Troubleshooting OpenID Connect Issues

The following lists some problems you may encounter when using OpenID Connect with ActiveMatrix BPM.

  • An Access Token denied error is displayed in the browser, with a response code of 404

    This is the result of a newly installed certificate that has not been registered in the following file:

    TIBCO_HOME\tibcojre64\JavaVersion\lib\security\cacerts

    Register the certificate in the cacerts file, then restart the TIBCO Host (tibcohost).

  • The Identity Provider's login does not display

    This can occur if the Redirect URI specified in the shared resource does not match the Redirect URI specified when your application was registered with the Identity Provider. For Microsoft Active Directory Federation Services (ADFS), this error appears in the ADFS logs.

  • A policy enforcement error is displayed

    A possible cause of this error is that the Microsoft ADFS server and the ActiveMatrix Administrator server are in different time zones. They must be in the same time zone. For Microsoft ADFS, it is possible to change the time zone on both the ADFS server, as well as the ActiveMatrix Administrator server.

  • User is redirected to an error page after successful login

    Occasionally, due to manual intervention or because of some scripts, the network time of the machine where Active Directory Federation Services (ADFS) is hosted, or where the web application is hosted, may be out of sync. This could result in authentication failing because the response is either too old or from the future.

    To rectify this error, the machine network time should be synchronized. For Linux, the synchronization must happen with the Network Time Protocol server. For Windows, use the Windows time service. There are standard operating system-level procedures for synchronizing the machine network time.