---
title: Troubleshooting authentication policy issues
description: Authentication policies help implement complex authentication requirements. Having a complex policy or multiple policies can result in unintended runtime behaviors. The org.sourceid.util.log.PolicyTreeLogger logger makes it easier to troubleshoot issues.
component: pingfederate
version: 13.0
page_id: pingfederate:administrators_reference_guide:pf_troubleshooting_authentication_policy_issues
canonical_url: https://docs.pingidentity.com/pingfederate/13.0/administrators_reference_guide/pf_troubleshooting_authentication_policy_issues.html
revdate: October 8, 2025
section_ids:
  about-this-task: About this task
  steps: Steps
  example: Example:
---

# Troubleshooting authentication policy issues

[Authentication policies](pf_authentication_policies.html) help implement complex authentication requirements. Having a complex policy or multiple policies can result in unintended runtime behaviors. The `org.sourceid.util.log.PolicyTreeLogger` logger makes it easier to troubleshoot issues.

## About this task

Identify and resolve authentication policy issues.

## Steps

1. Enable debug messages for policy trees:

   1. Go to **System > Server > Log Settings**.

   2. Select the **Verbose** checkbox for **Policy Tree**.

   3. Click **Save**.

   4. If PingFederate is running in a clustered environment, replicate the changes on each server node.

2. Repeat the request that demonstrates the authentication policy issue.

   This setting is more useful if you clear your previous session cookies before enabling it.

3. After you have replicated the issue, correlate server log messages using the PF cookie and tracking ID values. Learn more in [Troubleshooting runtime errors](pf_troubleshoot_runtime_errors.html).

   Look for `DEBUG` messages from the `org.sourceid.util.log.PolicyTreeLogger` class.

   ### Example:

   For example, suppose the tracking ID value is `wXzQbS8MfHG40wpsQPiREIenJjc` for a given request. The following server log messages demonstrate the authentication flow.

   ```
   DEBUG [org.sourceid.util.log.PolicyTreeLogger] Policy 'General clients policy' | Selector | generalClients | Yes
   DEBUG [org.sourceid.util.log.PolicyTreeLogger] Policy 'General clients policy' | Authn Source | idFirst
   DEBUG [org.sourceid.util.log.PolicyTreeLogger] Policy 'General clients policy' | Authn Source | idFirst
   DEBUG [org.sourceid.util.log.PolicyTreeLogger] Policy 'General clients policy' | Authn Source | idFirst | Rule | Alpha
   DEBUG [org.sourceid.util.log.PolicyTreeLogger] Policy 'General clients policy' | Authn Source | idFirst | Alpha
   DEBUG [org.sourceid.util.log.PolicyTreeLogger] Policy 'General clients policy' | Authn Source | https://sso.alpha.local:8031
   DEBUG [org.sourceid.util.log.PolicyTreeLogger] Authn Policy Tree setting User ID from attribute 'subject' from Source type 'Adapter' and source ID 'idFirst'
   DEBUG [org.sourceid.util.log.PolicyTreeLogger] Policy 'General clients policy' | Authn Source | https://sso.alpha.local:8031 | Success
   DEBUG [org.sourceid.util.log.PolicyTreeLogger] Policy 'General clients policy' | Authentication Policy Contract | APC | Finished
   ```

   For readability, this sample ignores the time stamp and the tracking ID information. In other troubleshooting scenarios, such information can be valuable.

   Log messages are interpreted as follows:

   1. PingFederate finds an applicable policy named `General clients policy`. The first checkpoint is an OAuth Client Set Authentication Selector instance `generalClients`. PingFederate routes this request to the `Yes` policy path because the client that submits the authorization request matches one of the clients defined in the authentication selector instance.

   2. PingFederate routes this request to an instance of the Identity First Adapter `idFirst` because that adapter instance is the next authentication source of the `Yes` policy path.

   3. Based on the user identifier that the user provided, PingFederate determines that the `Alpha` rule applies and routes this request to the `Alpha` policy path.

   4. PingFederate routes this request to an identity provider (IdP) connection `https://sso.alpha.local:8031` because that IdP connection is the next authentication source of the `Alpha` policy path. PingFederate also populates the `subject` attribute in the AuthnRequest message with the user identifier obtained from the Identity First Adapter instance.

   5. PingFederate receives a valid security token from the IdP `https://sso.alpha.local:8031`. PingFederate routes the request to the `Success` policy path, which ends with an authentication policy contract `APC` and concludes the authentication flow.
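
The correlation and reading described in step 3 can be scripted when the server log interleaves many requests. The following is an added example, not code from PingFederate or from this guide: it keeps only `PolicyTreeLogger` messages for one tracking ID and splits each message into its pipe-separated policy-tree nodes. The function names, the `tid:` line prefix, and the second request in the sample are assumptions made for the example; the message text follows the sample above.

```python
import re
LOGGER = "org.sourceid.util.log.PolicyTreeLogger"
MSG_RE = re.compile(r"DEBUG\s+\[" + re.escape(LOGGER) + r"\]\s+(.*)$")
POLICY_RE = re.compile(r"Policy '([^']*)'\s*\|\s*(.*)$")

def policy_trace(lines, tracking_id):
    """PolicyTreeLogger steps for one request, consecutive repeats dropped."""
    steps = []
    for line in lines:
        found = MSG_RE.search(line)
        # Assumption: the tracking ID appears verbatim somewhere on the log line.
        if not found or tracking_id not in line:
            continue
        msg = found.group(1).strip()
        tree = POLICY_RE.match(msg)
        nodes = tuple(p.strip() for p in tree.group(2).split("|")) if tree else (msg,)
        step = (tree.group(1) if tree else None, nodes)
        if not steps or steps[-1] != step:
            steps.append(step)
    return steps

def sources_visited(steps):
    """Authentication sources in the order the request first reached them."""
    hits = [path[1] for policy, path in steps if policy and path[0] == "Authn Source" and len(path) > 1]
    return list(dict.fromkeys(hits))

def terminal_node(steps):
    """Last policy-tree node logged; a flow that stopped short of a contract shows here."""
    tree_paths = [path for policy, path in steps if policy]
    return tree_paths[-1] if tree_paths else None

# Constructed sample; the "tid:" prefix and the second request are assumptions, not from the page.
TID, OTHER = "wXzQbS8MfHG40wpsQPiREIenJjc", "constructed-other-request"
D = f"DEBUG [{LOGGER}] "
P = D + "Policy 'General clients policy' | "
SAMPLE = [
    f"tid:{TID} {P}Selector | generalClients | Yes",
    f"tid:{OTHER} {P}Selector | generalClients | Yes",
    f"tid:{TID} {P}Authn Source | idFirst",
    f"tid:{TID} {P}Authn Source | idFirst",
    f"tid:{TID} {P}Authn Source | idFirst | Rule | Alpha",
    f"tid:{OTHER} {P}Authn Source | idFirst",
    f"tid:{TID} {D}Authn Policy Tree setting User ID from attribute 'subject' from Source type 'Adapter' and source ID 'idFirst'",
    f"tid:{TID} {P}Authn Source | https://sso.alpha.local:8031 | Success",
    f"tid:{TID} {P}Authentication Policy Contract | APC | Finished",
]

if __name__ == "__main__":
    for policy, path in policy_trace(SAMPLE, TID):
        print(policy or "(no policy)", "|", " | ".join(path))
```

For the constructed second request, `terminal_node` returns the `idFirst` authentication source rather than a policy contract, which is the kind of unfinished path to look at first when a policy behaves unexpectedly.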
