profiles in target application repositories
4.8 Authorization error
Applicability
Custom (bespoke) IDAM integration
Federated Single Sign On (e.g., using SAML)
A user profile must exist both in BP IDAM and in the target application repository for a successful user authorization. The following screens are examples indicating that the user profile is not available in the target application repository.
4.8.1 Root cause
When user profile doesn’t exist in target application repository, users will see an “unauthorized message” from the target application
4.8.2 Resolution
Get your profile created in the target application repository by contacting your application helpdesk or application manager or designated point of contact from the partner organization
IDAM will not have privileges to create user profiles in target application repositories
4.9 SAML error - GenericPocAuthenticationDelegateProtocol
Applicability
Custom (bespoke) IDAM integration
4.9.1 Root cause
Browser cache corruption
4.9.2 Resolution
1. Close all web browser tabs/windows in which other IDAM integrated apps are open (e.g., MTM, ASD, TalentOnline, Unity, etc.)
2. Clear the browser cache and temporary internet files
3. Invoke the application SSO URL afresh
4. Log in at the IDAM login screen within a reasonable interval (<2 mins) of opening the login window
5. Raise a ticket against IDAM if the above steps were followed but the issue persists
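Two of the behaviours above, the rejection of a bookmarked SSO URL described in 4.7.1 (each request is uniquely identified and its saved parameters are refused later) and the advice in 4.9.2 to log in within a short interval of opening the login window, follow from the same server-side bookkeeping: a request identifier is honoured at most once and only while it is fresh. The following Python model is an added example written for this article, not IDAM or Tivoli code; the in-memory store, the 2-minute window and the `SsoRequestTracker` class name are assumptions for illustration.

```python
"""Consumer-side tracking of one-time SSO request ids (added example, not IDAM's code)."""
import secrets
from datetime import datetime, timedelta, timezone

LOGIN_WINDOW = timedelta(minutes=2)   # assumed window; the value is an illustration, not a measured IDAM setting


class SsoRequestTracker:
    """Remembers issued request ids, accepts each once, and refuses stale or replayed ones."""

    def __init__(self, window: timedelta = LOGIN_WINDOW):
        self.window = window
        self._pending = {}      # request id -> issue instant
        self._consumed = set()  # ids that have been accepted or expired, never valid again

    def issue(self, now: datetime) -> str:
        """Create a fresh, unguessable request id when an SSO flow starts."""
        request_id = "_" + secrets.token_hex(16)   # XML ids must not start with a digit
        self._pending[request_id] = now
        return request_id

    def validate(self, request_id: str, now: datetime):
        """Return (accepted, reason) for the request id carried by the user's browser."""
        if request_id in self._consumed:
            return False, "request id already consumed (bookmarked or replayed URL)"
        issued = self._pending.pop(request_id, None)
        if issued is None:
            return False, "unknown request id"
        self._consumed.add(request_id)          # one use only, whatever the outcome below
        if now - issued > self.window:
            return False, "request older than login window"
        return True, "ok"

    def purge(self, now: datetime) -> int:
        """Retire pending ids past the window so the pending store does not grow without bound."""
        stale = [rid for rid, issued in self._pending.items() if now - issued > self.window]
        for rid in stale:
            del self._pending[rid]
            self._consumed.add(rid)
        return len(stale)


def demo() -> list:
    """Walk the bookmark scenario with constructed timestamps; returns the accepted flags in order."""
    t0 = datetime(2012, 12, 20, 9, 0, tzinfo=timezone.utc)
    tracker = SsoRequestTracker()
    rid = tracker.issue(t0)
    first = tracker.validate(rid, t0 + timedelta(seconds=30))     # normal login: accepted
    replay = tracker.validate(rid, t0 + timedelta(hours=1))       # same URL from a bookmark: refused
    rid2 = tracker.issue(t0)
    slow = tracker.validate(rid2, t0 + timedelta(minutes=5))      # login window left open too long: refused
    return [first[0], replay[0], slow[0]]


if __name__ == "__main__":
    print(demo())
```

The user-facing symptom in both cases is the same: the browser arrives at the partner or login page with a request the backend no longer recognises, so the only remedy is to start the SSO flow again from the application's own URL, as 4.9.2 instructs.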
4.10 Downtime of target application
Applicability
Custom (bespoke) IDAM integration
Federated Single Sign On (e.g., using SAML)
IDAM SSO could succeed, but if the target application is experiencing availability issues at partner organization (either scheduled or unscheduled), users will not be able to view the required functionality.
4.10.1 Root cause
Target application is experiencing planned/unplanned service unavailability at partner organization.
4.10.2 Resolution
Contact your application representative
IDAM will not be able to advise on remedial measures in such a case
4.11 Browser configuration to accept cookies
Applicability
Custom (bespoke) IDAM integration
Federated Single Sign On (e.g., using SAML)
IDAM uses cookies for user authentication. These cookies don’t remember where you’ve been on the internet, or gather information that can be used to send you marketing materials.
4.11.1 Root cause
Cookies disabled on user’s web browser.
4.11.2 Resolution
Enable cookies in your web browser