To improve security, we require a daily login. Some people have reported needing to log in multiple times in a day, and IT is looking into this issue.
What is being secured? It is debatable that product documentation should be locked down. There are examples of many software companies that do not require jumping through hoops to get to their product documentation. Why is BMC so different?
I would be fine with once a day; my issue is with the need to log in every 5 minutes.
This has forced me to use an easy password which achieves the opposite results of reducing the security of my credentials.
Other colleagues of mine have reported the same need to log in multiple times a day.
Right now, the okra login is only for docs, but it is configured for eventual single login with other areas that need to be more secure.
Wow, every 5 minutes is frequent! Are you allowing cookies to be stored?
Okta, not okra. Yes, I'm on my phone.
Today I had to log in about 4-5 times overall (using Chrome), definitely not 5 minutes, but it happens (I just tried and I'm still logged in).
Well... As long as it's not Oprah
That's just not going to work. Totally unacceptable. Our apologies to all who are impacted by this issue.
I filed ticket #REQ000001320663 on behalf of Renato on this. Also, I sent a direct email message to the team that can help with Okta issues, pointing them to this thread and asking for some direct assistance.
I can speculate that there is a browser setting that is contributing to the problem, because most customers (and certainly most heavy users internally) have not reported this issue. But it is time for direct help from the SSO team.
I have 6 cookies from bmc.okta.com, of which 3 expire at the end of the session.
Third party cookies are not blocked.
Hmmm I am not sure spreading the frustration to other areas is a great idea. One thing that probably should be taken into consideration... Since a great number of people using these resources are technical in nature and/or are up to eyeballs in technology is that many of us use these resources from multiple computers. It is very common for me to access docs.bmc.com, support.bmc.com, communities.com from at least 4 different machines throughout my day. Once every 24 hours is 4 times every 24 hours for somebody like me.
Wondering... is accessing from different machines what is killing the session? Is there something in the SSO that kills an active session if another computer is used? Maybe that is why some are having an issue while others are not. That also might explain why it is so much more frequent than 24 hours for some of us.?.?.?
Renato Bonomini, do you access docs.bmc.com from multiple machines?
Looks like I was on to something regarding multiple computers.
Below is the snooty sounding response that came back from the dark inner bowels of BMC. My guess is BMC IT. Nobody seems to like them, including other BMCers. Every time I hear/see examples where BMC IT has upset another BMCer it blows my mind that this company is actively selling very expensive products based on the pitch that IT needs to align with the business when it appears that they can't seem to do it themselves.
"no secured system in the work arena will allow 1 day of session validity" and at this time no changes will be made. (Login expiration is correctly configured. No secured system in the work will allow 1 day of session validity.)
"Multiple login is a known issue as we have different apps using different SSO solution. We are already working on that. You cannot have SSO/session active across multiple computers. This is basics of secured system..."
Tell you what. These sites are not being compared to "secured systems in the work area." I don't (and I know I am not alone) view these sites as having the same level of sensitivity as my bank or organization's HR, financial and patient care systems. Yes I want our contract and environment details stored in some of these sites reasonably protected. This UX is being compared to Facebook, Google+, Yahoo, communities.bmc.com and other sites we all use daily. All of these sites that don't make you feel like you are Edward Snowden accessing top secret information.
So again my question is why is BMC's documentation so damn secure? Sure, the competition shouldn't have it. Guess what, THEY DO! You can't tell me that a username and password is keeping SNOW and others from getting to your documentation.
I understand this SSO solution is being set up to work with multiple areas and some of those areas might need more security than docs.bmc.com. I also understand that customers like myself have been asking for SSO across multiple BMC sub-sites so it must sound like we want it both ways and will never be happy. I am being honest here because I want docs.bmc.com and all other BMC sites to be successful. As it is now this issue, or apparently configuration, is ruining the UX. I think the current approach is destined for failure.
I am very close to just dumping the documentation my team needs to PDF and forgetting about docs.bmc.com.
Linking to my existing thoughts on the topic: https://communities.bmc.com/groups/bmc-product-documentation/blog/2014/02/20/want-to-access-bmc-s-online-technical-documentation-portal-docsbmccom#comment-36156
<ranty pants=partially off>
I admit I am being critical here. Don't get me wrong I am a huge fan of BMC and the tools they make. I critique because I care. I also know that I am not alone in thinking that some parts of BMC need to get their head out 'of a place I won't say to avoid being banned from the Communities' if they want to survive. Every company will have some unhappy customers, people shaking their heads and asking what were they thinking but from what I am seeing on the outside this seems to be an especially large percentage in the case of BMC. Maybe it is purely my perception and is impacted by the people I talk to.?.?.?
I do understand that I have to log in quite often when I log in to American Express or my online bank websites.
I do fail to understand why it would be the case for the BMC doc wiki. For example when I login to the BMC support website to browse KB, it's most of the time once a day, definitely not as often as the doc wiki, and I browse the KB quite a lot too.
Though I fail to see how you enforce a system security when you piss off users so much that they end up saving their login / password in a web browser because they're "tired" entering it every hour or something...
The thing is that I'm using doc wiki only from one computer, in one web browser and I still have to log in every now and then during the day when I answer to the BMC Community. Did BMC IT give you the timeout? 1 hour? 2 hours?
At least having the timeout would "help". Is it a "soft" or "hard" timeout? Meaning will it timeout even if you go on the doc wiki or will it be reset if you browse pages?
We do let a timeout of more than 1 day on our internal forums and bugtracker. Why? Because people complained when it was set to less than a day, because they didn't remember their password and ended up not going anymore to our forums and not filing bug reports (or were using emails).
For the forum, we accepted that the session wouldn't be killed if the IP was different (parameter on our forum), because we're using an internal VPN and it was just "welcome to every 5 minutes disconnection party".
For the bug tracker, as it's way more sensitive, we did enforce it because people don't create that many entries and because it's used by customers. Though they don't complain about it since they're not logged out during the day.
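The "soft" versus "hard" timeout and the IP-binding setting discussed in the post above, as an added example that is not part of the original thread and is not BMC's or Okta's configuration. The policy fields, function names and the request timeline are constructed for illustration.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

HOUR = 3600.0

@dataclass
class Session:
    created: float    # when the user authenticated (seconds)
    last_seen: float  # last request that was accepted
    ip: str           # client address recorded at login

@dataclass
class Policy:
    idle_timeout: Optional[float]      # "soft": window restarts on each accepted request
    absolute_timeout: Optional[float]  # "hard": counted from login, never restarts
    bind_ip: bool                      # end the session when the client address changes

def check(s: Session, p: Policy, now: float, ip: str) -> str:
    """Return "ok" and slide the idle window, or the reason the session ends."""
    if p.bind_ip and ip != s.ip:
        return "ip_changed"
    if p.absolute_timeout is not None and now - s.created >= p.absolute_timeout:
        return "absolute_timeout"
    if p.idle_timeout is not None and now - s.last_seen >= p.idle_timeout:
        return "idle_timeout"
    s.last_seen = now  # only a request that passes every check extends the session
    return "ok"

def replay(p: Policy, requests: List[Tuple[float, str]]) -> List[str]:
    """Replay (time, ip) requests on a session created at the first request;
    stop at the first rejection, because the user must log in again there."""
    t0, ip0 = requests[0]
    s = Session(created=t0, last_seen=t0, ip=ip0)
    out = []
    for now, ip in requests:
        out.append(check(s, p, now, ip))
        if out[-1] != "ok":
            break
    return out

# Constructed timeline: one page view every 45 minutes; the VPN hands out
# a new address before the fourth request.
REQUESTS = [(0.0, "10.8.0.5"), (0.75 * HOUR, "10.8.0.5"), (1.5 * HOUR, "10.8.0.5"),
            (2.25 * HOUR, "10.8.0.9"), (3.0 * HOUR, "10.8.0.9")]

if __name__ == "__main__":
    for name, pol in [("soft 1h", Policy(HOUR, None, False)),
                      ("hard 2h", Policy(None, 2 * HOUR, False)),
                      ("soft 1h + IP binding", Policy(HOUR, None, True))]:
        print(name, replay(pol, REQUESTS))
```

With the same browsing pattern, the soft timeout never fires, the hard timeout forces a login at the fourth request, and IP binding ends the session as soon as the VPN address changes.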
I pasted everything except for the very nice Support person stating that was the response they received.