Troubleshooting
The information below contains fixes for discovered issues.
Accessing NON-PRD
If you are unable to connect to the Non-Production Environment from your Web browser on Citynet, please verify that your LAN Settings and Proxy server configuration are correct. After verifying your configuration, if you are still unable to connect, open a ticket with the CityWide Service Desk.
Debug SAML Requests and Responses
Install the SAML-tracer Firefox add-on or SAML Chrome Panel to view SAML messages sent through the browser during single sign-on and single logout.
- Verify that the value of the X509Certificate element in your application's SAML request to the IdP matches the X.509 Certificate in the NYC.ID Console.
Wallet is Not Open
If a Web Service returns the following error:
{"cpui.exception":"ORA-28365: wallet is not open\n"}
Open a ticket with the CityWide Service Desk.
- If you have access to Cityshare, open the ticket through My Desk.
- If you don't have access to Cityshare, and therefore My Desk, call the Citywide Service Desk.
Include the following information in the ticket:
- Team/Unit That the Request Should be Assigned to: Portal Support
- Request Type: NYC.ID wallet is not open
- Environment: Non Production (NON-PRD), or Production (PRD)
Web Service Authentication Failed
If a Web Service returns the error below, your application is calculating an incorrect authentication signature.
{"cpui.failedToAuthenticate":"The combination of userName and signature is incorrect."}
Your application may be generating an incorrect signature because your application is using an incorrect:
- NYC.ID Service Account password, or
- StringtoSign, or
- HMAC algorithm, or
- character encoding, or
- storage of password
NYC.ID Service Account Password
First, check that you have a NYC.ID Service Account for the NYC.ID environment you are working with. Once you have confirmed you have a NYC.ID Service Account, then ensure your password:
- is associated with the correct environment,
- is exactly 64 characters, and
- leading and trailing spaces are trimmed from the password when calculating the authentication signature.
Incorrect StringToSign
If Prevent Replay Attacks is enabled for your NYC.ID Service Account, you must include the "dateTime" parameter in your StringToSign.
Incorrect HMAC Algorithm
Ensure your application is using the correct HMAC algorithm. Signature algorithms are included in the Web Services page (e.g., Signature Algorithm – Java).
Incorrect Character Encoding
If your application stores its password in an Oracle database:
- the data type must be
NVARCHAR2and - the connection pool property,
oracle.jdbc.defaultNChar, must be true.
Incorrect Storage of Password
If your application stores its NYC.ID Service Account password in a property file, ensure your application is not silently dropping backslashes or other special characters before generating the authentication signature. If this is encountered, request a new NYC.ID Service Account password.
SAML 2.0 Single Logout Not Working
During SAML 2.0 Single Logout, if your application does not log the user out of all applications he or she is logged into, your Service Provider (SP) metadata may be incorrect or your application may be misconfigured. Learn about Generating Service Provider Metadata.
Spring Security
When responding to a SAML 2.0 Single Logout, your application may not log out the user. To resolve this issue:
- Verify that your application responds with a "StatusMessage" equal to "The SessionIndex was not found" and does not destory the user's session (i.e., The user is not logged out.).
- Create a custom class that extends
org.springframework.security.saml.websso.SingleLogoutProfileImpl. - Override the
processLogoutRequestmethod. Include all lines of code in the parent method and theequalsNameIDanddiffermethods from the parent class (since they are private within it). Within theequalsNameIdmethod, commentequals = equals && !differ(a.getFormat(), b.getFormat()); - Within your application's security context, replace the class of this bean with the custom class created above.
<bean id="logoutprofile" class="org.springframework.security.saml.websso.SingleLogoutProfileImpl"/>
- Build and redeploy your application.
! IMPORTANT: This workaround is temporary. Gigya has confirmed this to be a defect.
Expired SAML Assertion
During login, if your application displays the error message "The SAML assertion is outside the valid time period," verify that the date and time of the operating system running the Service Provider (SP) is correct.
SHA-256 SAML Assertions
Follow these steps to configure your application to accept SHA-256 SAML Assertions.
Spring Security
Add this Java class to your application.
import org.opensaml.Configuration; import org.opensaml.xml.security.BasicSecurityConfiguration; import org.opensaml.xml.signature.SignatureConstants; import org.springframework.beans.factory.InitializingBean; public class SAMLConfigurationBean implements InitializingBean { @Override public void afterPropertiesSet() { BasicSecurityConfiguration config = (BasicSecurityConfiguration) Configuration.getGlobalSecurityConfiguration(); config.registerSignatureAlgorithmURI("RSA", SignatureConstants.ALGO_ID_SIGNATURE_RSA_SHA256); config.setSignatureReferenceDigestMethod(SignatureConstants.ALGO_ID_DIGEST_SHA256); } }Add this Spring bean to your configuration.
<bean class="SAMLConfigurationBean"/>
ComponentSpace
The following configuration is recommended:
- Windows 2012 R2 (or newer)
- Application is using .NET Framework 4.0 (or newer)
The following configuration is not recommended, but may work:
- Windows 2008 R2 (or newer) with all patches applied
- Application is using .NET Framework 3.5
- .NET Framework 4.6.2 (or newer) is installed