---
title: Remote proxy troubleshooting
description: Troubleshoot common PingIDM remote proxy issues including 401, 403, 404, and SSL errors, with a testing checklist
component: pingoneaic
page_id: pingoneaic:idm-objects:remote-proxy-troubleshooting
canonical_url: https://docs.pingidentity.com/pingoneaic/idm-objects/remote-proxy-troubleshooting.html
llms_txt: https://docs.pingidentity.com/pingoneaic/llms.txt
docs_for_agents: https://developer.pingidentity.com/build-with-ai/docs-for-agents.md
keywords: ["Data Object Model", "Synchronization"]
section_ids:
  remote-proxy-401: OAuth 2.0 authentication fails
  remote-proxy-403: Forbidden access
  remote-proxy-404: Proxy not found
  remote-proxy-ssl-errors: SSL/TLS certificate errors
  remote-proxy-testing-checklist: Testing checklist
---

# Remote proxy troubleshooting

These troubleshooting topics and a testing checklist address common remote proxy issues:

* [OAuth 2.0 authentication fails](#remote-proxy-401)

* [Forbidden access](#remote-proxy-403)

* [Proxy not found](#remote-proxy-404)

* [SSL/TLS certificate errors](#remote-proxy-ssl-errors)

* [Testing checklist](#remote-proxy-testing-checklist)

## OAuth 2.0 authentication fails

**Symptom**: 401 Unauthorized when accessing the proxy.

* Verify the OAuth 2.0 client exists in the receiving tenant.

* Check that `clientId` and `clientSecret` match the OAuth 2.0 client credentials on the receiving tenant.

* Ensure the OAuth 2.0 client has the `client_credentials` grant type.

* Verify `tokenEndpointAuthMethod` is `client_secret_post`.

* Check that the OAuth 2.0 client has the `fr:idm:*` scope.

## Forbidden access

**Symptom**: 403 Forbidden when querying data.

* Verify the static user mapping is configured.

* Check that `subject` in the static user mapping matches the OAuth 2.0 `clientId`.

* Ensure roles include `internal/role/openidm-admin`.

## Proxy not found

**Symptom**: 404 Not Found when accessing `/openidm/external/idm/<receiving-tenant-name>`.

* Check that the config was created: `GET /openidm/config/external.idm/<receiving-tenant-name>`.

* Verify the config name matches the proxy name formatting (for example, hyphen in config path, slash in access path).

* Ensure `enabled` is `true` in the configuration.

## SSL/TLS certificate errors

**Symptom**: SSL handshake failures.

* Import the receiving tenant's certificate into the originating tenant's truststore.

* Verify the certificate is valid and not expired.

* Check network connectivity and firewall rules.

## Testing checklist

Before reporting a connectivity issue, verify the following:

* OAuth 2.0 client is created on the receiving tenant.

* OAuth 2.0 client has the `client_credentials` grant.

* OAuth 2.0 client has the `fr:idm:*` scope.

* `tokenEndpointAuthMethod` is `client_secret_post`.

* Static user mapping is configured on the receiving tenant.

* Static user mapping `subject` matches the OAuth 2.0 client ID.

* External IDM config is created on the originating tenant.

* Config `clientId` and `clientSecret` match the OAuth 2.0 client.

* Config `tokenEndpoint` points to the correct realm.

* Config `instanceUrl` ends with `/openidm/`.

* Proxy query succeeds: `GET /openidm/external/idm/<receiving-tenant-name>/managed/realm-name_user`.
