000035216 - Single sign-on with RSA SecurID Access is failing intermittently

Document created by RSA Customer Support Employee on Jun 6, 2017
Last modified by RSA Customer Support on Apr 24, 2019
Version 3

Article Content

Article Number
000035216

Applies To
RSA Product Set: RSA SecurID Access
RSA Product/Service Type: Identity Router

Issue
End users are occasionally unable to log in with single sign-on (SSO) to applications.
The following error is displayed when this occurs:
Application appears to be improperly configured. Contact your Administrator for assistance.

Retrying the login attempt eventually works.

Cause
During a login session, all messages related to the session must be forwarded by the load balancer to the same identity router (IDR). IDRs do not share end user session information with other IDRs. See Load Balancer Requirements for information about session persistence.

Intermittent SSO failures typically occur when the load balancer is not maintaining session persistence. This could be due to a load balancer configuration problem or some other reason.

Resolution
To resolve this issue:
  1. Check your load balancer configuration to ensure it is set for session persistence, as described in Load Balancer Requirements. If you have a NetScaler load balancer, see Netscaler Load Balancing Configuration for RSA Via Access IDR Cluster.
  2. Check that your IDRs and the load balancer all have their time synchronized to an NTP server. Depending on the method used by your load balancer for session persistence, a time-of-day discrepancy between it and the IDRs could prevent it from recognizing existing sessions. See How to check if NTP is working on your RSA SecurID Access Identity Router.
  3. A session duration that is too short can also force users to re-authenticate frequently. See Configure Session and Authentication Method Settings to set Session Duration for User Sessions.
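
One way to confirm from load balancer logs whether session persistence is holding, as checked in step 1. This is an added example, not RSA code: the log layout, the `session=` and `backend=` fields, and the IDR names are assumptions, and the sample lines are constructed.

```python
import re
from collections import defaultdict

# Constructed sample in an assumed load balancer access-log layout:
# timestamp, client address, persistence key, backend IDR that served the request.
SAMPLE_LOG = """\
2019-04-24T10:00:01Z client=198.51.100.7 session=a1f3 backend=idr-1
2019-04-24T10:00:02Z client=198.51.100.9 session=c77d backend=idr-2
2019-04-24T10:00:03Z client=198.51.100.7 session=a1f3 backend=idr-1
2019-04-24T10:00:04Z client=198.51.100.9 session=c77d backend=idr-1
2019-04-24T10:00:05Z client=198.51.100.9 session=c77d backend=idr-2
this line is malformed and is counted, not parsed
2019-04-24T10:00:06Z client=198.51.100.4 session=e902 backend=idr-2
"""

# Hypothetical field names; adapt the pattern to your load balancer's log format.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) client=(?P<client>\S+) "
    r"session=(?P<session>\S+) backend=(?P<backend>\S+)$"
)

def find_split_sessions(log_text):
    """Return ({session: [(ts, from_idr, to_idr), ...]}, unparsed_line_count)."""
    last_backend = {}              # session key -> IDR that served its last request
    switches = defaultdict(list)   # session key -> every change of IDR observed
    skipped = 0
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if not m:
            skipped += 1           # report unparsed lines instead of hiding them
            continue
        sess, backend = m["session"], m["backend"]
        prev = last_backend.get(sess)
        if prev is not None and prev != backend:
            switches[sess].append((m["ts"], prev, backend))
        last_backend[sess] = backend
    return dict(switches), skipped

if __name__ == "__main__":
    split, skipped = find_split_sessions(SAMPLE_LOG)
    for sess, moves in split.items():
        for ts, src, dst in moves:
            print(f"session {sess}: {src} -> {dst} at {ts}")
    print(f"{len(split)} split session(s), {skipped} unparsed line(s)")
```

Any session reported here had requests served by more than one IDR. Since IDRs do not share session information, that is the condition the Cause section describes.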