PingDirectory

Troubleshooting the Consent Service

This section provides general guidelines for troubleshooting the Consent Service and any connection issues.

When evaluating the configuration:

  • Make sure that the Consent Service is enabled.

  • Make sure that the Consent Service base distinguished name (DN) exists.

  • Make sure that the Consent Service’s service account has the correct permissions.

  • If the Consent Service should accept bearer tokens, make sure that:

    • One or more access token validators are configured correctly.

    • The identity mappers for the access token validators are configured correctly.

    • The authorization servers are configured correctly to issue tokens that the Consent Service can accept. Check the audience, privileged-consent-scope, and unprivileged-consent-scope properties of the Consent Service configuration.

  • If privileged users are defined, make sure that the members of the Lightweight Directory Access Protocol (LDAP) group are specified by the Consent Service configuration’s privileged-users-group-dn property.

  • If there are applications that allow individuals to manage their own consents, make sure that the system is properly configured to map actor and subject DNs. Check the Consent Service configuration’s consent-record-identity-mapper property.