Password application troubleshooting - SSO
Diagnostic log
In a basic configuration, log events are written to the SSO diagnostic log (since version 9.1.0). Filter the log events by the web application name, password.
Sample event:
2022-10-04 16:15:31,775 password com.ubisecure.ubilogin.password.change.ChangeServlet WARN CredentialsChange.change INVALID: VALIDATE: com.ubisecure.ubilogin.directory.spi.StatusException: INVALID: VALIDATE
403 Page Not Found
A page not found error indicates that the steps described in Password application installation - SSO#Enable Password Web Application have not been completed.
HTTP Status 500
An exception containing the following line
javax.servlet.ServletException: com.ubisecure.saml2.sp.ServiceProviderException: CONFIG_ERROR: VirtualHostManager failed to resolve host
indicates that the application has not been activated successfully.
HTTP Status 500
An exception containing the following line
javax.servlet.ServletException: com.ubisecure.saml2.sp.ServiceProviderException: CONFIG_ERROR: ServiceProvider: no identity provider
indicates that the identity provider metadata was not found; check Password application installation - SSO#Ubisecure Password Service Provider Activation.
HTTP Status 500
An exception containing the following line
com.ubisecure.saml2.core.SAMLValidationException: Invalid property: Subject: SubjectConfirmation: REQUESTER, REQUESTDENIED
indicates that the netmask init parameter of the ServiceProviderServlet needs to be set correctly in web.xml. An example configuration follows:
<servlet>
  <servlet-name>ServiceProviderServlet</servlet-name>
  <servlet-class>com.ubisecure.saml2.sp.servlet.ServiceProviderServlet</servlet-class>
  <init-param>
    <param-name>listener-class</param-name>
    <param-value>com.ubisecure.ubilogin.password.change.LoginEventListener</param-value>
  </init-param>
  <init-param>
    <!-- the parameter whose value resolves the REQUESTER, REQUESTDENIED error above -->
    <param-name>netmask</param-name>
    <param-value>0.0.0.0</param-value>
  </init-param>
  <load-on-startup>0</load-on-startup>
</servlet>
User not found
If the user definitely exists, verify that the user has the nominated authentication method activated.
Ensure the correct method is being checked by specifying the method name in the query string. For example: https://idp.example.com/password/reset?method=password.1
LDAP problem
If an LDAPS connection is needed, the logs show this at debug level:
Caused by: javax.naming.OperationNotSupportedException: [LDAP: error code 53 - Unwilling To Perform] [Root exception is LDAPException: Unwilling To Perform (53) Unwilling To Perform LDAPException: Server Message: 00002077: SvcErr: DSID-03190E49, problem 5003 (WILL_NOT_PERFORM), data 0
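The following is an added example, not part of this page or of the Ubisecure product: a small triage script that applies the advice above. It filters the diagnostic log down to the password web application's events and maps the error signatures listed on this page (the three HTTP 500 causes, the LDAP error code 53 case and the sample credential-change event) to the diagnosis given for each. The log line format is assumed from the sample event at the top of the page (timestamp, application name, logger class, level, message); the log lines embedded in the script are constructed for the example, and otherapp and example.ConstructedLogger are made-up names.

```python
"""Triage helper for the SSO diagnostic log (hypothetical, added example).

Keeps only the events of one web application (default: "password") and maps
the error signatures documented on the troubleshooting page to their likely
cause.  The line format is assumed from the page's sample event; the sample
log below is constructed for this example and is not real output.
"""
import re
from typing import Dict, List, Optional

# Constructed sample log.  Line 1 is the page's own sample event; the
# "otherapp" line stands in for any other web application's events.
SAMPLE_LOG = """\
2022-10-04 16:15:31,775 password com.ubisecure.ubilogin.password.change.ChangeServlet WARN CredentialsChange.change INVALID: VALIDATE: com.ubisecure.ubilogin.directory.spi.StatusException: INVALID: VALIDATE
2022-10-04 16:16:02,101 otherapp example.ConstructedLogger INFO unrelated event from another application
2022-10-04 16:17:44,310 password com.ubisecure.saml2.sp.servlet.ServiceProviderServlet ERROR javax.servlet.ServletException: com.ubisecure.saml2.sp.ServiceProviderException: CONFIG_ERROR: VirtualHostManager failed to resolve host
2022-10-04 16:18:10,020 password com.ubisecure.saml2.sp.servlet.ServiceProviderServlet ERROR javax.servlet.ServletException: com.ubisecure.saml2.sp.ServiceProviderException: CONFIG_ERROR: ServiceProvider: no identity provider
2022-10-04 16:19:05,555 password com.ubisecure.saml2.sp.servlet.ServiceProviderServlet ERROR com.ubisecure.saml2.core.SAMLValidationException: Invalid property: Subject: SubjectConfirmation: REQUESTER, REQUESTDENIED
2022-10-04 16:20:33,900 password com.ubisecure.ubilogin.directory.ldap.LdapDirectory DEBUG Caused by: javax.naming.OperationNotSupportedException: [LDAP: error code 53 - Unwilling To Perform] [Root exception is LDAPException: Unwilling To Perform (53)]
"""

# Assumed layout: "<date> <time>,<ms> <app> <logger> <LEVEL> <message>"
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3}) "
    r"(?P<app>\S+) (?P<logger>\S+) (?P<level>[A-Z]+) (?P<msg>.*)$"
)

# (substring to look for in the message, diagnosis taken from the page)
SIGNATURES = [
    ("VirtualHostManager failed to resolve host",
     "HTTP 500: application not activated successfully"),
    ("ServiceProvider: no identity provider",
     "HTTP 500: identity provider metadata not found; check Service Provider activation"),
    ("SubjectConfirmation: REQUESTER, REQUESTDENIED",
     "HTTP 500: netmask init-param in web.xml must be set correctly"),
    ("[LDAP: error code 53 - Unwilling To Perform]",
     "LDAP: directory refuses the operation; an LDAPS connection is needed"),
    ("StatusException: INVALID: VALIDATE",
     "credential change rejected by directory validation"),
]


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Split one log line into its fields, or return None if it does not match."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def filter_app(log_text: str, app: str = "password") -> List[str]:
    """Return the raw lines that belong to the given web application."""
    kept = []
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is not None and ev["app"] == app:
            kept.append(line)
    return kept


def diagnose(message: str) -> Optional[str]:
    """Map a message to the first matching documented diagnosis, if any."""
    for needle, diagnosis in SIGNATURES:
        if needle in message:
            return diagnosis
    return None


def triage(log_text: str, app: str = "password") -> List[Dict[str, str]]:
    """Filter by application and attach a diagnosis to every recognised event."""
    findings = []
    for line in filter_app(log_text, app):
        ev = parse_line(line)
        assert ev is not None  # filter_app only returns parseable lines
        diagnosis = diagnose(ev["msg"])
        if diagnosis is not None:
            findings.append({"time": ev["ts"], "level": ev["level"], "diagnosis": diagnosis})
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f['time']} {f['level']:<5} {f['diagnosis']}")
```

Run it against a real diagnostic log by replacing SAMPLE_LOG with the file contents; lines that do not match the assumed layout are skipped rather than misattributed, and unknown messages for the password application are kept by filter_app but get no diagnosis.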