Password Reset application troubleshooting - SSO
Diagnostic log
In a basic configuration, log events are printed to the SSO diagnostic log (since v. 9.1.0). Filter the log events with password-reset
web application name.
Sample event:
2022-10-04 16:15:31,775 password-reset com.ubisecure.sso.password.reset.BeginResetServlet WARN BeginResetServlet.prepareNextPhase(): error.account.not-found ; username=asko INVALID: NOTFOUND: javax.naming.NameNotFoundException: com.ubisecure.ubilogin.directory.spi.StatusException: INVALID: NOTFOUND: javax.naming.NameNotFoundException: javax.naming.NameNotFoundException
404 Page Not Found
A page not found error indicates that the steps described in Password Reset application installation have not been completed.
HTTP Status 500 – Internal Server Error
Check diagnostic log if it contains some of the log entries shown below.
password-reset ... java.lang.IllegalStateException: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: Certificate signature validation failed
- SSO server certificate is not trusted by the Java Runtime Environment in which the Password Reset application is run. Check Add Server Certificate to Java Trust Store.
password-reset ... java.lang.IllegalStateException: Invalid response: {"error":"unauthorized_client"} for grant_type=...
- Depending on the shown grant_type
http://globalsign.com/iam/sso/oauth2/grant-type/sms-mt-otp
→ No Unregistered SMS OTP method allowed to Password Reset applicationhttp://globalsign.com/iam/sso/oauth2/grant-type/smtp-otp
→ No Unregistered SMTP OTP method allowed to Password Reset application- Otherwise → The password method contains an invalid value X in the configuration parameter password.reset.grantTypes
- Depending on the shown grant_type
User was found but the account is invalid
The user account may not have the required account attribute set, such as mail which should contain the email address where the email would be sent, or mobile which should contain the mobile number where the SMS message would be sent. Check that the attribute is set.
With Ubilogin Directory as the user account directory, verify that the user account has the password method activated.
Ensure the correct method is being used during password reset by specifying the method name in the query string. For example: https://idp.example.com/password-reset?method=password.1