Consent Service is unavailable

If the Consent Service is unavailable, check the following:

  • Ensure that the service is enabled and that communication with the service is available.
  • Confirm that the service account for the Consent Service has been properly provisioned.
  • If the Consent Service resides on a PingDirectoryProxy server, make sure that the service account exists on the PingDirectoryProxy server and all PingDirectory servers behind the PingDirectoryProxy server.

Requester lacks sufficient rights to perform operation

A request might be rejected with a 403 for the following reasons:

  • The bearer token does not contain a required scope. Check the privileged-consent-scope and unprivileged-consent-scope properties of the Consent Service configuration.
  • The bearer token does not contain a required audience claim. Check the audience property of the Consent Service configuration.
  • Authentication was successful, but the requester is unprivileged and attempted to perform an operation that only a privileged requester can perform. For example, the requester attempted to act upon a consent record that it does not own, or it attempted to delete a consent record.

When using basic authentication, the requester must be listed in the service-account-dn property of the Consent Service configuration to be considered privileged.

Subject and actor do not match

Only a privileged requester can create or modify a consent record whose subject and actor values do not match.
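The following triage helper is an added example, not code from the product or its documentation. It maps a rejected request to the scope, audience, and privilege causes listed above, including the subject and actor rule. It assumes the bearer token is a JWT with standard scope and aud claims, that the audience property is set, and that a token carrying the privileged scope counts as privileged. The function names and the configuration values are hypothetical.

```python
import base64
import json

# Constructed sample configuration: the property names come from this page,
# the values are placeholders.
SAMPLE_CFG = {
    "privileged-consent-scope": "consent_admin",
    "unprivileged-consent-scope": "consent",
    "audience": "https://consent.example.com",
}

def make_sample_token(claims):
    """Build an unsigned, constructed JWT-shaped token for offline testing."""
    enc = lambda o: base64.urlsafe_b64encode(json.dumps(o).encode()).rstrip(b"=").decode()
    return enc({"alg": "none"}) + "." + enc(claims) + "."

def jwt_claims(token):
    """Decode the JWT payload WITHOUT verifying it; for diagnosis only."""
    payload = token.split(".")[1]
    return json.loads(base64.urlsafe_b64decode(payload + "=" * (-len(payload) % 4)))

def as_set(value):
    """Claims such as scope and aud may be a space-delimited string or a list."""
    if value is None:
        return set()
    return set(value.split()) if isinstance(value, str) else set(value)

def diagnose_rejection(claims, cfg, op, subject=None, actor=None):
    """Return the causes from this page that would explain a rejection."""
    reasons = []
    scopes = as_set(claims.get("scope"))
    # Assumption: holding the privileged scope makes the requester privileged.
    privileged = cfg["privileged-consent-scope"] in scopes
    if not privileged and cfg["unprivileged-consent-scope"] not in scopes:
        reasons.append("token lacks a required scope")
    if cfg["audience"] not in as_set(claims.get("aud")):
        reasons.append("token lacks the required audience")
    # Record ownership needs the stored record and is not modelled here.
    if not reasons and not privileged:
        if op == "delete":
            reasons.append("unprivileged requester attempted delete")
        elif op in ("create", "modify") and subject != actor:
            reasons.append("subject and actor differ; privileged requester needed")
    return reasons

if __name__ == "__main__":
    token = make_sample_token({"scope": "openid consent", "aud": ["https://consent.example.com"]})
    print(diagnose_rejection(jwt_claims(token), SAMPLE_CFG, "delete"))
```

An empty result means none of the modelled causes applies, so check record ownership and the server logs next.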

Unindexed search

The Consent Service doesn't allow a client to make an unindexed search. In most cases, a client should be able to fix this by refining the search. For example, if a search by subject is unindexed, perform a search by subject and definition ID.

Search size limit exceeded

The Consent Service caps the maximum number of records that can be returned in a search result using its search-size-limit configuration property. This limit can be increased, or the client might be able to refine the search to produce fewer results.