Error logs / Troubleshooting

The logs for the program can be found in /var/log/srv-idp.log

A correct and healthy setup of the service should result in log file output which details the authentication process, such as:

{"datetime":"2017-08-09T14:14:40Z","hostname":"","level":"debug","msg":"Handler: SSO","program":"srv-idp","release":"380","timestamp":1502288080008127306,"version":"1.3.3"}
{"datetime":"2017-08-09T14:14:40Z","hostname":"","level":"debug","msg":"Parsing request","program":"srv-idp","release":"380","timestamp":1502288080008452529,"version":"1.3.3"}
{"datetime":"2017-08-09T14:14:40Z","hostname":"","level":"debug","msg":"Processing SSO Request","program":"srv-idp","release":"380","timestamp":1502288080009417431,"version":"1.3.3"}
{"datetime":"2017-08-09T14:14:40Z","hostname":"","level":"debug","msg":"Check session validity","program":"srv-idp","release":"380","timestamp":1502288080012028640,"version":"1.3.3"}

Examples of incorrect configuration leading to errors are:

Incorrect server clock

It is important that your server clock is set correctly and is in sync with the authentication server. Failure to do this can lead to a "user is rejected by the platform" message:

{"datetime":"2017-08-01T11:50:23Z","hostname":"","level":"info","msg":"The user is rejected by the platform","program":"srv-radius","release":"77","timestamp":1501588223058776400,"version":"1.1.0"}

Incorrect JSON format in config

One common error message which can result from incorrectly formatted JSON is "Service is dead and /var/lock/srv-idp lock file exists". Correcting the format of the JSON and running "sudo service srv-idp restart" will fix this.

Incorrect REDIS setup

The following is a result of incorrect port config for the REDIS server:

{"datetime":"2017-08-09T14:32:42Z","ext_error":"dial tcp: lookup redis on 172.31.0.2:53: no such host","hostname":"","level":"fatal","msg":"UNABLE TO RUN THE COMMAND","program":"srv-idp","release":"380","timestamp":1502289162800865849,"version":"1.3.3"}

Incorrect Firewall / network settings

It is important that your network settings allow connection to the https://api.mpin.io/.well-known/openid-configuration endpoint, as this is where the program attempts to get the platform configuration. It also needs outgoing access to https://api.mpin.authorize/, https://api.mpin.io/oidc/certs and https://api.mpin.io/oidc/token.

If access to these URLs is not configured, the following error may result:

Error while processing the request: Unable to generate a new ZFA client: Get https://api.mpin.io/.well-known/openid-configuration: dial tcp: i/o timeout

It is also important to make sure access is permitted to REDIS (default port 6379), which is used for user session storage.
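
The following script sorts log lines into the failure modes described in the sections above. It is an added example, not part of srv-idp or its documentation: the function names classify and triage and the substring matching rules are assumptions, and the sample lines are copied from the log excerpts on this page.

```python
import json

# (substring to look for, section on this page, what to check). The substrings come from
# the sample errors on this page; using them as match keys is an assumption.
RULES = [
    ("user is rejected by the platform", "Incorrect server clock",
     "sync the server clock with the authentication server"),
    ("lookup redis", "Incorrect REDIS setup",
     "check the REDIS port config and that access to REDIS (default port 6379) is permitted"),
    ("i/o timeout", "Incorrect Firewall / network settings",
     "allow outgoing access to the platform endpoints"),
]

def classify(line):
    """Return (program, level, section, hint) for one log line, or None if it looks healthy."""
    line = line.strip()
    try:
        rec = json.loads(line)
    except ValueError:
        rec = None
    if isinstance(rec, dict):
        text = "{} {}".format(rec.get("msg", ""), rec.get("ext_error", ""))
        program, level = rec.get("program", "?"), rec.get("level", "?")
    else:
        # Not every error is a JSON record: the timeout error above is plain text.
        text, program, level = line, "?", "?"
    for needle, section, hint in RULES:
        if needle in text.lower():
            return (program, level, section, hint)
    if level in ("error", "fatal"):
        return (program, level, "unclassified", text.strip())
    return None

def triage(lines):
    """Classify every line and keep only the ones that need attention."""
    return [hit for hit in map(classify, lines) if hit]

# Sample input: lines copied from the log excerpts on this page.
SAMPLE = [
    '{"datetime":"2017-08-09T14:14:40Z","hostname":"","level":"debug","msg":"Handler: SSO","program":"srv-idp","release":"380","timestamp":1502288080008127306,"version":"1.3.3"}',
    '{"datetime":"2017-08-01T11:50:23Z","hostname":"","level":"info","msg":"The user is rejected by the platform","program":"srv-radius","release":"77","timestamp":1501588223058776400,"version":"1.1.0"}',
    '{"datetime":"2017-08-09T14:32:42Z","ext_error":"dial tcp: lookup redis on 172.31.0.2:53: no such host","hostname":"","level":"fatal","msg":"UNABLE TO RUN THE COMMAND","program":"srv-idp","release":"380","timestamp":1502289162800865849,"version":"1.3.3"}',
    'Error while processing the request: Unable to generate a new ZFA client: Get https://api.mpin.io/.well-known/openid-configuration: dial tcp: i/o timeout',
]

if __name__ == "__main__":
    for program, level, section, hint in triage(SAMPLE):
        print("{} [{}] {}: {}".format(program, level, section, hint))
```

To run it against the real log, pass the open file instead of SAMPLE, for example triage(open("/var/log/srv-idp.log")).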
