Troubleshooting OpenID Connect Issues
The following lists some problems you may encounter when using OpenID Connect.
- An Access Token denied error is displayed in the browser, with a response code of 404
This is the result of a newly installed certificate that has not been registered in the following file:
TIBCO_HOME\tibcojre64\JavaVersion\lib\security\cacerts
Register the certificate in the cacerts file, then restart the TIBCO Host (tibcohost).
- The Identity Provider's login does not display
This can occur if the Redirect URI specified in the shared resource does not match the Redirect URI specified when your application was registered with the Identity Provider. For Microsoft Active Directory Federation Services (ADFS), this error appears in the ADFS logs.
- A policy enforcement error is displayed
A possible cause of this error is that the Microsoft ADFS server and the ActiveMatrix Administrator server are in different time zones. They must be in the same time zone. For Microsoft ADFS, it is possible to change the time zone on both the ADFS server, as well as the ActiveMatrix Administrator server.
- User is re-directed to an error page after successful login
Occasionally, due to manual intervention or because of some scripts, the network time of the machine where Active Directory Federation Services (ADFS) is hosted, or where WebApp is hosted, may be out of sync and result in authentication failure for a response being too old or from future.
The machine network time should be synchronized. For Linux, the synchronization must happen with the Network Time Protocol server. For Windows, use the Windows time service. There are standard operating system-level procedures for synchronizing the machine network time.