Troubleshooting OpenID Connect Issues

The following lists some problems you may encounter when using OpenID Connect.

• An Access Token denied error is displayed in the browser, with a response code of 404

  This is the result of a newly installed certificate that has not been registered in the following file:

  TIBCO_HOME\tibcojre64\JavaVersion\lib\security\cacerts

  Register the certificate in the cacerts file, then restart the TIBCO Host (tibcohost).

• The Identity Provider's login does not display

  This can occur if the Redirect URI specified in the shared resource does not match the Redirect URI specified when your application was registered with the Identity Provider. For Microsoft Active Directory Federation Services (ADFS), this error appears in the ADFS logs.

• A policy enforcement error is displayed

  A possible cause of this error is that the Microsoft ADFS server and the ActiveMatrix Administrator server are in different time zones. They must be in the same time zone. For Microsoft ADFS, it is possible to change the time zone on both the ADFS server, as well as the ActiveMatrix Administrator server.

• User is re-directed to an error page after successful login

  Occasionally, due to manual intervention or because of some scripts, the network time of the machine where Active Directory Federation Services (ADFS) is hosted, or where WebApp is hosted, may be out of sync and result in authentication failure for a response being too old or from future.

  The machine network time should be synchronized. For Linux, the synchronization must happen with the Network Time Protocol server. For Windows, use the Windows time service. There are standard operating system-level procedures for synchronizing the machine network time.

Copyright © Cloud Software Group, Inc. All rights reserved.