Password Reset application troubleshooting - SSO

Diagnostic log

In a basic configuration, log events are printed to the SSO diagnostic log (since v. 9.1.0). Filter the log events by the password-reset web application name.

Sample event:

2022-10-04 16:15:31,775 password-reset com.ubisecure.sso.password.reset.BeginResetServlet WARN BeginResetServlet.prepareNextPhase(): error.account.not-found ; username=asko INVALID: NOTFOUND: javax.naming.NameNotFoundException: com.ubisecure.ubilogin.directory.spi.StatusException: INVALID: NOTFOUND: javax.naming.NameNotFoundException: javax.naming.NameNotFoundException

404 Page Not Found

A page not found error indicates that the steps described in Password Reset application installation have not been completed.

HTTP Status 500 – Internal Server Error

Check whether the diagnostic log contains any of the log entries shown below.

  • password-reset ... java.lang.IllegalStateException: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: Certificate signature validation failed
  • password-reset ... java.lang.IllegalStateException: Invalid response: {"error":"unauthorized_client"} for grant_type=...
    • The cause depends on the grant_type shown:
      • http://globalsign.com/iam/sso/oauth2/grant-type/sms-mt-otp → No Unregistered SMS OTP method allowed to Password Reset application
      • http://globalsign.com/iam/sso/oauth2/grant-type/smtp-otp → No Unregistered SMTP OTP method allowed to Password Reset application
      • Otherwise → The password method contains an invalid value X in the configuration parameter password.reset.grantTypes
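
The filtering and grant_type lookup described above can be scripted. The following is an added example, not part of the original page or of the product: the line layout is inferred from the sample event, the grant_type value is assumed to appear as a plain URI ending at whitespace, and the sample lines (timestamps, "example.Logger", "other-app") are constructed.

```python
import re
# Line layout inferred from the page's sample event (an assumption):
# "<date> <time>,<ms> <webapp> <logger> <LEVEL> <message>"
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3}) "
    r"(?P<app>\S+) (?P<logger>\S+) (?P<level>[A-Z]+) (?P<msg>.*)$")
GRANT_RE = re.compile(r"grant_type=(\S+)")
PREFIX = "http://globalsign.com/iam/sso/oauth2/grant-type/"
GRANT_CAUSES = {  # grant_type -> cause, as listed on this page
    PREFIX + "sms-mt-otp":
        "No Unregistered SMS OTP method allowed to Password Reset application",
    PREFIX + "smtp-otp":
        "No Unregistered SMTP OTP method allowed to Password Reset application",
}

def triage(lines, app="password-reset"):
    """Return (timestamp, finding) for each recognised event logged by app."""
    findings = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m or m["app"] != app:
            continue  # another web application, or a continuation line
        msg = m["msg"]
        if '"error":"unauthorized_client"' in msg:
            g = GRANT_RE.search(msg)
            grant = g.group(1) if g else "(not shown)"
            findings.append((m["ts"], GRANT_CAUSES.get(
                grant, f"invalid value {grant} in password.reset.grantTypes")))
        elif "SSLHandshakeException" in msg:
            findings.append((m["ts"], "certificate validation failed (TLS)"))
        elif "error.account.not-found" in msg:
            findings.append((m["ts"], "account not found"))
    return findings

# Constructed sample lines: timestamps, "example.Logger" and "other-app" are
# placeholders; the messages follow the entries shown on this page.
SAMPLE = [
    "2022-10-04 16:15:31,775 password-reset com.ubisecure.sso.password.reset."
    "BeginResetServlet WARN BeginResetServlet.prepareNextPhase(): "
    "error.account.not-found ; username=asko INVALID: NOTFOUND",
    '2022-10-04 16:20:02,101 password-reset example.Logger ERROR '
    'java.lang.IllegalStateException: Invalid response: '
    '{"error":"unauthorized_client"} for grant_type=' + PREFIX + "smtp-otp",
    "2022-10-04 16:21:40,009 other-app example.Logger ERROR "
    "javax.net.ssl.SSLHandshakeException: unrelated web application",
]

if __name__ == "__main__": print(*triage(SAMPLE), sep="\n")
```

Events from other web applications are skipped, so the third sample line produces no finding.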

User was found but the account is invalid

The user account may be missing a required attribute, such as mail, which should contain the email address where the email would be sent, or mobile, which should contain the mobile number where the SMS message would be sent. Check that the attribute is set.

With Ubilogin Directory as the user account directory, verify that the user account has the password method activated.

Ensure the correct method is being used during password reset by specifying the method name in the query string. For example: https://idp.example.com/password-reset?method=password.1