PingOne Advanced Identity Cloud

Remote proxy troubleshooting

These troubleshooting topics and a testing checklist address common remote proxy issues:

OAuth 2.0 authentication fails

Symptom: 401 Unauthorized when accessing the proxy.

  • Verify the OAuth 2.0 client exists in the receiving tenant.

  • Check that clientId and clientSecret match the OAuth 2.0 client credentials on the receiving tenant.

  • Ensure the OAuth 2.0 client has the client_credentials grant type.

  • Verify tokenEndpointAuthMethod is client_secret_post.

  • Check that the OAuth 2.0 client has the fr:idm:* scope.

Forbidden access

Symptom: 403 Forbidden when querying data.

  • Verify the static user mapping is configured.

  • Check that subject in the static user mapping matches the OAuth 2.0 clientId.

  • Ensure roles include internal/role/openidm-admin.

Proxy not found

Symptom: 404 Not Found when accessing /openidm/external/idm/<receiving-tenant-name>.

  • Check that the config was created: GET /openidm/config/external.idm/<receiving-tenant-name>.

  • Verify the config name matches the proxy name formatting (for example, hyphen in config path, slash in access path).

  • Ensure enabled is true in the configuration.

SSL/TLS certificate errors

Symptom: SSL handshake failures.

  • Import the receiving tenant’s certificate into the originating tenant’s truststore.

  • Verify the certificate is valid and not expired.

  • Check network connectivity and firewall rules.

Testing checklist

Before reporting a connectivity issue, verify the following:

  • OAuth 2.0 client is created on the receiving tenant.

  • OAuth 2.0 client has the client_credentials grant.

  • OAuth 2.0 client has the fr:idm:* scope.

  • tokenEndpointAuthMethod is client_secret_post.

  • Static user mapping is configured on the receiving tenant.

  • Static user mapping subject matches the OAuth 2.0 client ID.

  • External IDM config is created on the originating tenant.

  • Config clientId and clientSecret match the OAuth 2.0 client.

  • Config tokenEndpoint points to the correct realm.

  • Config instanceUrl ends with /openidm/.

  • Proxy query succeeds: GET /openidm/external/idm/<receiving-tenant-name>/managed/realm-name_user.