Consent Service is unavailable

If the Consent Service is unavailable, check that the service is enabled and that communication with the service is available. Confirm that the service account for the Consent Service has been properly provisioned. If the Consent Service resides on a PingDirectoryProxy Server, make sure that the service account exists on the PingDirectoryProxy Server and on all PingDirectory Servers behind the PingDirectoryProxy Server.

Requester lacks sufficient rights to perform operation

A request may be rejected with a 403 for the following reasons:

  • The bearer token does not contain a required scope. Check the privileged-consent-scope and unprivileged-consent-scope properties of the Consent Service configuration.
  • The bearer token does not contain a required audience claim. Check the audience property of the Consent Service configuration.
  • Authentication was successful, but the requester is unprivileged and attempted to perform an operation that only a privileged requester may perform. For example, it may have attempted to act upon a consent record that it does not own, or it may have attempted to delete a consent record.

When using basic authentication, the requester must be listed in the Consent Service configuration service-account-dn property to be considered privileged.
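The bearer-token causes in the list above can be narrowed down offline by decoding the token's claims and comparing them with the Consent Service configuration. This is an added example, not PingDirectory code: it assumes the bearer token is a JWT carrying `scope` and `aud` claims, and the scope names, audience value, and function names are constructed for illustration.

```python
import base64
import json

# Constructed values; read the real ones from the Consent Service configuration.
SAMPLE_CONFIG = {
    "privileged-consent-scope": "consent_admin",
    "unprivileged-consent-scope": "consent",
    "audience": "https://consent.example.com",
}

def make_sample_token(claims):
    """Build an unsigned, constructed JWT so the example runs offline."""
    enc = lambda obj: base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return enc({"alg": "none"}) + "." + enc(claims) + "."

def jwt_claims(token):
    """Decode a JWT payload WITHOUT verifying it; for diagnosis only."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a JWT; an opaque token cannot be inspected locally")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore stripped padding
    return json.loads(base64.urlsafe_b64decode(payload))

def claim_values(value, split=False):
    """Normalize a claim that may be absent, a string, or a list."""
    if value is None:
        return set()
    if isinstance(value, str):
        return set(value.split()) if split else {value}
    return set(value)

def diagnose_403(claims, config):
    """Return the listed 403 causes that the token's claims are consistent with."""
    scopes = claim_values(claims.get("scope"), split=True)
    privileged = config["privileged-consent-scope"] in scopes
    unprivileged = config["unprivileged-consent-scope"] in scopes
    findings = []
    if not (privileged or unprivileged):
        findings.append("missing-scope")
    if config["audience"] not in claim_values(claims.get("aud")):
        findings.append("missing-audience")
    if unprivileged and not privileged:
        findings.append("unprivileged-requester")  # privileged-only operations are rejected
    return findings

if __name__ == "__main__":
    token = make_sample_token({"scope": "openid consent", "aud": "https://other.example.com"})
    print(diagnose_403(jwt_claims(token), SAMPLE_CONFIG))
```

An empty result means the claims satisfy the scope and audience checks as a privileged requester, so the cause lies elsewhere.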

Subject and actor do not match

Only a privileged requester can create or modify a consent record whose subject and actor values do not match.

Unindexed search

The Consent Service will not allow a client to make an unindexed search. In most cases, a client should be able to fix this by refining the search. For example, if a search by subject would be unindexed, perform a search by subject definition ID.

Search size limit exceeded

The Consent Service caps the maximum number of records that can be returned in a search result using its search-size-limit configuration property. This limit can be increased, or the client may be able to refine the search to produce fewer results.