Password application troubleshooting - SSO

Diagnostic log

In a basic configuration, log events are printed to the SSO diagnostic log (since v. 9.1.0). Filter the log events with password web application name.

Sample event:

2022-10-04 16:15:31,775 password com.ubisecure.ubilogin.password.change.ChangeServlet WARN CredentialsChange.change INVALID: VALIDATE: com.ubisecure.ubilogin.directory.spi.StatusException: INVALID: VALIDATE


403 Page Not Found

A page not found error indicates that the steps described in Password application installation - SSO#Enable Password Web Application have not been completed.

HTTP Status 500

An exception containing the following line

javax.servlet.ServletException: com.ubisecure.saml2.sp.ServiceProviderException: CONFIG_ERROR: VirtualHostManager failed to resolve host

indicates that the application has not been activated successful.

HTTP Status 500

An exception containing the following line

javax.servlet.ServletException: com.ubisecure.saml2.sp.ServiceProviderException: CONFIG_ERROR: ServiceProvider: no identity provider

indicates that the identity provider metadata is not found, check Password application installation - SSO#Ubisecure Password Service Provider Activation

HTTP Status 500

An exception containing the following line

com.ubisecure.saml2.core.SAMLValidationException: Invalid property: Subject: SubjectConfirmation: REQUESTER, REQUESTDENIED


indicates that the parameter netmask needs to be set correctly in web.xml. An example configuration follows:

<servlet>
       <servlet-name>ServiceProviderServlet</servlet-name>
       <servlet-class>com.ubisecure.saml2.sp.servlet.ServiceProviderServlet</servlet-class>
       <init-param>
       <param-name>listener-class</param-name>
       <param-value>com.ubisecure.ubilogin.password.change.LoginEventListener</param-value>
       </init-param>
      <init-param>
                          <param-name>netmask</param-name> 
                          <param-value>0.0.0.0</param-value>
       </init-param>
       <load-on-startup>0</load-on-startup>
</servlet>

User not found

If the user definitely exists, verify that the user has the nominated authentication method activated.

Ensure the correct method is being checked by specifying the method name in the query string. For example: https://idp.example.com/password/reset?method=password.1

LDAP problem

If LDAPS connection is needed, logs will show this in debug level:

Caused by:
javax.naming.OperationNotSupportedException: [LDAP: error code 53 - Unwilling
To Perform] [Root exception is LDAPException: Unwilling To Perform (53)
Unwilling To Perform

LDAPException:
Server Message: 00002077: SvcErr: DSID-03190E49, problem 5003
(WILL_NOT_PERFORM), data 0

This web page (including any attachments) may contain confidential, proprietary, or privileged information – not for disclosure without authorization from Ubisecure Inc. Copyright © 2024. All Rights Reserved.