Troubleshooting information

The following information addresses technical situations that you might encounter after setting up the PingOne Protect Integration Kit.

Situation Information

Using the Risk Provider with PingFederate 11.3 results in the following error:

Refused to load https://apps.<PingOne regional domain>/signals/sdk/pong.css?body=H0kaJgZiVxYYAC0DFghGXkdwQwNFRkdLMgFVRgIEGy9PDhApCgoLA0BXCEkU&e=2 because it does not appear in the style-src directive of the Content Security Policy.

Update the HTML form template in $PF_HOME/server/default/conf/templates.

HTML pages implementing ContentSecurityPolicy restrictions might require updating the style-src CSP settings when adding the signals-sdk JavaScript file to the page. Update style-src to include the https://apps.<PingOne regional domain> host name.

For example, PingFederate 11.3 has updated default templates with strict CSP settings. To use the signals-sdk JavaScript file with PingFederate 11.3 default templates, update the following line in the template’s CSP settings:

<meta http-equiv="Content-Security-Policy" content="script-src 'self' 'nonce-$CSPNonce'; style-src 'self'; img-src 'self'; font-src 'self';" />

Updated line:

<meta http-equiv="Content-Security-Policy" content="script-src 'self' 'nonce-$CSPNonce'; style-src 'self' https://apps.<PingOne regional domain>; img-src 'self'; font-src 'self';" />

For more information on your PingOne regional domain, see IP address and domain reference in the PingOne documentation.

Include Device Profile is selected in the adapter configuration, but the device profile does not affect the risk result or appear in the response from PingOne Protect.

When this setting is enabled, it is possible for an error to prevent the device profile from reaching PingOne Protect.

Because PingOne Protect considers the device profile to be optional, it still successfully returns a Result to the adapter. The adapter logs a warning in the PingFederate error log about the missing device profile and returns a Success result to the authentication policy. As a result, the process succeeds but no device profile information is available.

To address the problem generating or sending the device profile, review the steps in Integrating device profiling. Make sure you have completed the correct set of steps (authentication page versus web application) and completed the steps exactly as described.

Authentication fails, and the log files show a NullPointerException.

Prior to release 1.0.3 of the PingOne Protect Integration Kit, there were cases where a NullPointerException occurred if the flow involved an X.509 certificate. Verify that you are using version 1.0.3 or higher.