Single sign-on with RSA SecurID Access is failing intermittently

4 years ago

Originally Published: 2017-06-01

Article Number

000049994

Applies To

RSA Product Set: RSA SecurID Access
RSA Product/Service Type: Identity Router

Issue

End users are occasionally unable to login with single sign-on (SSO) to applications.
The error following error is displayed when this occurs:

Application appears to be improperly configured. Contact your Administrator for assistance.

Retrying the login attempt eventually works.

Cause

During a login session, all messages related to the session must be forwarded by the load balancer to the same identity router (IDR). IDRs do not share end user session information with other IDRs. See Load Balancer Requirements for information about session persistence.

Intermittent SSO failures are typically caused when session persistence is not being done by the load balancer. This could be due to a load balancer configuration problem or some other reason.

Resolution

To resolve this issue,

Check your load balancer configuration to ensure it is set for session persistence, as described in Load Balancer Requirements. If you have a NetScaler load balancer, see Netscaler Load Balancing Configuration for RSA Via Access IDR Cluster.
Check that your IDRs and the load balancer as well, all have their time synchronized to an NTP server. Depending on the method used by your load balancer for session persistence, a time of day discrepancy between it and the IDRs could hinder it from recognizing existing sessions. See How to check if NTP is working on your RSA SecurID Access Identity Router.
If session duration is too short, it can also force users to re-authenticate frequently. Check how to Configure Session and Authentication Method Settings to set Session Duration for User Sessions.

Don't see what you're looking for?

Potential Impact from Salesforce Device Activation Change

Related Articles

Trending Articles