The following topic discusses troubleshooting possible error cases and solutions.
Consent Service is unavailable
If the Consent Service is unavailable, check the following:
- Ensure that the service is enabled and that communication with the service is available.
- Confirm that the service account for the Consent Service has been properly provisioned.
- If the Consent Service resides on a PingDirectoryProxy server, make sure that the service account exists on the PingDirectoryProxy server and all PingDirectory servers behind the PingDirectoryProxy server.
Requester lacks sufficient rights to perform operation
A request might be rejected with a 403 for the following reasons:
- The bearer token does not contain a required scope. Check the
unprivileged-consent-scopeproperties of the Consent Service configuration.
- The bearer token does not contain a required
audienceclaim. Check the
audienceproperty of the Consent Service configuration.
- Authentication was successful, but the requester is
unprivilegedand attempted to perform an operation that only a
privilegedrequester can perform. For example, the requester attempted to act upon a consent record that it does not own, or it attempted to delete a consent record.
When using basic authentication, the requester must be listed in the Consent Service
configuration service-account-dn property to be considered
Subject and actor do not match
privileged requester can
modify a consent record whose subject and
actor values do not match.
The Consent Service doesn't allow a client to make an unindexed search. In most cases, a client should be able to fix this by refining the search. For example, if a search by subject is unindexed, perform a search by subject and definition ID.
Search size limit exceeded
The Consent Service caps the maximum number of records that can be returned in a search result using its search-size-limit configuration property. This limit can be increased, or the client might be able to refine the search to produce fewer results.