Troubleshooting
Enabling debug logging
To help with troubleshooting or monitoring, you can turn on activity logging for PingFederate, the PingOne Protect IdP Adapter, or both.
About this task
This task is optional. You can use logging for troubleshooting or analytics.
Learn more about logging in Enabling debug messages and console logging in the PingFederate documentation.
Steps
-
Open the
<pf_install>/pingfederate/server/default/conf/log4j2.xml
file for editing. -
To log activity for PingFederate and all adapters:
-
Find the following section in the file:
<AsyncRoot level="INFO" includeLocation="false"> <!-- <AppenderRef ref="CONSOLE" /> --> <AppenderRef ref="FILE" /> </AsyncRoot>
-
Change
INFO
toDEBUG
.The following code snippet shows
DEBUG
in bold for visibility:<AsyncRoot level="DEBUG" includeLocation="false"> <!-- <AppenderRef ref="CONSOLE" /> --> <AppenderRef ref="FILE" /> </AsyncRoot>
-
Optional: To see the adapter activity in the console and the log file, remove the comment tags (
<!--
and-->
) that surround theCONSOLE
line:<AsyncRoot level="INFO" includeLocation="false"> <AppenderRef ref="CONSOLE" /> <AppenderRef ref="FILE" /> </AsyncRoot>
-
-
To log activity relating to the PingOne Protect IdP Adapter, do one of the following.
You can use this information with a third-party log analysis tool to monitor for important events, such as when a sign-on event has a high-risk Result.
Choose from:
-
To log activity for the PingOne Protect IdP Adapter and its HTTPS and component activity, add the following line:
<Logger name="com.pingidentity.adapters.pingone.risk" level="DEBUG"/>
-
To log activity for the adapter’s HTTPS activity and other components but not the adapter itself, add the following line:
<Logger name="com.pingidentity.adapters.pingone.risk.shade" level="DEBUG"/>
-
To log activity for the PingOne Protect IdP Adapter but not its HTTPS or component activity, add the following lines:
<Logger name="com.pingidentity.adapters.pingone.risk" level="DEBUG"/> <Logger name="com.pingidentity.adapters.pingone.risk.shade" level="INFO"/>
-
-
Save the file.
Troubleshooting information
The following information addresses technical situations that you might encounter after setting up the PingOne Protect Integration Kit.
Situation | Information | ||
---|---|---|---|
Using the Risk Provider with PingFederate 11.3 results in the following error: Refused to load https://apps.<PingOne regional domain>/signals/sdk/pong.css?body=H0kaJgZiVxYYAC0DFghGXkdwQwNFRkdLMgFVRgIEGy9PDhApCgoLA0BXCEkU&e=2 because it does not appear in the style-src directive of the Content Security Policy. |
Update the HTML form template in HTML pages implementing ContentSecurityPolicy restrictions might require updating the For example, PingFederate 11.3 has updated default templates with strict CSP settings. To use the <meta http-equiv="Content-Security-Policy" content="script-src 'self' 'nonce-$CSPNonce'; style-src 'self'; img-src 'self'; font-src 'self';" /> Updated line: <meta http-equiv="Content-Security-Policy" content="script-src 'self' 'nonce-$CSPNonce'; style-src 'self' https://apps.<PingOne regional domain>; img-src 'self'; font-src 'self';" />
|
||
Include Device Profile is selected in the adapter configuration, but the device profile does not affect the risk result or appear in the response from PingOne Protect. |
When this setting is enabled, it is possible for an error to prevent the device profile from reaching PingOne Protect. Because PingOne Protect considers the device profile to be optional, it still successfully returns a Result to the adapter. The adapter logs a warning in the PingFederate error log about the missing device profile and returns a To address the problem generating or sending the device profile, review the steps in Integrating device profiling. Make sure you have completed the correct set of steps (authentication page versus web application) and completed the steps exactly as described. |
||
Authentication fails, and the log files show a NullPointerException. |
Prior to release 1.0.3 of the PingOne Protect Integration Kit, there were cases where a NullPointerException occurred if the flow involved an X.509 certificate. Verify that you are using version 1.0.3 or higher. |