PingOne

Troubleshooting

Enabling debug logging

To help with troubleshooting or monitoring, you can turn on activity logging for PingFederate, the PingOne Protect IdP Adapter, or both.

About this task

This task is optional. You can use logging for troubleshooting or analytics.

For general information about logging, see Enabling debug messages and console logging in the PingFederate documentation.

Steps

  1. Open the <pf_install>/pingfederate/server/default/conf/log4j2.xml file for editing.

  2. To log activity for PingFederate and all adapters:

    1. Find the following section in the file:

      <AsyncRoot level="INFO" includeLocation="false">
      	<!-- <AppenderRef ref="CONSOLE" /> -->
      	<AppenderRef ref="FILE" />
      </AsyncRoot>
    2. Change INFO to DEBUG.

    The following code snippet shows the section with the level changed to DEBUG:

    <AsyncRoot level="DEBUG" includeLocation="false">
    	<!-- <AppenderRef ref="CONSOLE" /> -->
    	<AppenderRef ref="FILE" />
    </AsyncRoot>
    3. Optional: To see the adapter activity in the console and the log file, remove the comment tags (<!-- and -->) that surround the CONSOLE line:

      <AsyncRoot level="INFO" includeLocation="false">
      	<AppenderRef ref="CONSOLE" />
      	<AppenderRef ref="FILE" />
      </AsyncRoot>
  3. To log activity relating to the PingOne Protect IdP Adapter, do one of the following.

    You can use this information with a third-party log analysis tool to monitor for important events, such as when a sign-on event has a high-risk Result.

    Choose from:

    • To log activity for the PingOne Protect IdP Adapter and its HTTPS and component activity, add the following line:

      <Logger name="com.pingidentity.adapters.pingone.risk" level="DEBUG"/>
    • To log activity for the adapter’s HTTPS activity and other components but not the adapter itself, add the following line:

      <Logger name="com.pingidentity.adapters.pingone.risk.shade" level="DEBUG"/>
    • To log activity for the PingOne Protect IdP Adapter but not its HTTPS or component activity, add the following lines:

      <Logger name="com.pingidentity.adapters.pingone.risk" level="DEBUG"/>
      <Logger name="com.pingidentity.adapters.pingone.risk.shade" level="INFO"/>
  4. Save the file.

Troubleshooting information

The following information addresses technical situations that you might encounter after setting up the PingOne Protect Integration Kit.

Each situation below is followed by information about how to address it.

Using the Risk Provider with PingFederate 11.3 results in the following error:

Refused to load https://apps.<PingOne regional domain>/signals/sdk/pong.css?body=H0kaJgZiVxYYAC0DFghGXkdwQwNFRkdLMgFVRgIEGy9PDhApCgoLA0BXCEkU&e=2 because it does not appear in the style-src directive of the Content Security Policy.

Update the HTML form template in $PF_HOME/server/default/conf/templates.

HTML pages implementing ContentSecurityPolicy restrictions might require updating the style-src CSP settings when adding the signals-sdk JavaScript file to the page. Update style-src to include the https://apps.<PingOne regional domain> host name.

For example, PingFederate 11.3 has updated default templates with strict CSP settings. To use the signals-sdk JavaScript file with PingFederate 11.3 default templates, update the following line in the template’s CSP settings:

<meta http-equiv="Content-Security-Policy" content="script-src 'self' 'nonce-$CSPNonce'; style-src 'self'; img-src 'self'; font-src 'self';" />

Updated line:

<meta http-equiv="Content-Security-Policy" content="script-src 'self' 'nonce-$CSPNonce'; style-src 'self' https://apps.<PingOne regional domain>; img-src 'self'; font-src 'self';" />

For more information on your PingOne regional domain, see IP address and domain reference in the PingOne documentation.
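The style-src change described above, as an added example that is not part of the Ping Identity documentation: it checks whether the template's policy lets the stylesheet load, then widens style-src only. The host apps.pingone.example is a placeholder for https://apps.<PingOne regional domain>, the function names are hypothetical, and the matcher is a simplified host-source check that ignores paths.

```python
import re
from urllib.parse import urlsplit

# Assumption: placeholder standing in for https://apps.<PingOne regional domain>
PINGONE_ORIGIN = "https://apps.pingone.example"
# The PingFederate 11.3 default-template line quoted in the text above.
TEMPLATE_LINE = """<meta http-equiv="Content-Security-Policy" content="script-src 'self' 'nonce-$CSPNonce'; style-src 'self'; img-src 'self'; font-src 'self';" />"""

def policy_of(meta_line):
    """Return the CSP string carried in a <meta http-equiv> line."""
    return re.search(r'content="([^"]*)"', meta_line).group(1)

def parse_csp(policy):
    """Map each directive to its source list; the first occurrence wins, as in browsers."""
    directives = {}
    for part in policy.split(";"):
        tokens = part.split()
        if tokens:
            directives.setdefault(tokens[0].lower(), tokens[1:])
    return directives

def style_allowed(policy, url):
    """Simplified match of a cross-origin stylesheet URL against style-src."""
    d = parse_csp(policy)
    sources = d.get("style-src", d.get("default-src"))
    if sources is None:
        return True  # no directive governs stylesheets
    target = urlsplit(url)
    for src in sources:
        if src == "*":
            return True
        if src.startswith("'"):
            continue  # 'self', nonces and hashes never match another origin's URL
        if src.endswith(":"):  # scheme-source such as "https:"
            if src[:-1] == target.scheme:
                return True
            continue
        s = urlsplit(src if "://" in src else "https://" + src)
        host = s.hostname or ""
        host_ok = (target.hostname.endswith(host[1:]) if host.startswith("*.")
                   else host == target.hostname)
        if s.scheme == target.scheme and host_ok and (s.port or 443) == (target.port or 443):
            return True
    return False

def add_style_source(meta_line, origin):
    """Append origin to style-src only; every other directive is left untouched."""
    def fix(m):
        return m.group(0) if origin in m.group(0).split() else f"{m.group(0)} {origin}"
    return re.sub(r'style-src[^;"]*', fix, meta_line, count=1)
```

Because only style-src is widened, script-src stays at 'self' plus the nonce, so the added host can supply stylesheets but not scripts.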

Include Device Profile is selected in the adapter configuration, but the device profile does not affect the risk result or appear in the response from PingOne Protect.

When this setting is enabled, it is possible for an error to prevent the device profile from reaching PingOne Protect.

Because PingOne Protect considers the device profile to be optional, it still successfully returns a Result to the adapter. The adapter logs a warning in the PingFederate error log about the missing device profile and returns a Success result to the authentication policy. As a result, the process succeeds but no device profile information is available.

To address the problem generating or sending the device profile, review the steps in not used in this IK. Make sure you have completed the correct set of steps (authentication page versus web application) and completed the steps exactly as described.

Authentication fails, and the log files show a NullPointerException.

Prior to release 1.0.3 of the PingOne Protect Integration Kit, there were cases where a NullPointerException occurred if the flow involved an X.509 certificate. Verify that you are using version 1.0.3 or higher.