If you are using PingFederate 7.1 (or an earlier version), or if you do not want to activate the tracking ID in the user-facing error templates, you can capture the HTTP traffic and use the PF cookie value to find related server log messages for a given request.

  1. Capture HTTP traffic and look for the PF cookie value.
  2. Search for the PF cookie value in the server log.
  3. As all server log messages (except the contents of the inbound requests and the outbound responses) are prefixed with their respective tracking IDs, use the tracking ID to review log messages and payloads pertaining to this transaction.

Generally speaking, log messages that are tagged with WARN or ERROR, or prefixed with "Caused by", are the most useful.

Example

Suppose an error occurred and the associated PF cookie value was OaxBwPGw5OBeHVXe1sgifB7iZR5Rz2VI4rhJwqUSIXV. Based on the cookie value, you found the following log message:

2015-12-03 11:13:33,784 tid:V3IwuUsy8PQp-9ZbE9UfUjOEo9c DEBUG [org.sourceid.servlet.HttpServletRespProxy] adding lazy cookie Cookie{PF=OaxBwPGw5OBeHVXe1sgifB7iZR5Rz2VI4rhJwqUSIXV; path=/; maxAge=-1; domain=null} replacing null

After reviewing the related log messages based on the tracking ID (V3IwuUsy8PQp-9ZbE9UfUjOEo9c), you found the next few messages:

2015-12-03 12:36:21,176 tid:V3IwuUsy8PQp-9ZbE9UfUjOEo9c ERROR [org.sourceid.saml20.profiles.idp.HandleAuthnRequest] Exception occurred during request processing org.sourceid.websso.profiles.RequestProcessingException: Unexpected Runtime Authn Adapter Integration Problem.

...

Caused by: org.sourceid.saml20.adapter.AuthnAdapterException: Could not obtain attributes from the IdP Authentication Service.

Based on these log messages, the remedy is to review and update the configuration of the applicable IdP adapter instance.
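
The three steps above as an added example (not code from the PingFederate documentation): a script that resolves a PF cookie value to its tracking ID, then pulls the WARN and ERROR records and the "Caused by" lines for that transaction. It assumes the log layout of the sample lines on this page and that unprefixed lines (such as "Caused by") belong to the nearest preceding tid-prefixed record; the second transaction and the stack-frame line in the sample are constructed, and the function names are hypothetical.

```python
import re

# Constructed sample: the three log lines shown on this page, plus a constructed
# stack-frame line and a constructed unrelated transaction for contrast.
SAMPLE_LOG = """\
2015-12-03 11:13:33,784 tid:V3IwuUsy8PQp-9ZbE9UfUjOEo9c DEBUG [org.sourceid.servlet.HttpServletRespProxy] adding lazy cookie Cookie{PF=OaxBwPGw5OBeHVXe1sgifB7iZR5Rz2VI4rhJwqUSIXV; path=/; maxAge=-1; domain=null} replacing null
2015-12-03 11:13:34,002 tid:CONSTRUCTEDotherTID0000000 ERROR [example.Unrelated] constructed error from another transaction
Caused by: example.UnrelatedException: constructed, must not be attributed to the cookie's transaction
2015-12-03 12:36:21,176 tid:V3IwuUsy8PQp-9ZbE9UfUjOEo9c ERROR [org.sourceid.saml20.profiles.idp.HandleAuthnRequest] Exception occurred during request processing org.sourceid.websso.profiles.RequestProcessingException: Unexpected Runtime Authn Adapter Integration Problem.
\tat example.Constructed.frame(Constructed.java:1)
Caused by: org.sourceid.saml20.adapter.AuthnAdapterException: Could not obtain attributes from the IdP Authentication Service.
"""

# Record header as seen in the page's sample lines: timestamp, tid:<id>, level.
HEADER = re.compile(r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3} tid:(\S+) (\w+) ")

def records(lines):
    """Group lines into (tid, level, [lines]); unprefixed lines join the previous record."""
    current = None
    for line in lines:
        m = HEADER.match(line)
        if m:
            if current:
                yield current
            current = (m.group(1), m.group(2), [line])
        elif current:
            current[2].append(line)
    if current:
        yield current

def tids_for_cookie(lines, cookie):
    """Step 2: tracking IDs of records that mention the PF cookie value."""
    return {tid for tid, _, body in records(lines) if any("PF=" + cookie in l for l in body)}

def findings(lines, cookie):
    """Step 3: WARN/ERROR headers and 'Caused by' lines for those tracking IDs."""
    lines = list(lines)
    tids = tids_for_cookie(lines, cookie)
    out = []
    for tid, level, body in records(lines):
        if tid not in tids:
            continue
        if level in ("WARN", "ERROR"):
            out.append(body[0])
        out += [l for l in body[1:] if l.startswith("Caused by")]
    return out

if __name__ == "__main__":
    print("\n".join(findings(SAMPLE_LOG.splitlines(), "OaxBwPGw5OBeHVXe1sgifB7iZR5Rz2VI4rhJwqUSIXV")))
```

A plain text search for the tracking ID alone would miss the "Caused by" line, because it carries no tid prefix; grouping continuation lines under their record header keeps it with the right transaction.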